VPNs are very useful for securing connections when employees log in from hotels, airports, and cafes, but that's not really happening much these days, is it?
The technology was designed for a time when the number of people requiring remote access was relatively few, the perimeter was still a thing, and cloud data centers and SaaS applications weren't ubiquitous.
"This technology has not really changed in almost two decades," Beau Oliver, VP at Booz Allen Hamilton, said in an interview with DCK. "VPN is a critical piece but not a full cybersecurity puzzle for remote workers and access."
VPNs have a scalability problem. When your entire workforce shifts to home offices, it can take time and money to get the appliances and bandwidth needed to support them. Alternative solutions, like SASE (secure access service edge), are based in the cloud and can scale up or down with the push of a button.
VPNs have a performance problem. By routing all traffic through the data center, companies wind up picking up the cost for bandwidth-intensive cloud applications, such as video conferencing. Cloud access security broker (CASB) systems, also part of the SASE stack, connect users directly to their cloud apps, with no impact on enterprise data centers.
And VPNs have a security problem. Once a user is authenticated, they have access to the entire network or network segment, and traditional VPNs won't notice that the user is also logged in from a different country or accessing systems they never normally access. Identity and access management systems and zero-trust architectures – also part of the SASE stack – restrict access at a granular level and protect against suspicious behaviors.
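The two checks that paragraph says a traditional VPN does not perform, sketched as an added example (not from the article or from any vendor's product). The event fields, session IDs, and per-user baseline are constructed for illustration and do not follow a real log format.

```python
from collections import defaultdict

# Constructed sample events: (timestamp, user, session_id, event, country, resource).
# "country" stands for the geolocation of the session's source IP (assumed to be
# resolved upstream); "resource" is the internal system being accessed.
EVENTS = [
    ("2020-11-02T09:00:00", "alice", "s1", "login",  "US", None),
    ("2020-11-02T09:05:00", "alice", "s1", "access", "US", "wiki"),
    ("2020-11-02T09:10:00", "bob",   "s2", "login",  "US", None),
    ("2020-11-02T09:20:00", "alice", "s3", "login",  "RO", None),
    ("2020-11-02T09:25:00", "alice", "s3", "access", "RO", "payroll-db"),
    ("2020-11-02T09:30:00", "bob",   "s2", "access", "US", "git"),
    ("2020-11-02T10:00:00", "bob",   "s2", "logout", "US", None),
    ("2020-11-02T10:05:00", "bob",   "s4", "login",  "DE", None),
]

# Constructed baseline: systems each user has accessed historically.
BASELINE = {"alice": {"wiki", "mail"}, "bob": {"git", "wiki"}}


def detect(events, baseline):
    """Flag logins that overlap a live session from another country, and
    access to systems outside the user's baseline."""
    open_sessions = defaultdict(dict)  # user -> {session_id: country}
    alerts = []
    for ts, user, sid, event, country, resource in sorted(events, key=lambda e: e[0]):
        sessions = open_sessions[user]
        if event == "login":
            # Countries of sessions still open for this user, other than this one.
            elsewhere = sorted(set(sessions.values()) - {country})
            if elsewhere:
                detail = f"{country} while active in {','.join(elsewhere)}"
                alerts.append((ts, user, "concurrent-countries", detail))
            sessions[sid] = country
        elif event == "logout":
            sessions.pop(sid, None)
        elif event == "access" and resource not in baseline.get(user, set()):
            alerts.append((ts, user, "unusual-resource", resource))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, BASELINE):
        print(alert)
```

Bob's second login is not flagged because his earlier session had already closed; this sketch only checks overlapping sessions, not travel time between consecutive ones.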
The US National Security Agency put out an alert this summer warning about VPNs’ security vulnerabilities: "VPN gateways tend to be directly accessible from the Internet and are prone to network scanning, brute force attacks, and zero-day vulnerabilities."
In April the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency issued an alert about a Pulse Secure VPN server vulnerability.
In October CISA and FBI put out an alert about attackers using VPN vulnerabilities, among other vectors, to attack government networks, critical infrastructure, and elections organizations.
Some enterprises have accelerated their digital transformation plans this year, which include implementing alternatives to the outdated VPN technology.
According to a recent report by Forrester, sponsored by Cloudflare, 46 percent of companies have experienced latency and slow connections to workforce applications as a result of VPNs, and 76 percent plan to accelerate their shift to a zero-trust security framework. In fact, 34 percent of global IT security teams already had zero-trust in place or were in the process of implementing it.
In a similar survey by security vendor Tanium, 22 percent said that VPN problems overwhelmed IT departments. Failing VPNs can make patching problematic and force IT teams to abandon the idea of routing employee traffic through corporate security controls. As a result, 38 percent said they plan to invest in zero-trust and reduce their reliance on VPNs.
VPN Tech Still Has a Lot of Life Left In It
The VPN might be long in the tooth, but enterprises aren't going to stop using them altogether any time soon.
The global VPN market was $508.8 million in 2019, up 1.7 percent from the year before, said IDC analyst Christopher Rodriguez. "It's a lot smaller than what people expect," he told DCK. And the growth has been slow, which is to be expected with normal customer expansion and replacement sales.
This year, though, the latest projections put the expected market size at $543.2 million, up 6.8 percent from last year. And next year will see double-digit growth, he predicted – up 10.8 percent, to $602 million.
"We don't have the VPN market dropping off tomorrow, or next year, or three years out, or five years out," he said.
Even though VPNs were designed for a different world, when a company is in a crisis, it tends to go with technology that’s most familiar. "We know how to deploy these things," Rodriguez said.
Plus, even though companies may be moving to newer technologies, there are also older systems to support. "The hard reality is that many organizations end up being very heterogeneous and relying upon many different types of applications, including many legacy applications that require legacy VPNs for access."
That's the most common reason Rodriguez hears for why companies still keep VPNs around. "And it is the reason why VPN and SD-Perimeter solutions will continue to co-exist for some time to come."
When something works, companies are reluctant to make changes.
And they may be right.
"Declaring VPNs dead would be premature, negligent, and simply not reflective of reality," said Jason Myers, principal at Booz Allen Hamilton. "VPNs are here to stay."
The problem isn't with the VPNs, he told DCK, but that too many organizations see them as a silver bullet.
"They assume they can simply have users install VPNs and their enterprise will stay safe from attackers," he said. But the VPN should not be used on its own. Organizations should also have endpoint security tools in place, for example.
Companies that throw out their VPNs wind up having to put their trust in unproven technologies and implementations, he said. For example, enterprises with zero-trust infrastructures are still seeing insider threats, remote management of compromised devices, and advanced zero-day injections. These new zero-trust networks "in reality lack proactive defenses, reliable AI and ML, and actionable auditing."
In a recent poll by 451 Research, now part of S&P Global, 83 percent of respondents said VPNs met their security requirements during this period of increased remote work.
"Bottom line, to me, most people are very satisfied with their VPNs," said S&P Global analyst Garrett Bekker. When the pandemic hit, the easiest way for many companies to respond was to add more VPN licenses or more appliances, he told DCK.
"But once they got past that initial phase, then let’s step back and think about this," he added. "What are we doing in terms of digital transformation, cloud migration, and does continuing to spend money on VPNs still make sense?"
This means that in the long term zero-trust approaches will be taking away more and more of the VPN business, he said.