Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

VPNs Are Becoming Extinct: What’s Next?

March 30, 2020

Nextgov reported on March 26 that government agencies are struggling because of their dependence on virtual private networks (VPNs) to connect remote employees with their agency networks.

Why is that important to the rest of us? Because as the post says, VPNs have a lot of problems.

Gartner predicts that by 2023, 60% of private companies will have phased them out in favor of zero-trust networking and other technologies. Today, almost nobody is using VPNs for large-scale connectivity.

There are many problems with VPNs. As the post says. "They don't easily support network segmentation, have zero native on-site security and don't function well in conjunction with a dynamic or software-defined network. Sometimes they even mess up when trying to tunnel over Wi-Fi, which is how many newly homebound workers will try and connect."

They also have licensing issues, so that an entity supporting limited telecommuting before the coronavirus outbreak may now have to procure a lot of new licenses for all the new remote workers. Even with expanded licensing, VPNs require massive bandwidth to operate, and your network may not be able to support such a big rise in usage.

The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency just released a set of VPN guidelines that might solve, or at least workaround, major chokepoints.

Tips in CISA's AA20-073A Alert include:

  • Defining network rules to ensure information technology teams have full access to log reviews, attack detection tools and the ability to respond to and remediate threats.
  • Implement rate limiting and prioritize users that require higher bandwidths.
  • Require multifactor authentication for all users.
  • Warn employees using agency VPNs about the strong possibility of increased phishing attacks and give them clear ways to report suspected phishing attempts.
  • Agencies should report incidents, phishing, malware and all other cybersecurity concerns to CISA immediately.

You can also consider, if you are a larger entity, staggering the workload by having different groups work at different times. That would stretch both their limited bandwidth and licenses, though some people may be forced to work at odd hours. That doesn't work very well for lawyers, but the suggestion may help others.

Teleconferencing can also help. More info on that in the post.

I remain amazed at how many lawyers still believe that VPNs are 100% secure!

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225|Fairfax, VA 22030
Email: Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson