Updated April 13, 2023. Originally published January 21, 2021.
Looking back, the early days of the COVID-19 pandemic may have been the “golden age” of the Virtual Private Network (VPN). Organizations around the world needed a solution to enable employees and third-party users (think contractors, vendors, etc.) to work from home and maintain business continuity. VPNs, which in many instances were already in use in a more limited capacity, were called into action.
But paradoxically, the rapid and widespread elevation of VPNs as a business-critical remote access tool quickly revealed a laundry list of serious problems with VPNs. Not only can VPNs be vulnerable to cyberattacks (just recall the August 2020 incident in which cybercriminals succeeded in gaining access to nearly 1,000 Pulse Secure VPN servers), they also cause a major drag on productivity and can limit business operations.
This blog will examine five of the main problems with VPNs and explore the benefits of augmenting or replacing your VPN connection with zero-trust access.
Perimeter-based network security was a mostly sufficient solution when employees worked from corporate offices, global connectivity was scarce, and cyberattacks were less advanced. Today, modern businesses are likely to employ both remote and hybrid workers, need to continuously communicate with people all around the globe, and require multiple types of networks and connections in order to operate at peak effectiveness. This growing level of sophistication on the business side is mirrored by a growing sophistication on the side of cyberattackers, who use ransomware and other attack methods to wreak havoc across industries.
It’s not an overstatement to say that today’s corporate networks are constantly under attack. Merely attempting to block the network entry point is no longer enough to prevent dangerous outcomes. VPNs in particular can be a critical point of failure for companies’ network security, as incidents like the 2021 NordVPN breach demonstrate. This is because VPNs tunnel users directly into networks, meaning that if attackers can gain access to your VPN, they essentially get a key to all the locks in your digital house. They can then proceed to install ransomware and other forms of malware to steal or destroy your company’s data and severely disrupt your business.
So, what are VPN-dependent companies to do? Many are realizing that zero-trust access is a more secure option that can complement or even replace the VPN. Beyond the initial verification that VPNs also conduct, zero-trust access solutions ensure that users and devices are continuously authenticated each time they attempt to access systems, applications or assets. Additionally, in the zero-trust model, users are delivered directly to the systems or applications they have authorization for and are never given full network access. This prevents the type of lateral movement that attackers (or malicious employees) often perform after achieving access via a VPN.
Slow loading times, systems getting stuck, and long connection waits are common occurrences for employees connecting from home (or elsewhere) through a VPN. This is a result of the network latency introduced when all traffic is routed through a data center that then encrypts it. The concentration point becomes a bottleneck, as it may not be scaled to handle today’s volume of concurrent connections. Modern businesses require faster, more agile communication, especially given the significant rise in remote work opportunities.
In contrast to VPNs, zero-trust access solutions like Cyolo operate within the company’s network and can even be deployed over the public internet. This offers employees a smoother, more efficient connection than is possible with VPNs and can lead to fewer headaches for remote workers and greater productivity overall.
Scaling your business with a VPN can be done, but it’s a bulky process that eats up a lot of time and resources. You need more bandwidth, more security measures, and more VPN terminators to even start thinking about proper scaling. Still, it’s easy to think this isn’t much of a problem if you don’t hire new employees very often. After all, there’s no need to scale if there’s no growth, right?
Wrong. Scaling isn’t just about growing a team. It’s also about enabling more connectivity options like remote work, new third-party suppliers, and new devices, among others. Anytime you need to securely onboard a new connection to your VPN, you’ll need to invest in a lot of resources to do so.
A primarily cloud-based solution like zero trust efficiently scales like other SaaS solutions. All you need to do is add a user or device to the policy, and you’re good to go. Cyolo even enables this through a web-based UI. As a result, scaling – or even mass onboarding after an M&A – becomes practically painless for IT and security teams.
Suppliers and partners are vital to the success of most businesses, but to do their work well they require network connectivity and access. As noted above, accomplishing this with VPNs can be incredibly resource-intensive. Additionally, not all employees on the supplier side will agree to having a VPN client installed on their devices. This can limit who you do business with and hurt your company’s bottom line as a result.
Using VPNs to support third-party connectivity can also cause serious security issues, for reasons similar to those we’ve already outlined. However, the risk with third parties is even greater because individuals you have not personally vetted may be accessing your business-critical systems, applications, and assets. Beyond the possibility of someone with malicious intent gaining full network access as a third-party user, contractors who aren’t familiar with your organization’s security best practices could easily make a mistake that proves disastrous.
Whereas VPNs must be installed or downloaded as agents, secure zero-trust access can be set up remotely by your IT or security team with only a few clicks to add new users to the correct policies. Significantly, zero-trust access requires no installation on the supplier side, allowing you the flexibility to work with any partner you choose. And equally important, zero trust makes it easy to enforce just-in-time (JIT) access for third parties and then rescind all access when a contract ends.
Zero trust also lowers the security risk of allowing suppliers and partners access to your systems, as every access attempt requires user authentication. This means that even if you aren’t able to vet every single user on your network, the chances of an attacker successfully infiltrating through a third party are substantially reduced.
One of the lasting effects of the COVID-19 pandemic has been the solidification of remote work as a viable option for employees and employers alike. VPNs were built to enable the odd connection from home and were never intended to handle the load of an entire workforce all operating outside the office.
Zero trust, on the other hand, enables secure access and connectivity for all users and resources, regardless of their location. Whether users are working from the public library, the local coffee shop, or the comfort of their own bedroom, zero-trust access will ensure the security of your company’s assets and keep your data safe. Additionally, zero-trust access applies the same level of security controls (and experience) to onsite workers. This level of security makes zero trust an ideal security framework for every type of work.
While VPNs retain some limited business use cases, relying exclusively on them for secure remote access is bound to cause problems. With zero-trust access, organizations can ensure secure connectivity for users while remaining agile enough to cope with the increasingly complex demands of the modern business ecosystem. Whether you currently use a VPN and want to augment its security capabilities or you’re seeking to fully replace your VPN, zero-trust access might be exactly what you’re looking for.
Eran Shmuely is the Chief Architect and Co-Founder of Cyolo. Prior to Cyolo, Eran was the Senior Security Engineer at Salesforce and the Open-Source Security Research Leader at GE Digital.