Digital Business

VPNs: Not dead yet, but they’re getting there

Aug 09, 2023
Zscaler 2023 VPN Risk Report

VPNs continue to be a deeply problematic element in today’s enterprise security architectures. That’s the most salient finding from Zscaler’s 2023 VPN Report, created in conjunction with Cybersecurity Insiders and published earlier this month.

To some degree, the report describes fallout from the COVID era. Post-pandemic, remote work remains very attractive to employees but many employers still rely on hastily-implemented arrangements for providing “safe” remote access. They have yet to make the jump to a modern security architecture designed to mitigate security threats and improve the user experience for their remote workforces.

Too often, organizations continue to lean on VPNs as an enabling technology even though they are increasingly vulnerable to, and targeted by, malicious actors including organized criminal and state-sponsored groups.

Survey respondents report that attackers are making use of five major groups of attacks: phishing, ransomware, malware infections, zero-day exploits, and distributed denial of service attacks (DDoS). While it’s easiest for bad actors to obtain authentication credentials, or fool users into transmitting or revealing sensitive information, more damaging attacks like ransomware are increasingly prevalent.

Nearly half of survey respondents (45%) report VPN-centric attacks occurring in the last calendar year. In fact, 12% of respondents report having been targeted more than five times, which is to say roughly every other month.

While most organizations are aware of the need to evolve beyond VPNs as an access mechanism, not as many have succeeded. A stunning 88% report still being concerned that VPNs jeopardize their ability to maintain a secure environment. Even more (90%) worry about being attacked via third-party-owned VPNs through the supply chain. 

Complicating this already-dark scenario is the fact that many security providers obscure the reality that their services are VPNs. Sometimes they shift back-end VPN tech to the cloud and rename or rebrand it so customers do not realize they are using problematic technology. So even when trying to transition away from VPNs, unwitting organizations can wind up with another VPN operating under a new name.

Yesterday’s security can’t do the job today or tomorrow

Why are VPNs so problematic? In a nutshell, they expand the attack surface of the organizations that use them.

VPNs simply function as tools for granting access to (usually corporate) networks. They provide no network segmentation/microtunneling, which can be used to limit users only to the specific applications required to perform job duties. Instead, by enabling the connection, VPNs grant access to the entire network and all its resources.

VPNs perform no real-time traffic analysis, and hence cannot help security managers determine what kind of information is flowing out of the organization, how mission-critical that information is, and whether it even corresponds to a user’s job role. Once authentication is complete, VPNs are context-blind and unable to recognize a breach, let alone shut it down and mitigate its impact.

There are additional issues with VPNs beyond a company’s own users and networks. For instance, there’s the awkward question of possible breaches stemming from third parties like contractors or business partners who use VPNs to access company apps and data the same way your users do. 

It’s one thing to try to lock down your infrastructure and secure your users, but what about these external players, whose infrastructure, policies, and technology you can’t possibly control? If their security is suboptimal, attackers may compromise these third parties and use them as a staging platform to cross-contaminate your network.

According to the 2023 VPN Risk Report, this scenario is a major concern for a remarkable 90% of survey respondents. Those who continue to rely on VPNs as an essential platform for remote access have little choice but to continue provisioning VPN credentials to such third parties, cross their fingers, and hope for the best.

Virtual pain in the neck

Then we come to the sheer inconvenience of VPNs which, after more than twenty years of evolution and global deployment, still often don’t deliver what anyone could call a satisfying user experience.

Survey respondents suggest that a third of employers report a “poor” user experience from company VPN access. Usually, this is because VPNs are too slow to meet user needs, too unreliable (leading to random disconnections), or they don’t work at all. In such cases, users cannot log in or, if they can, they still can’t access what they need because integration between the VPN and company infrastructure is inadequate or unpredictable. So even if the stars line up, and a solid VPN connection is made, it’s still not enough to get the job done.

How is this situation likely to develop going forward? Well, if we imagine users will continue to demand remote work as an option, and employers will continue to offer it to stay competitive, it’s easy to see all these problems are likely to get worse going forward — much, much worse – unless something changes, and soon.

Why zero is the most important number in cybersecurity history

Fortunately, the silver lining to this dark tale is obvious, including to survey respondents. In one of the most emphatic findings of the entire report, 92% of respondents recognize the need to adopt a zero trust approach to safeguard assets and data.

That’s up 12% from the 2022 report, and more than two in three respondents (69%) are already in the planning stages of making the transition away from VPNs.

The reasons for this rapid shift are evident:

  • Zero trust never assumes a network is secure; it assumes all transactions, of all types, must be strictly authenticated and validated using best-in-class methodologies.
  • Zero trust connects users only to the apps and data they need – never to an entire network or subnetwork.
  • Zero trust also secures machine-to-machine and app-to-app transactions the same way, dramatically reducing the odds of lateral movement or exploration in the unlikely event a host or service is compromised.
  • Zero trust provides real-time traffic analysis capable of recognizing sensitive information and information which is inappropriate for a given user’s job role – even if the information is encrypted.
  • Zero trust also hides the existence (including the IP addresses) of company services and resources from the public internet, reducing the potential attack surface visible to malicious actors to zero.

Let’s hope that the executive summary of the 2024 VPN Risk Report says there will be no reports in future years because VPNs are no longer in widespread use, and zero trust principles have been adopted almost universally.

It may be a feeble hope, but I’m encouraged by the fact that 92% of respondents do know zero trust is the way to go. I want to believe.

What to read next 

2023 VPN Risk Report by Cybersecurity Insiders

An attacker’s view of a work-from-anywhere world