VPN: not great for everything?
I don’t know if you heard about a high-profile case several years ago related to an ongoing investigation of unauthorized code found in Juniper software. The code acted as a gateway for launching a cyberattack on the devices that worked under it. The report concluded that, most likely, an unauthorized software vulnerability had been placed there on purpose. It was designed to be really difficult to detect. Bloomberg has recently been informed about new facts related to the Juniper case.
Does a VPN make sense?
Why am I writing about this, and how does it relate to the strong authentication that we deal with at Secfense on a daily basis? We observe that in many cases, and especially with the now widespread remote work, companies trying to adapt to the new reality use VPNs to let external employees into their network. This can be dangerous. Although a VPN has a wide range of uses, and letting outsiders into applications is only one of its roles, the Juniper case showed this role to be harmful. If a company decided to put the application outside and just protect it with strong authentication, the attack surface would be much smaller.
When to use VPN?
Conclusion?
Firstly, using a VPN for everything conceivable is not only inefficient but also dangerous. Secondly, stretching it to secure web applications completely contradicts the principles of effective cybersecurity design. Because of various vulnerabilities and backdoors, cybersecurity should be constructed in layers, much like an onion, with diversified security methods.
I encourage you to dive deeper into this and learn more about the zero trust methodology and the easy implementation of strong authentication, which our User Access Security Broker helps with.