Despite known security issues, VPN usage continues to thrive

VPN usage is still prevalent among 90% of security teams who have highlighted cost, time, and difficulty as reasons to not move forward with ZTNA adoption, according to a new survey conducted by Sapio Research. Furthermore, 97% say that adopting a zero trust model is a priority, with 93% of organizations having committed a budget to enhance their VPN or move toward ZTNA within the next year or two.

The last two years have shifted how we work, producing a new remote workforce that was essentially created overnight. As highlighted in this study, this has resulted in most workers – in this case 51% of respondents – using a combination of corporate and personal devices to connect to business applications and resources.

Personal devices often used by less security-conscious family members. This creates a very risky environment as personal devices are easy targets for threat actors especially since IT teams cannot fully monitor activity on these devices. Additionally, personal devices are often used by other family members – particularly children – which make them even more susceptible to malware and other viruses.

Despite known security issues, VPN usage continues to thrive, with 90% of respondents currently using a VPN in some capacity for secure remote access. When access is permitted on a personal device, it creates a risky situation for not only the user, but the entire organization. VPNs lack many of the application-level access controls and integrated security that are common in ZTNA solutions. As a result, cybercriminals will often target VPNs because a single set of compromised credentials can provide all of the access needed to carry out a data breach, ransomware incident, or other attacks.

“As this study shows, VPN usage continues to be prevalent, often viewed as ‘good enough’ for remote access among organizations simply because that is what they have always used,” said Jayanth Gummaraju, CEO of Banyan Security. “What this doesn’t account for is the poor administrative and end user experience, not to mention that on-premises access must be handled with separate, siloed tools. We have plenty of evidence to show that legacy VPNs no longer adequately protect nor provide consistent and easy access to corporate resources for today’s ‘work from anywhere’ workforce.”

Key drivers for ZTNA

A majority of the respondents (97%) stated that adopting a zero trust model is a priority for their organization, where 44% said they have plans to roll out zero trust but are in the early stages, while 53% said they have already begun to roll out zero trust solutions.

For organizations who have begun to roll out ZTNA solutions, the survey revealed that secure remote access (48%), improving the end user experience (34%) and eliminating exposure to VPN vulnerabilities (34%) were the top three drivers in their decision to choose ZTNA. Unlike VPNs, ZTNA provides access on a case-by-case basis, which is decided based on user, device, and application-level access and security controls.

What’s holding VPN users back from making the switch?

Over two thirds of organizations (69%) believe implementing a ZTNA strategy would require a large undertaking. Aside from the general familiarity and comfortable usage of their traditional VPN solution, organizations stated that cost/budget constraints are the biggest barriers (62%) for VPN users to adopt ZTNA.

Thirty percent of VPN owners said that it would be difficult to implement ZTNA infrastructure in their current security environment; however, 82% of respondents stated they would likely implement ZTNA if there was an easily deployable, inexpensive option. Apathy also appears to be one of the biggest barriers preventing VPN owners from adopting ZTNA solutions with 46% of respondents stating that modern, secure remote access is not a priority at this time.

“While it is good to see that awareness of ZTNA solutions amongst IT security professionals continues to grow, the actual implementation of a ZTNA architecture is still considerably low, with just over 17% of respondents having truly begun to roll out a ZTNA strategy,” continued Gummaraju. “As we look toward a future where remote and hybrid work are the standard for most organizations, it’s encouraging to see that IT teams are looking beyond VPNs at more comprehensive zero trust network access solutions.”