Why VPN Is Dead

Thanks to the VPN for decades of providing secure remote access to networks. For a time, the VPN was the right technology to protect sensitive information and systems. But, the VPN has come to the end of its life as it was built to support access to hardened perimeters with most systems and applications residing in an organization’s data center. 

Now, enterprises have data stored and systems and applications running inside and outside the traditional perimeters in hybrid and multi-cloud environments. This drives the need to replace the VPN with solutions that are purpose-built to secure data in environments with porous perimeters, expanded attack surfaces, and highly sophisticated threats.

While the VPN had been showing weaknesses for a while, the COVID-19 pandemic brought these deficiencies into high relief. Users accessing enterprise resources were, and continue to be, distributed and remote using multiple devices, including BYOD.

To support the exploding numbers of remote workers, enterprises fell back on the tried-and-true VPN. The results made it clear that the VPN was not up to the task of protecting enterprises’ vastly increased and dynamic attack surface.

Primary Reasons that the VPN Met Its Waterloo

• Blunt approach to secure access
  The VPN lacks the nuanced access controls required to protect enterprises. It is a binary system. Once a user is authenticated, they are allowed to access the perimeter and are assumed to be trusted. This is a fundamental flaw that violates Zero Trust architecture policies  as it allows an attacker, who gains control of a user’s VPN connection, to access resources inside the perimeter. Even in segmented networks, an attacker could access the resources in a particular segment.
• Complex with maintenance overhead
  VPN gateways and client software must be supported and maintained, including regular updates and patches. This is increasingly complex as it includes split tunneling, WAN optimizers, and adjacent security appliances.
• Cumbersome user access
  Users typically have to log in to their device, then the VPN, and then the service they are using, because most enterprises do not integrate the VPN with single sign-on (SSO). In addition, VPN connections can be slowed down due to the physical distance from resources users try to access remotely.
• Network performance issues
  VPN appliances not only create bottlenecks by adding an extra leg to the path taken by packets, but also do not support services such as QoS and dynamic path selection.
  

VPN Security Risks

Although VPNs do provide an encrypted connection between two points, they are fraught with gaps that create a number of critical security risks, including the following.  

• Utilize castle-and-moat-style security, often without traffic inspection, cloud security, or access policies
• Lack of layered defenses or granular access controls enabling third parties and unauthorized users to have unfettered access once inside the perimeter
• Have limited capabilities to identify or stop an intrusion  
• Eliminate visibility and the ability to inspect cloud-bound traffic for potentially malicious content when users connect directly to cloud-based resources (due to VPN’s degradation of network and application performance)
• Do not protect against threats, such as malware or data exfiltration 
• Expose enterprises to attacks when VPN software goes unpatched (one of the top three vectors used by cybercriminals for ransomware attacks)  
• Are not able to enforce policies that protect credentials, allowing users to share credentials, reuse passwords, or use weak passwords
• Provide little or no granular audit records, making it impossible to monitor and record the actions of VPN users
  

Additional risks associated with VPNs include:

• VPN hijacking, where an unauthorized user takes over a VPN connection from a remote client 
• Weak user authentication
• Man-in-the-middle attacks, where an attacker intercepts data in transit
• Malware infection of a client system
• Split tunneling, where a user is accessing an insecure internet connection while also accessing the VPN connection to a private network
• Users granted excessive network access privileges
• DNS leak, where the system accessing a network uses its default DNS connection rather than the VPN’s secure DNS server 
  

Bury the VPN

It is time to say goodbye to the VPN, which is unable to meet the demands for remote access—neither from a performance and scalability nor a security perspective. VPNs were not designed to meet the security protocols required to defend against current use cases and threats. 

Simply put, the VPN has died, because it cannot provide the nuanced and granular access controls required. The ability to enforce the principle of least privilege as well as to identify and stop unusual user behavior is paramount to supporting the security strategies that enterprises must embrace.

Organizations are varied in their response to the death of the VPN. Some choose to gradually phase out VPNs as they reach the end of life. Others mothball them and adopt new technology that supports the new environments that enterprises have created.  

Regardless of how it is done, enterprises have no choice but to adopt security strategies and solutions that replace the VPN. What is required are processes and technology that reduce complexity and provide protection for a growing attack surface that is being targeted by ever-increasing sophisticated attacks by cybercriminals and malicious insiders.