Why VPN no longer has a place in a secure work environment


Remote work is the new way of working and that’s not going away. In fact, according to 2022 research from Envoy, a workplace platform that helps teams manage hybrid work, more than 55% of employees surveyed in the UK say they’d look for a new job if their employer didn’t offer hybrid work. In light of this shift in the workforce, companies need to make sure their employees can easily, reliably, and securely access the data and applications they need to be productive from anywhere.

About the author

Kamal Srinivasan, SVP of Product, Corel.

Of course, this is not an easy task for companies. 49% of British employees use personal devices for work more often than before the pandemic, and many security complexities have arisen with BYOD (bring your own device). IT support teams and administrators are under more pressure to support a variety of devices, whether company-, employee- or contractor-owned. Any device that touches the corporate network needs to have secure access.

And with companies moving to the cloud or hybrid cloud and on-premises infrastructures, there is a real push toward a simple and secure means of accessing corporate data and apps from anywhere. So why is now the right time for companies to move away from VPNs?

Solutions of the past 

In simple terms, VPNs for secure work are outdated. They can’t keep up with the needs of a flexible and widespread workforce, and they can’t supply the secure access that businesses need in today’s remote world.

VPNs were of their time; they had their purpose. The centralized technology used in VPNs to give employees access to company data and apps worked well when everyone was in one place. They were designed for a small number of employees to connect to the corporate environment. Now, with the growing population of remote workers, VPNs often fall short, leaving users less productive and with a poor user experience. And to effectively keep up with the demands of the remote workforce, IT administrators would need to add VPN servers wherever their employees are located.

However, it’s important to acknowledge that VPNs are becoming relevant for privacy in the consumer space. There is a growing need for accessing content through VPN from various geographies.  

Security setbacks  

Issues arose with using VPN servers when workforces expanded and scaled up. VPNs were built around a model where IT administrators distributed the devices employees used so they knew the network, device, and person. But remote work changed everything.   

As the workforce expanded globally and added contractors, along with the introduction of BYOD, IT administrators could no longer assume that the device connecting to the VPN could be trusted. Admitting devices without knowing whether they were updated or patched correctly could open the door to major security issues.

Furthermore, the centralized nature of VPNs creates other security dilemmas. They become easy targets for hackers as they only need a user’s credentials or a compromised device to gain access to the entire network. 76% of VPN network intrusions involve compromised user credentials. Often, hackers will have access to VPNs for years before the organization discovers them. The process of patching can then take months and frequently systems are left unpatched and wide open to hackers. VPNs are notorious for being one of the main vectors of data breaches.   

Essentially, VPNs are no longer suitable for the modern-day remote workforce. Although there are occasions where VPNs could be used, there are still better, more efficient alternatives that provide a more seamless and secure user experience.   

Enter Zero-Trust  

Moving beyond VPNs, we find a far more secure and scalable model: zero-trust. More organizations are adopting the zero-trust security architecture. There has been an evident increase in recognition of the importance of such architecture, with 72% of organizations around the world either adopting or in the process of adopting a zero-trust security system. 

Organizations must intelligently and strategically choose what security solutions they need and apply those technologies in a manner that deals with the core issues that enable flexibility and choice of a decentralized IT. Zero-trust is that strategic focus that leverages available security solutions to deal with the fundamental issues that allow heterogeneous infrastructure and BYODs. 

Zero-trust evolved from the need for a more identity-centric approach to the adoption of mobile and cloud technologies. It tied dynamic authorization (entitlements) to the identity. Zero-trust particularly started moving to the center stage throughout the pandemic and picked up pace moving into the hybrid era. As cloud solutions and platforms grew, secure access became increasingly important. Zero-trust methods reduce the cost of a data breach by about $1.76 million. Zero-trust also reduces the blast radius of these data breaches by isolating applications. With remote work here to stay, businesses can’t afford to have weak security systems.   

Serving security  

Zero-trust does what VPNs never could: it removes any implicit trust from the environment through a layered security approach. Zero-trust is a security model that denies access to data and applications by default and takes the “never trust, always verify” approach. Unless you have verified granular access, you can’t be granted entrance into corporate data. Moreover, unlike VPNs, zero-trust architectures assume data access is not uniform. This enables regulated sectors like healthcare or finance to easily implement zero-trust architectures without exposing sensitive data to everyone within the organization. Access is gained only after informed, risk-based and contextual verifications across users and devices.

Zero-trust advocates three simple principles:  

  1. All entities are untrusted by default 
  2. Least privileged access is enforced 
  3. Comprehensive security monitoring is implemented 

These principles are why zero-trust is more suitable for remote work. They securely enable the “anywhere, anytime” workforce through continuous and rigorous verifications to ensure that, although you can get privileged access anywhere, it is not open to anyone.  
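The three principles above, sketched as a per-request policy decision function. This is an added example, not code from the article or from any product; the user names, application names, posture fields and the risk threshold are hypothetical.

```python
import logging
from dataclasses import dataclass

log = logging.getLogger("access-audit")

# Hypothetical entitlements. Least privilege: an explicit (application, action)
# grant per user, never network-wide access.
ENTITLEMENTS = {
    "alice": {("payroll", "read")},
    "bob": {("wiki", "read"), ("wiki", "write")},
}
MAX_RISK = 50  # assumed threshold for a 0-100 score from a risk engine


@dataclass(frozen=True)
class Request:
    user: str
    mfa_verified: bool
    device_managed: bool  # known to IT, or an enrolled BYOD device
    device_patched: bool  # result of a posture check
    risk_score: int       # contextual signal: location, time, behaviour
    app: str
    action: str


def _audit(req: Request, allowed: bool, reason: str) -> tuple[bool, str]:
    # Principle 3: record every decision, allow and deny alike.
    log.info("user=%s app=%s action=%s allowed=%s reason=%s",
             req.user, req.app, req.action, allowed, reason)
    return allowed, reason


def decide(req: Request) -> tuple[bool, str]:
    """Evaluate one request. Anything that is not an explicit grant is denied."""
    checks = [
        # Principle 1: user, device and context are all untrusted until verified.
        (req.mfa_verified, "identity not verified"),
        (req.device_managed and req.device_patched, "device posture failed"),
        (req.risk_score <= MAX_RISK, "contextual risk too high"),
        # Principle 2: access is scoped to one application and one action.
        ((req.app, req.action) in ENTITLEMENTS.get(req.user, set()),
         "no entitlement for this application/action"),
    ]
    for ok, reason in checks:
        if not ok:
            return _audit(req, False, reason)
    return _audit(req, True, "all checks passed")
```

Because `decide` runs on every request and not once at connection time, a verified user on an unpatched device, or one asking for an application outside their entitlements, is still refused.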

One door closes, another opens  

Essentially, VPNs are no longer suitable for the modern-day remote workforce. Although there are occasions where VPNs could be used, they cannot match up to the better, more efficient alternatives that provide a seamless and secure user experience.   

As the workforce evolves and adapts, zero-trust is undoubtedly the way forward in the remote world of work. Businesses simply cannot risk data breaches with such colossal repercussions. The ability to work from anywhere on any device is revolutionary and harnessing this opportunity for creating a safe and secure working environment is key.  

Zero-trust should be a business mindset. Strategically assessing all applications and systems to ensure that they maintain no trust policies will help to keep your company’s data safe and secure while maintaining a seamless and efficient user experience.
