Hard Truths about Remote Access Hardware VPNs
2024-7-11 16:9:20 Author: securityboulevard.com

Hardware VPNs are the primary method the enterprise uses to connect the remote workforce, or what we now call the hybrid workforce, to the IT tools that power our digital economy. From enterprise resource planning solutions like SAP down to the legacy point-of-sale solutions hosted on IBM AS400s, the underpinnings of our economy flow through pizza box-sized devices with origins in the 90s. Originally designed to connect employees who may occasionally work from home back to the private data center, these solutions are the primary road in and out of the workplace. While an essential appendage of modern business, they have also become a risk due to the explosion of cybercrime, projected to cost the global economy 10.5 trillion by 2025, according to the analyst firm McKinsey.

What is the concern with hardware VPNs? It’s about their inflexible nature and the code they run on. Just this month, a large, big-box networking vendor and a top “platform” security vendor got called out for vulnerable code. Not just small or medium issues here. They received a full ten on the common vulnerabilities and exposures (CVE) score. While a ten score is elite in sports like ice skating or gymnastics, in the cyber security world, a ten means either fix it now or turn it off. Additionally, since 2021, there have been 314 VPN vulnerabilities discovered on these devices, with an average score of 7.4. Any score above seven is rated as high severity.

Common issues include code execution and injection, denial of service, information disclosure, and, most concerning, privilege escalation.  According to CISA, of these 314 discovered issues, at least 20 are known to be actively exploited. And the situation is not improving. During 2024, the estimate is for a 22% year-on-year increase in reported vulnerabilities.  How did this happen? How can you protect yourself, and most importantly, is there hope the future will be better?  Let’s explore these questions.

How Did We Get Here?

Due to the explosion of networking set off by the advent of the internet, companies sought solutions to connect workers from remote locations. Rather than run the remote VPN gateway on an x86 server in software mode, networking vendors designed dedicated devices to provide this function. They added specialized chips to accelerate encryption and base security functions. The enterprise gobbled them up like candy, and they became ubiquitous within IT data centers. Security became a concern in the mid-2000s. To protect the enterprise, IT folks sandwiched a series of security devices to inspect, detect, and protect traffic flows. The challenge is that each layer of the sandwich was often supplied by a different vendor and, worse, managed by a different functional team. Examples are identity services, network services, IDS protection and firewalls, to name a few. As a result, the IT department needs to care for, feed, and update each aspect of the remote access security sandwich.

As these devices are dedicated to a purpose, each has its own variant of OS or firmware. Additionally, the vendors who supply the solutions consider the firmware “mature.” Therefore, the vendor only provides bug fixes or service updates. As these devices straddle the barrier between the danger of the barbarians of the internet and the relative security of the enterprise corporation, this became a situation where the status quo was “good enough” until it wasn’t. The lack of innovation and vision for the future has put workers and their data at risk. The inflexible nature of single-purpose devices run with rigid code came up against a tsunami of challenges in 2020 when the workers of the world were asked to leave the four walls of the enterprise and work from home.

In March 2020, companies scrambled to either double down on their current hardware-based solutions or consider alternatives better suited to our current decade. These new options do away with hardware and focus on delivering remote access through modern cloud-based architectures. Rather than funneling traffic through the private data center and injecting latency, which slows down line-of-business applications, these new solutions build a series of islands across the internet called points of presence (PoPs). These PoPs live in common meeting areas of the internet and provide acceleration and inspection of business traffic at scale.

Commonly known as security service edge (SSE), this framework is built on zero-trust architecture, which means least privilege.  Only allow the traffic required to perform a duty.  Nothing more, nothing less. The advantage of this framework, as it is fully software-based, is it does not have the limitations of our hardware past.  If an update is needed, it can be applied at internet time.  If there is a new feature, you don’t need to wait until the next hardware model is available.  The development cycle is Agile, not Waterfall.  Currently, only 20% of enterprises have moved to this model. The analyst firm Gartner expects 70% of new remote access deployments will be based on this new SSE model by 2025.

Working remotely is here to stay.  The hard truth is we need to transition off the hardware-based approaches of the past and move to a cloud-based model for connecting the remote worker to the digital enterprise. Hardware is hard, rigid, and lacks innovation, and as a result, it is an easy target for bad cyber actors.  The new solutions based on SSE and zero-trust are the future path.  Adaptable, fast, and continuously evolving to meet our modern-day threat landscape while delivering high performance to move the enterprise forward.  If you are not looking to migrate to SSE and zero-trust, start today.


Source: https://securityboulevard.com/2024/07/hard-truths-about-remote-access-hardware-vpns/