BLOG: Hybrid Work and the Need to Ditch VPNs



Virtual private networks (VPNs) certainly have had their time and place. Pre-pandemic, they were the defacto standard for secure network access for road warriors and, at the time, a moderate but growing remote workforce.

Amid the scramble to establish secure connections during COVID-19, organizations had to act quickly to ensure workers could continue doing their work from home.

“They already had VPNs in place and it was a kneejerk reaction to roll them out more widely,” says Don Meyer, Director of Product Marketing at Palo Alto Networks.

However, there are several significant risks around VPN usage, he advises.

The latency problem

VPNs have been around for more than 20 years and were built to facilitate location-to-location — also called hub-and-spoke — connectivity, based on the legacy castle-and-moat model of guarding the network “perimeter.” They have traditionally provided a secure access tunnel predicated on data assets residing solely in on-premises data centers.

However, the growing popularity of remote work along with widespread adoption of cloud and edge computing have made that perimeter a moving target. Applications and data no longer strictly reside within corporate premises data centers. Instead, they now live in a variety of cloud environments — platform-as-a-service, software-as-a-service, etc. — as well as in private cloud and public cloud data centers. Using VPNs, while beneficial from a security perspective, actually slows down remote traffic because it now has to traverse (or “trombone”) from data centers to the cloud and back, then to employee devices.

The growing appetite for all things cloud, fueled by digital transformation and other modernization initiatives, further exacerbates the issue as more and more apps, data, and employees move outside the controls of the corporate network. Now more traffic must be tromboned through the VPN concentrator to allow remote workers access to the vital apps and data they need. This tromboning effect results in latency, which in turn reduces productivity. The slowness may cause workers to not use the VPN, putting sensitive data and environments at increased risk of a breach.

The security problem

Legacy VPN technology wasn’t built to accommodate the needs of today’s hybrid environments with hybrid workforces.

It used to be that users only leveraged corporate-issued devices to connect to the network. Now they may augment those devices with a variety of smartphones, iPads, and other compute devices. These bring-your-own (BYO) initiatives help employees maintain productivity by allowing them to choose the best compute options for any given task, but they also provide a handy exploit route. If any one of these BYO devices is compromised while an employee is using the VPN, it provides attackers a way into the corporate network.

“VPNs by design have very limited controls over what a user can or cannot do,” Meyer says. “Because they are designed for network-level access, they lack fine-grained controls that limit what users can do when they connect. Thus, it becomes an exploitable route that allows malware to spread laterally or gain access to sensitive systems or data. Likewise, there is no mechanism within a VPN architecture to provide robust context about the session; to accurately identify the user, confirm the identity and status of any of the multiple devices used by an employee; to limit access to particular applications or subsets of apps; and more.”

Consider that these VPN limitations not only affect remote employees, but also independent contractors and third-party vendors who may only need to access a few resources.

The need for a different approach

Enterprises need to move beyond network-level, coarse-grained access provided by VPNs to satisfy the needs of their hybrid workforces while reducing risk. Savvy organizations are doing so by adopting the Zero Trust concept of “never trust, always verify” with Zero Trust Network Access (ZTNA). According to the Foundry 2021 Security Priorities Study, 46% are actively starting on their ZTNA journey by incorporating technologies such as multifactor authentication (MFA) and security assertion markup language (SAML) single sign-on into their identity and authentication schemas.

In addition to strong identity and authentication, an important next step to solving the challenges of hybrid work is providing granular access control based on continuous trust verification and threat inspection via Zero Trust Network Access (ZTNA) 2.0.

Unlike VPNs and early ZTNA (or 1.0) approaches, ZTNA 2.0 solutions default to a “deny access” state unless the user and their device have been carefully vetted and explicitly granted access to an app. But ZTNA 2.0 doesn’t stop there. After provisioning access, it continues to validate that the user, device, and application behave as expected while providing continuous threat inspection throughout the session to ensure threats aren’t introduced. Because ZTNA 2.0 sits in-line with the traffic, any deviation from “normal” either in behavior, traffic patterns, or payloads can be instantly identified and remedied, which dramatically reduces risk while reducing the organization’s attack surface.

“We’re seeing that forward-thinking organizations that were struggling to gain visibility into network movement and data traffic before the pandemic started deploying ZTNA,” Meyer says. “The notion of control to limit blanket access to the network is appealing.”

What next?

If your organization is exploring ZTNA, an important first step is to transition to MFA to further validate users.

“Most enterprises are using a bunch of cloud services and infrastructures, so it makes sense to transition to a secure access service edge that is built in the cloud,” Meyer says.

This edge, or SASE as Gartner refers to it, converges software defined wide-area networking (SD-WAN) with network security services like cloud access security broker (CASB), secure web gateway (SWG), firewall-as-a-service (FWaaS), and ZTNA into a single cloud-delivered service model. It modernizes the access infrastructure to overcome the challenges of VPN by reducing network and security complexity, while increasing the organization’s agility.

SASE solutions incorporating ZTNA 2.0-based identity authentication and granular access control capabilities not only reduce the attack surface by continuous trust validation and security inspection, but also provide rapid access to the apps that users need to be productive.

Learn more about the risks of VPN and the benefits of ZTNA 2.0 here.