I’m going to agree with the thrust of this article, but with more of a focus on the operational realities of VPNs. As a telco, I’ve been a provider of secure remote access, authentication, and secure gateway services to large enterprises. From a security provider perspective, the debate was always around the termination point of the VPN: ‘inside’, ‘outside’, or on a dedicated DMZ. There’s no perfect answer and the decision gets more complex when you factor in mobile applications and apps delivered from SaaS clouds.
The rise of SASE as an approach is partly addressing this complexity, though I prefer the more puritan approach of zero-trust for everything. I still remember looking on with jealous eyes at a technology partner back in the 90s using HTTPS access for Lotus without a VPN.
Of course, all of this pales into insignificance next to the realities of Windows 7 updates, securing legacy applications, user behaviour etc., which are the CIO's more immediate challenges…:
[…] VPNs are expensive and require a significant amount of network and manpower to operate. For example, in .mil and .gov firewalls, approximately 80% of the tens of thousands of firewall rules are associated with VPN management. Managing and configuring those tens of thousands of rules translates into significant costs, including manpower, training, software licensing and hardware. It also presents greater complexity for both the end user and the information technology staff, often leading to misconfigurations and greater cyber risk. During my time as the Director of the National Cybersecurity and Communications Integration Center in 2014-2015, our United States Computer Emergency Readiness Team (US-CERT) identified misconfigurations of firewalls and VPN tunnels as one of the top five cyber risks exploited by nation state and criminal hacker groups.