The pandemic greatly accelerated interest in the adoption of zero trust solutions among enterprise IT and security pros in search of ways to reduce the cybersecurity risks and network instability inherent to remote work while also optimizing the end-user experience. Simultaneously, over the past year, software-defined perimeter (SDP) technology and the secure access service edge (SASE) framework have evolved from niche considerations into mainstream options to mitigate rapidly evolving security and network challenges.
But while interest in both SDP and SASE was justifiably high during the initial months of Covid-19, actual adoption has lagged for a variety of reasons. In fact, research conducted by NetMotion in recent months found that less than half of enterprises have actually implemented SDP for their workforce and only 12% have fully deployed a SASE architecture.
Instead, NetMotion’s research consistently found that enterprises mostly doubled and tripled down on VPN deployment in 2020, even as a growing chorus of security and networking vendors, select analysts and some in the media loudly proclaimed over the past few years that the VPN is dead. Provocative and attention-grabbing, yes, but based in reality, not so much. In actuality, NetMotion fulfilled thousands of requests for new enterprise VPN licenses in just the first few months of quarantine, culminating in a year of record growth.
The VPN isn’t dead – but it’s moving to the cloud
In Q1 2021, NetMotion conducted an exhaustive study by surveying 750 leaders working in IT, security and networking, and polled leaders across five geographical markets and eight sectors to gain better insight into pandemic-driven trends. While the research into VPN usage revealed consistent results throughout 2020 and into 2021, it did uncover that for the first time a majority of organizations (54%) shifted their VPN from an on-premise environment into the cloud to produce greater secure remote access capabilities. This includes VPN products hosted as SaaS offerings or those managed in the private cloud (IaaS), such as Microsoft Azure or AWS.
Recent research also found that:
- Government and public safety bodies are more apprehensive about adopting cloud-hosted VPN products, with only 29% of public sector organizations making use of a cloud VPN. By contrast, companies in the healthcare (72%), manufacturing (68%) and legal (56%) sectors were the most likely to utilize a cloud VPN.
- Though full-scale SASE adoption is still on the horizon for most organizations, implementation of cloud-first solutions is partly being driven by SASE initiatives. Almost three quarters (74%) of organizations have started to embrace the SASE framework in managing network security in the cloud and at the edge, with only 26% having no plans at present.
- A small majority of organizations (50.2%) have migrated at least half of their core applications to the cloud.
- A significant share of manufacturing and law firms (56%) are over the halfway mark in their migration to cloud applications, while public safety agencies (36%) have been much slower to make the shift.
Continued cloud growth
While cloud-based VPNs now represent the majority of total enterprise VPN usage, it isn’t surprising that 46% of organizations still manage on-premise VPN hardware. Data show that IT teams are genuinely migrating to the cloud, but it is often not as cut and dried as cloud vendors would have us believe.
Indeed, about half of all enterprises still have valid reasons to operate their secure access solutions from a central location, either on premise or in a hybrid environment. That’s because, as our research from 2020 showed, 98% of organizations still maintain at least one mission-critical application on premise, so for many companies this slow march to the cloud will continue to take years – rather than months – to complete. Many, in fact, may never realize a fully cloudified infrastructure, as part of a strategic choice. There are benefits and drawbacks to both, and it is a free market after all.
The opportunity cost of cloud VPNs
As more applications and workloads move to the cloud, whether via IaaS or SaaS, the logic of maintaining bandwidth and redundancies simply to route traffic back through the corporate backbone starts to make less sense – it’s inefficient if the traffic is ultimately directed to a cloud service such as Salesforce or Microsoft 365 anyway. Because cloud VPNs and secure access solutions in general are effectively hosted in ‘rented’ data centers, they also allow for infinite scalability, meaning organizations can swiftly adjust capacity without requiring any new capital investment to replace obsolete hardware. Adopting a cloud option also results in reduced maintenance needs for IT staff, and no requirement to continually update or patch machines. Clearly, there are benefits for both the end user and the administrator.
In contrast, some companies may already have made sophisticated, modern or recent investments in their own corporate data centers, and are not in a position to retire that infrastructure. It also comes down to company philosophy and often the vertical – many IT leaders prefer the increased ownership and control of managing an on-premise VPN without relying upon a third party for delivery. In sectors like government, public safety, finance and other highly regulated industries, there may also be compliance-related reasons for entities to select on-premise deployments instead.
The cloud VPN as a stepping-stone to zero trust network access
NetMotion’s research indicates that the VPN is unlikely to be replaced altogether. Analysts and industry experts align with this, as well. Zero trust network access (ZTNA) solutions are being implemented alongside VPNs to build out a robust secure access strategy, allowing the right solutions to be used in the right moments. According to Gartner’s most recent Market Guide for Zero Trust Network Access, “although VPN replacement is a common driver for its [zero trust] adoption, ZTNA’s rarely replace VPN completely.”
In truth, secure access is becoming more sophisticated, with IT leaders turning to VPN, CASB, secure web gateways (SWG) and ZTNA to intelligently manage access to different kinds of resources as they adjust to an increasingly cloud-centric and distributed workforce. This is just one reason why a company’s journey to SASE and other zero trust principles could take two years or more.