Remote working and the death of the VPN

[Image: person working at a desk. Image credit: Shutterstock / LStockStudio]

The year 2020 was branded unprecedented as we navigated unknown situations and moved to the "new normal". Of course, IT teams couldn’t have predicted a pandemic, global lockdowns and the total upending of our day-to-day lives along with them.

There was one prediction that certainly did come true in 2020, and that was our belief about the trajectory of the VPN. Even before the move to remote working, the technology had been showing its age for some time.

VPNs were built for the network-centric world, where apps resided solely in the data centre and a security perimeter around the “castle” was all you needed. Even in 2019, many organisations were moving toward a perimeter-less model, in which traditional network security based on the castle-and-moat approach is no longer relevant. We predicted that, within the next few years, VPNs would be redundant.

About the author

Nathan Howe is Director of Transformation Strategy at Zscaler

VPN redundancy accelerates

We may have been right about the VPN being on its last legs, but we were off with the timeframe. To understand how the status of VPNs has deteriorated, we need to look at the evolution of remote working over the past year.

In 2019, many businesses’ infrastructure investment was not in enabling remote working. The two primary goals were driving applications to the cloud, to achieve cost benefits and competitive advantage, and simplifying their IT in general. Most commonly, this took the form of investment in SD-WAN projects. That made sense at the time, but when lockdowns started hitting in March, business continuity plans were shown to be lacking, and the SD-WAN sites sat unused, gathering dust.

In March last year, businesses found themselves unable to handily support mass remote working, as there was a key shortage of network connections. More than one business I’m aware of was having employees VPN into the data centre to get internet access. This kind of solution was capable of handling 20%, maybe 30%, of the workforce, so scaling it to the full workforce was impossible. Reliable connections became a rare resource, and productivity suffered as a result.

As connectivity inevitably became the precious resource needed to ensure business continuity, pressure was put on IT teams to provide more reliable connections. In an ‘ends justify the means’ scenario, IT teams started bypassing security controls. They spun up cheap remote desktop and VPN solutions, allowing employees to use their personal devices to access the corporate network.

In the short term this meant a summer period of relative calm. Businesses’ connectivity stabilised, productivity rose, and board members breathed a tentative sigh of relief. However, the quick fixes and workarounds that had enabled this moment of respite left cracks in security that have, in recent months, become apparent.

VPN security issues come full circle

Back in mid-October 2020, the U.S. National Security Agency (NSA) released a list of the top 25 security vulnerabilities that Chinese hackers are exploiting to steal intellectual property, as well as economic, political, and military information. VPNs and remote desktop protocols (RDP) make up nearly half of those vulnerabilities. Since the middle of last year, we’ve seen significant cyber incidents aimed at large enterprises’ remote access, particularly in the form of ransomware.

Now, VPN vulnerabilities are nothing new. The NSA and its UK counterpart, the National Cyber Security Centre (NCSC), have been flagging vulnerabilities in VPNs for years. The difference now is that many businesses are relying on VPNs to ensure the continuity of their operations. The attack surface is larger, and the prizes for cybercriminals larger still.

We recently conducted research into how European businesses are enabling secure remote access. Thirty per cent of companies are using remote access VPN solutions to provide access to business applications in data centres or the cloud. One-third are using RDP. More modern approaches, such as zero trust and identity management, trail behind at 17% and 19% respectively.

This, to put it mildly, is risky. Whilst we do not know for sure how our year or so of working remotely will affect working practices in the future, it seems sensible that businesses should be putting in place the infrastructure to enable secure mass remote working, whether for reasons of business strategy or in case we face another epidemic or pandemic scenario.

As mentioned, infrastructure investments made in 2019 were often unsuited to the challenges businesses have faced over the last year of remote work. Business leaders couldn’t have anticipated the last 12 months, and now must avoid getting bogged down in sunk costs. It’s time to kill off the VPN, before its inadequacies cause serious harm to businesses.


Nathan Howe, Director of Transformation Strategy at Zscaler, has 20+ years of security experience across a multitude of organisations, including governments, enterprises and telco service providers.