Death Knell for the VPN?

Industry analysts, pundits and IT pros are sounding a death knell for virtual private networks (VPNs) in the enterprise -- or at least an obsolete knell.

Although VPN use surged early on during the COVID-19 pandemic in a remote-work explosion, VPNs were soon found to be lacking in the security department. As we reported in August 2020, a VMware Carbon Black Global Incident Response Threat Report found VPNs to be a weak spot: "With COVID-19 comes a surge in cyberattacks. Security teams are struggling to keep up. 53 percent of IR professionals we surveyed encountered or observed an increase in cyberattacks exploiting COVID-19. They pointed to remote access inefficiencies (52 percent), VPN vulnerabilities (45 percent) and staff shortages (36 percent) as the most daunting endpoint security challenges in this regard."

"I think that the conversation around VPN obsolescence points to the idea that things will become increasingly decentralized and we need something that can handle that decentralization better than a VPN can."

Brien Posey, Freelance Author, 20x Microsoft MVP, Commercial Astronaut Candidate

Virtualization & Cloud Review writer Paul Schnackenburg noted the remote work upsurge and potential security concerns in an article earlier that year, "Securing Remote Work Setups in the Age of COVID-19."

"Many businesses still use VPN technology for Work from Home (WFH) scenarios, particularly where a lot of company data still exists on-premises," he said. "But these VPN systems may have had to be scaled up from a small subset of staff that access them regularly to a much larger group of people. Make sure you pay particular attention to logging and reviewing this access as this could be a vector for attack."

Q&A with Paul Schnackenburg

Are VPNs really in decline?
Short answer, yes (see comments in main article).
Is the decline primarily due to Zero Trust or other things?
ZT comes afterwards -- once businesses realize that P2S VPNs aren't the answer they have to deal with how to provide access to (SaaS and On-prem) applications securely over the internet. Two technologies (in the MS sphere) that are big here are Azure AD Conditional Access and Defender for Cloud Apps (formerly Cloud App Security). The latter is a CASB and lets you put policies and control and monitoring around access to SaaS apps (catalogue at the moment is 27K+ services).
Have you noticed any concrete examples of this trend?
One of my clients had VPN access for staff (it's a small school), we disabled that about 3 years ago. No one has remote access to on-prem (except for me and I don't use VPN) but they all get by through storing their files in OneDrive for Business, and of course they have access to Teams and email from anywhere (Office 365).
What does the trend indicate for organizations in the new year? How will things be different for IT pros?
I think the big challenge will be Zero Trust. It's starting to come of age and crystalizing into what it actually means (rather than every single security vendor slapping the label onto their product. It's a different way of doing access and security and it'll take time and effort to change both the IT Pros themselves, as well as the end users.
What are pros/cons of a VPN approach vs. others?
For end users VPNs tend to be a big hassle. You have to do an extra step to connect (although there are versions that connect automatically, without end user action) -- if your WiFi or internet drops you have to reconnect. Whereas with SaaS services the experience tend to be much smoother, not to mention you get the fastest connection possible (bandwidth/latency) from wherever you are, compared to VPN which adds another encryption step, then sends the traffic back to on-prem for an overall slower experience. Worst case scenario: the VPN forces all traffic back to on-prem, then through the corp firewall, so it can be inspected for badness, then out to the internet, then the answer comes back, through the corp firewall again, encrypted again at the VPN router and then back to me in my home office. TERRIBLE end user experience -- try to do a Teams video call over that link.

VPN security vulnerabilities were further called out in a Teradaci study in November 2020, as detailed in the article, "Cybersecurity Study Sees Zero Trust Replacing VPNs."

"The pandemic has caused a fundamental shift in how people work, and the 'office' will never be the same," said exec Ziad Lammam at the time. "As a result of the enormous security concerns associated with unmanaged devices, as well as BYOD, organizations are changing how they think about securing their corporate assets. Expect to see companies move away from traditional VPNs to Zero Trust architectures to shore up their endpoints and protect their data."

