
Most businesses plan to move away from VPNs, adopt a zero-trust access model

Remote working amid the pandemic is a contributing factor to increased investments. (Photo by Erin Clark/The Boston Globe via Getty Images)

Growing security risks have prompted companies to move away from virtual private networks (VPNs) in favor of a zero-trust model.

Most organizations, 72 percent, plan to ditch VPNs, according to Zscaler's 2021 VPN Risk Report, which found that 67 percent of organizations are considering remote access alternatives.

“It’s encouraging to see that enterprises understand that zero-trust architectures present one of the most effective ways of providing secure access to business resources,” said Chris Hines, director, zero-trust solutions, at Zscaler. “The more secure approach is to completely leave network access out of the equation by taking the users securely and directly to the applications by brokering all user-to-app connections using a cloud-delivered zero trust access service instead.”

After a shift to work from home in 2020, it’s clear that some businesses will remain remote-only, while others are adopting a hybrid of remote and in-office workspace, said Timur Kovalev, chief technology officer at Untangle. The remote work trend, along with an expanding distributed workforce, has complicated network security at many businesses. And, with more people working from home, attacks targeting VPNs have increased, Kovalev said, leading companies to investigate zero-trust strategies.

VPNs have failed to meet this work-from-anywhere moment, said Dor Knafo, co-founder and CEO of Axis Security. Beyond operational challenges, he said applications are vulnerable running over VPNs because they are inherently open networks. That aggravates existing security issues, expanding vulnerable attack surfaces to a broader set of potentially hostile users, including unbonded third parties.

“Adding to the security problems, VPNs are overly permissive, providing too much access, too much implicit trust in the user once they have been authenticated,” Knafo said. “Cloud-based zero trust network access solutions separate the untrusted user from the open network and the vulnerable application, reducing the threat surface and risk of attack. ZTNA also allows for continuous security monitoring with granular visibility over user behavior, an essential component of a zero trust strategy.”

Calling zero-trust “one of the latest cybersecurity trends to protect digital environments based on the key principle that instead of first making services available and then locking down access to those services,” Kovalev said access isn't granted unless it’s specifically and deliberately given. “It’s a simple and clear concept, but as with other more recent trends, the ‘how’ can vary depending on the way each vendor implementing the concept chooses to do so,” he said. “For example, zero-trust can be achieved in ways such as adding two-factor authentication and other verification methods, or by using an Identity Provider so that all authentication and authorization gets centrally managed.”

The Zscaler report also found:

  • 93% of companies surveyed have deployed VPN services, despite 94% of those surveyed admitting that they are aware that cybercriminals are exploiting VPNs to access network resources.
  • Respondents said that social engineering (75%), ransomware (74%), and malware (60%) are the most concerning attack vectors and are often used to exploit users accessing VPNs.
  • Looking at the future need for zero trust services, the report said 77% of respondents say their workforce will be hybrid, with greater flexibility for users to work remotely or in the office.
