Why you still have a VPN in 2020

Many organisations are today able to access their email, corporate video conferencing and other services while mobile and without being connected to their company VPN endpoint.

Universal access over the Internet – on IPv4 and IPv6 – working seamlessly wherever you are to these services just works. It’s liberating, and no one is jumping up and down asking about the firewall, VPN.

Key amongst the platforms being used to give this is Microsoft Office 365 and its various platforms.

So why do you still have a corporate VPN? Why does your existing corporate IT services require you to jump through hoops to access it?

Let me be direct: your corporate strategy on security is based around lowest cost, lowest effort. This budget approach also means the least amount of work for the technology staff who operate these services for your organisation.

Office365, Salesforce, and a slew of other universally-just-works over the Internet solutions have something that the bespoke solutions you have in-house do not: funding to operate as such.

The main premise when you make services available over the internet is a commitment to do several things from an operational perspective:

  1. Support newer encryption protocols (TLS) over time, and remove older encryption protocols (TLS) over time
  2. Add new encryption ciphers over time, and remove older encryption ciphers over time
  3. Use federated sign-on (single sign-on)
  4. Maintain (update) the single sign on service over time, with continual uplift (eg, introduce MFA)
  5. Examine logs and look for anomalies in access, and then automatically lock out a user, and iterate improvements into the application

Your organisation probably does not do this. Your company’s IT operations team probably “keep the lights on”, ensuring the currently deployed application is responsive, poking it with a stick to ensure it moved. They probably didn’t uplift to TLS 1.3 in the last 2 years, and they probably haven’t removed TLS 1.1 and below.

And while they collect application logs, any review is probably pretty basic.


Doing so requires time, training, effort, experience and knowledge. Until you have a 24×7 DevOps team able to turn on a dime, a CISO who represents the security risk and operational response to the board, and a few other tell-tale signs, then your organisation is not ready.

All of the above requires a strong vision, strong senior leadership fro the top, and a strong funding model that prioritises the digital security of the company.

A traditional VPN means there is a controlled ingress point (in theory) as a single point to protect. Here you need to have the focus on encryption and authentication, but quite often most organisations just deploy a firmware on a device, install an initial config, and leave a device for years.

I’ve seen some MSPs deploy minor version updates on their security endpoints, but never adopt the major version updates they are entitled to, despite the customer paying support for the major upgrades. And still, when the major version upgrades were installed, the config was not adjusted to enable newer capabilities, or disable outdated options.

So, next time you have to VPN in to the company, ask yourself: why? Why are spending money on expensive bottlenecks that slow you down, instead of mature operations? The value proposition isn’t there. Budget. Focus. Leadership.