It's been two decades since the introduction of virtual private networks (VPNs), and they are still the go-to solution for many organizations that need to connect remote users to company resources.
But while VPN technology remained relatively static — grounded on the principle that your resources are primarily located on a corporate network — remote work requirements have changed dramatically.
More and more, private applications — alongside the resources they host — have moved to the cloud. And users aren't located in the perimeter, either. The norm used to be that most people worked inside an office, with only a few people needing remote access. Now, most people require some level of remote access — whether they're employees, partners, or third-party contractors — and they're often using personal devices to do it.
VPNs simply aren't built to operate in this environment. They can't give you visibility into resources outside the perimeter, and they can't monitor user behavior or unmanaged devices. If your organization is still using a VPN as its primary remote access solution, there are three things you need to know about how they affect your security posture.
1. VPNs prioritize access over security
VPNs operate under the assumption that if someone has the right credentials, they are authorized to access everything on your corporate network. There’s a huge assumption of trust, and no actual visibility into risky behavior or how data is being handled once a user gets access. This makes VPNs particularly vulnerable to user threats like phishing attacks that lead to compromised accounts.
Passwords can be leaked, multi-factor authentication (MFA) can be bypassed, and social engineering can convince people to give up their credentials. While VPNs can integrate with third-party identity providers, verifications happen after a connection has been established. That cedes a critical foothold to attackers — if they gain network-wide access, they can easily move laterally throughout your infrastructure to find additional vulnerabilities or sensitive data.
Because VPNs prioritize access over security, their susceptibility to user-based threats creates a recipe for data compromise. That's why it's so critical to have a remote access solution that gives your organization insight into user and device vulnerabilities.
2. VPNs are vulnerable to exploitation
In addition to being vulnerable to user-based threats, there are numerous ways VPNs can be exploited, making them attractive targets for attackers.
Manual upkeep requirements
VPNs are first and foremost hardware appliances inside data centers, and they’re typically deployed on-premises. As a result, any software updates such as security patches, have to be done with manual labor. As a result, it requires more resources for upkeep, creating room for human error or gaps for when a vulnerability isn’t patched. This is very different from a SaaS app that is constantly updated and patched.
More susceptible to misconfigurations
Misconfigurations are also more prevalent with VPNs. Especially when organizations often run multiple VPNs, it becomes difficult to ensure that settings are configured properly. Whether it’s unused passwords, not-yet-deprovisioned users, or accidental exposure to the internet, VPNs leave a trail of paths for attackers to potentially exploit.
3. VPNs slow users down and hinder productivity
The shift to remote and hybrid work models should enhance productivity, but VPNs have the potential to undo those gains. VPNs were simply not designed to support an entire workforce — including contractors and partners — operating remotely from an array of personal devices, accessing a host of cloud apps and IaaS apps. As a result, when organizations attempt to scale their VPNs to accommodate all their users, the user experience can suffer.
To integrate VPNs with cloud services like IaaS apps, organizations must adopt complex setups that route traffic first back into a centralized perimeter, and then out again to the cloud. This process, known as hairpinning, introduces a noticeable slowdown in the user experience, or even experience downtime. Because users have to wait longer to reach these important resources, they may not be as productive as they would be otherwise.
In order to optimize productivity in the evolving remote and hybrid work landscape, organizations need to explore remote access solutions that eliminate hairpinning and are designed to work with the cloud.
Can VPNs keep your organization secure?
Remote and hybrid work are here to stay, and because of that, VPNs can no longer be your first line of defense for securing remote access.
To further understand why remote access via a standard VPN is no longer sufficient, register for our upcoming webinar, 5 Key Considerations for a Successful Migration from Legacy VPN to ZTNA. You’ll leave with practical takeaways and strategies for data protection and visibility into unsanctioned apps.
Book a personalized, no-pressure demo today to learn:
Discover how adversaries use non-traditional methods for phishing on iOS/Android, see real-world examples of threats, and learn how an integrated security platform safeguards your organization.
5 Considerations for a Successful Migration from VPN to ZTNA
Hear firsthand from Joel Perkins, Lookout’s head of IT, to discuss how he overcame challenges of a legacy VPN with Lookout Secure Private Access, our ZTNA solution.