07 April 2022
COVID exposes the shortcomings of over-reliance on VPNs
As work-from-home mandates scattered employees to the wind, the COVID-19 pandemic highlighted the dangers for businesses of over-relying on Virtual Private Networks to let staff work remotely and securely.
A distributed workforce significantly expands an organisation’s attack surface, especially when staff work from home on consumer-grade devices over consumer-grade connections that run through consumer-grade networking equipment, none of which the business manages or can inspect.
In this scenario, VPNs have long been the tool of choice to offer secure access to remote workers. A VPN creates an encrypted tunnel between the end user’s device and the head office, wherever they are in the world, to protect that traffic from prying eyes.
While it creates a secure connection, one downside of this approach is that, in the usual full-tunnel configuration, all of the end user’s internet traffic is routed through the VPN, including traffic destined for public cloud services that never needed to touch the office. Remote staff are essentially forced to digitally commute back into the office. This takes a significant toll on speed, latency and application performance, at a time when some employees may already be struggling with sub-par home broadband. Split tunnelling avoids the detour for internet-bound traffic, but that traffic then bypasses the office security stack entirely, so the organisation trades performance for visibility rather than getting both.
Reliance on VPNs during the pandemic also took its toll on businesses through the need for more capacity and licences to handle the larger number of simultaneous users. The concept of a VPN was never intended to support an entire workforce at once, says Kevin Bloch – former Cisco ANZ Chief Technology Officer and founder of corporate technology advisory firm Bloch Advisory.
A VPN is designed to let some external users tunnel back into the supposed safety of the office walls on an ad-hoc basis. Meanwhile, newer approaches like Secure Access Service Edge (SASE) converge Software-Defined WAN (SD-WAN) with Zero Trust Network Access (ZTNA). This approach extends security out to the edge for all users, Bloch told Orro’s recent ‘Seriously SASE’ virtual fireside event.
The result is a significant performance boost by allowing end devices to securely connect directly to some cloud services, rather than routing all their traffic back through head office, Bloch says.
“This concept of SASE was coined because you and your devices are now the edge of the network, ensuring security regardless of your physical location,” he says.
“Rather than remotely accessing the corporate network, you’re now going directly to the cloud, which offers benefits in terms of performance and security.”
Traditionally, most organisations built their security architecture on the assumption that the majority of users were accessing resources from within the office, while connected to the local network. Technologies designed to offer secure on-premises access and enforce security compliance, such as network segmentation, are often not designed to extend that same level of granular control to remote users connecting into the office via a VPN.
Relying on VPNs to grant staff remote access can mean there is no segmentation as they exit the VPN into the corporate network. Once a user has authenticated to the VPN concentrator, their client is placed on an internal subnet and can typically reach whatever that subnet can reach; the access decision is made once, at the network level, rather than per application and per request. The business therefore cannot apply different policies or limit access to segments of the corporate network according to the needs of the user, the health of their device and the sensitivity of what they are reaching, and a compromised VPN client inherits that same broad reach.
This is why SASE should be viewed as far more than simply a replacement for VPNs, says Cris Bailiff – CTO of managed security services provider eSecure.
“The key to SASE is the identity-based security aspect,” Bailiff says. “It’s that granular, dynamic security which is the real game changer compared to a VPN, especially combined with the improved performance that SD-WAN offers remote workforces.”
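To make the contrast concrete, the following is an added example (not code from the article, from Orro, or from any vendor product) that models the two decision models described above: the perimeter model, where the only check happens at tunnel setup and anything holding an internal address can reach any internal application, beside an identity-based, per-request policy of the kind Bailiff describes. All subnets, users, device-posture results and application names are hypothetical and constructed for illustration.

```python
"""Added example: network-level access (VPN) versus identity-based,
per-request access (ZTNA-style). Not code from the article or from any
vendor product; every subnet, user, device and application here is
constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset          # directory groups the user belongs to
    src_ip: str                # address the request arrives from
    device_compliant: bool     # result of a posture check (hypothetical)
    app: str                   # hypothetical internal application name


# Hypothetical addressing: VPN clients are handed an address from
# 172.16.100.0/24, which is routed straight onto the flat corporate LAN
# 10.0.0.0/8 with no segmentation in between.
VPN_POOL = ip_network("172.16.100.0/24")
CORP_LAN = ip_network("10.0.0.0/8")


def vpn_policy(req: Request) -> bool:
    """Perimeter model. The only real check happened when the tunnel was
    established; afterwards anything holding an internal address can reach
    any internal application. Identity, role and device state play no part
    in the per-request decision."""
    src = ip_address(req.src_ip)
    return src in VPN_POOL or src in CORP_LAN


# ZTNA-style rules: each application names the groups allowed to use it.
# Anything not listed is denied by default.
ZTNA_RULES = {
    "hr-db": {"hr"},
    "finance-erp": {"finance"},
    "wiki": {"staff"},
    "git": {"engineering"},
}


def ztna_policy(req: Request) -> bool:
    """Identity model. The decision is made for every request from who the
    user is and whether their device currently passes posture checks; the
    network they are on is irrelevant, so the same rule applies in the
    office, at home or in a cafe."""
    allowed_groups = ZTNA_RULES.get(req.app)
    if allowed_groups is None:
        return False                      # unknown application: default deny
    if not req.device_compliant:
        return False                      # posture is re-evaluated on every request
    return bool(allowed_groups & req.groups)


def evaluate(requests):
    """Map (user, app) -> (vpn_decision, ztna_decision) for side-by-side comparison."""
    return {(r.user, r.app): (vpn_policy(r), ztna_policy(r)) for r in requests}


# Constructed sample requests.
SAMPLE = [
    # HR user on the VPN with a healthy laptop: both models allow.
    Request("alice", frozenset({"staff", "hr"}), "172.16.100.7", True, "hr-db"),
    # Engineer on the VPN reaching the HR database: the network model allows,
    # the identity model denies because "engineering" is not an HR group.
    Request("bob", frozenset({"staff", "engineering"}), "172.16.100.21", True, "hr-db"),
    Request("bob", frozenset({"staff", "engineering"}), "172.16.100.21", True, "git"),
    # HR user whose laptop fails posture: the VPN still lets them through.
    Request("carol", frozenset({"staff", "hr"}), "172.16.100.3", False, "hr-db"),
    # Staff member reaching the wiki from a public address without any VPN:
    # the perimeter model has no answer, the identity model simply allows.
    Request("dave", frozenset({"staff"}), "203.0.113.10", True, "wiki"),
]

if __name__ == "__main__":
    for (user, app), (vpn, ztna) in evaluate(SAMPLE).items():
        print(f"{user:6} -> {app:12} vpn={str(vpn):5} ztna={ztna}")
```

The second and fourth sample requests are the gap described above: the VPN model cannot tell an engineer from an HR analyst, or a healthy laptop from a compromised one, once either holds an internal address. The last request shows the flip side, where an identity-based policy needs no tunnel at all to reach a decision.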
Reflecting these combined benefits, Gartner has predicted that by 2023, 60 per cent of enterprises will have phased out most of their remote-access VPNs in favour of ZTNA.
Today, most organisations want to provide staff with an “equitable application experience” which is high-quality, reliable and secure. The expectation is that this experience is delivered regardless of where the user is located or where the application resides, says Robert De Nicolo – Director of Cybersecurity at Cisco Systems, ANZ.
“If you’re trying to deliver this equitable experience, you need to consider the technology holistically,” De Nicolo says.
“That’s where the SASE approach is designed to far better meet the needs of both the business and end users than simply relying on VPNs.”