SecurityWeek

Network Security

Is Enterprise VPN on Life Support or Ripe for Reinvention?

While enterprise VPNs fill a vital role for business, they have several limitations that impact their usability and cybersecurity

Overnight, remote work evolved from a rarely used ‘perk’ with separately managed security and compliance processes, to becoming the center for keeping business running during the pandemic. To get work-from-anywhere initiatives off the ground quickly and keep their business afloat, many organizations turned to enterprise virtual private networks (VPNs). This allowed them to connect their remote employees to critical business operations at the corporate site.

However, as fast as VPNs were deployed, organizations learned their limitations and security risks. While acceptable under the unique conditions created by COVID-19, VPNs’ shortcomings have exposed the technology as being out of step with the new realities of the cloud and the anywhere workforce era. So are traditional VPNs really “dead” as some industry analysts and pundits claim? Or do they simply need a refresh akin to the introduction of next-gen firewalls? 

Enterprise VPNs encrypt and tunnel traffic to a VPN server (or concentrator), which typically resides within the main corporate network. The tunnel connects employee devices to the enterprise network as if they were on-premises, providing secure access to all of the organization's resources; access is gated once, at tunnel setup, and anything reachable on the network behind the concentrator is reachable through the tunnel.

VPN Limitations and Security Risks

While enterprise VPNs fill a vital role for the modern business, they have several limitations that impact their usability and corporate cybersecurity, including:

• Limited scalability and management complexity – A major VPN disadvantage that quickly emerged from the rushed COVID-19 build-out is its lack of scalability. Adding more VPN concentrators and appliances to relieve overloaded tunnels increases network complexity and maintenance expenditure, and every additional concentrator is another Internet-facing device to patch.

• End user friction – Users who need to reach the corporate network typically think of a VPN as a cumbersome, unreliable way of getting remote access. Application disruptions that require frequent manual restarts and reconnection to the network, or at minimum re-authentication, are very common experiences that hurt productivity and adoption.

• Endpoint vulnerabilities – Endpoints that have legitimate access to the VPN can be compromised via phishing and other attacks. Once authenticated, the endpoint has full access to corporate resources via the VPN, and so does the adversary who has compromised it; the tunnel carries the attacker's traffic with the same trust it grants the user's.

• Excessive and implicit trust – One of the biggest disadvantages of VPNs is that they implicitly trust every authenticated user and connection. VPNs rely on a set of credentials that allow authenticated users to access corporate data and applications from any location. That is fine in theory, but in practice an attacker who obtains those credentials gains almost unfettered (and often unnoticed) access to any of the organization's network resources and applications, because the VPN makes a single network-level decision rather than a per-application one.

VPNs are dead. Long live next-gen VPN.

In today's perimeter-less environment, security practitioners can no longer assume implicit trust among applications, users, devices, services, and networks. That is why many organizations have started to embrace a Zero Trust approach and are considering augmenting their conventional network access security with Zero Trust Network Access (ZTNA) solutions. Does ZTNA sound the death knell for enterprise VPNs? Or is ZTNA the natural next-gen evolution of legacy VPNs? As a comparison, next-gen firewalls provide additional layers of security to protect against more sophisticated threats: they go beyond the port- and protocol-based inspection of traditional firewalls and offer application-level control.

ZTNA solutions, meanwhile, provide additional layers of security by creating identity- and context-based logical access boundaries around an application or a set of applications rather than around the network. Access is granted to users based on a broad set of factors: the identity of the user, the device being used, the device posture (e.g., whether anti-malware is present and functioning), the time and date of the access request, and geolocation. After assessing these contextual attributes, the ZTNA solution dynamically allows the appropriate level of access to that application at that specific time. Because the risk levels of users, devices, and applications change constantly, the decision is made afresh for each individual access request instead of once at tunnel setup.
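The following is an added illustration, not code from the article or from any vendor mentioned in it. It contrasts the two access models described above: a VPN-style decision that checks a credential once and then exposes every application behind the concentrator, and a ZTNA-style decision that evaluates identity plus device posture, geolocation and time for one application per request. The directory, the per-application policy table, and the sample requests (including the "stolen credential" scenario) are all constructed for the example and are not from the page.

```python
"""Added example: VPN-style versus ZTNA-style access decisions.

Everything here is constructed for illustration: the user directory,
the per-application policy and the sample requests are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccessRequest:
    """One access request carrying the contextual attributes the text lists."""
    user: str
    app: str
    device_managed: bool        # corporate-managed endpoint?
    antimalware_running: bool   # device posture signal
    country: str                # geolocation of the request
    when: datetime              # time/date of the request
    credentials_valid: bool = True


# Constructed directory and per-application policy (hypothetical values).
GROUPS = {"alice": {"hr"}, "bob": {"eng"}}

POLICY = {
    # app: entitled groups, allowed countries (None = any), hours [start, end), managed-device-only
    "hr-portal": {"groups": {"hr"}, "countries": {"US", "DE"}, "hours": (7, 20), "managed_only": True},
    "wiki":      {"groups": {"hr", "eng"}, "countries": None, "hours": None, "managed_only": False},
    "prod-db":   {"groups": {"eng"}, "countries": {"US"}, "hours": None, "managed_only": True},
}


def vpn_decision(req: AccessRequest) -> set[str]:
    """Legacy VPN model: a single credential check at tunnel setup, after which
    every application on the network is reachable. Context is never consulted,
    so a replayed stolen credential yields the full set."""
    return set(POLICY) if req.credentials_valid else set()


def ztna_decision(req: AccessRequest) -> tuple[bool, str]:
    """ZTNA-style model: identity AND context are evaluated for the single
    application named in the request; no other application becomes reachable.
    Returns (allowed, reason) so a denial is explainable in logs."""
    if not req.credentials_valid:
        return False, "authentication failed"
    rule = POLICY.get(req.app)
    if rule is None:
        return False, f"unknown application {req.app!r}"
    if not GROUPS.get(req.user, set()) & rule["groups"]:
        return False, "identity not entitled to application"
    if rule["managed_only"] and not req.device_managed:
        return False, "unmanaged device"
    if not req.antimalware_running:
        return False, "device posture: anti-malware not running"
    if rule["countries"] is not None and req.country not in rule["countries"]:
        return False, f"geolocation {req.country} not permitted"
    if rule["hours"] is not None:
        start, end = rule["hours"]
        if not start <= req.when.hour < end:
            return False, "outside permitted hours"
    return True, "allowed for this request only"


def compare(req: AccessRequest) -> dict:
    """Show what each model would expose for the same request."""
    return {"vpn_reachable": sorted(vpn_decision(req)), "ztna": ztna_decision(req)}


if __name__ == "__main__":
    # Constructed scenario: alice's password is phished and replayed from an
    # unmanaged laptop in an unexpected country ("XX" is a placeholder) at night.
    stolen = AccessRequest("alice", "hr-portal", device_managed=False,
                           antimalware_running=False, country="XX",
                           when=datetime(2023, 3, 1, 2, 30))
    print("stolen credential:", compare(stolen))

    legit = AccessRequest("alice", "hr-portal", device_managed=True,
                          antimalware_running=True, country="US",
                          when=datetime(2023, 3, 1, 10, 0))
    print("legitimate request:", compare(legit))
```

The point of the comparison is the shape of the decision, not the particular attributes: `vpn_decision` answers "is this credential valid?" once and returns the whole network, while `ztna_decision` is called per application and per request and can fail on any one contextual signal. A real deployment would pull group membership and posture from an identity provider and an endpoint agent rather than from in-memory tables.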

Some ZTNA solutions add further capabilities: resilient agent technology that ensures the client itself keeps functioning as intended; network resilience technology that keeps tunnels and network sessions alive to improve the employee experience; and diagnostics and experience monitoring that let administrators remediate end user performance issues quickly and at scale.

Conclusion

Traditional VPNs aren't dead, but they are likely to be phased out in favor of more flexible, scalable next-gen VPNs or ZTNA. These offer organizations the best of both worlds: protection on any device and any network, with a tunnel back to the enterprise established on demand only when it is needed, rather than a standing connection that exposes the whole network.

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).
