by Erin Risk —
Cloud VPNs: As Brittle, Insecure as Traditional VPNs
Cloud VPNs deliver traditional business virtual private networking (VPN) technologies as cloud-based services. Flexible and globally accessible, cloud VPNs address some of the frustrations generated by this decades-old technology.
We will introduce you to cloud VPNs and explain why companies use them to provide mixed-cloud access. Cloud VPNs may offer benefits over their traditional counterparts, but we will show how they keep the same security weaknesses. Because of these weaknesses, many companies are bypassing cloud VPNs for solutions based on Zero Trust.
What is a cloud VPN?
Cloud VPNs provide the same security, connectivity, and remote access features as traditional virtual private network solutions. However, they are implemented as cloud-based services rather than as network appliances. Also referred to as hosted VPNs or VPN-as-a-Service (VPNaaS), cloud VPNs solve some of modern companies’ issues with hardware-based versions. These connectivity solutions can take one of two forms:
- Site-to-site cloud VPN services connect a company’s on-premises LANs to its public or private cloud networks.
- Remote access cloud VPN services connect a company’s remote users to its on-premises, private cloud, or public cloud networks.
Cloud VPN benefits
As companies increasingly rely on a mix of on-premises and cloud-based resources, cloud VPNs are becoming standard elements in today’s more distributed network architectures. These services offer several benefits, including:
- Familiar technology - VPN has been part of the security landscape for more than three decades. Administrators’ familiarity with traditional VPN shortens the learning curve when adding cloud VPN services.
- Affordable, flexible, and scalable - Compared to the costs of deploying, maintaining, and upgrading VPN hardware, usage-based VPNaaS fees are more affordable. Modifying a cloud VPN is much easier than changing a physical network. And cloud VPNs are more responsive to changing business requirements, letting companies scale up or down whenever they need.
- Compatibility - Third-party cloud VPN providers have integrations with many cloud services, allowing companies to use one security solution for all cloud-based and on-premises resources.
- Globally accessible - Unlike hardware VPNs, companies can rapidly deploy a cloud VPN solution globally. Cloud VPNs are accessible anywhere remote users can get an internet connection.
- Direct access - Cloud VPNs eliminate backhaul by letting remote users connect directly to cloud-based networks. The only time users connect to the company network is when they need access to on-premises resources. As a result, the network’s performance improves, and users experience lower latency.
How are cloud VPNs different from traditional business VPNs?
Companies increasingly rely on a distributed mix of on-premises and cloud-based systems. With the company’s networked assets spread far beyond its physical network, IT departments turn to cloud VPNs to address weaknesses in traditional business VPN technologies.
Cloud VPNs remove network chokepoints
Hardware VPN solutions provide access to a protected, physical network. All remote traffic passes through the VPN gateway. This approach worked when all resources resided on the corporate LAN. But with a mixed-cloud environment, the VPN gateway channels all traffic between remote workers and cloud-based resources through the company network. This backhauled traffic consumes bandwidth and adds latency to user connections.
Cloud VPNs break this logjam by letting users connect directly to the network they need, whether in the cloud or on-premises.
Cloud VPNs centralize remote access security
Local VPN solutions only address one aspect of network security: remote access to the company LAN. As we have seen, protecting cloud-based assets by running traffic through on-premises VPN gateways does not work. Most cloud-hosting services offer remote access security features. When companies run a multi-cloud infrastructure, however, using each service’s security creates too much complexity:
- Administrators must set up and maintain security policies across all cloud platforms.
- End-users must use separate credentials to access each platform.
Cloud VPNs simplify matters. Companies can use a single system to control remote access to their on-premises and cloud networks. And end-users only need to learn a single system to get remote access.
Cloud VPNs are more flexible
The sudden shift to work-from-home in 2020 highlighted how inflexible traditional VPN technology has become. VPN gateways have hard limits on bandwidth and user numbers. Adding more capacity requires buying, testing, and deploying new hardware — without disrupting business operations.
On the other hand, cloud VPNs can adapt and scale whenever changing business requirements demand.
What are the security risks of using a cloud VPN?
When VPN was developed more than 30 years ago, it let companies save money by securely connecting remote LANs to the central office over the internet. The technology later evolved to let small numbers of people working remotely access the company’s network.
Despite its migration to the cloud, the original network-to-network model is still a fundamental part of VPN’s design. Many of the security weaknesses associated with hardware VPN solutions are just as much a part of cloud VPNs.
- Visibility - VPN gateways publish their presence to the public internet so that client apps can connect. This visibility lets cybercriminals discover a company’s VPN gateways and incorporate what they learn into their attacks.
- IPsec complexity - Cloud VPN solutions use IPsec protocols to protect site-to-site and remote access connections. IPsec, however, is notoriously complex. Any mistakes in its configuration could provide an opening for an attack.
- Permissive network connections - Even as a remote access solution, VPN treats the user’s device as a second network to be connected. Anyone connecting to a cloud VPN gets access to the network it protects. Compromised user credentials let hackers traverse the protected network freely.
Cloud VPNs address some of the performance and manageability issues of standard business VPNs. As we have seen, they do not address the security weaknesses inherent to VPN technology. This is why more and more businesses are turning to the Zero Trust model of network access control.
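The IPsec complexity point above is easiest to see in a concrete configuration review. As an added example (not the article’s own code and not Twingate’s), the following Python script lints a strongSwan-style ipsec.conf for the settings a reviewer would flag: IKEv1 aggressive mode with pre-shared keys, legacy algorithms (DES/3DES, MD5, SHA-1, small MODP groups) and proposals that are not marked strict. The two `conn` sections and the list of weak tokens are constructed for illustration, not taken from any real deployment.

```python
"""Lint a strongSwan-style ipsec.conf for well-known weak IPsec settings.

Added example for this article; it is not Twingate code. The two sample
'conn' sections below are constructed for illustration, and WEAK_TOKENS is
an opinionated reviewer's list, not an exhaustive standard.
"""
import re

# Algorithm and DH-group tokens a reviewer would flag in an IKE or ESP proposal.
WEAK_TOKENS = {
    "des", "3des", "md5", "sha1", "null",
    "modp768", "modp1024", "modp1536",
}

# Constructed sample: a legacy site-to-site tunnel beside a hardened one.
SAMPLE_CONF = """
config setup
    charondebug="ike 1"

conn legacy-site
    keyexchange=ikev1
    aggressive=yes
    authby=psk
    ike=3des-md5-modp1024
    esp=3des-md5
    auto=start

conn hardened-site
    keyexchange=ikev2
    authby=pubkey
    ike=aes256-sha256-modp2048!
    esp=aes256gcm16-modp2048!
    auto=start
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section in the file."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(conn|config|ca)\s+(\S+)$", line)
        if m:
            # Only 'conn' sections are linted; 'config setup' and 'ca' are skipped.
            current = conns.setdefault(m.group(2), {}) if m.group(1) == "conn" else None
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def proposal_tokens(proposal):
    """Split 'aes256-sha256-modp2048!' into algorithm tokens (strict marker dropped)."""
    return [t for t in proposal.rstrip("!").replace(",", "-").split("-") if t]


def lint_conn(name, opts):
    """Return a list of human-readable findings for one conn section."""
    findings = []
    if opts.get("keyexchange", "ike") == "ikev1":
        findings.append("keyexchange=ikev1: prefer IKEv2")
        if opts.get("aggressive") == "yes" and opts.get("authby", "").startswith("psk"):
            findings.append("IKEv1 aggressive mode with PSK is widely considered insecure; use IKEv2 with certificates")
    for field in ("ike", "esp"):
        prop = opts.get(field)
        if not prop:
            continue
        weak = sorted(set(proposal_tokens(prop)) & WEAK_TOKENS)
        if weak:
            findings.append(f"{field}= uses weak algorithms: {', '.join(weak)}")
        if not prop.endswith("!"):
            # Without the trailing '!', strongSwan also offers its default proposals.
            findings.append(f"{field}= is not strict ('!' missing): default proposals are offered too")
    return findings


def lint(text):
    """Lint every conn section; returns {conn_name: [findings]}."""
    return {name: lint_conn(name, opts) for name, opts in parse_conns(text).items()}


if __name__ == "__main__":
    for name, issues in lint(SAMPLE_CONF).items():
        print(name, "->", issues or ["ok"])
```

Run against the constructed sample, `legacy-site` produces six findings and `hardened-site` none. The checker is deliberately narrow: it reads only `keyexchange`, `aggressive`, `authby`, `ike` and `esp`, so it catches the classic proposal mistakes but says nothing about key management, lifetimes or peer identity checks, which a full review would also cover.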
What alternatives exist for securing company resources other than cloud VPNs?
Zero Trust has emerged as an approach to network access suited to how computing works in the 21st Century. Unlike the increasingly outdated “secure perimeter” approach companies have used for decades, Zero Trust recognizes that trust is an illusion. A clicked link or an opened attachment is all it takes for a trusted device to become an attack vector.
A central tenet of Zero Trust security is the assumption that every user, device, and network has already been compromised. In that context, the only way to protect the company’s assets is to challenge every connection attempt. Users must be verified explicitly each time they try to access a resource. And the access privileges they receive for each session must be limited to the minimum necessary for users to do their job.
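The difference between the VPN model criticized above (authenticate once at the gateway, then reach the whole network) and the per-request, least-privilege model described here can be shown as a small policy engine. This is an added example, not Twingate’s code and not any real product API; the users, devices, resources and policy table are constructed for illustration.

```python
"""Contrast network-level VPN access with per-resource Zero Trust decisions.

Added example for this article; it is not Twingate code and uses no real
product API. The users, devices, resources and the policy table are
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool          # enrolled in the company's device management
    disk_encrypted: bool   # one posture signal a policy can require


@dataclass(frozen=True)
class Principal:
    user: str
    groups: frozenset
    mfa_verified: bool     # identity provider completed MFA for this session
    device: Device


@dataclass(frozen=True)
class Resource:
    name: str
    allowed_groups: frozenset
    require_managed: bool = False   # posture requirement, checked per request
    require_mfa: bool = True


# Constructed inventory: three resources of different sensitivity.
RESOURCES = {
    "wiki": Resource("wiki", frozenset({"staff"})),
    "payroll-db": Resource("payroll-db", frozenset({"finance"}), require_managed=True),
    "prod-ssh": Resource("prod-ssh", frozenset({"sre"}), require_managed=True),
}


def vpn_reachable(principal):
    """Network-level model: the gateway authenticates once, and the session can
    then reach every resource behind it. Groups and posture play no part."""
    if not principal.mfa_verified:      # the gateway's only check
        return set()
    return set(RESOURCES)


def zero_trust_decision(principal, resource):
    """Per-resource, per-request check: identity, group membership and device
    posture are all evaluated explicitly; nothing is granted by default."""
    if resource.require_mfa and not principal.mfa_verified:
        return False, "mfa required"
    if not (principal.groups & resource.allowed_groups):
        return False, "not in an allowed group"
    if resource.require_managed and not (
        principal.device.managed and principal.device.disk_encrypted
    ):
        return False, "device posture not met"
    return True, "ok"


def zero_trust_reachable(principal):
    """Resources this principal may reach right now, one decision per resource."""
    return {n for n, r in RESOURCES.items() if zero_trust_decision(principal, r)[0]}


def blast_radius(principal):
    """Return (vpn_set, zero_trust_set): what one session could touch under each model."""
    return vpn_reachable(principal), zero_trust_reachable(principal)


# Constructed scenario: a finance user's valid session presented from a personal,
# unmanaged laptop (the compromised-credential case the article describes).
STOLEN_SESSION = Principal(
    user="alice", groups=frozenset({"staff", "finance"}), mfa_verified=True,
    device=Device("personal-laptop", managed=False, disk_encrypted=False),
)
# The same user from her managed, encrypted work laptop.
WORK_SESSION = Principal(
    user="alice", groups=frozenset({"staff", "finance"}), mfa_verified=True,
    device=Device("corp-1234", managed=True, disk_encrypted=True),
)

if __name__ == "__main__":
    for label, p in (("stolen session", STOLEN_SESSION), ("work laptop", WORK_SESSION)):
        vpn, zt = blast_radius(p)
        print(f"{label}: VPN model reaches {sorted(vpn)}, Zero Trust grants {sorted(zt)}")
```

With the constructed data, the stolen session reaches all three resources under the VPN model but only `wiki` under the per-resource check, because `payroll-db` requires a managed, encrypted device and `prod-ssh` requires the `sre` group. The same user on her work laptop additionally gets `payroll-db` and still nothing else; every grant is the minimum the policy table allows for that request.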
Twingate uses software-defined perimeters (SDPs) to implement Zero Trust security. Compatible with Infrastructure as Code practices, Twingate replaces brittle legacy technologies with a modern, flexible approach. Among the benefits Twingate delivers:
- Reduced attack surface - Twingate’s SDPs do not require public IP addresses. Whether on-premises or in the cloud, all resources effectively disappear from the internet and become undiscoverable by hackers.
- Identity provider integration - Twingate integrates with a company’s existing security stack, including identity providers such as Okta and Azure AD.
- Rapid deployment - Companies have deployed Twingate’s Zero Trust solution in as little as fifteen minutes. No changes are needed to the underlying network or the protected resources. Since Twingate can coexist with an existing security system, companies can phase in their Zero Trust migration.
- Performant direct connections - Twingate’s client app connects directly to protected resources no matter where they are hosted. Traffic is efficiently routed along the most performant path while reducing overhead on the private network. Split tunneling improves performance by routing users’ non-essential traffic over the public internet.
- Better user experience - Users do not need to hand their device to IT staff or change obscure settings in their device’s operating system. Instead, they follow an installation process similar to consumer app stores. The Twingate client app runs seamlessly in the background without user interaction.
- Administrative simplicity - Help desk calls decline as users adjust to the streamlined experience. Twingate’s administrative consoles also make life easier by enabling single-click on-boarding and off-boarding.
- Monitoring and auditing - Twingate’s extensive activity logs are indexed by user identity and device. This helps administrators spot unusual behavior and contain security breaches quickly.
Skip cloud VPN for Twingate’s 21st Century security solution
While cloud VPNs offer tangible benefits over their physical equivalents, they do not address the technology’s most significant weakness: security. Flexibility and cloud compatibility may justify cloud VPNs in the short term. But they are not long-term solutions for the modern company.
Twingate delivers a more secure and performant solution by implementing Zero Trust principles. Whether users are on-site or remote, have managed devices or bring their own, and whether resources are on-prem or in the cloud, Twingate reduces your network’s attack surface and simplifies access control.
Contact Twingate to learn more about protecting on-prem and cloud-hosted resources within a single Zero Trust solution.