TL;DR Yes, and no.
If you read the headlines from many technology media and security professionals, you’d be forgiven for believing that the Virtual Private Network (VPN) is dead. The reality – particularly as many of us continue to work remote – is quite different.
Dating back more than 20 years to the first Peer-to-Peer Tunneling Protocol (PPTP) specifications, the legacy VPNs of that era were designed at a time when most people accessed corporate data from the office, with far fewer remote workers and an almost non-existent cloud-based SaaS infrastructure.
Fast forward to 2020 and we have a very mobile, very remote workforce with vastly different remote access needs. Add to that the emergence of zero trust technologies and it’s easy to assume that the VPN has outlived its usefulness. The truth, however, is that the VPN is not only very much alive, use of VPNs has exploded in 2020, and will continue to play a critical role in the security landscape for many years to come.
The Problem with VPNs
If VPNs are still relevant today, why have so many people been ringing their death knell prematurely? The argument goes that VPNs aren’t capable of protecting the attack surface of today’s networks. They are good at providing secure access to corporate data and applications when a network has a well-defined perimeter, but this kind of environment is less common, due to the popularity of cloud computing, software as a service (SaaS) and the current growth of remote work.
The traditional VPN relies on a set of credentials that allow authenticated users to access corporate data and applications from any location. That’s great in theory, but in practice if an attacker manages to get those credentials, they have almost unfettered (and often unnoticed) access to any corporate resources. The VPN model also falls flat when it comes to insider threats. According to the most recent Verizon Data Breach Investigations Report, more than 30 percent of data breaches are the result of employees, acting maliciously or accidentally. And consider this: 80 percent of data breaches can be attributed to compromised, weak or reused passwords.
Legacy vs. Modern
Legacy VPNs also aren’t context aware. To highlight this, if the credentials of an Atlanta-based employee (who normally doesn’t travel) are suddenly being used log into the corporate network at 1:30 a.m. Eastern Time, from Turkey, then this should naturally raise a red flag. Unfortunately, traditional VPNs can’t do this.
Also worth mentioning, traditional VPNs are costly, often requiring dedicated hardware that is time-consuming to deploy and not scalable when needs spike. As many newly-remote workers have recently discovered, old-school VPNs can negatively impact network performance by forcing all data down the ‘tunnel,’ even when that data (such as many SaaS apps) can safely be sent directly to the Internet. Simply put, being either ‘on’ or ‘off’ doesn’t cut it.
One important thing worth pointing out is that not all VPNs are created equal. There is a new breed of highly scalable and context-aware VPNs that are designed specifically for mobile workforce. These VPNs can complement or even incorporate elements of a zero-trust architecture, which in the VPN space is also often referred to as a “Software-Defined Perimeter” (SDP).
The zero-trust model only allows users and their devices to access services and data only if they can meet certain criteria. These take into account many factors, including the individual’s role and level of ‘clearance,’ the ID of the device, the type of application or data they’re attempting to access, the user’s location, time of day, the type of network (public Wi-Fi, cellular, etc.), and more. The key takeaway is that the threshold for accepting a user’s request can be managed to an extremely granular level, even if they’ve already provided valid username and password credentials.
Here’s an example. A properly authenticated member of the sales team would be granted access to Salesforce during normal business hours using a corporate-owned device in the city where they live. This wouldn’t be suspicious. But a person from engineering trying to access Salesforce in the middle of the night, perhaps from a different country, would certainly raise a red flag. Unlike traditional VPNs alone, the SDP solution recognizes legitimate users and can turn on a VPN tunnel on the fly.
VPNs will be around for years to come
This zero-trust framework is still a relatively new concept, governing the ways that security and access should work. Products based on SDP or Zero Trust Network Access (ZTNA) are still in their infancy, but they are starting to appear on the market. Like any new technology, it can be expensive and difficult to implement. In its 2019 Hype Cycle, Gartner put SDP/ZTNA just over the initial hype peak, meaning that it’s still up to five years away from providing real business value for early adopters.
Contrast that with VPNs technology, which is extremely mature and used by a majority of enterprises. Analyst firm Research and Markets estimates that VPNs will continue to see a CAGR of 15 percent until 2024. It’s also worth noting that companies wanting to move to a zero-trust framework will probably require several years of planning and evaluation, and possibly even longer for large, well-entrenched organizations that tend to be more cautious.
Is the VPN dead?
In summary, VPNs aren’t dead, but they are evolving. Traditional VPN solutions are likely to be phased out in favor of more flexible, scalable solutions. It will take many years for mature SDP products to replace them, and for large enterprises to fully embrace them. Users in the future will have the best of both worlds; protection on any device and any network, with an on-demand VPN connection that can be deployed back to the enterprise whenever it’s needed. The future looks bright for VPNs for many years to come.