Is the VPN nearing the endangered species list?

It’s time to replace the traditional VPN and regain trust in your endpoints with a more secure and easier approach to remote access. VPNs have typically been the go-to solution for access to internal applications, with one-third of access requests to corporate networks coming from outside the firewall.

However, VPNs come with security drawbacks, including the increased risk of unauthorised remote access to sensitive data. Typically, they grant access at the network level, meaning every user with VPN rights can access the same applications that any other user can, which is a risky practice. 

With more requests for access coming from outside of the corporate network, the question is, can organisations really trust the users who are logging on? 

Perimeter-based security 

For years, organisations have centred their cybersecurity policies on the use of VPNs for perimeter-based security – something that has a hard and crunchy shell, yet a soft and chewy inside. Although penetrating the perimeter is difficult, it is not impossible, and once a device or user is inside, they are often given full trust. This is where the problem lies. 

VPNs typically provide a trusted user with full access to all applications on the corporate network, meaning the entire network is put at risk. This approach no longer adds up when it comes to gaining visibility and control over the devices and users accessing the network. 

Working remotely

A growing proportion of employees now work more flexibly and remotely, on their own laptops, tablets or mobiles, whether from home, in public spaces or whilst travelling. These fluid working practices, and the ability for teams to collaborate from wherever they are based, bring benefits in terms of productivity and staff morale.

However, as working remotely becomes more common, a common risk every organisation faces is the vulnerable endpoint – a challenge exacerbated by the rapid rise in the number of unmanaged devices accessing the corporate network. IT administrators often do not have access to, control of, or even visibility into which personal devices are accessing their network, and therefore cannot monitor software updates or security. One particular customer discovered 2,200 unmanaged devices were accessing on-premise and cloud applications, in addition to the 800 devices the company already knew of in its environment.

At the very least, endpoints should be up to date on the operating system and plugins they need to use. Many, however, are not. Users who do not upgrade software are a serious security headache for the enterprise.  

Instead of trying to control, or limit, various endpoints remotely accessing the corporate network, it makes more sense for IT administrators to adopt a solution which enables them to monitor and control which applications users actually need. 

The traditional deployment of the VPN simply allows access to all applications on the corporate network. This approach to remote access creates unnecessary security risks, because every user with VPN rights can generally access the same applications that any other user can.

An alternative to the traditional VPN

The best type of security solution is one that allows IT administrators to restrict, or only allow, user access to certain applications. This would implement tighter control of the corporate network, drastically reducing the number of endpoints with total access. This type of solution focuses on trusted access for both the user and their device, rather than allowing ‘blind’ access to the network for anyone with a VPN password or token – both of which can be abused easily by malicious users. 

With this new approach, users can securely access internal applications on the corporate network from any device, using any browser, from anywhere in the world, all without the need to install or configure remote access software on a device. Users would also no longer need to worry about managing VPN credentials or installing extra software – that they then have to remember to update – on their devices. 

A solution which goes beyond basic perimeter security, giving IT teams the ability to mark devices as trusted with a legitimate endpoint certificate, would allow administrators to determine which devices can access which applications. Only devices that are marked with this certificate will be able to access applications made accessible by IT administrators. These ‘hygiene’ tests, as well as authorisation and two-factor authentication, are carried out no matter where the device or user is.

Another benefit of using a solution that doesn’t rely on the use of the VPN is that it provides security teams with precise policies and controls. Administrators can define and enforce rules on who can access what applications, as well as under what conditions. It is possible to define access policies by user group and per application to increase security without compromising the end-user experience, or even by the user’s geographical location at that particular point in time. For example, if there are no employees located in South America, all access from that continent can be blocked. Specifying different policies per network application ensures only the right users and devices are granted access.
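
The per-application policy model described above, sketched as an added example (it is not from the original article or from any vendor's product). The application names, group names, continent codes and field names are hypothetical, and the sample requests are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    app: str
    device_cert_trusted: bool  # device carries the endpoint certificate
    os_up_to_date: bool        # endpoint 'hygiene' check
    second_factor_ok: bool     # two-factor authentication passed
    continent: str             # assumed to be resolved from the source IP upstream

# Constructed sample policies: one entry per internal application.
POLICIES = {
    "payroll": {"groups": {"finance"}, "blocked_continents": {"SA"}},
    "wiki": {"groups": {"finance", "engineering"}, "blocked_continents": {"SA"}},
}

def vpn_decision(req, has_vpn_credentials=True):
    """Network-level model: valid VPN credentials reach every application."""
    return has_vpn_credentials  # req.app and the device state are never consulted

def evaluate(req):
    """Per-application model: return (allowed, reason), denying by default."""
    policy = POLICIES.get(req.app)
    if policy is None:
        return False, "no policy for application"
    if req.continent in policy["blocked_continents"]:
        return False, "location blocked"
    if not req.second_factor_ok:
        return False, "two-factor authentication failed"
    if not (req.groups & policy["groups"]):
        return False, "user group not authorised for application"
    if not req.device_cert_trusted:
        return False, "device lacks trusted endpoint certificate"
    if not req.os_up_to_date:
        return False, "endpoint out of date"
    return True, "allowed"

if __name__ == "__main__":
    samples = [  # constructed requests
        Request("alice", frozenset({"finance"}), "payroll", True, True, True, "EU"),
        Request("bob", frozenset({"engineering"}), "payroll", True, True, True, "EU"),
        Request("carol", frozenset({"finance"}), "wiki", False, True, True, "EU"),
        Request("dave", frozenset({"finance"}), "payroll", True, True, True, "SA"),
    ]
    for r in samples:
        print(r.user, r.app, "vpn:", vpn_decision(r), "policy:", evaluate(r))
```

Every constructed request passes the network-level check, while the per-application check allows only the first.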

For organisations, moving away from the VPN not only brings tighter cyber security controls; by opting out of the traditional approach to VPN, they will also save on VPN-associated costs. Providing full network access to users who do not need it is not cost effective.

Granting remote access is essential for normal business operations; however, it comes with heightened security risks. The good news is that new solutions are enabling organisations to balance flexible working practices with security policies that reflect the way we work today.

Moving on from the VPN does not mean getting rid of the perimeter altogether, as it is still an essential part of effective security. However, it does mean tightening security on the inside so the perimeter isn’t the only thing keeping attackers at bay. Raising the level of security on the inside so it looks more like the outside provides better visibility and a tighter set of controls over what an organisation’s users and endpoints are accessing, regardless of where they are. 

Ruoting Sun, Product Marketing Manager, Duo Security