Despite high awareness of VPN risks, remote work forced many companies to rely more heavily on legacy access methods during the pandemic. At the same time, cybercriminals continue to take advantage of long-standing security vulnerabilities and increased attacks on VPNs, according to Zscaler’s VPN Risk Report.
“As evident in several high profile breaches and ransomware attacks, VPNs continue to be one of the weakest links in cybersecurity. Their architecture deficiencies provide an entry point to threat actors and offer them an opportunity to move laterally and steal data,” said Deepen Desai, Global CISO of Zscaler.
“To safeguard against the evolving threat landscape, organizations must use a zero trust architecture that, unlike VPN, does not bring the users on the same network as business-critical information, prevents lateral movement with user-app segmentation, minimizes the attack surface, and delivers full TLS inspection to prevent compromise and data loss.”
Zero trust secures remote access
While more and more companies have employees returning to the office, 95 percent of surveyed workplaces still rely on VPNs to support a combination of hybrid and distributed work environments that often span multiple geographies. In addition to remote employees, large organizations often extend network access to other external stakeholders, including customers, partners, and contractors. In many cases these users are connecting from untrusted devices on insecure networks, are granted far more freedom than necessary, and result in additional security risks.
Unlike cumbersome, insecure VPNs, zero trust architecture improves organizational security posture without sacrificing the user experience. In addition, zero trust allows IT teams to keep the location of their network and applications secret, reducing the attack surface and threat of internet-based attacks.
VPN risks continue to grow
The increase in the number of remote workers across industries has resulted in a sharp spike in cyberattacks that are tailor-made to target VPN users. As VPNs grant a greater degree of trust to users when compared to zero trust architecture, cybercriminals are more active in seeking to gain unauthorized access to network resources through exposed attack surfaces.
According to the report, 44 percent of cybersecurity professionals have witnessed an increase in exploits targeting their business VPNs in the last year, demonstrating the risks associated with this technology when deployed to support remote users.
Legacy network security architectures are pervasive and deeply entrenched in corporate data centers, making it difficult to challenge the status quo and adopt new architectures. So it should come as no great surprise that nearly all of the organizations surveyed continue to use VPNs despite knowing they are being targeted by ransomware and malware. Meanwhile, incumbent network security vendors have a vested interest in maintaining the remote access status quo.
Organizations should be wary of legacy network access approaches that rely on cloud-based VPN, and examine vendors’ architectures to understand whether they will bring significant benefits in risk reduction and user experience. VPN technology carries the same fundamental shortcomings and risks in cloud virtual machines as it does on appliances, and should be avoided in favor of more modern approaches.
Ongoing risks from legacy VPNs have created a gradual shift towards zero trust security, which provides greater control and flexibility for effective remote access management. 78 percent of organizations surveyed for the VPN Risk Report indicated that their future workforce will be hybrid, creating an ongoing need for this type of security infrastructure in the enterprise.
Since the shift to remote and hybrid work environments, 68 percent of surveyed companies have indicated that they are accelerating their zero trust projects. Unlike VPNs, zero trust architecture treats all network communications as potentially hostile and requires tightening access using identity-based validation policies. This ensures IT and security teams can restrict users from off-limits applications and prevent malicious intruders from taking advantage of granted access to move laterally within the network.
Zero trust security architecture also reduces network risk by eliminating the attack surface, masking activity from internet-based threats and connecting them directly to the applications and resources they need.