VPN Alternatives for Remote Access
Shortcomings of VPNs for Remote Working
Companies large and small have come to rely on virtual private networks (VPNs) as the solution for securing traffic between the corporate network and remote devices. But as working from home and remote access have evolved from nice-to-haves to the norm, VPNs have come to shoulder a heavier burden than they were designed for. IT managers do well to stay mindful of the shortcomings of VPNs for remote work.
User Experience
A VPN connection links client devices to a secure network, typically a corporate data center. The goal is to provide the same level of network access the user enjoys while on campus, but the reality is that users have to deal with slow connections and increased network latency.
VPNs also require that users log in and authenticate their client to the network periodically. This is necessary to keep the network secure, but it also has the effect of making remote connections inherently less productive than working in the corporate office.
Visibility
As VPN services and connections proliferate, the network becomes more extended, more complex and harder to monitor effectively. Besides the links between individual users and the data center, remote offices connect larger groups of remote users in ever-growing constellations of point-to-point connections. The result is a trade-off between network visibility for IT managers and access for devices.
Security
VPNs by default are designed to provide network-level access. This means they expose more of the network to threats, especially in scenarios where a user’s credentials are hijacked and used by nefarious actors. This leaves corporate data, applications and other sensitive material vulnerable to attack. VPNs also typically rely on open ports to establish connections. This provides attackers a handy exploit route as they often target open ports to gain access.
The highest priority for any VPN solution is secure remote access over a public network, but even that is not a given. Enterprise-grade network security depends on functionality that leverages multifactor authentication (MFA) and encrypts data in transit; not all VPNs enforce those functions.
Also, the home network has become part of the security equation. Corporate IT managers cannot push upgrades and patches to privately owned computers, switches and routers, so they cannot ensure security on the remote end of the connection.
Another concern is the point-to-point nature of VPNs, which results in traffic being encrypted only between those points. The workload of inspecting traffic over every VPN connection grows burdensome as the number of connections increases, and the trend toward hosting those workloads in the cloud adds to the burden.
Secure Alternatives to VPNs
In a world of hybrid workforces and hybrid network environments, work has become an activity instead of a place. With apps and remote users everywhere, the need for new, secure VPN alternatives has become more urgent. Consider the following approaches.
Zero Trust Network Access (ZTNA)
As the typical enterprise attack surface has grown, Zero Trust network access (ZTNA) has emerged as a way of protecting apps and data by preventing lateral movement, blocking Layer 7 threats and simplifying least-privileged access policies.
Zero Trust is a strategic approach to cybersecurity with the goal of eliminating implicit trust across digital interactions with continuous validations at every stage of those interactions. It facilitates this through strong authentication and authorization, typically by routing each request for access to applications through an access broker. If the user is entitled to use the requested application, then the broker enables access and allows the user to communicate directly with the application.
ZTNA solutions apply to users, applications and infrastructure:
- Users – strong authentication of user identity, application of least-privileged access and verification of user device integrity
- Applications – removal of implicit trust among the components of an application when they talk to each other, with continuous monitoring at runtime
- Infrastructure – control of infrastructure-related elements such as routers, switches, cloud, IoT devices and supply chain
Advanced ZTNA (ZTNA 2.0) solutions ensure users have only the access they need to perform their tasks, while continuously verifying the trust level granted and inspecting all traffic for threats.
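The broker model described above can be made concrete with a small example. The following Python is an added illustration, not code from the original article or from any vendor product; the users, devices, applications, addresses and policy table are all constructed sample data, and the posture checks are assumed for the sake of the example. It contrasts a per-application broker decision (identity, device posture and entitlement must all pass, and the decision is re-run as posture changes) with a VPN-style grant that makes every host in a routed segment reachable once the tunnel is up.

```python
"""Toy ZTNA-style access broker versus network-level VPN reachability.

Added example, not from the original article. All identities, devices,
applications, addresses and policy entries below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Identity:
    user: str
    mfa_verified: bool      # strong authentication completed for this session
    groups: frozenset       # group memberships used for entitlement checks


@dataclass(frozen=True)
class DevicePosture:
    managed: bool           # assumed check: device enrolled in management
    disk_encrypted: bool    # assumed check: full-disk encryption on
    patch_level_ok: bool    # assumed check: OS patches current

    def healthy(self) -> bool:
        return self.managed and self.disk_encrypted and self.patch_level_ok


# Least-privilege entitlements (constructed): application -> groups allowed.
APP_POLICY = {
    "payroll": {"finance"},
    "wiki": {"finance", "engineering", "contractors"},
    "ci-server": {"engineering"},
}

# Constructed address map; three apps sit in the private segment, one does not.
APP_ADDRESSES = {
    "payroll": "10.1.2.10",
    "wiki": "10.1.3.20",
    "ci-server": "10.2.0.5",
    "public-site": "203.0.113.7",
}


@dataclass(frozen=True)
class BrokerDecision:
    allowed: bool
    reason: str


def broker_decide(identity: Identity, posture: DevicePosture, app: str) -> BrokerDecision:
    """Per-request decision: identity, device posture and app entitlement must all pass.

    Nothing is reachable by default; the broker only connects the user to the
    one application named in the request, and only if every check succeeds.
    """
    if not identity.mfa_verified:
        return BrokerDecision(False, "MFA not completed")
    if not posture.healthy():
        return BrokerDecision(False, "device posture check failed")
    allowed_groups = APP_POLICY.get(app)
    if allowed_groups is None:
        return BrokerDecision(False, f"unknown application {app!r}")
    if not identity.groups & allowed_groups:
        return BrokerDecision(False, "no entitlement for application")
    return BrokerDecision(True, "identity, posture and entitlement verified")


def vpn_reachable(app_addresses: dict, segment: str = "10.0.0.0/8") -> list:
    """VPN-style network-level access: once the tunnel routes `segment`,
    every application inside it is reachable regardless of entitlement."""
    net = ip_network(segment)
    return sorted(name for name, addr in app_addresses.items() if ip_address(addr) in net)


def reevaluate_session(identity: Identity, posture_updates: list, app: str):
    """Continuous verification: re-run the broker decision on each posture
    update and report the index at which the session would be revoked."""
    for index, posture in enumerate(posture_updates):
        decision = broker_decide(identity, posture, app)
        if not decision.allowed:
            return index, decision.reason
    return None, "session remained valid"


if __name__ == "__main__":
    alice = Identity("alice", mfa_verified=True, groups=frozenset({"finance"}))
    healthy = DevicePosture(managed=True, disk_encrypted=True, patch_level_ok=True)
    print("broker, payroll:", broker_decide(alice, healthy, "payroll"))
    print("broker, ci-server:", broker_decide(alice, healthy, "ci-server"))
    print("vpn reachable:", vpn_reachable(APP_ADDRESSES))
    drifted = [healthy, healthy, DevicePosture(True, True, patch_level_ok=False)]
    print("session re-evaluation:", reevaluate_session(alice, drifted, "payroll"))
```

The contrast is the point: `vpn_reachable` shows that a network-level grant exposes every host in the routed segment, including applications the user has no business reaching, whereas `broker_decide` exposes exactly one application per verified request and `reevaluate_session` shows how a posture change mid-session (here, a device falling out of patch compliance) revokes access rather than leaving a standing tunnel open.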
Secure Access Service Edge (SASE)
As remote access and software as a service (SaaS) have grown, so has the trend toward sending traffic to a variety of internet-based and other cloud services rather than to the data center. SASE has evolved as a way to meet the need for security and access control with uninterrupted access for remote users.
SASE blends the reach of the wide area network (WAN) with the protection of enterprise-caliber security. The solution is delivered in a single, cloud-based service model that a company can use to unify its network, consolidate its security and simplify its operations.
SASE addresses the problem of fragmentation in the security landscape, which convinced many enterprises that the key to cybersecurity was implementing multiple “best-of-breed” products and technologies from multiple vendors on-premises. SASE is based on the alternative view that, as with data and applications, the future of network security is in the cloud.
Most notably, SASE offers the flexibility of a cloud-based infrastructure. This helps companies more easily implement security services such as threat prevention, DNS security, sandboxing, credential theft prevention, web filtering and next-generation firewall policies.
Software-Defined Wide Area Network (SD-WAN)
In a traditional architecture, the WAN relies on physical devices like routers to connect remote or branch users to the corporate network and data center. The flow of data among sites is determined by rules and policies written for each network device and typically follows a hub-and-spoke design, where the data center is the hub and any remote or satellite offices are the spokes. Managing the rules and policies that govern site-to-site connectivity is time-consuming and error-prone, so the software-defined WAN has evolved to move the control and management of data flow from hardware to centralized software.
That allows network administrators to write new rules and policies, and then configure and deploy them across the entire network at once. Compared to VPNs, SD-WANs are known for lower cost, higher performance and greater reliability. They offer features like quality of service (QoS) and application routing, embracing the cloud in a way that’s impossible on a VPN.
The Benefits of VPN Alternatives
Most companies turn to VPNs to solve the security problem of wide area network access, so it's best to evaluate the benefits of VPN alternatives in that light:
- ZTNA: With an ever-expanding attack surface as applications and services are distributed across hybrid cloud and on-premises environments, simply connecting to enterprise networks over a VPN is no longer secure. The unlimited access and high volume of connections in most companies introduce new security risks from unsecured Wi-Fi and unpatched, vulnerable devices. ZTNA goes beyond the encryption of VPNs to limit the attack surface by providing least-privileged access while inspecting all traffic for threats and protecting all applications.
- SASE: VPNs are a single element in the enterprise cybersecurity toolbox, best suited to on-premises IT architectures. SASE consolidates multiple security and networking features, including ZTNA, and delivers them in a way suited to future-oriented cloud architectures.
Which VPN Alternative Is Right for You?
There are various solutions on the market that you can consider for replacing your VPN. Palo Alto Networks Prisma Access is the only cloud-delivered security solution that delivers ZTNA 2.0. It is purpose-built to provide continuous trust verification, continuous security inspection and consistent protection for data and all apps. It also delivers cloud scale, data plane isolation and Autonomous Digital Experience Management (ADEM) to ensure the best user experience.