Beyond the Zero Trust Hype: Is VPN Responsible for the Big Switch?


VPNs have been used widely by enterprises and Internet users to create private networks, secure and encrypt communications, mask IP addresses, and protect online identities. By the end of 2021, the VPN industry is projected to hit $31.1 billion. However, as recent experience demonstrates, VPNs are not foolproof, and organizations are gradually moving to alternatives for securing remote access, such as zero trust network access.

Since 2005, the cloud has been gaining ground as the technology of choice to host massive amounts of data, enable analytics, reduce latency, add redundancy, run applications, and cut the costs of storing, processing, and governing data. 96% of organizations globally use a cloud service to host their data and applications. Of late, organizations have been using a mix of cloud-based and on-premise technologies to save on costs and enable seamless operations. However, the explosion of tools has resulted in a patchwork of solutions, giving attackers weak points in enterprise networks to exploit.

Every organization puts a premium on protecting intellectual property, internal data, employee communications, and its applications. VPNs are used widely because they encrypt traffic and hide the user's origin, offering a degree of both security and anonymity.

Norton explains that a VPN essentially creates “a data tunnel between a local network and an exit node in another location, which could be thousands of miles away, making it seem as if you’re in another place. This benefit allows online freedom, or the ability to access your favorite apps and websites while on the go.” Data in transit between the two locations is encrypted, and the user’s public IP address is replaced by that of the VPN exit node, so the Internet service provider sees only encrypted traffic to the VPN server rather than the sites the user visits. That holds only if DNS queries are also sent through the tunnel; a client that leaks DNS to the ISP’s resolver reveals the visited domains regardless.

Aside from these, VPNs offer various other benefits, such as enabling people to work from remote locations, browse more safely on public Wi-Fi, avoid geographical limitations when accessing online services like Netflix, avoid bandwidth throttling by ISPs, and, where the provider keeps no logs and obfuscates the tunnel, limit what can be learned about the user through deep packet inspection (DPI) or well-known port numbers.


The Stone Walls Are Crumbling

Despite these benefits offered by VPNs, the technology suffers from serious issues that threaten to compromise the basic needs of Internet users — privacy, anonymity, and data security. VPN products offered by well-known companies like Fortinet, Cisco, NordVPN, Pulse Secure, and D-Link have been found to contain security vulnerabilities. Some of these, though not the NordVPN ones, were exploited by malicious actors in attacks.

For instance, CVE-2018-13379, a path traversal flaw in the FortiOS SSL VPN web portal that lets an unauthenticated attacker read the session file holding plaintext VPN credentials, was exploited by hackers earlier this year to deploy the Cring ransomware. The victims included several industrial organizations in Europe, one of which had its production process temporarily halted. Multiple vulnerabilities in the Pulse Connect Secure (PCS) VPN appliance, including a remote code execution vulnerability, were also actively exploited to break into private networks.

In December last year, security researchers at Digital Defense also discovered three critical zero-day vulnerabilities in D-Link VPN routers that could be chained to inject and execute commands as root. The researchers warned that exploitation of these flaws could enable an attacker to observe and modify the network traffic of local and VPN clients.

The discovery of these exploitable vulnerabilities quickly, and worryingly, attracted the attention of attackers. According to managed security service provider Nuspire, attacks against Fortinet’s SSL-VPN and Pulse Connect Secure VPN rose by 1,916% and 1,527%, respectively, in Q1 2021. Threat actors used these attacks to infiltrate networks, exfiltrate information, and deploy ransomware.

Enter ZTNA 

The routine exploitation of critical vulnerabilities in leading enterprise VPN products has certainly made organizations nervous, especially when ransomware attacks are causing losses in millions of dollars. The natural outcome of the dwindling faith in the capabilities of VPNs is a recent surge in the adoption of the zero-trust approach, best known through its avatars Zero Trust Access (ZTA) and Zero Trust Network Access (ZTNA).

Gartner says that by 2023, 60% of enterprises will phase out most of their remote access VPNs in favor of zero-trust network access (ZTNA). It also says ZTNA is better-suited for a multi-cloud environment, and by 2022, 80% of business apps opened up to ecosystem partners will be accessed through ZTNA.  

The research firm notes that ZTNA improves flexibility, agility and scalability, enabling digital ecosystems to work without exposing services directly to the Internet, which also reduces the risk of distributed denial of service attacks. It recommends that organizations go beyond using IP addresses and network locations as a proxy for access trust, and that they phase out legacy VPN-based access for high-risk use cases, removing the ongoing need to support widely deployed VPN clients.

It also recommends that organizations use ZTNA for application-level access only after sufficient user and device authentication. ZTNA provides adaptive, identity-aware, precision access and introduces clientless identity- and device-aware access so that unmanaged devices can reach applications securely.

“ZTNA, which is also known as software-defined perimeter (SDP), creates an identity and context-based, logical access boundary around an application and a set of applications. The applications are hidden from discovery, and access is restricted via a trust broker to a set of named entities. The broker verifies the identity, context, and policy adherence of the specified participants before allowing access. This removes the application assets from public visibility and significantly reduces the surface area for attack,” Gartner adds.
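To make the broker model concrete, here is an added example (not from Gartner or any vendor) of the decision a ZTNA trust broker makes per application, next to the network-level grant a remote-access VPN makes once the tunnel is up. The policy table, group names, posture fields and requests are constructed for illustration; the point is that the broker is deny-by-default, evaluates identity, device posture and context separately, and never reveals whether an unlisted app exists.

```python
"""Added example: a minimal ZTNA-style trust broker decision, contrasted with
a VPN-style network-level grant. All names and policies are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple


@dataclass(frozen=True)
class Principal:
    user: str
    groups: FrozenSet[str]
    mfa_passed: bool


@dataclass(frozen=True)
class DevicePosture:
    managed: bool          # enrolled in MDM / has an endpoint agent
    os_patched: bool
    disk_encrypted: bool


@dataclass(frozen=True)
class AccessRequest:
    principal: Principal
    device: DevicePosture
    app: str               # a logical application name, never an IP or subnet
    country: str           # request context, e.g. from geo-IP


@dataclass(frozen=True)
class AppPolicy:
    allowed_groups: FrozenSet[str]
    require_mfa: bool = True
    require_managed_device: bool = False
    allowed_countries: Optional[FrozenSet[str]] = None   # None = any


# Constructed policy table. Apps not listed here are undiscoverable: the
# broker denies them without saying whether they exist.
POLICIES: Dict[str, AppPolicy] = {
    "wiki": AppPolicy(allowed_groups=frozenset({"staff", "contractors"})),
    "hr-portal": AppPolicy(allowed_groups=frozenset({"hr"}),
                           require_managed_device=True),
    "prod-admin": AppPolicy(allowed_groups=frozenset({"sre"}),
                            require_managed_device=True,
                            allowed_countries=frozenset({"US", "DE"})),
}


def broker_decision(req: AccessRequest,
                    policies: Dict[str, AppPolicy] = POLICIES) -> Tuple[bool, str]:
    """Deny-by-default, per-application decision on identity, device and
    context. The reason string is for the audit log, not for the client."""
    policy = policies.get(req.app)
    if policy is None:
        return False, "unknown app"
    if not (req.principal.groups & policy.allowed_groups):
        return False, "identity: not in an allowed group"
    if policy.require_mfa and not req.principal.mfa_passed:
        return False, "identity: MFA not satisfied"
    posture_ok = (req.device.managed and req.device.os_patched
                  and req.device.disk_encrypted)
    if policy.require_managed_device and not posture_ok:
        return False, "device: posture check failed"
    if policy.allowed_countries is not None and req.country not in policy.allowed_countries:
        return False, "context: source country not allowed"
    return True, "allowed"


def reachable_apps(principal: Principal, device: DevicePosture, country: str,
                   policies: Dict[str, AppPolicy] = POLICIES) -> Set[str]:
    """Applications the broker would expose to this principal in this context."""
    return {app for app in policies
            if broker_decision(AccessRequest(principal, device, app, country), policies)[0]}


def network_level_grant(credentials_ok: bool, all_apps: Set[str]) -> Set[str]:
    """The VPN-style model: once credentials check out, every app on the
    network is reachable, so a stolen password yields all of them."""
    return set(all_apps) if credentials_ok else set()


if __name__ == "__main__":
    contractor = Principal("eve", frozenset({"contractors"}), mfa_passed=True)
    byod = DevicePosture(managed=False, os_patched=True, disk_encrypted=False)
    print("broker exposes:", reachable_apps(contractor, byod, "US"))
    print("VPN exposes:   ", network_level_grant(True, set(POLICIES)))
```

The contrast is the point Bischoff makes later in the article: with valid credentials the network-level grant returns all three apps, whereas the broker returns only the wiki to a contractor on an unmanaged laptop, and returns a different denial reason for each failed check so the audit log explains the decision without the client learning the policy.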


ZTNA Offers More Granular Security Controls

According to Paul Bischoff, privacy advocate at Comparitech, ZTNAs are catching on among enterprises that want more granular access control for remote employees than a VPN offers. Although VPNs are fairly secure, if a user’s login credentials are compromised, an attacker can gain access to the organization’s entire network, including any data and applications reachable on it.

“A ZTNA gives users access on an app-by-app basis, reducing the attack surface. Whereas a VPN just checks for an IP address and the right credentials, ZTNAs can perform more checks to verify the user. It’s also useful for organizations that host applications on different networks, whereas a VPN can only connect to one network at a time. Note that some enterprise VPN solutions do have application access control, but this is still managed on the network level,” he says.

Similarly, Chris Hauk, consumer privacy champion at Pixel Privacy, points out that while the primary role of a VPN is to allow two trusted parties to communicate with each other, it offers little in the way of controlling the access a user has to resources.

On the other hand, “ZTNA allows authorizing users on a granular level, making it easy to control what apps and services a user has access to. This reduces the available attack surface, providing added security against attacks over a VPN. ZTNA also allows organizations to host and connect to apps on multiple networks, while a VPN can only connect to a single network at a time,” Hauk says.

Tasos Logothetis, the DevOps Director at Obrela Security Industries, says that zero-trust networks (ZTNs) aren’t really new but have been around a long time and are here to stay. “They have multiple advantages over conventional VPNs and are better suited to modern technologies. All new-age applications utilize ZTNA architecture and cooperate with ZTNs and VPNs without any problems. In addition, most cloud and multi-cloud environments also operate with ZTNA,” he says.

“As it is common practice in the IT world, changes happen only when new needs arise, or when it is time to renew outdated hardware and software. Based on that concept, when a company plans the next update/upgrade of their infrastructure, they will most likely choose ZTNA as the next network remote access methodology. The timeline for this is subject to the upgrade plans of each company.” 

Speaking with Toolbox, Marijus Briedis, the CTO at NordVPN, said that even though the design and the architectural idea aren’t new, ZTA and ZTNA are gradually gaining traction in the cybersecurity world. “I totally agree with the statement that the corporate world will be moving towards this. When remote work is becoming the new normal, the solution looks really appealing.”


Why VPN Isn’t the Villain in the Story

Data privacy expert Ilia Kolochenko, who is now the CEO of ImmuniWeb, says that despite the benefits ZTNA offers, VPN and other “legacy” technology will probably remain with us for at least a decade. This is because very few organizations can readily say that their cloud infrastructure is secure and properly configured.

“Adoption of new technologies is always a time-consuming and painful process, conjugated to an outdated and obsolete technology stack that will co-exist in parallel for a while. In the near future, many organizations will likely shift their network architecture to a zero-trust model, however, VPN and other “legacy” technology will probably remain with us for at least a decade,” he says.

He, however, adds that VPN technology isn’t really the villain in the story. “VPNs are not insecure per se: most of the successful attacks against VPNs exploit improper implementation of the former, weak passwords or over-permissive firewalling policies, or simply leverage already stolen credentials or backdoored user machines. 

“Therefore, just removing VPNs will not solve the root cause of data breaches, stemming from lack of IT assets visibility, insufficient security training, inconsistent or incomplete security strategy and shrinking post-pandemic security budgets.”

According to Briedis, VPNs can play a superlative role in securing enterprise devices and data if organizations adopt and implement strong account management and password policies. “The password policy and account management are perhaps the most important parts of every organization’s security. The easiest way to solve issues around these two is to make 2FA mandatory for all accounts. It will increase administrative costs, but it’s necessary to add a second layer of protection too. To have a better vision and to better understand what is happening in the organization’s infrastructure and its network, it is a must to implement session logs. Furthermore, I would also recommend having IDS/IPS systems installed to catch traffic anomalies,” he says.
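Session logs only help if something reads them. The following is an added example, not Briedis’s or NordVPN’s code, of three detections a security team would run over VPN authentication logs: successful logins that bypassed 2FA, password-guessing bursts from a single source, and the same account connecting from two countries inside a short window. The log format and every sample line are constructed for this example and do not correspond to any vendor’s product; the thresholds are assumptions to tune.

```python
"""Added example: anomaly checks over constructed VPN session logs.
Format and sample lines are invented; thresholds are illustrative."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed line format:
#   <ISO time> <login_ok|login_fail> user=<u> src=<ip> country=<CC> mfa=<yes|no>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>login_ok|login_fail) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) country=(?P<cc>[A-Z]{2}) mfa=(?P<mfa>yes|no)$")

# Constructed sample: alice travels impossibly fast, bob's account is
# guessed from one IP and then used without 2FA, carol mistypes once.
SAMPLE_LOG = """\
2021-06-01T08:00:00 login_ok user=alice src=203.0.113.10 country=US mfa=yes
2021-06-01T08:05:00 login_fail user=bob src=198.51.100.7 country=NL mfa=no
2021-06-01T08:05:10 login_fail user=bob src=198.51.100.7 country=NL mfa=no
2021-06-01T08:05:20 login_fail user=bob src=198.51.100.7 country=NL mfa=no
2021-06-01T08:05:30 login_fail user=bob src=198.51.100.7 country=NL mfa=no
2021-06-01T08:05:40 login_fail user=bob src=198.51.100.7 country=NL mfa=no
2021-06-01T08:05:50 login_fail user=bob src=198.51.100.7 country=NL mfa=no
2021-06-01T08:06:10 login_ok user=bob src=198.51.100.7 country=NL mfa=no
2021-06-01T08:12:00 login_fail user=carol src=192.0.2.9 country=US mfa=no
2021-06-01T08:30:00 login_ok user=alice src=192.0.2.44 country=BR mfa=yes
"""


def parse_log(text: str) -> List[Dict]:
    """Parse lines into dicts sorted by time; unparseable lines are skipped
    (a real pipeline should count those too, since gaps hide attacks)."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["mfa"] = e["mfa"] == "yes"
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def logins_without_mfa(events: List[Dict]) -> List[Tuple[str, str]]:
    """Successful sessions that were not protected by a second factor."""
    return [(e["user"], e["src"]) for e in events
            if e["event"] == "login_ok" and not e["mfa"]]


def brute_force_sources(events: List[Dict], threshold: int = 5,
                        window: timedelta = timedelta(minutes=10)) -> Set[str]:
    """Source IPs with >= threshold failed logins inside any sliding window."""
    fails: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e["event"] == "login_fail":
            fails[e["src"]].append(e["ts"])
    flagged = set()
    for src, times in fails.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged


def impossible_travel(events: List[Dict],
                      window: timedelta = timedelta(hours=1)) -> List[Tuple[str, str, str]]:
    """Same account logging in from two different countries within the window."""
    last: Dict[str, Tuple[datetime, str]] = {}
    findings = []
    for e in events:
        if e["event"] != "login_ok":
            continue
        prev = last.get(e["user"])
        if prev and prev[1] != e["cc"] and e["ts"] - prev[0] <= window:
            findings.append((e["user"], prev[1], e["cc"]))
        last[e["user"]] = (e["ts"], e["cc"])
    return findings


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("no-MFA sessions:", logins_without_mfa(ev))
    print("brute-force sources:", brute_force_sources(ev))
    print("impossible travel:", impossible_travel(ev))
```

On the sample, the brute-force check and the no-MFA check fire on the same source and account, which is exactly the sequence a stolen or guessed password produces against a VPN without mandatory 2FA; the one failed attempt by carol stays below the threshold, and alice’s US-then-BR pair inside 30 minutes is surfaced for follow-up rather than auto-blocked.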

Briedis says that it is true that organizations aren’t doing enough to keep their VPN servers free of vulnerabilities, and therefore, blaming the technology itself isn’t fair. “Generally, this indicates a poor vulnerability management process in the organization, or even its absence. Is Microsoft responsible for users that are not updating their Windows? I don’t think so. Could vendors “push” the users to update more frequently? Absolutely.”


Bottom Line

A zero trust architecture represents an evolution in the practice of securing online identities, devices, and access to data and organizational resources, and it offers finer-grained access control than a traditional remote-access VPN. However, switching over to ZTNA isn’t as easy as it seems, for many legacy applications and servers may not lend themselves well to the new approach.

While the transition to zero trust may take a while for most organizations, considering many SMBs may not be familiar with the concept in the first place, organizations can still make the most of robust VPN solutions to secure their assets. Briedis says that the one-size-fits-all approach doesn’t work in the VPN industry.

When choosing a VPN solution, Briedis advises that organizations should consider speed, reliability, and the cipher technology the provider is using, look into how the product evolved and where it is now in the market. “However, the main question should be the following: can I fully trust the provider that my organization is using? Besides, a good VPN should work 24/7 and so should its customer service,” he adds.
