A virtual private network (VPN) was until recently the go-to solution for remote access: organizations use it to let employees, partners, and automated systems connect to the corporate network over an encrypted channel.

However, in the current IT environment, with organizations running resources in the cloud and outside the traditional data center, and employees transitioning to remote work, VPN cannot scale to support these needs. In addition, a distributed environment and new cyber threats mean that VPN alone is no longer secure enough.

Let's look at the main challenges organizations face with VPN and at the top alternatives for securing remote access.

What is a VPN?

A VPN is a secure networking model that establishes an encrypted connection between a server and a user device. VPN services provide security when a user connects to the Internet or an organization’s internal network. 

Many businesses use VPNs to allow remote workers to access sensitive data and internal applications or to establish a single common network connecting multiple branch offices. In either case, the main objective is to prevent the exposure of web traffic to the public Internet. This security measure is especially important for traffic containing proprietary or confidential data. 

While business VPNs remain popular, they pose significant security risks. The main deficiencies of a VPN stem from the limits of the perimeter model it relies on, which cannot provide comprehensive network protection:

  1. Limited Scale - traditional VPNs are based on devices deployed on-premises, and the number of users they can support is limited by their hardware. Most companies sized their VPN deployment for the number of remote employees they had in the past. Those numbers are no longer relevant following the COVID-19 pandemic and the massive transition to remote work.
  2. Complex Infrastructure - businesses may want to address VPN overload by adding VPN appliances or VPN concentrators, but this adds cost and complexity to the network. Additionally, configuring VPN appliances for high availability (HA) increases costs and requires advanced configurations and specialized expertise.
  3. Lack of Granular Security - VPN devices belong to a previous security era in which organizations aimed to establish a security perimeter around their networks and prevent attackers from breaching it. Thus, a VPN blocks access by unauthorized individuals, but once it authenticates an individual, it provides virtually unlimited access to all subnets: it answers the authentication question (who is this?) without answering the authorization question (what is this person allowed to reach?). This exposes organizations to credential theft, privilege escalation, and insider threats.

VPN alternatives

Zero Trust Network Access (ZTNA)

Zero trust network access (ZTNA) solutions use predefined policies to allow or restrict access to the network and to the applications and data it contains. This establishes granular control that helps ensure privacy and security. Access is granted based on users' roles and the privileges they require to perform their jobs.

Like VPNs, ZTNAs let users establish access through an encrypted tunnel that hides their IP addresses. Unlike VPNs, ZTNAs apply the zero-trust principle to ensure that only authorized parties can access corporate resources. This requires strict authentication and authorization mechanisms that treat all users as untrusted entities until they prove otherwise, for each resource they request.

Enterprises use ZTNA as part of the security architecture to provide granular access and prevent cyber criminals from infiltrating the network. 

Here are notable ZTNA use cases:

  1. Secure multi-cloud access - ZTNA lets organizations apply the same access controls to resources in hybrid and multi-cloud environments.
  2. Reduce third-party risk - organizations can use ZTNA to keep external users away from network assets they have no business reaching, while allowing authorized users to access the applications they need without disrupting normal operations.
  3. Accelerate M&A integration - mergers and acquisitions (M&A) integration can span several years as organizations attempt to converge networks and handle overlapping IP address ranges. ZTNA reduces the management effort and time required for a successful M&A and provides immediate business value.

Secure Access Service Edge (SASE)

Secure access service edge (SASE) is a network security model that bundles several crucial functions into one architecture. SASE provides both network connectivity, based on SD-WAN, and security capabilities. It is a cloud-based model that enables organizations to monitor all traffic flowing from one endpoint to another. Here are the key benefits of SASE:

  1. Underlying cloud native security architecture 
  2. An extra layer of network functionality 
  3. Simplified management and operations
  4. Increased visibility and security 
  5. Lower costs

SASE provides the flexibility needed to enable secure remote work, supporting the new work paradigms of a post-COVID workforce.

Here are notable SASE use cases:

  1. Controlled move to cloud services - SASE provides single-interface management that lets IT move as gradually as desired from on-premises to multi-cloud or hybrid environments, without sacrificing workspace availability, security, or application performance.
  2. Support for mobile users - Internet of Things (IoT) devices and the increasingly mobile workforce challenge IT to ensure secure access and consistent wireless performance. As 5G rolls out, factories, branch offices, warehouses, utility centers, and other locations increasingly use automated wireless endpoint applications and IoT. A unified SASE model delivers the scalability and control needed to manage these components.
  3. Support for multiple operating systems - a SASE environment can support many operating systems, so enterprises with substantial Linux demand do not have to move to separate clouds or systems just to support those users.

Unified Endpoint Management Tools

Unified endpoint management (UEM) solutions enable organizations to secure and manage various employee devices and operating systems from a single console. UEM fills in the gaps left by traditional mobile device management (MDM) solutions. 

Organizations can employ UEM to secure personally owned devices such as laptops and desktops, ensuring that employees can work remotely in a secure manner without the assistance of a VPN.

UEM typically relies on agents installed on endpoint devices to implement conditional access: the agent evaluates a set of conditions before a user is granted access to a given resource. The solution can evaluate identity information, user behavior, and device compliance (for example, whether the device is managed, patched, and encrypted) to determine whether a user may access a resource. UEM providers often integrate with ZTNA providers to extend protection.
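To make the difference between the perimeter model described under "Lack of Granular Security" and the per-resource evaluation that ZTNA performs concrete, and to show how UEM device posture feeds that decision, here is an added illustration in Python. It is not code from the article or from any ZTNA or UEM product; the resource names, role names, posture fields, and policy rules are all hypothetical, and the sample requests are constructed.

```python
"""Minimal zero-trust policy decision point (hypothetical model, added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DevicePosture:
    """Signals a UEM-style endpoint agent would report. Field set is hypothetical."""
    managed: bool          # device is enrolled in management
    disk_encrypted: bool
    os_patched: bool
    screen_lock: bool


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset
    resource: str
    authenticated: bool    # primary authentication succeeded
    mfa_verified: bool
    device: DevicePosture
    geo_anomaly: bool = False  # behaviour signal: sign-in from an unusual location


# Per-resource policy table. Resource names and rules are hypothetical.
POLICY = {
    "hr-portal":  {"roles": {"hr"}, "require_mfa": True, "require_compliant_device": True},
    "git-server": {"roles": {"engineering"}, "require_mfa": True, "require_compliant_device": True},
    "wiki":       {"roles": {"hr", "engineering", "contractor"}, "require_mfa": False,
                   "require_compliant_device": False},
}

POSTURE_CHECKS = ("managed", "disk_encrypted", "os_patched", "screen_lock")


def posture_failures(device):
    """Names of the posture checks the device fails (empty list means compliant)."""
    return [name for name in POSTURE_CHECKS if not getattr(device, name)]


def vpn_style_decision(req):
    """Perimeter model: one successful authentication, then every subnet is reachable."""
    return req.authenticated


def zero_trust_decision(req):
    """Evaluate one request against the target resource's own policy.

    Returns (allowed, reasons). reasons is empty on allow and lists every
    failed condition on deny, which is what you want to see in the access log.
    """
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, ["resource:unknown"]        # default deny for unlisted resources
    if not req.authenticated:
        return False, ["auth:failed"]
    reasons = []
    if not (req.roles & rule["roles"]):
        reasons.append("role:not_permitted")
    if rule["require_mfa"] and not req.mfa_verified:
        reasons.append("auth:mfa_required")
    if rule["require_compliant_device"]:
        reasons.extend("posture:" + f for f in posture_failures(req.device))
    if req.geo_anomaly:
        reasons.append("behavior:geo_anomaly")
    return (not reasons), reasons


def demo():
    """Constructed sample requests contrasting the two models."""
    compliant = DevicePosture(True, True, True, True)
    unmanaged = DevicePosture(False, False, True, True)
    samples = [
        # contractor with valid MFA on an unmanaged laptop asking for the source repo
        AccessRequest("carol", frozenset({"contractor"}), "git-server", True, True, unmanaged),
        # engineer on a compliant device
        AccessRequest("dave", frozenset({"engineering"}), "git-server", True, True, compliant),
        # same engineer, but signing in from an unusual location
        AccessRequest("dave", frozenset({"engineering"}), "git-server", True, True, compliant,
                      geo_anomaly=True),
    ]
    return [(r.user, r.resource, vpn_style_decision(r), zero_trust_decision(r)) for r in samples]


if __name__ == "__main__":
    for user, resource, vpn, (zt, why) in demo():
        print(f"{user:>6} -> {resource:<10} vpn={vpn}  zero_trust={zt} {why}")
```

The first sample is the case the article warns about: the VPN model lets the contractor in because the credential was valid, whereas the zero-trust decision denies and records both the role mismatch and the two failed posture checks. Returning the full reason list, rather than a bare boolean, is deliberate: it gives the security operations team something to alert on, such as a burst of `posture:*` denials after a patch deadline or `behavior:geo_anomaly` on a privileged account.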

Conclusion

In this article, I explained the basics of VPN and the challenges it creates for modern IT environments, and described three solutions that are gradually replacing VPN for remote access:

  1. ZTNA - an access management solution that uses predefined policies to allow or restrict access based on users' roles and their current security context.
  2. SASE - a network platform that bundles SD-WAN network infrastructure with security capabilities such as firewall as a service (FWaaS) and secure web gateway (SWG), and can secure connections from any location to any resource, on-premises or in the cloud.
  3. UEM - a solution for securing and managing employee devices, including personally owned devices, that evaluates the health and security hygiene of a device before granting access.

I hope this will be useful as you transition to the next generation of remote connectivity solutions.