Are VPNs still the best solution for security?

Cybersecurity professionals rely on VPNs to secure remote endpoints with an organization’s home network. One expert suggests there is a better, simpler and safer approach to accomplish the same thing.

Secure VPN Connection. Virtual Private Network or Internet Security Concept.

Image: Getty Images/iStockphoto

It’s almost old news to say that COVID changed everything, and remote workforces are here to stay. As to what’s changing, organizations are reevaluating their investments and modifying work environments so that they have as small an attack surface as possible. This means the use of legacy, on-premise solutions and the VPN infrastructure that is required for them to operate are no longer viable. 

More about cybersecurity

Automox’s 2021 State of IT Operations survey suggests one reason for the lack of viability is the increased difficulty in managing endpoints as more employees work remotely (80% of the survey participants). “That comes as no surprise with the majority still using a mix of legacy IT tools that no longer meet the needs of today’s dynamic and changing environments,” explained Jay Prassl, founder and CEO of Automox, during an email interview. “In addition, cybersecurity pros were unprepared for the sudden shift to remote work which caused a cybersecurity nightmare.” 

“It is critical that companies take a proactive stance to security and implement a long-term remote security strategy,” continued Prassl. “The popular narrative that corporate VPNs are trusted and secure couldn’t be further from the truth – distributed endpoints are some of the easiest targets for attackers, and gaining entry to a company network is as easy as an employee committing an unintended error.”

SEE: IT expense reimbursement policy (TechRepublic Premium)

To back his claim, Prassl cites Verizon’s 2021 Data Breach Investigations Report, which mentions that 85% of cyberattacks last year involved human interaction. Adding additional affirmation, one of the criteria for being included in the Gartner Magic Quadrant for Unified Endpoint Management requires solutions to work independent of VPNs. Prassl added, “This is a strong signal the industry is moving away from tools like VPNs, in favor of more effective processes.”

What will replace VPNs? 

Next, Prassl offered the following examples of current cybersecurity challenges and how to rectify them.

First example: A fully remote startup employs on-site servers. The business is successful, and the number of servers quickly increases from a dozen servers to more than one hundred. The organization buys more space and hires more people to manage new servers. It’s a never-ending and expensive spiral. 

Instead, organizations could adopt cloud or cloud-native solutions, which provide the following benefits:

  • Better scalability, real-time visibility, and control over distributed IT environments.
  • Less work required to deploy, manage, and maintain the organization’s infrastructure. 
  • More cost-effective to scale as a business grows, especially if they are looking to become fully remote. 

Second example: Typically the traditional IT-management strategy requires one of two things: On-site direct connectivity or VPN connectivity. However, in a distributed-workforce environment, not all employees may connect to the VPN every day, meaning the IT team can have unmanaged corporate endpoints for some time before they check in again to receive updates.

Organizations could implement tools such as cloud-based patch management, Mobile Device Management (MDM), Endpoint Detection and Response (EDR), antivirus software, endpoint encryption, and secure email gateways, which offer the following benefits:

  • Simplifying deployment of cloud-based solutions to a remote workforce using lightweight agents.
  • Improving visibility and control, allowing IT teams to manage the devices remotely.

Third example: Suppose a CEO’s laptop is hacked. Cybercriminals could have full access to the company’s sensitive data for a long period of time without being detected. 

Organizations could employ a zero-trust architecture as the foundation of the organization’s cybersecurity platform, which provides the following benefits: 

  • Limits the potential damage and consequences of invasive cyber attacks, complex phishing scams, and embarrassing data breaches.
  • Reduces user permissions and access to data so that not even CEOs will have access to all of the organization’s data, only the data they need.  
  • Implements network segmentation and monitors network activity, in order to protect sensitive data and respond to breaches quickly. 

VPNs can be difficult for users as well as IT and cybersecurity departments. A lot of people would likely be willing to move to a platform that would be easier to use and implement, as well as being more secure.

Also see