Investigations into the devastating Colonial Pipeline ransomware attack have revealed that cybercriminals accessed the network by compromising a dormant, “”legacy”” virtual private network (VPN) account that didn’t support multifactor authentication (MFA).
This wasn’t the first time a compromised VPN played a role in a ransomware attack. In April, a VPN vulnerability enabled cybercriminals to deploy ransomware in two production facilities belonging to a European manufacturer, forcing the plants to temporarily shutter. Recently, network device maker Zyxel warned customers of ongoing attacks on certain types of security devices that have remote management or SSL VPN enabled.
This begs the question: Are VPNs helping fuel the epidemic of ransomware attacks? If so, what can organizations do about it?
Answer: It’s time to ditch VPNs and implement zero-trust network access (ZTNA) solutions.
All VPNs Are Legacy Equipment
Colonial Pipeline took pains to note that its compromised VPN was “”legacy”” equipment. In reality, all VPNs are legacy equipment. They were designed to be used in a wildly different world. How different? When VPNs were first introduced, Bill Clinton was the U.S. President, The X-Files was in first-run on network television, and in the overwhelming majority of enterprises, both employees and computer equipment were located on-prem.
VPNs have evolved, of course, but they haven’t deviated far from their original use case: to provide secure remote access under a security architecture called “”castle-and-moat.”” A castle-and-moat setup assumes that threats to the network come only from the outside; all users, devices, and apps inside the network perimeter are implicitly trusted by default.
There are two big problems with this:
- Castle-and-moat ignores threats originating from inside the organization. This includes not only negligent or malicious insiders, but also external cybercriminals who use compromised credentials to access the network, as in the Colonial Pipeline case.
- Castle-and-moat depends on a very clearly defined network perimeter. In today’s cloud-based environments, there is no “”network perimeter.”” Systems, apps, data, hardware, and even employees are distributed. Further, network access is no longer restricted to employees. Freelancers and other contractors, vendors, and business partners must be able to remotely access certain areas of the network.
Zero Trust Killed the VPN Star
For these reasons, organizations have been moving toward zero-trust security architectures for years, a transition that’s accelerated since COVID-19 ushered in a new era of remote work. A Forrester study conducted post-pandemic found that 82% of organizations are “”committed”” to migrating to a zero-trust architecture.
Instead of implicitly trusting all users within the network perimeter, zero trust doesn’t trust anyone by default. In a zero-trust environment, all users, devices, and apps must be strongly authenticated, authorized according to least-privilege access constraints, and inspected for anomalies before they’re permitted to access network resources. Role-based access control (RBAC), least-privilege access, and MFA are indispensable to achieving zero trust.
While newer VPNs support MFA, they still fall flat in zero-trust environments. They lack the granular security settings needed to implement RBAC and least-privilege access. Users who connect with VPNs have free rein within the organizational network. They can move laterally, disable MFA and other endpoint security, exfiltrate data, and plant ransomware and other malware.
While it’s possible to add RBAC support to a VPN, doing so requires organizations to deploy additional solutions, adding further complexity to their security stacks and making it more likely that something will be misconfigured—or an important security patch will be missed.
Zero trust isn’t the only reason to move away from VPNs. They also degrade operational efficiency. They don’t scale well. They’re difficult for employees to use, and for IT admins to configure and maintain. They’re not compatible with all devices and operating systems, and they’re notorious for performance and reliability issues.
ZTNA Solutions Are Modern Alternatives to VPNs
So, you’re ready to retire your VPN and begin your zero-trust journey. Now what?
Fortunately, many vendors offer zero-trust network access (ZTNA) solutions as a service. While VPNs are hardware-centric, ZTNA solutions are cloud-based, which enables organizations to replace their VPNs without having to purchase new hardware or retool their data environments. Instead of adding complexity to their security stacks, ZTNA solutions enable IT admins to simplify them while reducing administrative overhead.
In addition to providing real-time verification of every user, ZTNA solutions give IT admins the ability to control user access and enforce security protocols, such as MFA. Unlike VPNs, ZTNA solutions allow admins to hide internal resources from the public internet, shielding the resources from credential-stuffing and denial-of-service attacks.
Organizations need a modern security model to protect themselves from ransomware and other modern security threats. A zero-trust model, enabled by a ZTNA solution for remote access to internal resources, is the secure, scalable, and reliable alternative to VPNs.
Patrick Tiquet is vice president of security at Keeper Security, a provider of zero-knowledge security and encryption software covering password management, dark web monitoring, digital file storage, and messaging.
