Security and Speed Matter: Why the U.S. Government and Microsoft are Sounding the Alarm about VPNs

The Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security recently published guidance that defines a secure work-from-home (WFH) experience for federal workers at the moment it is needed most. In those new guidelines, CISA’s leadership highlights zero trust access for government agencies that are managing more teleworkers than ever before.

Federal News Network reports the guidelines are aimed at helping to, “relieve the latency of connecting back to agency networks through virtual private networks and to government cloud services, such as Office 365.” In other words, the government is giving agencies a new set of best practices for delivering a fast and secure user experience during the COVID-19 pandemic.

The guidance delivers a stark and much-needed change to remote telework policy. It is the first time the government’s cybersecurity leaders have recommended a zero trust access approach for securely connecting remote users. Zero trust greatly reduces the attack surface by brokering a direct connection between an authorized person and a specific business application through a cloud service such as Zscaler Private Access (ZPA), without ever placing the user on the network. Previous federal policy required remote traffic to be backhauled through the agency network, which significantly slowed the experience for the user and introduced enormous security risk.

A VPN Security Warning to Government and Healthcare

The new government guidance is also a reminder of the diligence required to overcome the cybersecurity dangers posed by VPNs. CISA sounded the alarm about VPN security just a few weeks ago as well, and Microsoft Security recently warned hospitals that use VPNs of an imminent risk of being targeted with ransomware.

I can only urge the government and enterprise operators charged with managing VPNs to follow this expert guidance closely, but it all seems so unnecessary in a world that is moving to the cloud. CISA’s advice on securing VPNs is extensive: apply software patches and security configurations to all VPNs, to the network infrastructure and to every device connecting into the system; ensure your SOC can swiftly monitor, detect, respond to and recover from attacks; implement multi-factor authentication; and test the system’s usage limits so you know how to rate-limit in favor of priority users.

Just reading that list of recommendations would exhaust most of us. As a CIO, it means ensuring that every single device related to the VPN is patched and configured correctly at all times, and you will still have to tell some of your users that they get slower connections so the more ‘important people’ can be faster. Even Cisco has had to ration VPN capacity for its own staff. No company is immune from the fallout of legacy technology.

You Can Work from Home with Speed and Security

It does not have to be this hard. It does not have to be this slow. It does not have to be this insecure. The ancient design of VPNs and legacy firewalls is part of why Zscaler was founded more than 10 years ago—to make it easy for any enterprise user, anywhere, to have fast, secure, reliable connections to the web and their applications hosted in the cloud and data center.

We live in an always-on world. Why would we power this world with technology that is sometimes on and rarely secure? Although I am bewildered by the continued widespread use of VPN technology when we are in a cloud era, I’m hopeful that the government’s acknowledgment of zero trust as a modern approach will mark the beginning of a new era of progress.

Andrew Robinson FREC

Chairman at Paradigm Group of Companies, Magician, Investor, Advisor, Developer & Dad, 5K+Placements Globally

4 years

Interesting article, but having read the reports, both the US Government and Microsoft aren’t specifically sounding the alarm about VPNs. They are sounding the alarm around the security of the VPN and Zero Trust, which is only the same as companies and government bodies would have to do in the physical network. Zero Trust reaches to everyone / thing accessing corporate resources, to every resource or application - no matter where it resides.

Alan Finden

Travel / Stage / Kilimanjaro

4 years

Are we really in the "Cloud Era"? Surely we are in the "Hybrid" era, where the vast majority of enterprises have a mixed estate of on premise, off premise and cloud born apps. Zero Trust reaches to everyone / thing accessing corporate resources, to every resource or application - no matter where it resides.

Jay Chaudhry I agree with you that to optimize and secure network traffic, leverage cloud security platforms. Just as important though is to practice zero trust security at the endpoints, network and data, coupled with policy-driven automation.

Robert Loeb, CISSP

Providing Guidance for Security & Compliance in the Cyber Environment.

4 years

Nicely done. The use of Zscaler allows Critical Infrastructure to operate within a secure environment, compensating for many of the vulnerabilities found in IoT and SCADA support systems. That’s smart.


Jay Chaudhry - Great work from Zscaler!
