IT professionals are seeing an increase in exploits targeting their VPNs, a report jointly authored by two cybersecurity firms has found.
Business VPNs remain a popular way to provide secure access to company servers from remote locations, but other, more secure ways to build network infrastructure are emerging.
Are VPNs done for? Probably not just yet, but novel ways to facilitate secure access to company networks are certainly becoming more common.
IT Pros Report Rise in Attacks
According to the 2022 VPN Risk Report carried out by Cybersecurity Insiders and Zscaler, 44% of cybersecurity professionals witnessed an “increase in exploits targeting their VPNs”.
It’s not surprising either, considering the size of the attack surface – 61% of companies have three or more VPN gateways, and 38% have more than five.
The more gateways you have, the more complex and ultimately expensive your network architecture is to maintain.
The survey also found that 71% of cybersecurity professionals are “concerned that [a] VPN may jeopardize the ability to keep the environment secure”.
VPNs Aren’t Impenetrable
In essence, business VPNs extend company networks, in order to let people in various locations access sensitive resources.
But this also means that if the network is insecure, there are more ways a hacker can access and subsequently exploit it. VPNs also can’t really do anything about a malware-infected device on a company network.
Plus, the way VPNs encrypt traffic (it is encrypted between two endpoints connected to the network, such as a server and a device) means that a full, distinct security stack has to be deployed at every endpoint to inspect traffic, which is a resource-heavy activity.
What’s more, VPN credentials, like login credentials for any other software, can be stolen and subsequently used to orchestrate an entire network attack.
What Are the Alternatives to VPNs?
Another illuminating finding from the report was that almost two-thirds (65%) of IT professionals say they are considering the adoption of VPN alternatives.
It’s not wholly surprising, though, considering the prevalence of well-known exploits and the fact that VPNs can often reduce network speeds by rerouting connections through different servers.
Zero-Trust Network Access (ZTNA) is an alternative that’s becoming increasingly favored by businesses. According to the report, 80% of companies are in the process of adopting it.
In ZTNA, devices are constantly challenged (in the spirit of “zero trust”) before access to company servers is permitted.
ZTNA involves processes like employment verification and can help enforce maxims like the Principle of Least Privilege, which states that employees should have access to only the minimal amount of programs, files, and data needed to perform their jobs.
Secure access service edge (SASE), a cloud-based network infrastructure that combines networking and security services and of which ZTNA can form a part, is also being explored by an increasing number of companies.
Are VPNs Done for?
Not so soon. A good, reliable business VPN, despite the increased threat, is still good to have as part of your security infrastructure.
However, make sure employees are using a password manager (especially for their VPN login information) so that the risk of credential compromise is mitigated.
Alternatives to VPNs aren’t without issue, it must be said. Consumer VPNs, for instance, have “alternatives” advertised all the time that shouldn’t be trusted: users searching for them are sometimes pointed towards Smart DNS services.
Although Smart DNS services will help you spoof your location, they don’t encrypt your traffic, so using them for anything other than streaming movies from around the world is risky, especially if you live in a country governed by an authoritarian regime.
So, although moves to ZTNA and the SASE model do sound like an upgrade, only time will tell if they’ll replace VPNs completely.