Jun 14 2021

What Agencies Should Know About VPNs as Reliance Continues

The technology, critical for keeping teleworking employees secure, can be more complex than it seems.

The rapid rise of remote work saw a commensurate shift in technology deployments as agencies sought options to enable staff productivity without compromising security. For many, virtual private networks were the natural best fit.

According to a survey of global IT leaders by VPN provider NetMotion, at least 54 percent of the enterprises surveyed relied on VPNs in 2020 for remote security. But the survey also found that only 29 percent of public sector IT leaders employed the technology.

As federal agencies moved to adopt VPNs at scale in the wake of the COVID-19 pandemic, some did struggle at first. For example, an April 2021 assessment by the Department of Defense’s Office of Inspector General found that many DOD components had not fully tested telework capabilities in advance and were not fully equipped for maximum telework.

According to Greg Touhill, the first federal CISO and a board director at ISACA, part of the problem stems from protective fallacies around the technology itself.

“With VPNs, you’re just running a big, encrypted pipe into your perimeter and then opening it up to remote users,” he says. As a result, it’s easy for federal agencies to veer off course when it comes to effective VPN adoption, application and adjustment.

Here’s a look at the top facts — and biggest fallacies — for government VPNs.

Fallacy: VPNs Offer Complete Protection

VPNs create an encrypted “tunnel” of traffic that helps protect data in transit from being stolen or damaged by malicious actors. As Touhill notes, however, “this is old technology — it was developed the same year as the Palm Pilot. And because a lot of these tools have been on the market so long, bad actors have been able to study them and attack based on discovered vulnerabilities.”

This creates a potential disconnect between deployment and defense. Federal IT teams may assume that the protective nature of VPNs makes them largely immune to common attacks, but “VPNs are complex, and complexity is the bane of security,” Touhill says. “When a seam appears, adversaries can exploit these vulnerabilities.”

Fact: VPNs Aren’t Deployed in Isolation

Wherever possible, federal agencies look to limit the number of outside organizations that are involved in technology deployments, which makes sense; even with adherence to standards such as DOD Directive 8140, additional providers naturally increase total risk.

According to Touhill, this outsourcing can’t be avoided when it comes to VPNs. “Most agencies will procure VPN technology and then hire a services company to install, configure and operate it,” he says. “While some still have organic employees for this job, most .gov deployments are outsourced to a solutions provider.”

As a result, agencies must account for both current employees and approved contractors when it comes to VPN management.

Fallacy: VPNs Are Always Cost-Effective

The straightforward nature of VPN solutions is often associated with cost-effectiveness, but that’s not always the case, especially in sudden ramp-ups such as the one at the beginning of the pandemic.

“Most organizations surged on their existing contracts,” Touhill says. “They had remote access that was almost universally VPNs and leveraged existing contracts to surge ASAP.”

And while this offered security continuity, it also came with costs. “Now the bills are coming in,” says Touhill, “and these VPNs are expensive.”

Fact: VPNs Require Ongoing Management

VPNs aren’t set-it-and-forget-it — to ensure they deliver on defensive potential, federal organizations must ensure they’re effectively incorporated with existing IT solutions and monitor these networks for potential misuse.

“Agencies must accommodate VPNs in the firewall,” notes Touhill, “along with ensuring they support efforts to better define mobile technology deployments, cloud computing solutions and zero-trust initiatives.”

It’s also important for federal agencies to recognize the potential performance impacts of VPNs on existing networks. Because full-tunnel VPNs place the burden of remote host traffic on existing agency networks, the sheer volume of data traffic driven by remote workforces can create issues with bandwidth, access and latency. As a result, a successful VPN implementation for federal agencies requires ongoing management and monitoring to ensure effective adoption.
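The monitoring the article calls for has to start somewhere concrete: VPN concentrators emit authentication logs, and two of the cheapest signals of misuse are a burst of failed logins from one source and a single account authenticating from more than one address in a short window. The script below is an added example, not from the article or any vendor: the log format, the thresholds and the sample lines are all constructed, so `parse_line()` would need adapting to a real appliance's format.

```python
"""Flag possible VPN misuse in constructed authentication logs.

Added example (not from the article). The log format is an assumption:
one event per line, "<ISO timestamp> user=<name> src=<ip> result=<success|failure>".
Real VPN concentrators use their own formats; adapt parse_line() accordingly.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log, not real data.
SAMPLE_LOG = """\
2021-06-14T08:01:10Z user=alice src=198.51.100.10 result=success
2021-06-14T08:03:42Z user=bob src=203.0.113.5 result=failure
2021-06-14T08:03:50Z user=bob src=203.0.113.5 result=failure
2021-06-14T08:04:01Z user=bob src=203.0.113.5 result=failure
2021-06-14T08:04:12Z user=bob src=203.0.113.5 result=failure
2021-06-14T08:04:20Z user=bob src=203.0.113.5 result=failure
2021-06-14T08:04:33Z user=bob src=203.0.113.5 result=failure
2021-06-14T08:30:00Z user=alice src=192.0.2.77 result=success
2021-06-14T09:15:00Z user=carol src=198.51.100.22 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "user": m["user"], "src": m["src"], "result": m["result"]}


def parse_log(text):
    events = [parse_line(line) for line in text.splitlines() if line.strip()]
    return [e for e in events if e is not None]


def find_failure_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Source IPs with at least `threshold` failures inside a sliding time window.

    Returns {src_ip: largest failure count seen in any one window}."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_src[e["src"]].append(e["ts"])
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


def find_multi_source_users(events, window=timedelta(hours=1)):
    """Users with successful logins from more than one source IP inside the window.

    A cheap stand-in for 'impossible travel': no geolocation, just an address change.
    Returns {user: sorted list of the source IPs involved}."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append((e["ts"], e["src"]))
    flagged = {}
    for user, logins in by_user.items():
        logins.sort()
        for i in range(len(logins)):
            for j in range(i + 1, len(logins)):
                t1, s1 = logins[i]
                t2, s2 = logins[j]
                if t2 - t1 > window:
                    break  # later logins are further away still
                if s1 != s2:
                    flagged.setdefault(user, set()).update({s1, s2})
    return {u: sorted(v) for u, v in flagged.items()}


def report(text):
    """Run both detections over a log and return the findings as one dict."""
    events = parse_log(text)
    return {
        "failure_bursts": find_failure_bursts(events),
        "multi_source_users": find_multi_source_users(events),
    }


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the constructed log the report flags `203.0.113.5` for six failures against `bob` within a minute and `alice` for successful logins from two different addresses 29 minutes apart. Both thresholds are deliberately simple; in practice they would be tuned to the agency's user population and paired with the firewall and SIEM integration the article describes.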

Fallacy: VPNs Are the Only Choice for Federal Agencies

While VPNs remain the most common choice for federal agencies, they don’t guarantee security. “In the past 14 months, we’ve had 14 high-vulnerability alerts,” says Touhill. “These older technologies may pose risks that are not immediately apparent.”

Fortunately, VPNs aren’t the only option for federal organizations. Touhill points to the growing adoption of software-defined perimeters (SDPs). These solutions make it possible for agencies to effectively render internet-connected infrastructure invisible unless users have the correct permissions.

“SDP lets you control all the way down to the data, rather than giving access to the site,” says Touhill. “When users come in, they only see what they’re authorized to see — nothing else.”
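The difference Touhill describes is easiest to see as two access checks side by side: a VPN grants a network, so every host on it becomes reachable, while a software-defined perimeter evaluates each resource against the user's identity, clearance and device posture and shows nothing by default. The following is an added example, not the article's or any SDP product's code; the users, resources, roles and classification labels are all constructed.

```python
"""Contrast network-level (VPN-style) access with per-resource (SDP-style) policy.

Added example, not from the article. Every user, resource and rule here is
constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    name: str
    ip: str
    required_roles: frozenset   # roles allowed to see the resource at all
    classification: str         # "public", "internal" or "restricted"


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    clearance: str              # highest classification the user may access
    device_compliant: bool      # device posture as reported by an agent (assumed)


CLEARANCE_RANK = {"public": 0, "internal": 1, "restricted": 2}

# Constructed inventory on one internal subnet (documentation-style private range).
RESOURCES = [
    Resource("hr-portal", "10.10.1.5", frozenset({"hr"}), "restricted"),
    Resource("wiki", "10.10.1.20", frozenset({"staff", "hr"}), "internal"),
    Resource("db-admin", "10.10.1.40", frozenset({"dba"}), "restricted"),
]


def vpn_reachable(granted_subnet, resource):
    """VPN-style: the tunnel grants a network, so any host on it is reachable
    regardless of who the user is or what the host holds."""
    return ipaddress.ip_address(resource.ip) in ipaddress.ip_network(granted_subnet)


def sdp_authorized(user, resource):
    """SDP-style: deny by default, then require a matching role, sufficient
    clearance for the data classification, and a compliant device."""
    if not user.device_compliant:
        return False
    if not (user.roles & resource.required_roles):
        return False
    return CLEARANCE_RANK[user.clearance] >= CLEARANCE_RANK[resource.classification]


def vpn_visible_resources(granted_subnet, resources=RESOURCES):
    """Everything on the granted network is discoverable."""
    return [r.name for r in resources if vpn_reachable(granted_subnet, r)]


def sdp_visible_resources(user, resources=RESOURCES):
    """Only resources the user is authorized for are even listed."""
    return [r.name for r in resources if sdp_authorized(user, r)]


if __name__ == "__main__":
    alice = User("alice", frozenset({"staff"}), "internal", True)
    print("VPN view :", vpn_visible_resources("10.10.1.0/24"))
    print("SDP view :", sdp_visible_resources(alice))
```

A staff user on a VPN that grants `10.10.1.0/24` can reach all three hosts, including the HR portal and the database console, and can probe them for weaknesses even without credentials; the same user under the per-resource policy is shown only the wiki. Posture matters too: the same account on a non-compliant device sees nothing.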

“Even after the pandemic is over, we’re not necessarily going to return to normal,” he says. “We will still see a more distributed workforce. Federal agencies will want more cost-effective measures to serve the American people.”

This means that despite their challenges, VPNs aren’t going anywhere. While new solutions such as software-defined security are gaining ground, the ease of use offered by virtual private networks makes them a federal mainstay for the foreseeable future. The caveat? Federal agencies need frameworks built on fact — not fallacy — to leverage consistent VPN value.