I have a confession: I’ve always hated virtual private networks (VPNs). They’ve been popular in tech for a very long time, but to me a VPN always seemed to be a kludge solution… even in the heyday of on-premise computing… now, with it making so much more sense for normal sized churches to leverage cloud computing, I despise them even more. They also tend to be a pain on the user experience front given a lot of them don’t use standard interfaces to actually make their connections. 🤦
I know, that’s all a bit over the top, call it a “pet peeve” if you will, but as one of the early adopters of zero trust alternatives to VPNs, I’ve been calling for their demise for a decade and with each passing year, the alternatives get so much better. So let’s take a quick look at VPNs, why you need to question when an IT professional recommends it, and what your other options are.
What is a VPN?
A Virtual Private Network, or VPN, is a tool that creates a secure and encrypted connection between two networks or a device and a network. For a long time, if you needed access to shared files or an application, you needed a way to have users that were at other locations be able to connect to that network. Modern VPNs are also encrypted to help prevent interception of the communications. Finally, a lot of VPN use is to make it appear that a computer or other device is in a different country; however, this is often not fool-proof due to issues like DNS leakage.
There are still times when you might want to establish a modern VPN. Personally, I limit those to cross-cloud hosting. For example, if your church needed to host some compute resources in Azure, some in AWS, and some on-premise, then you might have a case for setting up a VPN. Similarly, there are some legacy applications that will only work with legacy VPN (which you should really replace 😉 ).
Why VPNs Fall Short
So you are probably saying “that all sounds pretty good actually… why is Isaac so opposed to VPNs?” Well, it’s a legacy solution designed around an antiquated mindset of how users and data should interact and as such has a whole bunch of pitfalls. Here’s the two biggest offenders:
The Illusion of Anonymity
First, let’s look at commercial VPN providers promising anonymity and security… that’s inaccurate. A VPN doesn’t inherently make the internet secure, that’s what SSL and TLS (that ‘S’ in “https”) are for. Sure, it might help fend off someone doing a man-in-the-middle attack on public WiFi, but so do SSL/TLS. Long and short, you really just move the problem up a level instead of solving the problem.
Device Trust vs. Device Security
One critical aspect often overlooked is that VPNs treat devices as trusted solely by virtue of them connecting to the network. However, the devices themselves may be unmanaged and potentially compromised by hackers even before even joining the network. This “device trust” approach poses a significant security risk, basically, if a hacked device connects to your network then you now have a hacker that’s inside the network… which is really bad! 😱
Most of Your Data Should be Cloud Native Now
So, I’ve alluded to this a bit already, but if you can just keep all your data on a cloud native platform like Microsoft 365 by using OneDrive/Teams/SharePoint, then do that and avoid the VPN thing altogether. Similarly, if you can run your apps either in Power Apps or on Azure using your annual $3,500 USD donation then you likely won’t need a VPN or Application Proxy. Keep it simple, especially if you aren’t a huge church.
Why Churches Should Use an Application Proxy Instead of a VPN
So what do you do instead of relying on a VPN? Well, this is where a philosophy and suite of technologies known as “zero trust” come into play. Under a zero trust model, you do not use VPNs, VPN are anathema to zero trust because zero trust does not inherently trust any computer or device connected to the network. Instead, proxies like the Microsoft Azure Proxy should be used if you need to access anything on-premise and anything in the cloud is ideally connected via Single-Sign On (SSO) via an identity provider like Azure AD.
Enhanced Data Protection
By implementing zero trust with application proxies, churches can ensure that only authorized users can access specific resources. This approach reduces the risk of data breaches and unauthorized access due to the granularity it provides, safeguarding sensitive information from potential threats both inside and outside the network. Think of it this way: if you have setup the online based accounting software to use SSO or an Azure Proxy, then you can set the conditional access rule to only allow people from the “accounting” security group to access it and only when they use their church issued computer, and only when that computer has all its updates. You can apply this thinking to anything sensitive.
Assumed Breach Mindset
If you follow a zero trust approach, then you will actually have setup your IT assets to assume that any device in the network could be compromised. This makes pivoting a lot more difficult for hackers and helps limit the damage a hacker can do. This is helpful because, given the amount of cybercrime these days, its more and more likely that someone will compromise a device.
Zero trust relies heavily on multi-factor authentication because every time data is accessed it needs to know that A.) the device is compliant for access the data and B.) the person is authorized to access the data. 2FA confirms both the device and person and makes hacking considerably more difficult. While some VPNs can also use 2FA, it’s not something innate to the design and I am aware of major data breaches at churches due to brute-force password guessing of open VPNs.
So there you have it, if you try to avoid situations in which you would even need a VPN by making full use of cloud donations and you leverage an application proxy for the times where you would have needed a VPN in the past, you can really enhance your church’s security posture. Furthermore, you may also find that you save a lot of money by decreasing reliance on expensive Unified Threat Management (UTM) gateway/firewalls that include VPN licensing. In a zero trust scenario, you don’t usually need anything complicated unless you decide to host something to the broader internet.