Virtual private networks are a ubiquitous tool in the business world, yet most organisations have no clear idea of their associated costs. Many believe expense stops with the purchase of a VPN appliance, but in reality there are many other factors to consider.
Part of the problem of accurately assessing VPN costs lies in the fundamental task that they were designed to perform –connecting authorised users to well-guarded networks in order to access the private, internal applications housed there.
There are a number of issues associated with that task. The first is getting the user to the data centre that will offer the best performance. If your enterprise is operating at scale, that usually means regionally dispersed data centres, but what if a data centre goes down or becomes overloaded? That requires a global server load balancer (GSLB). One could argue that the need for a GSLB is not only due to the VPN, but they certainly front the large deployments required for VPN access.
Also, the biggest issue with VPNs stems from the fact that, just like any other Internet-facing device, they must be listening for an inbound request which opens up a host of security issues. Just like any other outward-facing device, the VPN is vulnerable to Distributed Denial of Service (DDoS) attacks, so many security-minded enterprises place DDoS protection in front of the VPN.
Another issue is firewalls. Many enterprises sandwich their VPN between external firewalls, which take all the traffic from the internet, and an internal firewall to manage access control lists. Then the enterprise may employ another set of load balancers for the resources themselves.
Not only is the price tag high for this stack of devices, there are additional considerations that must be thought through. Just like any stack of disparate appliances, each device views the world through the lens of its specific purpose. That can make service chaining extremely difficult. Also, each data centre must be synched with all the others, multiplying the effort required to maintain a consistent user experience. And the problems only grow as your applications move to the cloud.
There are costs outside the data centre as well. The operating costs for deploying and maintaining VPNs, as well as parts of the components in front of and behind them in the stack, can be considerable. Managing the access control lists in the firewalls, for example, has been difficult enough to keep enterprises from realising the goal of network segmentation, despite acknowledging the need to do so.
There are also challenges on the client side. In fact, much of the move from IPsec to SSL-based VPNs almost 20 years ago was driven by the difficulties that end users faced in installing and operating VPN clients. Not only was there downtime associated with getting users up and running, but there was a very real price tag for the associated helpdesk costs. SSL VPNs solved some problems, but many enterprises have returned to a failover IPsec model to ensure application connectivity.
The largest potential costs, however, come from the security risks posed by users themselves, who are being placed on the data centre network to get application access. Most users don’t understand the implications of such access, and unless they are actually in IT, it’s not reasonable to expect that they ever will.
Users will not understand, for example, the dangers posed by split tunnelling. All they know is that the VPN is slow and if they can avoid using it, they will. Users do not understand, and should not be expected to understand, the ramifications of placing an infected device on an internal network.
Most are completely unaware of damage that could be done if their VPN password fell into the wrong hands. The notion of lateral movement within the data centre from the application users are seeking to access to other apps that are reachable has almost certainly never occurred them. The problem only multiplies when your users are actually business partners or contractors, who many need to access applications owned by a number of their customers.
Can a VPN actually be secured? Theoretically, yes, and enterprises have spent vast sums over the years attempting to do so. In practicality, however, the rise in press-worthy data breaches that can be directly traced to VPN use says no. The new Software Defined Perimeter (SDP) spec, which originated with the Department of Defence “Black Cloud” initiative and is under development by the Cloud Security Alliance, seeks to develop a usable alternative to the VPN.
SDPs grant authenticated users access to authorized applications at Layer 7, instead of the Layer 3 network connection utilised by VPNs. The specification includes provisions for strong authentication and zero trust, as well as ensuring that traffic cannot move laterally from the selected apps to others in the data centre.
As the specification evolves, it may appear to require that the enterprise walk away from an infrastructure investment that has already been made. Such investment may be perceived as a “sunk” cost, making a new option seem unrealistically costly.
The complete picture
In reality, however, the price tag associated with operating VPNs is often much bigger than it initially appears. In comparing the solutions, it may be useful to bear in mind the additional hardware required to secure what is essentially an open Internet port in the form of a VPN. Such hardware must typically be deployed in a redundant configuration for failover.
To get a complete picture of your VPN expenses, all factors must be considered. It's not just a box in a data centre that's involved. It's factors such as load balancing, user behaviour and network security. Adding these factors to the calculation mix will provide you with a much more accurate measure of what your VPN is costing your organisation.