By Praveen Kannan and Anna Strokolyst
“Cloud VPN” could be an easy shorthand for securing cloud-based resources. Or it could be an overused buzzword bolted onto an aging technology. The truth is, neither definition is a particularly useful way to look at today’s network security challenges. The concepts underpinning traditional VPN technology make security both difficult to manage and easy to compromise.
What Does Cloud VPN Mean?
The quick answer to this question is that a cloud VPN is whatever a security provider’s marketing department says it is. Some companies rebrand their consumer-grade VPN technology as a cloud VPN solution for businesses. Other companies provide software-based versions of their original enterprise VPN hardware in an effort to address the management limitations of on-premises security appliances.
A third category consists of companies that do not use traditional VPN technology at all. Instead, these companies provide secure access to on-premises resources, cloud-based proprietary resources, and X-as-a-Service resources without the management and security headaches inherent to traditional VPN solutions. In this case, “cloud VPN” is just a shorthand that sacrifices accuracy to communicate a new concept.
VPNs Trust Too Much
Given how loosely the industry applies the term, “cloud VPN” has a limited shelf life. The IT community’s growing skepticism towards VPN-based security even makes the convenient shorthand less useful. VPN technology has become the source of too many problems. It makes networks more difficult to manage, undermines business productivity, and expands the attack surface for cyber-attacks.
IPSec-based VPN was a solution to the IT environment of the 1990s. That environment no longer exists. A company’s IT resources are now scattered across both privileged networks and cloud providers. Access must now be managed across a web of distributed teams, mobile and remote workers, individual contractors, and third-party partners. At the same time, the security landscape has become extraordinarily complex as organized crime syndicates and nation-states develop more sophisticated ways to penetrate secure perimeters.
A paradigm of trust is what drives all of the problems VPN-based security creates in today’s IT environment. The VPN trusts employees’ devices connecting to a company’s network. If the employee or the device is compromised, then so is the network. The VPN also assumes the network itself is trustworthy and does nothing to protect resources from threats already inside it.
To mitigate these challenges, IT departments must piece together a series of partial solutions such as deploying layers of security systems and moving resources onto subnets with their own VPN gateways. Unfortunately, all of those actions make the network more difficult to manage and more resistant to change.
Zero-Trust Keeps Resources Secure
Network security based on a zero-trust paradigm avoids these challenges. It does not assume that users can be trusted. It does not assume that devices can be trusted. Even a company’s privileged network is treated no differently from the public internet.
Done right, a security architecture based on zero-trust operates on a need-to-know basis. Resources are not deployed publicly, either to the privileged network or to the internet. And any connection requests a resource receives are automatically rejected unless they come from the security system itself.
Software-defined perimeters like the ones Twingate creates move the secure perimeter from the network to each individual resource. Each user and device must be authenticated and confirmed to meet access control policies on a resource-by-resource basis. Once authorized, they can only connect to a specific resource and, even then, only through a secure tunnel with end-to-end encryption. Once the session ends, so does the access authorization and any assumption of trust.
Zero-trust security works no matter how decentralized a company’s IT architecture and workforce structure becomes. Whether resources run on-premises or cloud instances or come from X-as-a-Service providers, they are all protected from unauthorized access. Whether employees use company-managed laptops or personal smartphones, they can only access resources they are meant to access.
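As an added illustration (not Twingate’s code, and not a description of its implementation), the following toy evaluator contrasts the two trust models described above: the perimeter model grants the whole network once the tunnel is up, while the zero-trust model defaults to deny, checks identity and device posture per resource, and ends trust with the session. Resource names, groups and the policy fields are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample data; resource names are hypothetical placeholders.
@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset       # identity attributes asserted by the identity provider
    device_compliant: bool  # device posture (managed, patched, ...) reported by the client

@dataclass(frozen=True)
class Policy:
    allowed_groups: frozenset
    session_ttl: timedelta = timedelta(hours=8)

# Per-resource policies. A resource without a policy entry is simply unreachable.
POLICIES = {
    "git.internal.example": Policy(frozenset({"developers"})),
    "prod-db.example": Policy(frozenset({"sre"}), session_ttl=timedelta(hours=1)),
}

def vpn_style_access(req, resource):
    """Perimeter model: one gate at the tunnel, then every resource on the network."""
    return req.device_compliant

def authorize(req, resource, now):
    """Zero-trust model: default deny, evaluated per resource, trust bounded by session."""
    policy = POLICIES.get(resource)
    if policy is None:
        return False, "unknown resource", None
    if not (req.groups & policy.allowed_groups):
        return False, "user not in an allowed group", None
    if not req.device_compliant:
        return False, "device posture failed", None
    return True, "granted", now + policy.session_ttl   # grant names exactly one resource

def session_valid(expires_at, now):
    """Authorization dies with the session; a later request is re-evaluated from scratch."""
    return expires_at is not None and now < expires_at

def demo():
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    dev = Request("alice", frozenset({"developers"}), device_compliant=True)
    ok, _why, expires = authorize(dev, "git.internal.example", now)
    return {
        "vpn_reaches_prod_db": vpn_style_access(dev, "prod-db.example"),
        "zt_reaches_prod_db": authorize(dev, "prod-db.example", now)[0],
        "zt_reaches_git": ok,
        "git_still_valid_after_9h": session_valid(expires, now + timedelta(hours=9)),
    }
```

In the perimeter model the developer reaches the production database because the tunnel check is the only gate; in the zero-trust model the same developer is limited to the one resource their group is allowed, and that grant lapses with the session.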
What are the Best Cloud VPN Solutions?
Given how loosely marketers use the term “cloud VPN”, you need to look carefully at the claims and underlying technology. For example, Google Cloud VPN enjoys near-universal name recognition but can only provide security within a specific context. The service creates a secure, IPSec-based connection between a company’s network and its virtual resources hosted on Google’s cloud platform. Naturally, other cloud services are not protected by this system. It also suffers from the same limitations as any IPSec-based VPN, such as forcing all traffic to run through a single 3Gbps connection. Azure VPN Gateway and AWS VPN provide similar functions for their respective cloud platforms.
Cloud VPN solutions from companies like OpenVPN and Perimeter 81 also rely on virtualized VPN technology. These solutions may be deployed to on-premises servers or cloud instances, but they still require the brittle security policies of any other VPN-based solution.
Enterprise IT solutions providers like Cisco and Okta offer cloud VPN options as part of their suite of hardware and services. Many of these solutions have been built on the framework of zero-trust software-defined perimeters to provide secure access to resources. However, they are tightly integrated with the providers’ broader product line and often require enterprise-wide transformations of a company’s IT architecture.
Twingate Secures DevOps Resources
DevOps teams cannot wait for C-level decisions to re-architect the enterprise. That’s where Twingate comes in with a security solution optimized for developer operations. Twingate was built from the ground up as a software-defined perimeter security solution based on zero-trust policies rather than traditional IPSec-based VPN.
Managing the constantly changing access needs of employees, third-party partners, and independent contractors is a constant challenge for DevOps administrators. The brittle nature of VPN-based network security makes administrators’ jobs even more difficult and gets in the way of developer productivity.
A DevOps team can deploy Twingate in a matter of days without having to modify resources or the network. Integrated with the existing security stack, Twingate gives administrators a frictionless way to manage developer access policies. And a self-serve enrollment process makes new user onboarding seamless.
Since Twingate’s software-defined perimeter does not require changes to the company’s existing security infrastructure, this approach to zero-trust provides a frictionless way to boost DevOps productivity while keeping developer resources secure.
Contact Twingate to learn how zero-trust can make your developer team more secure.