9 VPN alternatives for securing remote network access

Once the staple for securing remote employees, VPNs were designed to give a small percentage of a workforce secure access to corporate data and systems while the majority worked within traditional office confines. The move to mass remote working brought about by COVID-19 in early 2020 changed things dramatically. Since then, large numbers of employees regularly work from home, with many going to the office sporadically (if at all).

VPNs are insufficient for that remote and hybrid landscape, and an overreliance on them to secure large numbers of employees working from home poses significant risks. Using VPNs at such a large scale has created a security nightmare for IT teams, widening the surface area for potential attacks, according to Matthew Gracey-McMinn, head of threat research at Netacea. Organizations doing so must not only recognize the shortcomings and risks of VPNs in the remote working era but also understand how alternative options can better secure their enterprises.

There is no shortage of risks when it comes to VPNs: the potential for critical vulnerabilities in the gateway itself, a limited ability to restrict network access beyond the VPN gateway once a client is connected, and little-to-no security in the remote networks where client VPN connections originate. Because a VPN typically extends the organization’s network out to the remote endpoint, an insecure home network gives an attacker a foothold from which corporate resources are reachable. Another issue is that a VPN provides encryption only for traffic passing between two points; inspecting that traffic requires a standalone, full security stack deployed at one end of every VPN connection.

Gracey-McMinn says most VPNs provide minimal security beyond traffic encryption and often do not enforce the use of multifactor authentication (MFA).
“If a member of staff’s computer has been compromised while working at home, this could lead to a malicious actor gaining access to a company’s network via the VPN using staff credentials, which would grant them full trusted access, activity less likely to be detected by a security team due to not having a full security stack layer while working from home,” Gracey-McMinn says.

This was observed in the Colonial Pipeline ransomware attack, in which attackers reached the internal network using a compromised password for a legacy VPN account that was not protected by MFA. Attackers have also targeted and exploited known VPN appliance vulnerabilities, including CVE-2021-20016 (a SQL injection in SonicWall SMA 100 series SSL-VPN appliances), used by the cybercrime group DarkSide, and CVE-2021-22893 (an authentication bypass in Pulse Secure’s Pulse Connect Secure), exploited by at least a dozen malware families.

This trend has continued in the years since. Numerous VPN vendors, including Fortinet and Pulse Secure (now Ivanti), have had to patch multiple severe vulnerabilities. Vulnerability management and patching are part of the cost of doing business, but they are a major area of concern for internet-facing chokepoints such as VPN gateways, where a single unpatched flaw exposes the whole network behind them.

Another significant issue is malware-infected and unpatched devices. Once the user brings up the VPN, malware with a remote connection to that device can act as the user and reach every system the user can reach.

VPNs also have significant drawbacks from a usability and productivity standpoint: they can reduce network speed because traffic is backhauled through the VPN gateway rather than going directly to its destination, and other performance issues sometimes arise from kill switches and DHCP handling.

Why switch to a modern VPN alternative

With the risks and shortcomings of legacy VPNs clearly established, it is important to invest strategically in a modern replacement, and there are some key factors to evaluate when considering an alternative remote access solution. Perhaps the most important is zero trust principles: requiring strong authentication with each connection attempt, evaluating device compliance, enforcing least privilege, and establishing confidence in each attempt to access company data or services.

Another major focus area in modernizing enterprise remote access is support for modern management. Centralized management is an obvious first step. Managing a remote access solution well also requires the ability to change course rapidly. Automation capabilities such as patch management, policies (authentication, encryption, risk scoring, etc.), and integration with other components of your security stack mitigate modern risks and attack vectors. These management capabilities frequently come under the “software-defined” label and are as much about your future business needs as they are about the current threat landscape. Threats to your business are constantly evolving, and a mature security stack will allow you to meet those threats on the proper footing.

Secure alternatives to VPNs

Whether replacing VPNs altogether or supplementing them with other options, organizations must recognize and implement alternative security methods better suited to protecting mass remote working. Which and how many of these strategies a business explores will vary depending on factors such as security posture and risk appetite. However, security experts agree that the following are the ones most likely to be broadly effective.

1. Zero trust network access

Zero-trust network access (ZTNA) is essentially brokered access to applications and data on the network. Users and devices are challenged and verified before access is granted, and access is granted to a specific application rather than to the network as a whole.

Zero-trust methods can perform the basic capabilities of a VPN, such as granting access to certain systems and networks, but with an added layer of security through least-privileged access, identity authentication, employment verification, and credential storage. As a result, if an attacker succeeds in infecting a system, the damage is limited to what that system has access to. Network monitoring solutions should also be part of the zero-trust model to detect suspicious behavior.

Another benefit of an authentication transaction occurring each time a user or device connects to an application or service is the event logging this enables and the context it builds into your security stack. This contextual detail is useful both for authentication flows that evaluate the risk level of each attempt and for forensics in the case of an attack.

2. Secure access service edge (SASE)

“With a ZTNA model every user and device will be verified and checked before it is allowed access, not only at the network level but also at the application level. However, zero trust is only one part of fixing the problem and cannot monitor all traffic from one endpoint to the other. SASE [secure access service edge] solves that issue. As a cloud-based model, SASE combines the network and security functions together as a single architecture service, which allows a company to unify their network at one singular point from one screen,” says Gracey-McMinn.

SASE offers simplified management and operation, lower costs, and increased visibility and security through the extra layers of network functionality and the underlying cloud-native security architecture. Fundamentally, SASE tools bring agility to network and security management, which in turn makes implementing improved security that much easier. Much like zero trust, SASE involves integrating several key components of your network and security architecture. Services such as DNS security, SD-WAN (software-defined wide area network), FWaaS (firewall as a service), and others combine to form the foundation of SASE.

3. Software-defined perimeter

Often implemented within wider zero-trust strategies, a software-defined perimeter (SDP) is a network boundary defined in software instead of hardware and is an effective replacement for classic VPN solutions. It uses MFA-backed identity to segment the network and supports rules that restrict each resource to specific users.

SDP also makes it easier to block access to resources once suspicious behavior is detected, isolating potential threats and minimizing the damage caused in an attack while maintaining productivity in the case of a false positive: access to the affected resource is withdrawn rather than the whole device being disabled and the user left unable to do any meaningful work.

The software-defined aspect of SDP also enables automation, allowing other tools within your network to interact with the SDP when risky behavior is identified and to mitigate those risks in real time. The ability to react in machine time is increasingly critical as attacks become more sophisticated.

4. Software-defined wide-area networks

Site-to-site VPNs typically ride on a router-centric WAN model in which the control function is distributed across the network: each router forwards traffic based on IP addresses and access-control lists (ACLs). Software-defined wide area networks (SD-WANs), by contrast, rely on software and a centralized control function that steers traffic across the WAN according to priority, security, and quality-of-service requirements as defined by the organization.

SD-WAN is of particular importance in an era where edge computing makes up a healthy portion of many corporate networks. Rather than having hundreds or thousands of sensors (many of them deployed in less-than-secure locations) that each require VPN connections or firewall rules, SD-WAN can manage these disparate connections dynamically.

5. Identity and access management and privileged access management

Solutions that incorporate a comprehensive verification process to confirm the validity of login attempts provide greater protection than traditional VPNs, which are often configured to require only a username and password. With identity and access management (IAM), network managers can be sure each user has authorized access and can track each network session.

IAM is not only a viable alternative to a VPN for securing applications and services but also foundational for many of the other solutions on this list. The streamlined management of identities and authentication policies strengthens every system that relies on it for authentication, as does the ability to apply risk-based authentication and MFA where appropriate.

While IAM, as a VPN alternative or paired option, manages identity and allows for more granular activity monitoring, it does not provide additional protection for privileged credentials. To securely manage the credentials of privileged accounts, privileged access management (PAM) is needed. PAM’s key benefits include advanced credential security such as frequent rotation of complex passwords and obfuscation of passwords, control over access to systems and data, and user activity monitoring.
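
The PAM mechanics named above (vaulted secrets, entitlement-checked and time-limited check-out, rotation on check-in, masked logging, and session activity recording) are easier to reason about in code. The following Python is an added illustration written for this article, not any vendor’s product; the user names, account name, change-ticket reference, and lease length are constructed for the example, and the check-in step only rotates the vaulted copy (a real PAM would also push the new secret to the target system).

```python
"""Added illustration of privileged access management (PAM) mechanics.
Constructed example, not any vendor's code: names, accounts and lease
lengths are made up for the demonstration."""
import secrets
import string
import time
from dataclasses import dataclass

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"


def generate_password(length: int = 32) -> str:
    """Complex secret from the OS CSPRNG; a fresh one is issued at every rotation."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def mask(secret: str) -> str:
    """What the audit trail and UI see instead of the credential itself."""
    return f"<redacted:{len(secret)} chars>"


@dataclass
class Lease:
    account: str
    user: str
    secret: str
    expires_at: float


class PrivilegedVault:
    def __init__(self, entitlements: dict, lease_seconds: int = 900, clock=time.time):
        self.entitlements = entitlements   # user -> set of privileged accounts they may borrow
        self.lease_seconds = lease_seconds
        self.clock = clock                 # injectable so expiry can be tested deterministically
        self._secrets = {}                 # account -> current credential; never written to audit
        self.leases = {}                   # account -> active Lease (exclusive check-out)
        self.audit = []

    def _log(self, event: str, **ctx):
        self.audit.append({"event": event, "ts": self.clock(), **ctx})

    def onboard(self, account: str) -> None:
        self._secrets[account] = generate_password()
        self._log("onboard", account=account)

    def checkout(self, user: str, account: str, reason: str) -> Lease:
        """Hand out a time-limited credential only to an entitled user, one holder at a time."""
        if account not in self.entitlements.get(user, set()):
            self._log("checkout_denied", user=user, account=account, reason=reason)
            raise PermissionError(f"{user} is not entitled to {account}")
        current = self.leases.get(account)
        if current and current.expires_at > self.clock():
            raise RuntimeError(f"{account} is already checked out by {current.user}")
        lease = Lease(account, user, self._secrets[account], self.clock() + self.lease_seconds)
        self.leases[account] = lease
        self._log("checkout", user=user, account=account, reason=reason, secret=mask(lease.secret))
        return lease

    def record_activity(self, lease: Lease, command: str) -> bool:
        """Session monitoring: refuse and flag activity on an expired or superseded lease."""
        valid = lease.expires_at > self.clock() and self.leases.get(lease.account) is lease
        self._log("activity" if valid else "activity_rejected",
                  user=lease.user, account=lease.account, command=command)
        return valid

    def checkin(self, lease: Lease) -> None:
        """Rotate on return so the borrowed credential is worthless afterwards.
        A real PAM would also push the new secret to the target system."""
        self._secrets[lease.account] = generate_password()
        self.leases.pop(lease.account, None)
        self._log("checkin_rotated", user=lease.user, account=lease.account)

    def current_secret(self, account: str) -> str:
        """Privileged view used only by the connector that updates the target system."""
        return self._secrets[account]


if __name__ == "__main__":
    # Constructed walk-through: one admin, one database account, one change ticket.
    vault = PrivilegedVault({"alice": {"db-admin"}})
    vault.onboard("db-admin")
    lease = vault.checkout("alice", "db-admin", "change ticket CHG-1234 (constructed)")
    vault.record_activity(lease, "ALTER USER app ...")
    vault.checkin(lease)
    for entry in vault.audit:
        print(entry)
```

Two details carry the security value: the audit trail never contains the credential (only `mask()` output), and a lease that has expired or been checked in is rejected by `record_activity`, so a credential copied out of a session cannot be reused quietly after the session ends.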

6. Unified endpoint management tools

Unified endpoint management (UEM) tools can provide a VPN-less experience through conditional access, whereby an agent running on the device evaluates various conditions before a person is allowed to reach a particular resource, says Andrew Hewitt, senior analyst at Forrester. “For example, the solution may evaluate device compliance, identity information, and user behavior to determine whether that person can indeed access enterprise data. Often, UEM providers will integrate with ZTNA providers for added protection.”
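
Sections 1, 3 and 6 all describe the same decision loop from different angles: ZTNA brokers each connection on identity, MFA and least-privilege entitlement and logs the context; SDP narrows or withdraws access when risky behavior is detected instead of disabling the whole device; UEM conditional access feeds device compliance into that decision. The Python below is an added example written for this article, not code from any vendor named here. The groups, applications, posture attributes, risk weights and thresholds are all constructed assumptions.

```python
"""Added illustration of a zero-trust / software-defined-perimeter access
broker with continuous re-evaluation. Constructed example: the entitlements,
posture checks, risk weights and thresholds are assumptions, not any product's."""
import time
from dataclasses import dataclass

# Constructed least-privilege entitlements: group -> applications that group may reach.
ENTITLEMENTS = {
    "finance": {"erp", "payroll"},
    "engineering": {"gitlab", "ci"},
}

# Constructed risk weights for behavioural signals fed in by monitoring tools.
RISK_WEIGHTS = {"impossible_travel": 60, "posture_drift": 40, "bulk_download": 30}
RESTRICT_AT, REVOKE_AT = 40, 80


@dataclass
class Identity:
    user: str
    groups: frozenset
    mfa_satisfied: bool  # strong auth is required on every connection attempt


@dataclass
class DevicePosture:
    """What a UEM agent would report about the endpoint (constructed attributes)."""
    managed: bool
    disk_encrypted: bool
    os_patched: bool
    edr_healthy: bool

    def compliant(self) -> bool:
        return all((self.managed, self.disk_encrypted, self.os_patched, self.edr_healthy))


class Broker:
    """Brokers access per application instead of extending the network."""

    def __init__(self):
        self.log = []        # every decision with its context: feeds risk scoring and forensics
        self.sessions = {}   # session id -> {"user", "app", "risk", "state"}

    def _record(self, outcome: str, ctx: dict) -> dict:
        entry = {"outcome": outcome, "ts": time.time(), **ctx}
        self.log.append(entry)
        return entry

    def request_access(self, ident: Identity, device: DevicePosture, app: str, src_ip: str) -> dict:
        """Admission decision: MFA, device compliance and entitlement, evaluated on every attempt."""
        ctx = {"user": ident.user, "app": app, "src_ip": src_ip,
               "mfa": ident.mfa_satisfied, "device_compliant": device.compliant()}
        if not ident.mfa_satisfied:
            return self._record("deny:mfa_required", ctx)
        if not device.compliant():
            return self._record("deny:device_noncompliant", ctx)
        allowed = set().union(*(ENTITLEMENTS.get(g, set()) for g in ident.groups))
        if app not in allowed:
            return self._record("deny:not_entitled", ctx)
        sid = f"sess-{len(self.sessions) + 1}"
        self.sessions[sid] = {"user": ident.user, "app": app, "risk": 0, "state": "active"}
        return self._record("allow", {**ctx, "session": sid})

    def report_signal(self, sid: str, signal: str) -> str:
        """Continuous evaluation: narrow the session before killing it, so a false
        positive degrades the user to read-only rather than cutting them off."""
        s = self.sessions[sid]
        s["risk"] += RISK_WEIGHTS.get(signal, 0)
        if s["risk"] >= REVOKE_AT:
            s["state"] = "revoked"
        elif s["risk"] >= RESTRICT_AT:
            s["state"] = "restricted"
        self._record(f"signal:{signal}", {"session": sid, "risk": s["risk"], "state": s["state"]})
        return s["state"]

    def authorize(self, sid: str, action: str) -> bool:
        """Per-request check inside an established session; action is 'read' or 'write'."""
        s = self.sessions.get(sid)
        if s is None or s["state"] == "revoked":
            return False
        if s["state"] == "restricted":
            return action == "read"
        return True


def demo():
    """Constructed walk-through: a compliant finance user whose session drifts into revocation."""
    b = Broker()
    alice = Identity("alice", frozenset({"finance"}), mfa_satisfied=True)
    laptop = DevicePosture(True, True, True, True)
    sid = b.request_access(alice, laptop, "erp", "203.0.113.7")["session"]
    b.report_signal(sid, "posture_drift")        # risk 40: restricted, reads still work
    b.report_signal(sid, "impossible_travel")    # risk 100: revoked
    return b, sid


if __name__ == "__main__":
    broker, sid = demo()
    for entry in broker.log:
        print(entry)
```

Every path through `request_access` writes a log entry with the same context fields, which is the point made in section 1: the denials carry as much forensic value as the allows. `report_signal` is where an SDP or UEM integration would call in; anything that scores a signal is free to push the session to `restricted` first, which keeps a false positive recoverable.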

7. Virtual desktop infrastructure or desktop-as-a-service

Virtual desktop infrastructure (VDI) or desktop-as-a-service solutions “essentially stream compute from the cloud (or from an on-prem server) so that nothing resides locally on the device,” explains Hewitt. Organizations sometimes use this as an alternative to a VPN, but there still need to be checks at the device level along with user authentication to secure the access, he adds. “The benefit of this however is that no data can be copied from the virtual session onto a local client, unlike traditional VPN.”

8. Secure web gateways

Leveraging a secure web gateway (SWG) can be an easy way to secure web applications hosted on-premises or in a private cloud. While SWGs are one component of the SASE architecture, they can also be implemented independently of an overall SASE strategy to enforce policies covering authentication, URL filtering, and data loss prevention, and they can even block malware passing through the connection.

SWGs typically reach line-of-business apps either through a direct connection or, in some cases, through a software agent installed within the local network that provides connectivity to the application or service. This flexibility can make SWGs an easy option for improving an organization’s security posture without requiring major changes to the architecture.

9. Cloud access security brokers

Cloud access security brokers (CASBs) are another component of SASE that can be deployed independently to supplement or replace a VPN. A CASB enforces security policies (authentication requirements, encryption configuration, malware detection, managed versus unmanaged device access, etc.) between end users and SaaS applications. While this use case doesn’t fit the definition of a VPN replacement in the sense of providing access to on-premises corporate resources, it does replace some of the enterprise controls that were traditionally available only by funneling users through a central control point, which is a common VPN use case.

Vendors invest in non-VPN approaches to hybrid security

Security vendors are investing in many of the non-VPN, hybrid security approaches outlined above, including the following offerings. 

Microsoft Entra Suite

In July 2024, Microsoft released Entra Suite, building on its existing Entra ID (formerly Azure AD) portfolio to include Microsoft Entra Private Access (its ZTNA solution) and Microsoft Entra Internet Access, an SWG offering, along with three other services focused on managing and securing identities. Entra Suite enables admins to enforce conditional access policies across a wide range of workloads and to apply best practices such as least privilege throughout the enterprise.

AWS Verified Access

In May 2023, AWS announced the release of AWS Verified Access, enabling customers to provide VPN-less, secure access to their corporate applications. Built using AWS zero trust principles, Verified Access aims to help customers reduce the risks associated with remote connectivity. It allows IT administrators and developers to define fine-grained access per application using real-time contextual signals, including identity and device posture, and gives customers the ability to manage policies for each application in one place, AWS said.

Verified Access supports integration with AWS Web Application Firewall (WAF) to protect web applications from application-layer threats and passes signed identity context to application endpoints, according to AWS. AWS said use cases include:

- Securing distributed users by evaluating each request in real time against predefined security requirements to facilitate secure access to applications.
- Managing corporate application access with access policies driven by security signals such as user identity and device security status.
- Evaluating access requests and logging request data, accelerating analysis of and response to security and connectivity incidents.

Netskope ZTNA Next and Endpoint SD-WAN

In April 2023, Netskope committed to 100% legacy VPN retirement with the release of ZTNA Next, a fully integrated service that aims to provide a clear path to complete replacement of remote access VPNs for all application access use cases. The vendor said it reduces the digital attack surface, enhances security posture with zero trust principles, and boosts remote worker productivity with a seamless and optimized application access experience.

Netskope also released Netskope Endpoint SD-WAN, claiming an “industry-first” software-based SASE offering converging SD-WAN and Security Service Edge (SSE) capabilities. It claimed that organizations can use Netskope Endpoint SD-WAN to reduce the cost and complexity of hybrid working, simplifying connectivity, eliminating the sprawl of multiple clients and point products, and preserving network performance at scale. Key benefits of Endpoint SD-WAN include a unified architecture and consistent context-aware policy, providing every remote user, device, and site with simple, secure, high-performance access to hybrid and multi-cloud environments, according to Netskope. It also features AI-driven operations, high-performance connectivity for critical voice, video, and data applications, and an optimized user experience.

Inside-Out Defense

At the same time, cybersecurity vendor Inside-Out Defense emerged from stealth with the launch of a new privilege access abuse detection and remediation platform. The SaaS, agentless platform supports all environments and applications, complementing existing identity, IAM, PAM, and custom identity solutions, the firm said. Inside-Out Defense said the platform’s key features include:

- Privilege abuse remediation, detecting access abuse behaviors in real time and providing in-line remediation of malicious privileged access through a kill switch.
- A 360-degree profile of malicious access requests, their context, and intent, offering a real-time view of the organization’s access posture.
- Coverage across the organization’s environments, including infrastructure (cloud and on-premises), applications (SaaS, managed, unmanaged), APIs, and human and non-human users.

Palo Alto Networks Prisma

In March 2023, cybersecurity vendor Palo Alto Networks announced new SD-WAN features in its Prisma SASE solution for IoT device security and to help customers meet industry-specific security compliance requirements. Prisma SD-WAN with integrated IoT security enables accurate detection and identification of branch IoT devices, Palo Alto Networks stated. It allows customers to enable security controls from within the familiar cloud management for Prisma SASE without deploying additional appliances and sensors in the network to gain visibility into IoT devices and prevent threats. Prisma SD-WAN provides extra visibility into intra-branch traffic, allowing Prisma Access to build a rich and accurate IoT inventory while ensuring IoT devices egress application traffic from the branch over the encrypted SD-WAN fabric to Prisma Access, where it is inspected to enforce zero trust, Palo Alto Networks said.

[Editor’s note: This article, originally published on 11 October 2021, has been updated with other VPN-less options in May 2023 and November 2024.]

First seen on csoonline.com

Jump to article: www.csoonline.com/article/571379/7-vpn-alternatives-for-securing-remote-network-access.html
