
Is Enterprise VPN on Life Support or Ripe for Reinvention?

While enterprise VPNs fill a vital role for business, they have several limitations that impact their usability and cybersecurity


Overnight, remote work evolved from a rarely used ‘perk’ with separately managed security and compliance processes, to becoming the center for keeping business running during the pandemic. To get work-from-anywhere initiatives off the ground quickly and keep their business afloat, many organizations turned to enterprise virtual private networks (VPNs). This allowed them to connect their remote employees to critical business operations at the corporate site.

However, as fast as VPNs were deployed, organizations learned their limitations and security risks. While acceptable under the unique conditions created by COVID-19, VPNs’ shortcomings have exposed the technology as being out of step with the new realities of the cloud and the anywhere workforce era. So are traditional VPNs really “dead” as some industry analysts and pundits claim? Or do they simply need a refresh akin to the introduction of next-gen firewalls? 

Enterprise VPNs encrypt and tunnel traffic to a VPN server, which typically resides within the main secure corporate network. The tunnel connects employee devices to the enterprise network as if they were on-premises — providing secure access to all of the organization’s resources.

VPN Limitations and Security Risks

While enterprise VPNs fill a vital role for the modern business, they have several limitations that impact their usability and corporate cybersecurity, including:

• Limited scalability and management complexity – A major VPN disadvantage that quickly emerged as part of the rushed COVID-19 build-out is its lack of scalability. Adding more VPN concentrators and appliances to minimize VPN overload issues leads to increasing network complexity and additional maintenance expenditure.

• End user friction – Typically, users who need to access the corporate network are used to thinking of a VPN as a cumbersome, unreliable way of getting remote access. Application disruptions that require frequent manual restarts and reconnection to the network, or at minimum re-authentication, are very common experiences that hurt user productivity and adoption.


• Endpoint vulnerabilities – Endpoints that have legitimate access to the VPN can sometimes be compromised via phishing and other cyberattacks. Since the endpoint, once authenticated, has full access to the corporate resources via the VPN, so does the cyber adversary who has compromised the endpoint.

• Excessive and implicit trust – One of the biggest disadvantages of VPNs is that they implicitly trust all users and connections. VPNs rely on a set of credentials that allow authenticated users to access corporate data and applications from any location. That’s great in theory, but in practice if an attacker manages to get those credentials, they have almost unfettered (and often unnoticed) access to exploit any of an organization’s network resources and applications.

VPNs are dead. Long live next-gen VPN.

In today’s perimeter-less environment, security practitioners can no longer assume implicit trust among applications, users, devices, services, and networks. That’s why many organizations have started to embrace a Zero Trust approach and are considering augmenting their conventional network access security concepts with Zero Trust Network Access (ZTNA) solutions. Does ZTNA sound the death knell for enterprise VPNs? Or is ZTNA the natural next-gen evolution of legacy VPNs? As a comparison, next-gen firewalls provide additional layers of security to protect against more sophisticated threats. For example, they go beyond the static inspection used by traditional firewalls and offer application-level control.

ZTNA solutions meanwhile provide additional layers of security by creating identity- and context-based, logical access boundaries around an application or a set of applications. Access is granted to users based on a broad set of factors, for instance, the device being used, as well as other attributes such as the device posture (e.g., if anti-malware is present and functioning), time/date of the access request, and geolocation. Upon assessing these contextual attributes, ZTNA solutions then dynamically allow the appropriate level of access at that specific time. As there is a constant change in the risk levels of users, devices, and applications, access decisions are made for each individual access request.
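To make the contrast concrete, here is an added example (not code from the article or from any ZTNA product) of a per-request access decision that weighs the contextual attributes described above against a per-application policy, alongside the legacy VPN rule of "valid credentials mean full access". The policy table, attribute names and access levels are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class AccessRequest:
    """Context gathered for one access request (constructed attributes)."""
    user: str
    authenticated: bool        # credentials verified by the identity provider
    device_managed: bool       # device enrolled in corporate management
    antimalware_running: bool  # device posture: anti-malware present and functioning
    country: str               # ISO country code from geolocation
    hour: int                  # local hour of the request, 0-23
    application: str


# Hypothetical per-application policy table. None means "no restriction".
POLICY = {
    "payroll": {"countries": {"US", "DE"}, "hours": (7, 19), "require_managed": True},
    "wiki":    {"countries": None,         "hours": None,    "require_managed": False},
}


def vpn_decision(req: AccessRequest) -> str:
    """Legacy VPN model: valid credentials imply full network access."""
    return "full" if req.authenticated else "deny"


def ztna_decision(req: AccessRequest) -> str:
    """ZTNA model: evaluate identity plus device, time and location context for
    each request and each application; return 'full', 'read-only' or 'deny'."""
    if not req.authenticated:
        return "deny"
    rule = POLICY.get(req.application)
    if rule is None:
        return "deny"                      # default deny: unlisted apps are unreachable
    if rule["require_managed"] and not req.device_managed:
        return "deny"                      # unmanaged device may not reach this app
    if rule["countries"] and req.country not in rule["countries"]:
        return "deny"
    if rule["hours"]:
        start, end = rule["hours"]
        if not start <= req.hour <= end:
            return "deny"
    if not req.antimalware_running:
        return "read-only"                 # degraded posture: reduced, not blocked
    return "full"


def compare(req: AccessRequest) -> dict:
    """Return both models' decisions for the same request."""
    return {"vpn": vpn_decision(req), "ztna": ztna_decision(req)}


if __name__ == "__main__":
    # Same valid credentials, but from an unmanaged device abroad at 3 a.m.
    stolen = AccessRequest("alice", True, False, False, "XX", 3, "payroll")
    print(compare(stolen))                 # {'vpn': 'full', 'ztna': 'deny'}
```

The stolen-credential case in `main` is the one the article's "excessive and implicit trust" bullet describes: the VPN rule grants full access on credentials alone, while the context-based rule denies it.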

Some ZTNA solutions add advanced capabilities such as resilient agent technology to assure that the application itself always functions as intended; network resilience technology that assures resilient tunnel and network sessions to actively improve the employee experience; and diagnostics and experience monitoring to proactively remediate end user performance issues quickly and at scale.

Conclusion

Traditional VPNs aren’t dead, but they are likely to be phased out in favor of more flexible, scalable next-gen VPNs, or ZTNA. These will provide organizations the best of both worlds: protection on any device and any network, with an on-demand VPN connection back to the enterprise that can be deployed whenever it’s needed.

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).
