2020 Was the Year of the Great VPN Comeback, or Was It?

For much of 2020, enterprise VPNs underwent a resurgence due to the proliferation of remote work initiated by the COVID-19 pandemic. Once denounced as a “dying” technology that would cease to exist in a post-digital transformation world, enterprise VPN usage surged by 87% at a time when organizations desperately needed a proven way to keep their increasingly decentralized workforce efficient, productive and secure.

However, a series of recent cyber breaches have reignited the debate about the inherent vulnerabilities of VPNs. Earlier this year, the cybersecurity firm CrowdStrike identified an Iranian hacking group exploiting VPN vulnerabilities and selling credentials on the Dark Web. This news followed the revelation of a code execution bug that threatened unpatched Pulse Secure VPNs. Other problems surrounding Pulse Secure, for example, are well documented, and date back to April 2019.

Further, NordVPN, along with other primarily consumer-facing VPNs often used for business purposes, have dealt with recent cyber-attacks that made mainstream news.

With remote work here to stay – temporarily for some and permanently for others – questions about VPN viability are bound to consume 2021 planning and budget discussions. After all, this year illuminated both the many pros and cons of VPNs, perhaps more clearly than ever before.

To VPN or not VPN in 2021

In this era of remote and mobile work, legacy, hardware-based VPNs have passed their prime, as they were designed for an age when only a small percentage of employees worked remotely.

When the pandemic forced offices to shut down around the world, organizations using legacy VPNs quickly discovered that they just couldn’t scale quickly enough to meet demand. The only way to effectively increase capacity was to add equipment, which in many cases is proprietary, expensive, and requires ancillary hardware such as load balancers and other redundancies.

Apart from the cost, there are a couple of real disadvantages of legacy VPNs. First, they just aren’t smart. While legacy solutions support split-tunneling mode, most are brittle and not responsive to changing conditions, often relying on a port or IP address in a modern, cloud environment that requires split tunneling on a process or domain name.

This adds to the cost and complexity of the network, puts an unnecessary strain on already taxed bandwidth, and quickly degrades the user experience for all users.

The second major disadvantage is security. A bad actor who is able to steal someone’s VPN credentials may have carte blanche to navigate through an organization’s sensitive data – including intellectual property and customer information. The addition of multi-factor authentication has helped, but even then the risk of lateral movement is enormous.

Not all enterprise VPNs are cut from the same cloth

Despite cost and security complexities, there are reasons for organizations, particularly those in -highly-regulated industries without a digital transformation mandate, like transportation and public safety, to remain bullish on the VPN. For starters, some enterprise VPNs offer connectivity resilience, insulate applications from instabilities in networks and enable connected devices to roam seamlessly between Wi-Fi and cellular networks without user intervention.

Additionally, some advanced VPNs employ traffic optimization via intelligent compression to automatically fine-tune connection performance so that essential business applications run reliably across networks, giving priority to mission-critical applications. While digital security is increasingly called into question, enterprise VPN’s do offer network security and data protection safeguards that are absent from many consumer-grade options.

For example, on a VPN’s tunneled connection, every data packet is encrypted before it is sent over the internet, delivering impenetrable security regardless of the network. Not to mention sensitive and proprietary information flowing through a VPN tunnel can be encrypted, eliminating the risk of third-party interception.

Should software-defined perimeters replace the VPN?

Software-defined perimeter (SDP) and zero trust network access (ZTNA) solutions are relatively new on the stage. Designed to create multiple, on-demand micro connections between a user’s device and the specific resources that they need, SDPs greatly reduce the risk of lateral movement that plagues traditional VPNs.

By default, SDPs apply the principles of a zero trust architecture, meaning that access is denied until a user can adequately prove their identity. SDPs use a controller (typically on the device) that gathers a variety of data, such as the application being used, the location of the device, the device’s operating system, the Wi-Fi or cellular network it is connected to, and dozens more. This real-time data is used to build a risk assessment for each request, determining whether the user can access the resource or not.

Using these kinds of tools, it’s very easy for an IT or security team to customize and automate access based on an individual’s role and needs within the organization. Privileged or sensitive data can be kept secure, while access to data and applications remains seamless and invisible, regardless of their location on-prem or in the cloud.

VPN and SDP are actually complementary technologies

SDP is not about to usurp the role of the VPN completely, and for most organizations, the choice between one over the other will not occur for at least a decade.

That’s because SDP and VPN complement one another extremely well, creating a hybrid solution that combines the benefits of a mobile VPN’s data encryption, compression and application persistence, with the incredibly granular security benefits of an SDP. Combining an SDP and an intelligent VPN enables split tunneling directly to the web – reducing network congestion while maintaining security over corporate assets.

As we look toward the future, use of VPNs will evolve as companies elect more resilient, dynamic, and secure methods of remote access like software-defined perimeter and zero-trust network access solutions. While the reality for the foreseeable future is that most companies – about 98%, in fact – will continue to maintain some applications on-premise or at least hosted in a private cloud, organizations should implement hybrid VPN/SDP solutions that meet their business needs of today, with the ability to scale to meet the increasingly zero-trust oriented needs of tomorrow.

What’s Hot on Infosecurity Magazine?