Companies are constantly evolving, and their networks and IT infrastructure need to evolve as well to meet their changing needs. These needs can be driven both internally – by digital transformation initiatives – and externally – by events like the COVID-19 pandemic.
The transition to supporting telework has been going on for years, but COVID-19 dramatically accelerated it. Within a matter of weeks, many organizations shifted from having few (if any) remote workers to a mostly or wholly remote workforce.
This rapid transition redefined critical infrastructure within an organization. Systems that are primarily designed to support on-premises workers are relegated to the background as enterprise VPN solutions and other secure remote access systems become vital to the business’s ability to function and its security against cyber threats.
VPNs are an inadequate solution for the modern enterprise
Traditionally, many organizations have used VPNs for secure remote access. The principles behind a VPN are simple, and it is a technology that has been around for a while now. This long tenure means that businesses have had time and opportunity to grow accustomed to it and that they can continue to leverage existing investments in the technology.
However, VPNs are not a remote access solution that is well-suited to the modern business. From a functionality standpoint, their lack of scalability and point-to-point connectivity model are problematic. As the need for secure remote access solutions grew during COVID-19, many businesses found that their VPN infrastructure couldn’t keep up. Additionally, as both ends of VPN connections moved off-site – to cloud infrastructure and home offices – backhauling traffic through enterprise networks for security inspection became an increasingly unworkable and inefficient solution.
Cybercriminals call out poor VPN security
Shortcomings in scalability and efficiency are not the only problems that VPN solutions face. While labeled a “secure remote access” solution, VPNs have significant issues with security.
One of the security shortcomings of VPNs is that they don’t actually provide much security beyond confidentiality. A VPN provides an encrypted channel, preventing eavesdropping on traffic between the two ends of the connection. However, a VPN does not perform any security inspection of the traffic flowing over it. A full security stack must be deployed at one end of every VPN connection, a requirement that grows increasingly difficult to meet as enterprise resources are increasingly hosted in the cloud and accessed by remote workers.
The other major security challenge for VPNs is that they commonly contain exploitable vulnerabilities. In order to do their jobs, VPN appliances must be exposed to the public Internet, making them easily accessible to potential attackers. If these systems contain exploitable vulnerabilities, then an attacker could take advantage of these weaknesses to gain access to the enterprise network, perform a Denial of Service attack against an organization’s VPN infrastructure (likely rendering the company unable to operate), or eavesdrop on sensitive communications flowing over the VPN connection.
VPNs have received a high level of security scrutiny due to their importance in enterprise telework programs, and a number of vulnerabilities have been detected. Cybercriminals are actively exploiting these vulnerabilities, taking actions like publicly posting exploit code for a vulnerability in Fortinet VPNs that affects approximately 49,000 systems. While manufacturers of VPN software often release updates that patch these vulnerabilities rapidly, it takes time to apply these patches, and organizations are vulnerable to exploitation in the meantime.
Selecting an alternative secure remote access solution
VPNs are one of the most commonly used secure remote access solutions. However, they are far from the only solution available. While VPNs were designed and built for an organization with most of its assets and employees on-premises, other solutions have since been created and specifically designed to meet the needs of the modern enterprise.
One alternative to the VPN for secure remote access is Secure Access Service Edge (SASE). SASE is deployed as a network of cloud-based points of presence (PoPs). Each SASE PoP contains software-defined wide area network (SD-WAN) functionality – which optimally routes traffic between SASE PoPs – combined with an integrated security stack.
Compared to VPNs, SASE offers a number of benefits for enterprise secure remote access, including:
- Scalability: A major shortcoming of VPNs is that their design scales poorly, making it difficult for them to meet the needs of the modern enterprise. SASE, with its network-based design, provides a much more scalable WAN solution.
- Integrated Security: A VPN only provides encryption for traffic passing between two points, requiring a standalone security stack for traffic inspection. SASE integrates a security stack into each PoP, providing more than just traffic encryption.
- Optimized Routing: VPNs are a point-to-point solution, which can result in inefficient routing between points on the network. SASE PoPs can optimally route traffic between themselves, providing improved network performance.
- Managed Services: Many organizations deploy enterprise VPN appliances themselves, resulting in a solution that is difficult to manage and lags in security patches and other updates. SASE is commonly offered as a managed service, which provides rapid patching for vulnerabilities.
VPNs are ill-suited to the modern network and are prone to vulnerabilities that endanger corporate cybersecurity. SASE is a modern solution that is designed to meet the performance and security needs of today’s companies.