What’s keeping security professionals up at night these days? The answer may surprise you.
Today, a new survey (the second annual) conducted by Cybersecurity Insiders and commissioned by Zscaler found that cybersecurity professionals can agree on one thing: VPNs are putting their organizations at risk of attack.
And there’s good reason for them to be concerned.
VPNs are nearly as old as the internet itself, but this early form of remote access technology has been exposed to significant vulnerabilities in recent years. According to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), malicious cyber actors routinely and aggressively exploited unpatched VPNs in 2021.
VPNs have essentially become sitting ducks, and the bad guys have taken notice.
Old habits die hard
For nearly three decades, companies have relied on remote access VPNs. Built on the castle-and-moat security model, the VPN worked well when applications lived in the data center. In today’s cloud- and mobile-first world, people and applications have moved outside the perimeter, yet remote access security remains tethered to the corporate network.
The challenges caused by legacy network and security architecture are pervasive and long-standing, particularly when, as with the VPN, they are deeply rooted in corporate data centers and business processes. That may explain why 95% of companies continue to use VPNs despite knowing they are popular targets for cybercriminals to exploit.
A VPN is the internet’s front door to your network
VPNs are an attractive network access vector for attackers because they provide initial access into the corporate network, from which attackers can spread laterally to breach resources or disrupt operations, as in the Colonial Pipeline attack of 2021. By design, VPNs give users full network-level IP access. Bad actors can exploit this broad access directly or leverage it for reconnaissance, probing networks and data centers and steering threats such as ransomware, malware, web application attacks, and DDoS attacks toward high-value targets.
Security professionals have witnessed an increase in exploits targeting hybrid and remote workers, and 71% of them fear that VPNs may jeopardize their ability to secure their networks.
The VPN is too trusting and too costly
According to the survey, organizations face two main challenges with their current VPN:
1. Putting users on the network. A VPN requires giving employees and third parties direct access to the corporate network. The moment a user tunnels into the network via VPN, they are treated as “trusted” and granted lateral access, without any verification that they have actually earned that trust.
2. High costs and even higher complexity. The cost of a full VPN gateway appliance stack grows as latency and capacity limitations force organizations to replicate the stack at each of their data centers. In fact, the majority of companies (61%) have three or more VPN gateways, making the environment more difficult to manage and scale.
The status quo is failing, zero trust is shaking it up
Most security professionals (71%) believe VPNs pose an unacceptable level of risk to their organization and are seeking safer, zero trust-based alternatives. According to Cybersecurity Insiders, 80% of organizations are adopting or have adopted zero trust this year, up 12% from last year.
Find out why companies are replacing VPNs with ZTNA
By 2025, at least 70% of new remote access deployments will be served by ZTNA as opposed to VPN, up from less than 10% at the end of 2021, according to Gartner.
At Zscaler, we’ve helped thousands of organizations, such as National Oilwell & Varco, Sanmina, and West Fraser, migrate from their legacy VPN to our next-generation zero trust network access service, Zscaler Private Access.
If you are looking for a way to progressively augment or replace your on-prem or cloud-hosted VPN, this page might prove useful. Until then, stay on top of patching vulnerabilities in your VPN, and check out these must-read resources: