While enterprise VPNs fill a vital role for business, they have several limitations that impact their usability and cybersecurity
Overnight, remote work went from a rarely used perk with separately managed security and compliance processes to the center of keeping business running during the pandemic. To get work-from-anywhere initiatives off the ground quickly and keep their business afloat, many organizations turned to enterprise virtual private networks (VPNs), which connected their remote employees to critical business operations at the corporate site.
However, as fast as VPNs were deployed, organizations learned their limitations and security risks. While acceptable under the unique conditions created by COVID-19, VPNs’ shortcomings have exposed the technology as being out of step with the new realities of the cloud and the anywhere workforce era. So are traditional VPNs really “dead” as some industry analysts and pundits claim? Or do they simply need a refresh akin to the introduction of next-gen firewalls?
Enterprise VPNs encrypt and tunnel traffic to a VPN server (concentrator), which typically resides within the main secure corporate network. The tunnel connects employee devices to the enterprise network as if they were on-premises, providing network-level access to all of the organization’s internal resources. That network-level reach is the root of most of the security concerns discussed below.
VPN Limitations and Security Risks
While enterprise VPNs fill a vital role for the modern business, they have several limitations that impact their usability and corporate cybersecurity, including:
• Limited scalability and management complexity – A major VPN disadvantage that quickly emerged during the rushed COVID-19 build-out is its lack of scalability. Adding more VPN concentrators and appliances to relieve overloaded gateways increases network complexity and maintenance expenditure.
• End user friction – Users who need to reach the corporate network often regard the VPN as a cumbersome, unreliable way of getting remote access. Application disruptions that require manual restarts and reconnection to the network, or at minimum re-authentication, are common experiences that hurt productivity and adoption.
• Endpoint vulnerabilities – Endpoints that have legitimate access to the VPN can be compromised via phishing and other cyberattacks. Because an authenticated endpoint has full access to corporate resources through the VPN, so does the adversary who has compromised that endpoint.
• Excessive and implicit trust – One of the biggest disadvantages of VPNs is that they implicitly trust every authenticated user and connection. VPNs rely on a set of credentials that allow authenticated users to reach corporate data and applications from any location. That is fine in theory, but in practice an attacker who obtains those credentials gains almost unfettered (and often unnoticed) access to any of the organization’s network resources and applications, because the VPN makes no further access decision once the tunnel is up.
VPNs are dead. Long live next-gen VPN.
In today’s perimeter-less environment, security practitioners can no longer assume implicit trust among applications, users, devices, services, and networks. That’s why many organizations have started to embrace a Zero Trust approach and are considering augmenting their conventional network access security concepts with Zero Trust Network Access (ZTNA) solutions. Does ZTNA sound the death knell for enterprise VPNs? Or is ZTNA the natural next-gen evolution of legacy VPNs? As a comparison, next-gen firewalls provide additional layers of security to protect against more sophisticated threats. For example, they go beyond the static inspection used by traditional firewalls and offer application-level control.
ZTNA solutions, meanwhile, provide additional layers of security by creating identity- and context-based logical access boundaries around an application or a set of applications. Access is granted to users based on a broad set of factors: the device being used, its posture (e.g., whether anti-malware is present and functioning), the time and date of the access request, and geolocation. After assessing these contextual attributes, ZTNA solutions dynamically allow the appropriate level of access for that specific application at that specific time. Because the risk levels of users, devices, and applications change constantly, the decision is made afresh for each individual access request rather than once at login, and a failed check denies access to that application only rather than to the whole network.
Some ZTNA solutions add advanced capabilities such as resilient agent technology to ensure that the agent itself keeps functioning as intended; network resilience technology that maintains tunnel and network sessions to improve the employee experience; and diagnostics and experience monitoring to remediate end user performance issues quickly and at scale.
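The contrast between the VPN’s one-time credential check (the “implicit trust” point above) and ZTNA’s per-request, per-application, context-based decision is easier to see in code. The following is an added illustration written for this article, not a vendor’s product logic: the policy table, group membership, attribute names (device_managed, antimalware_running, country, when) and the sample requests are all constructed for the example.

```python
"""Added example: a minimal per-request access-policy evaluator contrasting
VPN-style network-level trust with a ZTNA-style identity- and context-based
decision. Policy, groups and sample requests are constructed, not real data."""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass
class Request:
    user: str
    app: str                 # the application being requested
    device_managed: bool     # is the device enrolled in corporate management?
    antimalware_running: bool
    country: str             # geolocation of the request
    when: datetime           # time of the request


def vpn_decision(req: Request, valid_creds: bool) -> str:
    """VPN model: authenticate once, then the session reaches every resource
    on the corporate network. The only input that matters is the credential."""
    return "allow-network" if valid_creds else "deny"


# ZTNA-style policy: one rule per application, each with contextual requirements.
POLICY = {
    "payroll": {"groups": {"finance"}, "require_managed": True,
                "require_antimalware": True, "allowed_countries": {"US", "DE"},
                "hours": (time(7), time(20))},
    "wiki": {"groups": {"staff", "finance"}, "require_managed": False,
             "require_antimalware": True, "allowed_countries": None,
             "hours": None},
}
GROUPS = {"alice": {"staff", "finance"}, "bob": {"staff"}}


def ztna_decision(req: Request, valid_creds: bool) -> tuple[str, list[str]]:
    """Returns (verdict, reasons). Evaluated on every request; any failed
    contextual check denies access to that one application, not the network."""
    if not valid_creds:
        return "deny", ["invalid credentials"]
    rule = POLICY.get(req.app)
    if rule is None:
        return "deny", ["unknown application: default deny"]
    reasons = []
    if not (GROUPS.get(req.user, set()) & rule["groups"]):
        reasons.append("user not in an authorized group")
    if rule["require_managed"] and not req.device_managed:
        reasons.append("unmanaged device")
    if rule["require_antimalware"] and not req.antimalware_running:
        reasons.append("anti-malware not running")
    if rule["allowed_countries"] and req.country not in rule["allowed_countries"]:
        reasons.append(f"geolocation {req.country} not permitted")
    if rule["hours"]:
        start, end = rule["hours"]
        if not (start <= req.when.time() <= end):
            reasons.append("outside permitted hours")
    if reasons:
        return "deny", reasons
    return f"allow:{req.app}", ["all checks passed"]


# Constructed scenarios. Stolen credentials for alice used from an unmanaged
# device in an unexpected country at 03:15: the VPN lets the attacker onto the
# whole network, the ZTNA policy denies and explains why.
STOLEN_CREDS = Request("alice", "payroll", False, False, "RU", datetime(2024, 3, 1, 3, 15))
# alice's normal request from a healthy managed laptop during business hours.
NORMAL = Request("alice", "payroll", True, True, "US", datetime(2024, 3, 1, 10, 0))
# bob is staff but not finance: per-app scoping keeps him out of payroll even
# though every contextual check passes.
BOB_PAYROLL = Request("bob", "payroll", True, True, "US", datetime(2024, 3, 1, 10, 0))

if __name__ == "__main__":
    for label, req in [("stolen", STOLEN_CREDS), ("normal", NORMAL), ("bob", BOB_PAYROLL)]:
        print(label, "VPN:", vpn_decision(req, True), "ZTNA:", ztna_decision(req, True))
```

Note the limit this exposes as well: a compromised endpoint that still passes posture checks (managed, anti-malware running) would receive the same per-application grant as its legitimate user, so posture checks reduce the blast radius to the applications that user is entitled to rather than eliminating the endpoint-compromise risk described above.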
Traditional VPNs aren’t dead, but they are likely to be phased out in favor of more flexible, scalable next-gen VPNs, or ZTNA. These offer organizations the best of both worlds: protection on any device and any network, with an on-demand VPN connection back to the enterprise whenever one is needed.