Colette Kitthering at Netskope explains why traditional VPNs are increasingly misaligned with modern working practices, and what organisations should consider next

For years, the virtual private network (VPN) has been the go-to solution for secure remote access. Yet, as the digital landscape evolves, the very infrastructure that once offered protection is now proving to be a significant liability.
Legacy remote access VPNs are frequently becoming security risks themselves, attracting attackers and allowing unauthorised lateral movement within networks. More than half (56%) of organisations experienced at least one VPN-related security incident in the past year, with many experiencing multiple breaches, making VPNs a primary attack vector.
Against this backdrop, zero trust network access (ZTNA), a solution that grants access based on identity, context and application, rather than network location, is generally touted as the superior alternative for organisations looking to modernise their connectivity for a hybrid workforce. However, not all ZTNA solutions are created equal, and many fail to allow a complete VPN replacement.
That’s because replacing a VPN is rarely about swapping out one technology for another. It requires thinking through the different access scenarios an organisation needs to support, and ensuring these can be handled consistently without fragmenting the security stack. Here are five common use cases to keep in mind when assessing whether a modern access strategy can genuinely replace legacy VPNs, all without fragmenting your tech stack.
1. Support hybrid workers at scale
The rise of the hybrid work model has exposed the inadequacies of legacy VPN solutions. VPNs offer limited visibility into application activity, suffer from latency due to traffic backhauling, and grant broad network-level access, thereby expanding the attack surface through unrestricted lateral movement. Unpatched vulnerabilities in VPN concentrators can also act as major attack vectors.
To make sure your replacement remote access technology supports hybrid workers, look for a ZTNA solution that can grant identity- and context-aware, least-privileged access to private applications, because this will significantly reduce unauthorised lateral movement. Real-time visibility into detailed application traffic and user activity will ensure consistent policy enforcement regardless of the user’s location. This approach also allows pre-logon connectivity to be established securely, which eases the onboarding of new devices and enables remote password resets, while making sure only managed devices can access critical internal resources.
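As an added illustration (not Netskope code or any product's policy schema), the following constructed example contrasts the two access models described in this section and in use case 3 below: a legacy VPN grant that puts an authenticated user on the network, and a per-application ZTNA decision that checks identity group, device management state and posture for each application. The user, group, application and policy values are all constructed for the example.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset          # identity attributes asserted by the IdP
    device_managed: bool       # device enrolled in corporate management
    device_compliant: bool     # posture check passed (patched, encrypted, ...)
    app: str                   # the private application being requested

# Constructed per-application policy (hypothetical schema): which groups may
# reach each app, and whether a managed, compliant device is required.
APP_POLICY = {
    "crm":     {"groups": {"sales", "contractors"}, "managed_only": False},
    "payroll": {"groups": {"finance"},              "managed_only": True},
    "git":     {"groups": {"engineering"},          "managed_only": True},
}

def ztna_decide(req):
    """Per-application decision based on identity, device context and app."""
    rule = APP_POLICY.get(req.app)
    if rule is None:
        return "deny", "application not published"
    if not req.groups & rule["groups"]:
        return "deny", "identity not entitled to this application"
    if rule["managed_only"] and not (req.device_managed and req.device_compliant):
        return "deny", "managed, compliant device required"
    return "allow", "identity and device context satisfied"

def vpn_decide(req, vpn_users):
    """Legacy model: authenticating to the concentrator places the user on the
    network, so every application behind it becomes reachable."""
    if req.user in vpn_users:
        return "allow", "network-level access granted"
    return "deny", "not a VPN user"

def reachable_apps(req, decide):
    """Published apps this request could reach under a given decision function."""
    return sorted(app for app in APP_POLICY
                  if decide(replace(req, app=app))[0] == "allow")

# Constructed scenario: a contractor on a personal (unmanaged) laptop.
contractor = AccessRequest(user="c.jones", groups=frozenset({"contractors"}),
                           device_managed=False, device_compliant=False, app="crm")
VPN_USERS = {"c.jones"}

if __name__ == "__main__":
    print("VPN :", reachable_apps(contractor, lambda r: vpn_decide(r, VPN_USERS)))
    print("ZTNA:", reachable_apps(contractor, ztna_decide))
```

Under the VPN model the contractor can reach every application behind the concentrator; under the per-application model only the CRM they are entitled to, which is the lateral-movement reduction the section describes.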
2. Improve connectivity during cloud migration
Digital transformation has led to a tipping point where more workloads reside in public clouds than in private data centres, making efficient connectivity to infrastructure-as-a-service (IaaS) a top priority for both on-premises and remote users.
Traditional VPN infrastructures route user traffic through private data centres before connecting to IaaS clouds, often using private networking technology or direct tunnels, leading to poor user experience, increased infrastructure expenses and complex network routing. The opportunity to improve these experiences is recognised by IT teams, who rate “better application performance” as a key driver in more than half (51%) of ZTNA programs.
While ZTNA is often positioned as a solution to this problem, that doesn’t mean it can automatically improve routing efficiency. It’s worth examining how traffic flows are architected in practice and whether unnecessary “hairpinning” is being introduced. Those solutions that prioritise direct, optimised paths to applications – alongside strong security controls – are more likely to deliver the performance improvements that hybrid and cloud-first environments demand.
3. Facilitate unmanaged device access
Organisations frequently need to grant secure access to corporate resources for external contractors, service providers and partners. Contractors bring their own devices, and employees expect seamless access from their personal devices.
This presents the challenge of accommodating unmanaged device access without exposing resources directly to the public internet. Requiring specific client software just for this use case can be impractical, because users may be reluctant to install it on personal devices, and granting VPN access to unmanaged devices can lead to excessive access.
In these cases, organisations should look to ZTNA solutions delivered as part of a consolidated security service edge (SSE) or SASE architecture. Enterprise browsers provide invaluable remote access options for unmanaged devices, and when selected from within a larger platform, they can be introduced without duplicating operational effort around policy management.
4. Accommodate legacy applications
A crucial step in any technology upgrade is testing for compatibility. When deploying ZTNA, organisations often discover that some legacy applications are incompatible with most current ZTNA solutions. For example, some legacy applications rely on connectivity models, such as server-initiated traffic, that aren’t easily supported by modern ZTNA solution architectures, which typically assume endpoint-initiated traffic. These proprietary legacy systems also tend to demand significant time, resources, and careful planning for redesign and modernisation.
Therefore, before committing to a VPN replacement strategy, it’s important to understand how both legacy and modern applications will be accessed. Of course, the key here is to acknowledge that major changes to legacy applications may not be happening any time soon, but the secure access needs cannot wait.
So, embrace the need to extend the longevity of usable legacy applications without compromising security or access. Fast, reliable application access (regardless of where the applications are hosted) should be a core principle of any ZTNA strategy.
5. Support M&A integration
Mergers and acquisitions are fast-paced, high-stakes events that present unique challenges for IT, networking and security teams. The success of an M&A is often determined by how quickly the integration of the two merging networks can be completed.
Traditional methods are costly, time-consuming, and complex, often leading to IP conflicts and requiring address renumbering. In fact, 91% of organisations find third-party access and M&A integration very challenging using VPNs.
Here, ZTNA comes into its own, enabling organisations to quickly capture business value by connecting employees, contractors, and advisors to essential resources from day one. It eliminates the need for VPN setup and network merging, allowing for immediate and secure integration. Access is granted based on adaptive trust criteria, considering user identity, device security, and other contextual factors, which reduces the risk of lateral movement and exposure of sensitive information through selective access to applications and data.
Looking beyond partial VPN replacement
While legacy remote access VPNs were once cutting-edge, they now pose significant security vulnerabilities and degrade network performance and user experience. Many ZTNA solutions today offer only partial VPN replacement, leading to a complex mix of infrastructure that can be more complicated than the original setup.
When assessing modern alternatives, organisations may benefit from focusing less on individual products and more on whether their combined access requirements can be met in a coherent way. By recognising challenging scenarios early, like the use cases above, it becomes easier to design an access strategy that genuinely moves beyond the VPN, rather than simply adding another layer alongside it.
Colette Kitthering is Vice President for the UK and Ireland at Netskope
© 2025, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543