Zero Trust Architecture
[Click on image for larger view.] Zero Trust Architecture (source: NIST).

However, while many other studies and blog posts have echoed similar thoughts lately, the demise of the VPN approach in favor of Zero Trust was heralded way back in 2019 by analyst firm Gartner, which predicted (pre-pandemic): "By 2023, 60 percent of enterprises will phase out most of their remote access virtual private networks (VPNs) in favor of ZTNA [Zero Trust Network Access]." With pandemic concerns kicking in since then, that estimate might have increased.

Certainly analysts, experts and pundits have since then picked up the pace on their VPN warnings, as evidenced by just a few examples:

  • Why VPNs Will Be Obsolete in 2021 -- Decmber 2020: "Virtual private networks (VPNs) are becoming more obsolete, largely due to web applications being internet accessible and as powerful as their thick client predecessors that required VPNs. Plus, they are already encrypted with strong and robust cryptographic protocols like TLS."
  • Is the VPN obsolete? -- October 2021: "Traditional remote access VPN is increasingly out of step with the distributed world of the cloud."
  • The VPN Is Obsolete. Here's What to Do Instead. -- July 2020: "Businesses that transition to a zero-trust security architecture find they have little use for their old virtual private networks."

To get expert opinions on all of this from IT pros on the front lines, I asked Virtualization & Cloud Review writers about their thoughts.

One of those writers is Brien Posey, a 20-time Microsoft MVP, former CIO, author and presenter, who said he had also heard about the purported demise of VPNs and wondered if it was true. "Even if user VPNs were to go away though, I suspect that point-to-point VPNs may remain in place for some time to come simply because they provide a secure, private tunnel between networks," he said.

"This can be really helpful when you have services running in different clouds and using something like TLS isn't an option. In any case, I think that the conversation around VPN obsolescence points to the idea that things will become increasingly decentralized and we need something that can handle that decentralization better than a VPN can."

Another writer, the aforementioned Paul Schnackenburg, also differentiated between different types of VPN connections: site-to-site and point-to-site. He has been working in IT for nearly 30 years and has been teaching for over 20 years, also running Expert IT Solutions, an IT consultancy in Australia.

He said site-to-site (or permanent) VPNs are still heavily used to connect sites over the internet from router to router. However, point-to-site (P2S) VPNs, which are client-to-corporate network connections, "are definitely in decline."

Schnackenburg shared his thoughts on that: "Main reason -- 10-15 years ago everything you needed was on-premises. SharePoint, Exchange servers, file shares and all LOB applications were all on-prem -- only way to get to them was to VPN back into the office network" he said. "Today, most of those applications are SaaS and you connect to them over the internet. Additional reason is capacity -- at the beginning of Covid lock-downs two years ago, many businesses sent staff home only to find that they were all connecting over links/systems only designed for ~10% of staff (traveling salespeople, executives etc.) and as a result, no one could work until capacity was added. Another reason is security -- when you do a client-to-corp office VPN, you have established a connection from network to network so malware/attackers on the home network can connect into the full corporate network (subject to network segmentation). Final reason is that many VPN devices have [poor] security (yes, major brands like Cisco and others) and are routinely exploited by attackers -- again if you can breach a VPN device you're 'on the network' and have full access to continue to move laterally."

See the Q&A sidebar with Schnackenburg for his other thoughts on the matter.

With Zero Trust often mentioned as the optimal replacement for VPNs more information on that is available in the on-demand webcast Moving the Endpoint from VPN to Zero Trust, which discusses:

  • Why Zero Trust demands more than a VPN when enabling the remote workforce
  • Where the VPN falls down as a security measure
  • How modern Cloud-based desktops transform the traditional endpoint into a productive workspace that meets Zero Trust needs

A simple internet search shows a ton more guidance is available on the same subject, from a variety of sources.

About the Author

David Ramel is an editor and writer for Converge360.


Subscribe on YouTube