Why it’s Time to Ditch VPNs and Move to Zero Trust Network Access Solution

By Shannon Enix, Product Marketing Manager, Rackspace Technology


Securing an enterprise has become more complex as businesses shift to modern architectures, cloud-based applications, remote workforces and IoT. Threat actors are now targeting the large number of employees who work remotely, and the resources and data they use, through increased phishing activity and attempts to intercept sensitive information as it is transmitted outside the company network.

Once upon a time, a Virtual Private Network (VPN) offered a simple way to connect remote users to the corporate network for brief periods. As workforces became more distributed, remote sessions grew longer, access to specific resources became harder to scope correctly, and the resources themselves moved outside the organization's own network boundary. The flaws in the VPN approach then became evident: sluggish performance, increased security risk and scalability problems.

As remote access needs continue to grow in both size and complexity, organizations are increasingly shifting away from traditional VPN implementations and toward more secure remote access solutions. Zero Trust network access, or ZTNA, creates secure boundaries around specific applications, private IPs and hostnames, replacing default-allow-all VPN connections with default-deny policies that grant access based on identity, role, and context.

In 2020, ZTNA served roughly 5% of all remote access usage. Because of the limitations of traditional VPN access and the need for more precise access and session control, that figure is expected to reach 40% by 2024.


The Challenges of Legacy VPNs

For decades, VPNs have tunneled remote users into corporate networks with some measure of privacy and security. Instead of sending sensitive traffic over the public Internet in the clear, where an attacker could snoop on or steal data, a VPN lets users reach internal resources over an encrypted connection.

“Legacy VPNs are not designed for roaming users or mobile devices, which makes the new way of working more troublesome for many remote workers,” said John Moran, Security Solutions Architect at Rackspace Technology®. “They’re also not built to support a high number of concurrent users, which makes scaling to meet high demands next to impossible.”

While VPNs provide confidentiality for traffic in transit, they were not designed with fine-grained access control or large-scale concurrency in mind. Traditionally, organizations used VPNs to connect a few remote users to the corporate network for short periods. As remote work becomes the norm, the problems multiply:

  • Users experience sluggish performance. If the VPN infrastructure lacks the capacity for the throughput and concurrent connections the workforce generates, users see their connections slow down. And when the VPN concentrator sits a long way from both the user and the application server, the extra round trip adds latency to every request.
  • Corporate networks are left vulnerable to attack. VPNs typically follow a castle-and-moat model: once a user connects, they have network-level reachability to all corporate resources. Because access is granted per network rather than per application, organizations must bolt on costly, complex controls such as next-generation firewalls and network access control, or else remain exposed to lateral movement that turns a single compromised account or device into a larger data breach.


Replacing Legacy VPN with Zero Trust Network Access

Zero Trust security addresses many of the challenges inherent to VPNs. It is based on the principle that no user or device, inside or outside the network, is trusted by default. To reduce the risk and impact of data breaches, insider attacks and other threats, a Zero Trust Network Access approach:

  • Authenticates and logs every login and request, whether allowed or denied
  • Requires strict verification of every user and device, including re-authentication before access to more sensitive, business-critical data
  • Limits what each user and device can reach based on identity, role and context (for example, device posture and location)
  • Encrypts traffic end to end so that applications and data stay isolated within the distributed network
  • Inspects web traffic for known malware
  • Isolates web browsing in a remote browser that runs off the user's device, so that a malicious page cannot infect the endpoint
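The list above, together with the default-deny policy described earlier, amounts to a small policy engine: every request is matched against a per-application rule that checks identity, role and context, and the decision is logged either way. The following Python is an added example written for this page; it is not code from Rackspace or Cloudflare, and the application names, groups, country codes and policy values are hypothetical. It also includes a one-line model of the castle-and-moat VPN, so the same requests can be compared under both models.

```python
"""Added example: a minimal default-deny access policy engine in the style of
ZTNA. All applications, groups and policy values below are hypothetical; this
is not Cloudflare's or Rackspace's code."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset        # group membership asserted by the identity provider
    device_managed: bool     # posture signal from the endpoint protection platform
    mfa_age_s: int           # seconds since the user last completed MFA
    app: str                 # application, private IP or hostname being requested
    country: str             # geolocation of the request


@dataclass(frozen=True)
class Policy:
    app: str
    groups: frozenset                          # roles allowed to reach this app
    require_managed_device: bool = False
    max_mfa_age_s: int = 8 * 3600              # force re-authentication after this age
    allowed_countries: Optional[frozenset] = None  # None means any country


# Hypothetical per-application policies. Anything not listed here is denied.
POLICIES = {
    "wiki.internal": Policy("wiki.internal", frozenset({"staff"})),
    "payroll.internal": Policy("payroll.internal", frozenset({"finance"}),
                               require_managed_device=True,
                               max_mfa_age_s=15 * 60,      # step-up: fresh MFA only
                               allowed_countries=frozenset({"US"})),
    "10.0.5.20:22": Policy("10.0.5.20:22", frozenset({"sre"}),
                           require_managed_device=True),
}

AUDIT_LOG = []  # every decision, allowed or denied, is recorded here


def evaluate(req: Request, policies=POLICIES):
    """Return (allowed, reason). The default is deny: a request must satisfy
    every condition of the policy for the specific app it asks for."""
    pol = policies.get(req.app)
    if pol is None:
        verdict = (False, "no policy for application")
    elif not (req.groups & pol.groups):
        verdict = (False, "user not in an authorised group")
    elif pol.require_managed_device and not req.device_managed:
        verdict = (False, "unmanaged device")
    elif req.mfa_age_s > pol.max_mfa_age_s:
        verdict = (False, "re-authentication required")
    elif pol.allowed_countries is not None and req.country not in pol.allowed_countries:
        verdict = (False, "request from disallowed location")
    else:
        verdict = (True, "all conditions satisfied")
    AUDIT_LOG.append({"user": req.user, "app": req.app,
                      "allowed": verdict[0], "reason": verdict[1]})
    return verdict


def legacy_vpn_allow(req: Request) -> bool:
    """Castle-and-moat model for comparison: once a user has authenticated to
    the VPN, every internal address is reachable, regardless of role or posture."""
    return req.user != ""


if __name__ == "__main__":
    # Constructed sample: one staff user on a managed device with fresh MFA,
    # asking for three different internal resources.
    for app in ("wiki.internal", "payroll.internal", "10.0.5.20:22"):
        r = Request("alice", frozenset({"staff"}), True, 60, app, "US")
        print(f"{app:18} vpn={legacy_vpn_allow(r)!s:5} ztna={evaluate(r)}")
    for entry in AUDIT_LOG:
        print(entry)
```

Running it shows the difference the article is describing: the VPN model answers True for all three resources, while the policy engine allows only the wiki and records a reason for each denial. Tightening `max_mfa_age_s` on a single policy, as done for `payroll.internal`, is the "re-authentication for more sensitive data" point from the list.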

Securing and scaling remote access should be a seamless process, one that does not layer on clunky security products, create performance tradeoffs or incur unnecessary cost. Rackspace Technology and Cloudflare® together empower teams to handle all remote access use cases, with the following benefits:

  • Easy, no-risk onboarding for users and administrators. Cloudflare easily integrates with existing identity providers and endpoint protection platforms to enforce Zero Trust policies that limit access to corporate applications and resources.
  • Flexibility for client-based and clientless ZTNA deployments. Cloudflare provides clientless support for connections to web, SSH, VNC, (and soon, RDP) applications, and client-based support for non-HTTP applications and private routing to internal IPs (and soon, hostnames).

As your business decides where employees will work in the future, your security controls must meet them where they are. Implementing a new security strategy or solution can add stress to an already overloaded team, which is why we provide onboarding assistance, configuration and 24x7x365 expert security support.

For a more robust comparison of the three remote access approaches download the white paper: Can Zero Trust Network Access (ZTNA) replace your VPN?
