How Long Before VPNs Are Mothballed?

A Gartner CFO survey revealed 74% of organizations are planning to keep at least some portion of their employees permanently remote. That alone should’ve guaranteed a thriving VPN market in the future. Yet, Gartner also pointed out that 60% of enterprises will be phasing out most of their remote-access VPNs in a few years. So, what gives? 

Cyber-attacks leveraging zero-day vulnerabilities increased by a whopping 1916% and 1527% for two leading enterprise VPN providers. This recent surge in cyber-attacks involving VPNs, coupled with latency-based productivity losses and high VPN support costs, is eroding the trust organizations have in VPNs.

VPNs were abused during the pandemic. Although they were designed to be used sporadically (for example, connecting to the office while on a business trip), VPNs are now being used simultaneously by all workers. This is not what they were designed for, either networking-wise or security-wise. If a user finds a VPN cumbersome, they might decide not to use it.

Can VPNs Protect Future Enterprises? 

Mobility is one of the most significant enterprise security challenges that VPNs fail to address, including on-site mobile devices and users working on the go. VPNs inherently lack the agility needed to protect mobile devices – the VPN connection resets every time users switch the network they’re connected to and whenever they wake their mobile devices from sleep mode. All these reconnections put a drag on network resources and affect work performance and employee productivity, something that modern businesses don’t like.

VPNs also don’t sit well with BYOD (bring your own device) policies because they often use authentication certificates that reside on particular devices, which are usually company-owned. When employees are constantly hopping between multiple devices for work, VPNs fail to keep up with all of them seamlessly. Adding insult to injury, VPNs do not provide granular control over security policies because of their simplistic, all-or-nothing approach to security. When independent contractors and other third-party vendors need access to just a few internal resources, VPNs grant access to the entire network by default.

Finally, the cloud is effectively becoming the death sentence for VPNs. Now that data no longer resides entirely within the confines of the enterprise network protected by corporate firewalls, VPNs’ secure tunnels are not designed to extend their security to all the places across which that data is distributed. Modern enterprises have resources in the cloud as well as at the edge, so they need a security ecosystem that’s as pervasive as their IT footprint.

So what does this mean for organizations currently relying on VPNs? It means that now’s the time to map out a transformation journey for future-proofing their network security. 

It’s Time for a Security Everywhere Approach 

Businesses must be able to dynamically extend their security perimeter to practically anywhere their critical assets and workers are. That requires a security everywhere mindset that covers BYOD, remote workers, cloud resources, third-party vendors and the network core as well. It also means letting go of legacy VPNs in favor of cutting-edge solutions: SWG (secure web gateway) for protecting internet-connected users and devices and enforcing acceptable-use policies for the internet; CASB (cloud access security broker) for extending security and access policies to cloud-based applications; and ZTNA (zero trust network access) for verifying every user before granting access to critical assets, even if they’re already inside the secure network perimeter.
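The contrast drawn above between a VPN's all-or-nothing network access and ZTNA's per-request verification can be sketched in a few lines. This is an added example, not code from the article or from any vendor's product; every host name, address, group and rule in it is constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample data: every name, address and rule below is illustrative.
TRUSTED_NETS = [ip_network("10.8.0.0/24"), ip_network("10.3.0.0/16")]  # VPN pool, office LAN
INTERNAL_NET = ip_network("10.0.0.0/8")
POLICY = {  # resource -> groups allowed to reach it
    "wiki.corp.example": {"employee", "contractor"},
    "payroll.corp.example": {"finance"},
    "git.corp.example": {"employee"},
}

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    authenticated: bool   # identity verified for this session (e.g. SSO + MFA)
    source_ip: str
    resource: str
    resource_ip: str

def perimeter_allows(req: Request) -> bool:
    """All-or-nothing: a trusted source address reaches any internal address."""
    src, dst = ip_address(req.source_ip), ip_address(req.resource_ip)
    return any(src in net for net in TRUSTED_NETS) and dst in INTERNAL_NET

def ztna_allows(req: Request) -> bool:
    """Per request: verified identity plus an explicit rule, default deny."""
    allowed_groups = POLICY.get(req.resource)
    if allowed_groups is None or not req.authenticated:
        return False
    return bool(req.groups & allowed_groups)

def compare(requests):
    """Return (user, resource, perimeter_decision, ztna_decision) per request."""
    return [(r.user, r.resource, perimeter_allows(r), ztna_allows(r)) for r in requests]

SAMPLE = [
    Request("vendor1", frozenset({"contractor"}), True, "10.8.0.23",
            "wiki.corp.example", "10.1.0.10"),
    Request("vendor1", frozenset({"contractor"}), True, "10.8.0.23",
            "payroll.corp.example", "10.1.0.20"),
    # On the office LAN, but the session was never authenticated
    Request("alice", frozenset({"employee"}), False, "10.3.4.5",
            "git.corp.example", "10.1.0.30"),
]

if __name__ == "__main__":
    print(*compare(SAMPLE), sep="\n")
```

The perimeter model admits all three requests because it only looks at where the traffic comes from, while the per-request model admits only the contractor's wiki request.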

The services and controls that modern businesses require create a complex security stack with multiple vendors and arduous management, and each security control a business adds to its network essentially increases its attack surface, rendering it more vulnerable. SASE (secure access service edge) can potentially fill the gaps since it integrates networking with the above-mentioned security controls. Gartner has been predicting the rise of SASE for a couple of years now. However, as with any new technology, there’s hesitation and even skepticism surrounding the adoption of newer security models. Organizations that have already invested heavily in their legacy VPNs are naturally at the forefront of this opposition, but they’re likely putting much more at stake than their resistance.

The Bottom Line: The VPN Era is Running Out 

Although many are unwilling to acknowledge it, VPNs are inadequately meeting the security challenges of tomorrow. The deciding factor for many businesses may be the investments they’ve already made and will have to make to further their transformation journey. They can choose to gradually phase out VPNs as they eventually reach end-of-life, when contracts approach renewal, or when they expand their branches. In any case, the VPNs that seem to dominate the market today will be mothballed in the coming years, and businesses have just enough time to test the waters by gradually implementing VPN alternatives before bidding them farewell for good.
