The Demise of the VPN will Come Sooner Rather than Later

Around this time every year, businesses start to make predictions for the year ahead. This year, however, has been marked by upheaval—a pandemic that has resulted in incalculable loss, global lockdowns, and the disruption of our day-to-day lives—situations no one anticipated. Our predictions for the year, in hindsight, almost seem quaint in comparison to the realities of 2020.

But one prediction for 2020 that did come to pass was around the trajectory of VPNs. Even before the move to remote work, VPN technology had been showing its age for some time. VPNs worked well in the network-centric world, where apps resided solely in the data centre and a security perimeter around the “castle” was all you needed. Even in 2019, many organisations were already moving toward a perimeter-less model, where traditional network security based on the castle-and-moat approach was no longer relevant. We predicted that, in the next few years, VPNs would be redundant. We may have been right about the VPN being on its last legs but off a bit on the timing. 

VPN redundancy accelerates

In 2019, businesses didn't invest their infrastructure budget in enabling remote work. The two primary investment areas were driving applications to the cloud (to achieve cost benefits and competitive advantage) and simplifying IT in general. For most organizations, that meant investing in SD-WAN projects. These investments made sense at the time. But when lockdowns started hitting in March, business continuity plans proved to be lacking, and those sites with SD-WAN sat unused and gathering dust. 

In March of this year, businesses found themselves unable to handily support en-masse remote work, as there was a critical shortage of network connections. I know of multiple organisations that had their employees connecting to the data centre via VPN to get internet access. This kind of solution could handle 20%, maybe 30%, of the workforce, so scaling to handle all employees was impossible. Reliable connections became scarce, and productivity suffered as a result. 

As connectivity inevitably became the precious resource needed to ensure business continuity, IT teams felt pressured to enable more reliable connections. In an ends-justify-the-means scenario, IT teams started bypassing security controls, spinning up cheap remote desktop protocol (RDP) and VPN solutions, and also empowering employees to use their personal devices to access internal corporate resources. 

In the short term, this meant a summer of relative calm—connectivity stabilised, productivity increased, and board members breathed a tentative sigh of relief. However, the quick fixes and workarounds left cracks in security. 

VPN security issues come full circle

In mid-October, the US National Security Agency (NSA) released a list of the top 25 security vulnerabilities that Chinese hackers have been exploiting to steal intellectual property, as well as economic, political, and military information. VPNs and RDPs make up nearly half of those vulnerabilities. Since the end of summer, significant cyberattacks, especially those involving ransomware, have targeted these approaches to remote access in large enterprises.

VPN vulnerabilities are nothing new. The NSA and its UK counterpart, the National Cyber Security Centre (NCSC), have flagged vulnerabilities in VPNs for years. The difference now is that organisations aren’t just relying on VPNs to connect a handful of workers; VPNs have become central to business continuity. Their widespread use makes a company’s attack surface larger, and the prizes for cybercriminals larger still.  
 

We recently researched how European businesses are enabling secure remote access. Thirty percent of companies use remote access VPN solutions to provide access to business applications in data centres or the cloud. One-third are using RDPs. More modern approaches, such as zero-trust (17%) and identity and access management (19%), trail behind. 

Relying on these outdated solutions is, to put it mildly, risky. No one knows for sure how the recent work-from-home mandates will affect work practices in the future. But it seems sensible for businesses to prepare for large-scale remote work in the future—to maintain flexibility in the face of another type of crisis or simply as a smart business strategy.  

As I mentioned at the outset of this piece, the infrastructure investments of 2019 often proved to be unsuited for the challenges businesses faced this year. Business leaders couldn’t have anticipated the year we’ve had, and now needn’t get bogged down in sunk costs. It’s time to retire the VPN for good before its inadequacies cause further harm to businesses.