Companies large and small have come to rely on virtual private networks (VPNs) as the solution for securing traffic between the corporate network and remote devices. But as working from home and remote access have evolved from nice-to-haves to the norm, VPNs have come to shoulder a heavier burden than they were designed for. IT managers do well to stay mindful of the shortcomings of VPNs for remote work.
A VPN connection links client devices to a secure network, typically a corporate data center. The goal is to provide the same level of network access the user enjoys while on campus, but in practice users often contend with slow connections and increased network latency, especially when the tunnel carries all of their traffic back through the corporate gateway.
VPNs also require users to log in and periodically re-authenticate their client to the network. This is necessary to keep the network secure, but it also makes remote sessions less seamless than working in the corporate office.
As VPN services and connections proliferate, the network becomes more extended, more complex and harder to monitor effectively. Besides the links between individual users and the data center, remote offices connect larger groups of remote users in ever-growing constellations of point-to-point connections. The result is a trade-off between network visibility for IT managers and access for devices.
VPNs by default are designed to provide network-level access. Once a client has authenticated, it is placed on the internal network and can reach far more than the handful of applications the user actually needs. If a user's credentials are hijacked, the attacker inherits that same reach and can move laterally toward corporate data, applications and other sensitive systems. VPN gateways also listen on publicly reachable ports in order to accept connections, and attackers routinely scan for and probe those listeners as a way in.
The core job of any VPN solution is secure remote access over a public network, but even that cannot be taken for granted. Enterprise-grade remote access depends on enforcing multifactor authentication (MFA) and on strong encryption of data in transit; not every VPN deployment enforces MFA, and not every one is configured with strong, current encryption settings.
Also, the home network has become part of the security equation. Corporate IT managers cannot push upgrades and patches to privately owned computers, switches and routers, so they cannot ensure security on the remote end of the connection.
Another concern is the point-to-point nature of VPNs: traffic is encrypted only between the client and the VPN gateway, so it has to be decrypted and inspected at that gateway. The workload of inspecting traffic over every VPN connection grows burdensome as the number of connections increases, and the trend toward hosting those workloads in the cloud, away from the gateway, adds to the burden.
In a world of hybrid workforces and hybrid network environments, work has become an activity instead of a place. With apps and remote users everywhere, the need for new, secure VPN alternatives has become more urgent. Consider the following approaches.
As the typical enterprise attack surface has grown, Zero Trust network access (ZTNA) has emerged as a way of protecting apps and data by preventing lateral movement, preventing Layer 7 threats and simplifying policies around least-privileged access.
Zero Trust is a strategic approach to cybersecurity with the goal of eliminating implicit trust across digital interactions with continuous validations at every stage of those interactions. It facilitates this through strong authentication and authorization, typically by routing each request for access to applications through an access broker. If the user is entitled to use the requested application, then the broker enables access and allows the user to communicate directly with the application.
ZTNA solutions apply to users, applications and infrastructure.
Advanced ZTNA (ZTNA 2.0) solutions ensure users have only the access they need to perform their tasks, while continuously verifying the trust level granted and inspecting all traffic for threats.
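To make the contrast concrete between the network-level access a VPN grants (the credential-hijack scenario described earlier) and the per-request, default-deny decision an access broker makes under ZTNA, here is a small Python model. It is an added illustration, not code from the original article or from any Palo Alto Networks product; the users, groups, application names, host addresses and the 300-second re-verification window are all constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass
class Session:
    """What the broker knows about a connecting client at decision time."""
    user: str
    mfa_verified: bool
    device_compliant: bool    # posture signal, assumed to come from an endpoint agent
    seconds_since_check: int  # age of the last identity/posture check


# Constructed sample policy: hypothetical users, groups and application names.
GROUPS: Dict[str, List[str]] = {"alice": ["engineering"], "bob": ["finance"]}
ENTITLEMENTS: Dict[str, List[str]] = {
    "engineering": ["git", "ci"],
    "finance": ["erp"],
}
# Hypothetical internal hosts behind each application, as a VPN would expose them.
APP_HOSTS: Dict[str, str] = {"git": "10.10.0.5", "ci": "10.10.0.6", "erp": "10.20.0.9"}
CORP_NET = ip_network("10.0.0.0/8")
MAX_CHECK_AGE = 300  # seconds; assumed window after which the broker stops trusting a check


def vpn_allows(session: Session, dest_ip: str) -> bool:
    """VPN-style, network-level access: once authenticated, the client sits on the
    corporate network and any host in it is reachable. Entitlement and device
    posture play no further part in the decision."""
    return session.mfa_verified and ip_address(dest_ip) in CORP_NET


def ztna_decide(session: Session, app: str) -> str:
    """ZTNA-style, per-request decision made by the access broker.
    Default deny: every condition must hold or the request is refused."""
    if not session.mfa_verified:
        return "deny: mfa required"
    if not session.device_compliant:
        return "deny: device posture failed"
    if session.seconds_since_check > MAX_CHECK_AGE:
        return "deny: trust expired, re-verify"
    entitled = {a for g in GROUPS.get(session.user, []) for a in ENTITLEMENTS.get(g, [])}
    if app not in entitled:
        return f"deny: {session.user} not entitled to {app}"
    return "allow"


def hijacked_credentials_demo() -> Dict[str, object]:
    """An attacker holding alice's valid, MFA-verified session tries to reach the
    finance ERP. The VPN model lets the packets through; the broker does not."""
    stolen = Session("alice", mfa_verified=True, device_compliant=True, seconds_since_check=30)
    return {
        "vpn_reaches_erp_host": vpn_allows(stolen, APP_HOSTS["erp"]),
        "ztna_erp": ztna_decide(stolen, "erp"),
        "ztna_git": ztna_decide(stolen, "git"),
    }


if __name__ == "__main__":
    for name, result in hijacked_credentials_demo().items():
        print(f"{name}: {result}")
    # Continuous verification: an otherwise-entitled user is refused when the
    # last check is stale or the device falls out of compliance.
    print("stale bob -> erp:", ztna_decide(Session("bob", True, True, 900), "erp"))
    print("non-compliant bob -> erp:", ztna_decide(Session("bob", True, False, 10), "erp"))
```

The point of the model is the shape of the decision, not the policy store: the VPN check answers "is this address on the network I was admitted to", while the broker answers "is this identity, on this device, right now, entitled to this one application", and it answers that question on every request rather than once at login.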
As remote access and software as a service (SaaS) have grown, so has the trend toward sending traffic to a variety of internet-based and other cloud services rather than to the data center. Secure access service edge (SASE) has evolved as a way to meet the need for security and access control while giving remote users uninterrupted access.
SASE blends the reach of the wide area network (WAN) with the protection of enterprise-caliber security. The solution is delivered in a single, cloud-based service model that a company can use to unify their network, consolidate their security and simplify their operations.
SASE addresses fragmentation in the security landscape. For years, that fragmentation convinced many enterprises that the key to cybersecurity was deploying multiple "best-of-breed" products and technologies from multiple vendors on-premises. SASE takes the alternative view that, as with data and applications, the future of network security is in the cloud.
Most notably, SASE offers the flexibility of a cloud-based infrastructure. This helps companies more easily implement security services such as threat prevention, DNS security, sandboxing, credential theft prevention, web filtering and next-generation firewall policies.
In a traditional architecture, the WAN relies on physical devices like routers to connect remote or branch users to the corporate network and data center. The flow of data among sites is determined by rules and policies written for each network device, typically following a hub-and-spoke design in which the data center is the hub and the remote or satellite offices are the spokes. Managing the rules and policies that govern site-to-site connectivity is time consuming and error-prone, so the software-defined WAN (SD-WAN) has evolved to move control and management of data flow from individual hardware devices to centralized software.
That allows network administrators to write new rules and policies once, then configure and deploy them across the entire network at the same time. Compared to VPNs, SD-WANs are known for lower cost, higher performance and greater reliability. They offer features such as quality of service (QoS) and application-aware routing, steering traffic directly to cloud services in a way that a point-to-point VPN does not.
Most companies turn to VPNs to solve the security problem of wide area network access, so it's best to evaluate the benefits of VPN alternatives in that light.
There are various solutions on the market that you can consider for replacing your VPN. Palo Alto Networks Prisma Access is the only cloud-delivered security solution that provides ZTNA 2.0. It is purpose-built to deliver continuous trust verification, continuous security inspection and consistent protection for data and all apps. It also delivers cloud scale, data plane isolation and Autonomous Digital Experience Management (ADEM) to ensure the best user experience.