Why VPNs are being left behind in 2021

Disruptions caused by the COVID-19 pandemic have been felt within organisations around the world. Many are still coming to terms with the significant changes they have had to make in order to keep activity humming.

Large numbers of staff are still working remotely and are likely to continue to do so, with a proportion unlikely ever to return to office life. Many transactions that were previously conducted face-to-face are now completed digitally.

Organisations have had to make major alterations to their IT systems to support this shift. Designed to support predominantly office-based staff, these systems now have to be architected to cope with new workforce patterns and requirements.

In the past, many remote workers were provided with access to centralised corporate resources via a virtual private network (VPN) link. VPNs provide a secure tunnel across the public internet that allows users to enter a central IT infrastructure and make use of applications and stored data.

IT teams quickly found it was very challenging to scale their VPN capabilities to deal with large numbers of remote workers in light of the worldwide changes we’re seeing today. They were, and continue to be, faced with the prospect of investing significant amounts in new concentrators and scaling up internet connections to deal with a dramatic rise in traffic.

The challenge was compounded when remote workers needed to access cloud-based resources. Traffic from their home computer had to travel to the company data centre before being sent to the cloud. Return traffic had to go back through the data centre before being sent out to the user. The result was significantly degraded service levels and frustrated users at the same time as organisations faced hidden vulnerabilities.

A better approach to remote access

Growing numbers of organisations are realising there is a better approach to the remote working challenge. Many are planning to ditch their VPNs altogether in 2021 and embrace a totally different strategy.

The strategy, known as Zero Trust, shifts the focus from securing networks to securing devices, applications and databases. The identity-focused strategy relies on users being authenticated and only having access to the apps and data they need to complete their roles.

The benefit of this approach is that it significantly reduces an organisation’s attack surface. As each VPN link is a potential opening for attack, decommissioning them can limit the ways in which cybercriminals can gain access to an organisation’s infrastructure.

A Zero Trust strategy also overcomes the challenge of accessing cloud resources. Rather than needing to be diverted through a corporate data centre, user traffic can go directly to and from the cloud platform.

Zero Trust also overcomes another significant security challenge called lateral movement. This occurs when a cybercriminal gains access to a network resource and then moves laterally to other resources during the attack. Because a user has to be authorised to connect with each resource, lateral movement is no longer possible.

Zero Trust also brings benefits for those staff who are actually working from the office. Using the same identity protocols as their remote colleagues, they no longer need to worry about having to be tied to a secure network. They can essentially work on the internet and be approved to access the resources they need throughout the day.

The death of the VPN

Faced with these clear benefits, and the fact that remote working will remain a dominant force well into the future, 2021 will be the year that many organisations unplug their VPNs for good.

Some may opt to make a gradual transition to a Zero Trust architecture while others will push to move the entire organisation to this new way of operating. Regardless of the approach chosen, all can expect to enjoy significant business benefits in the months and years ahead.

Steve Singer is Regional Vice President and Country Manager - Australia and New Zealand for Zscaler.