While today’s printer manufacturers might make a little money on their hardware, it’s the ink that brings in the big profits. The same concept applies to razors and razorblades. It turns out it’s also true for something as ubiquitous and seemingly well understood as the virtual private network (VPN).
Today, practically every company has a VPN, and most enterprises have many. Just like the printers and the razors, many companies may think of the VPN appliance, often included in the firewall, as representing the solution in its entirety. But even if you consider the client-side agents, you’ll still only be scratching the surface of the VPN’s reach and its costs.
Designed for performance
Part of the problem lies in the fundamental task that VPNs were designed to perform: connecting users to protected networks so that they can reach the private, internal applications housed there. There are several issues packed into that statement. The first is getting the user to the data centre that will offer the best performance. If your enterprise operates at scale, that usually means regionally dispersed data centres.
But what if a data centre goes down or becomes overloaded? Handling that requires a global server load balancer (GSLB). One could argue that the need for a GSLB is not due to the VPN alone, since regional data centres often don't work well without one in any case, but GSLBs certainly front the large deployments required for VPN access. That's not all.
Tackling VPN barriers
The biggest issue with VPNs stems from the fact that, like any other internet-facing device, the VPN gateway must listen for inbound connections. Like any other outward-facing device, it is therefore exposed to Distributed Denial of Service (DDoS) attacks, so many security-minded enterprises place DDoS protection in front of it. With that protection come firewalls. Many enterprises sandwich the VPN between an external firewall, which takes all the traffic from the internet, and an internal firewall that enforces access control lists (ACLs) on what VPN users may reach; behind that, another set of load balancers typically fronts the resources themselves.
Just like any stack of disparate appliances, each device views the world through the lens of its specific purpose. This means that the configuration in each data centre must be kept in sync with all the others, multiplying the effort required to maintain a consistent user experience. These problems only grow as your applications move to the cloud.
There are costs outside the data centre as well. The operating costs of deploying and maintaining VPNs can be considerable. Managing the access control lists in the firewalls, for example, has been difficult enough to keep enterprises from achieving network segmentation, even while acknowledging the need for it. Getting users up and running brought downtime, and with it a very real price tag in helpdesk costs. SSL VPNs (Secure Sockets Layer virtual private networks, today carried over TLS) solved some problems, but many enterprises have returned to a simpler IPsec model to ensure application connectivity.
The largest potential costs, however, come from the security risk posed by the users themselves, who are placed on the data centre network in order to get application access. Once the tunnel is up, the user's device has network-level reachability to whatever the internal firewall permits, not merely to the one application the user needs. Most users don't understand the implications of such access, and unless they actually work in IT, it's not reasonable to expect that they ever will. Most are completely unaware of the damage that could be done if their VPN password fell into the wrong hands.
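To make the firewall sandwich and the ACL problem concrete, here is an added example in Python; it is not code from the original article or from any vendor. It is a small evaluator for a simplified, constructed firewall ACL format (first-match semantics with an implicit deny at the end) that computes what a single VPN client, say one whose password has been stolen, can reach through the internal firewall under a coarse rule set versus a per-application one, plus an audit check that flags the any-port, any-host permits that quietly defeat segmentation. The ACL syntax, the addresses, the resource names and every function name are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Simplified ACL model (an assumption for this example, not any vendor's syntax):
# one rule per line, "permit|deny <src_cidr> <dst_cidr> [port]", evaluated
# first-match with an implicit deny at the end, as most firewall ACLs are.


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]         # None means any port


def parse_acl(text: str) -> list[Rule]:
    """Parse the simplified ACL text into an ordered list of rules."""
    rules = []
    for raw in text.strip().splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) not in (3, 4) or parts[0] not in ("permit", "deny"):
            raise ValueError(f"bad rule: {raw!r}")
        port = int(parts[3]) if len(parts) == 4 else None
        rules.append(Rule(parts[0],
                          ipaddress.ip_network(parts[1], strict=False),
                          ipaddress.ip_network(parts[2], strict=False),
                          port))
    return rules


def is_permitted(acl: list[Rule], src_ip: str, dst_ip: str, port: int) -> bool:
    """First matching rule wins; no match at all means deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in acl:
        if src in rule.src and dst in rule.dst and rule.port in (None, port):
            return rule.action == "permit"
    return False


def reachable_from(acl: list[Rule], src_ip: str,
                   resources: dict[str, tuple[str, int]]) -> list[str]:
    """Names of the resources a client at src_ip can reach through the ACL."""
    return sorted(name for name, (ip, port) in resources.items()
                  if is_permitted(acl, src_ip, ip, port))


def broad_permits(acl: list[Rule]) -> list[Rule]:
    """Audit check: permit rules with no port restriction whose destination is
    wider than a single host. These are the rules that defeat segmentation."""
    return [r for r in acl
            if r.action == "permit" and r.port is None and r.dst.prefixlen < 32]


# Constructed sample data: the VPN hands clients addresses from 10.200.0.0/16 and
# the internal firewall sits between that pool and the 10.10.0.0/16 server network.
RESOURCES = {
    "hr-app":     ("10.10.1.10", 443),
    "finance-db": ("10.10.2.20", 5432),
    "git":        ("10.10.3.30", 22),
    "jump-host":  ("10.10.4.40", 22),
}

# The kind of rule that accumulates when ACLs are hard to manage: any VPN user
# can reach any server on any port once the tunnel is up.
COARSE_ACL = parse_acl("""
permit 10.200.0.0/16 10.10.0.0/16
""")

# Per-application rules: the VPN pool reaches only the two services it needs.
SEGMENTED_ACL = parse_acl("""
permit 10.200.0.0/16 10.10.1.10/32 443   # HR web front end
permit 10.200.0.0/16 10.10.4.40/32 22    # admin jump host
deny   10.200.0.0/16 10.10.0.0/16        # everything else on the server network
""")

if __name__ == "__main__":
    client = "10.200.5.17"   # a VPN client whose password has been stolen
    print("coarse ACL reach:   ", reachable_from(COARSE_ACL, client, RESOURCES))
    print("segmented ACL reach:", reachable_from(SEGMENTED_ACL, client, RESOURCES))
    print("broad permits:      ", broad_permits(COARSE_ACL))
```

Under the coarse rule the stolen credential reaches all four systems, including the finance database; under the per-application rules it reaches only the HR front end and the jump host. Real firewall ACLs are stateful and carry zones, object groups and protocol fields that this toy format ignores, but the reach calculation is the one an auditor actually wants: given a source address in the VPN pool, what does the internal firewall let it touch?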
Can VPN actually be secured?
In theory, VPNs can be secured, and enterprises have spent vast sums over the years attempting to do so. In practice, the rise in press-worthy data breaches that can be traced directly to VPN use says otherwise.
Moving to an alternative may appear to require that the enterprise walk away from an infrastructure investment that has already been made. Such investment may be perceived as a "sunk" cost, making a new option seem unrealistically expensive. In reality, the price tags associated with operating VPNs are often much higher than they appear on the surface. In comparing solutions, it is useful to bear in mind the additional hardware required to secure what is essentially an open internet port in the form of a VPN. When debating the pros and cons of VPNs, operating costs should be considered, particularly as users proliferate and applications move to the cloud.
Of course, as we've seen from many high-profile cases in the last few years, the cost of a security breach through well-documented VPN vectors must be acknowledged too. In other words, it's not just the cost of the printer; one must factor in the ongoing cost of the ink.