Cyxtera Blog: Appgate

Written by Christopher Scheels on June 27, 2019

Is Your VPN Complexity Slowing Progress?

VPN policy management is complex and time consuming, often requiring a significant number of resources to manage. Empower your organization to efficiently move forward by adopting a Software-Defined Perimeter.


In a previous post on insecure VPNs, we asked the question “should User X have access to the production server?” The answer was “it depends.” Whereas technologies rooted in Zero Trust, like Software-Defined Perimeters (SDP), can handle this question with dynamic controls, VPNs simply cannot.

VPN Complex Policy Management Slows Progress

When administrators set policies for their VPNs, they end up in one of two problematic situations: the policies are set for broad access to the network, or they are too restrictive and prohibit some users from gaining access to resources they actually need. It is a challenging choice between broad, open policies that introduce significant security risks or restrictive policies in which admins must spend valuable time manually providing or “fixing” access. Remember: strict access requires a proliferation of rules to be managed, maintained, and audited.

Worse yet, as VPNs are used across on-premises and now cloud environments, managing access based on static IP addresses is also not very effective. As new IP addresses are assigned dynamically by the cloud provider, the existing VPN policies must be reassigned to the new addresses, or new rules written. This once again gives admins the time-consuming task of applying and deciphering overbearing sets of VPN rules.

Furthermore, most organizations will deploy firewall rules alongside the VPN. The firewalls will be deployed in front of, co-located with, or behind the VPN server. Firewalls are often configured and forgotten, as any deviation usually requires a significant change ticket. All of this adds another layer of complexity to an already insecure technology.

Overall, VPN policy management introduces too much complexity requiring significant resources to manage—resources that are not always managed by the same team and whose overuse serves only to erode progress.

Abandon VPN, Embrace Change

Change requires moving on from the past and embracing the present. For telco, change meant replacing the switchboard with automated systems to handle the influx of required connections. For cybersecurity, it is simplifying VPN access to enable progress and innovation by removing layers of unnecessary complexity. Businesses can then implement new ways of working from rapid application development to cloud adoption, helping drive competitive advantages.

The Software-Defined Perimeter is the modern security architecture that replaces VPNs and enables business transformation by implementing the principles of Zero Trust. By applying Zero Trust, it enables cloud adoption and focuses on the user’s identity rather than the IP address, providing a more secure alternative to the VPN that does not require manual intervention to manage policies and access requests.

The dynamic policies used within an SDP remove the need for resource-intensive management. Solutions like AppGate SDP dynamically look at what a user is doing at any point in time and adjust access based on agreed rules. AppGate SDP’s programmable architecture allows it to seamlessly scale with new cloud or on-prem deployments, and its API integrations enable process automation unachievable with VPNs.

Datadog Embraces DevSecOps to Innovate Faster

Datadog understood the importance of progression in cybersecurity for the success of their organization and replaced their legacy solutions with a Zero Trust model that gave them full visibility and control, leaving behind the manual hassle and complexity of the VPN.

With their highly automated DevSecOps process, Datadog needed a simplified, cohesive platform to manage user access. Previously, the company relied on traditional VPNs and jump hosts, which left an unacceptable level of risk and provided an unsatisfactory user experience. With AppGate SDP, Datadog automatically grants access by creating an encrypted AppGate SDP “segment of one” network connection between each developer and the resources they are entitled to use. AppGate SDP supports Datadog’s rapidly changing DevSecOps environment, allowing flexible network access patterns that support rapid application development.

“AppGate was able to address our requirements around segmentation, performance, and user experience while aligning with our DevSecOps philosophy”, said Datadog Chief Security Officer Andrew Becherer. “This is especially important to Datadog as we continue to rapidly expand our user count over the next couple of years.”

The Definitive Guide to a Software-Defined Perimeter

Get the Definitive Guide to a Software-Defined Perimeter to learn how SDP overcomes VPN complexity to enable businesses to innovate and compete in today’s world.