I recently hopped on the Endpoint Enigma podcast to talk about virtual private networks (VPNs) and how they’ve been extended beyond their original use case of connecting remote laptops to your corporate network. Even in this new world where people are using personal devices and cloud apps, VPN continues to be the go-to solution for remote access and cloud access. After my conversation with Hank Schless, I was inspired to put some additional thoughts about VPN on paper.
When most organizations were forced to shift to remote work last year, they needed a quick-fix solution that would enable their remote employees to securely access work resources. For many, this solution came in the form of VPNs. However, VPNs were not designed for the bring your own device (BYOD) and cloud app use cases.
While VPNs are able to provide remote access, it may come as a surprise that they fall short when it comes to security. This is because VPNs were built for when only a small portion of your workforce wanted to work from home. They also place too much trust on the device and the user. But now, as work from anywhere continues, it is important to rethink how to provide access for your entire organization in a secure manner.
What are the challenges of a remote-first workforce?
When they first debuted twenty years ago, VPNs were the de-facto method for connecting remote workers to an organization’s data center when laptops became common. Back then, computers still used modems and services like iPass for connectivity. A VPN ran over top of services like iPass to create a “private network” and keep the transmission secure.
But since then, the technological landscape has changed dramatically. In several ways, they were built to solve yesterday’s problems.
Now, the widespread adoption of cloud applications means the way we store and access work data is completely different. On any given day, I’ll connect to an internal development system, access documents on Google Workspace, send Slack messages to coworkers and use Zoom to attend meetings. I can perform all of these equally easily on my smartphone and my laptop.
Many Lookout customers may have a similar experience that also includes accessing applications on AWS or Azure, such as SAP S/4HANA. As we work remotely, we’ve become accustomed to seamlessly accessing what we need wherever it is and to work from any device of our choosing.
Another significant challenge brought on by this new environment is that organizations do not have the required visibility into their complex IT environments. Unlike back in the day, where you’d only be using work-issued devices on company-managed networks, employees are accessing work resources using devices, networks and software that your IT team has no control over or may even be unaware of. This has significantly increased the attack surface of your organization.
Why are VPNs inadequate for the modern work environment
One of the biggest issues with VPNs is that they provide full network access to whoever and whatever is connected. And it’s not just the device connected, everything that’s on that device’s network is also given access. So whether it’s a piece of malware, or a compromised account, there’s nothing to stop them from moving laterally across your infrastructure and causing harm.
VPNs also have a bad track record when it comes to user experience. When direct access to the cloud is available everywhere, expecting your employees to first sign into a VPN to go to these cloud applications puts a road bump into their workflows. Think of it like forcing someone to travel from Boston to New York City via Los Angeles — inefficient. If you’ve ever experienced slow page loading times or snail-paced downloads while on a VPN, then it is likely due to your traffic being forced to take an inefficient route.
What’s the alternative?
To address these new problems and for the reasons discussed above, VPNs don’t cut it when it comes to giving your remote workers secure access to what they need. Secure access technologies like Zero Trust network access (ZTNA) or cloud access security broker (CASB) pick up where VPNs leave off.
These secure access service edge (SASE) technologies give granular access to only the applications and data that your workers need while continuously monitoring user and device behavior to dynamically adjust access based on risk. This means that the risk of lateral movement is dramatically reduced, the connectivity between the user and the app is efficient, and the security of the connection goes well beyond encrypting traffic between two points.
ZTNA provides seamless connection to your apps without putting your data at risk
After all these years of connecting your workers to your organization, they deserve their praise where it’s due. But the problems they were made to address back then are no longer relevant. Your organization is now facing the challenge of enabling your workers with the freedom and flexibility to work with applications in the cloud from anywhere while safeguarding your data. Moving away from technology like VPNs to next-generation alternatives like ZTNA is a good start.
If you’d like to learn more about why it’s time to move on from VPNs, I recommend checking out my chat with Hank Schless on Endpoint Enigma. I also wanted to point out that Zero Trust doesn’t just apply to on-premise software, you need to ensure that your entire organization, from endpoint to cloud has the ability to provide dynamic access.
Visit our ZTNA page to learn more about how you can replace your VPN. You should also take a look at the Lookout Secure Access Service Edge Solution to learn how you can safeguard your organization from endpoint to cloud.