Well, Coronavirus lockdown 2020 is well underway and the recent global shift to work-from-home has put a spotlight on one of my least favorite technologies of all time – and one that’s really moved to the forefront of a lot of people’s minds that never had to really think about it before: VPN.
Yes, Virtual Private Networking – that old way to tunnel into your corporate network from afar that dates back to the Clinton administration. Most give credit to Microsoft’s Gurdeep Singh-Pall in 1996, though you could argue that VPN really started with dial-in banks years before. Either way – can we agree that VPN is old? Like in technology terms – really, really old? For comparison’s sake: in 1996 Windows 3.1 was still widely in use and NT 4.0 wouldn’t be released until August 24th. In general I try to avoid using software and architecture from those days for a myriad of reasons, but chief among them is this: we have better options now.
First, let me briefly give you a few reasons to hate VPN:
It is inherently complicated and confusing to end-users. I’ve used lots of VPN software from different vendors, and all of them involve a confusing mess of software, drivers, and processes that are required to get logged on. Most non-technical users all but tip over when they need to figure out how to get connected. I can’t tell you the frustration I’ve listened to over the past two weeks from people who “just want to do their job” but need to muck around with VPN for what seems like half a day before they can get started.
VPN is historically not only one of the most common IT support ticket types, but also the most complicated to help with because there are so many variables. VPN software by nature does a poor job of integrating into the OS – and depending on your configuration may require you to pre-authenticate to VPN before you can log on to the laptop, which is extra-difficult if you aren’t already connected to a network.
It is exactly like creating a back door into your network – because it creates a back door into your network. InfoSec teams are (rightly) concerned that the wrong person could get access to the whole network via VPN, so the vast majority of companies I have knowledge of require two-factor authentication to get in. Often, this two-factor auth is not seamlessly integrated with your VPN software, which in turn is almost never well-integrated with your OS. All of this compromises usability, as discussed above.
Usability aside, if you are worried about someone inappropriate getting access to your network, you start building inspection points and defenses in and around the point of entry – adding to complexity and upkeep – not to mention just another thing to keep you up at night.
It’s expensive – oftentimes really expensive. Sure, the devices are expensive and licenses often come at a cost per user (which can clearly get astronomical when your entire company needs to use it simultaneously), but the support and labor costs are immense. Between design, implementation, support, maintenance, and the unending end-user assistance, these things suck up the most valuable things an IT organization has – time and resources (human and financial).
Perhaps the most important reason I hate VPN is that it exists only because your applications are not inherently secure. VPNs were designed for a time when everyone was in the same building and you could control who was in the building. Only sometimes – but very rarely – was someone working from somewhere other than their cube or mahogany-walled office. Encryption between the endpoint and the app server wasn’t even a supported option – let alone an expectation. In this way, VPNs are a band-aid: the applications and networks you are using aren’t designed to be secure – or geographically flexible – so you bolt this thing on the side to compensate, but it never really does a great job.
There are more reasons I hate VPN – but those are the ones that I think are almost universal. I’ve also seen some really dumb things like putting an application with excellent authentication, encryption, and security posture behind VPN for no reason whatsoever – but that’s just lazy design or poorly-designed policies and outside the scope of this particular rant.
I hear some people screaming at me that there are no other options – and I will concede that for some business-essential applications that are legacy (or poorly constructed) you may have to resort to VPN, but if your organization makes most people use VPN for most or many routine operations, it is suffering from poor technology strategy. So, briefly – here’s what I recommend that your company investigate rapidly:
Re-envision your boundaries. If your company doesn’t have an “anytime, anywhere” access strategy – you’re living in the past, especially if you plan on recruiting millennials or Gen Z as any part of your hiring plan. Younger employees expect that they will be able to balance work and life by blending them. If recruiting the largest segment of the workforce isn’t part of your plan, step away from this blog as you have much larger business problems than just a technology strategy.
SaaS applications are designed to be used remotely – because the application is sitting “up in the cloud” by design. You don’t need to use a VPN to get to Salesforce, ServiceNow, Workday, Office365, Dropbox or a myriad of other applications that have excellent controls in place – and frankly probably have a bigger InfoSec team than your entire IT shop. Here’s an added benefit: not only do you not need to VPN in to get real work done, you also don’t need to spend a ton of time and effort building a bunch of defenses in the application – as they’re generally already there.
Even if you’re going to have applications on-premises (which there are a lot of valid reasons to do) you should be thinking through the security posture of those applications well before you launch them, and should be selecting, designing, or deploying applications that have security built-in and are hardened and designed to be accessed from the outside – without the use of VPN.
Think about VPN alternatives such as VMware Horizon or other VDI solutions. These can be deployed without a VPN and allow users to get into a VM that is internal to your network thereby getting “VPN-like” access. Of course, you could also just host the application in Horizon or something similar. These are often far more usable ways to get access to information and data than having your users fire up the VPN client.
And of course last but not least, if you absolutely must have a VPN, look to a modern VPN solution that is software-based and not hardware-based. All the folks that are (or were) using a hardware VPN concentrator found out just how inflexible that model is when they needed to scale up access by a factor of ten when everyone had to work remotely. Those of us with software-based technologies (especially those deployed virtually) were able to simply scale up the resources provided to that function to hold the increased load.
That was cathartic. I’m not at all a fan of VPN technologies for the simple reason that I think there are far better options out there and available for all of us to use. I acknowledge that some companies simply need to use a VPN, but I encourage them to re-think their strategy and plans and not just let the status quo win the day.
So how about you?
When’s the last time you had to VPN in? Was it as simple as you’d like it to be?
Do you have any applications that you’re running that require VPN for off-premises access that could be migrated to a new application?
Do you have access to any technologies that can supplant the VPN such as VDI or hosted apps presented through a portal? What would it take to migrate users to that new solution?