With the past 18 months seeing the rapid expansion of remote working, organisations have had to quickly adapt to new ways of operating, with a major part of this ensuring that remote workers remain secure while outside of the four walls of the office environment.
For many organisations, virtual private networks (VPNs) have been part of the solution. VPNs create an encrypted connection between an employee's device and the company's internal network, allowing them to access applications and data remotely as if they were in the office. For many, they have been the default method of accessing a corporate network remotely.
According to research by OpenVPN, 70 percent of employees surveyed believe that their company's VPN usage has expanded during the Covid-19 pandemic. And with remote working here to stay, this trend looks likely to stick around for a while.
But are VPNs adequately protecting organisations from the additional security risks that come with an increase in remote working and are they suitable for increasingly complex environments?
Built on the principles of zero trust, Zero Trust Network Access (ZTNA) requires users to be verified before they can access applications, with users given least-privileged access and applications they are not permitted to access hidden from view. Access and authentication technologies such as network access control (NAC) and multi-factor authentication (MFA) can be used in conjunction with ZTNA, providing an additional layer of security.
VPNs provide full access to an organisation's internal network working on the presumption of trust. In other words, once a user is inside the perimeter, they are granted full access to the corporate network, with the same level of access granted regardless of where the user is located. This means that in the event a user's credentials are compromised, they could potentially have access to the whole network.
ZTNA, however, works on the basis of granular access, with users given access on an application-by-application basis, and each access request must be authorised. Rather than operating on trust and assuming that everything inside the perimeter is secure, only after they are authenticated are users granted access.
VPNs also give remote users using their own devices the same level of access to corporate resources as organisation-supplied devices, without considering the additional security risks that come with this. Through ZTNA, however, organisations can set up device or location-specific access policies, with devices' security posture verified before access is granted, rather than IP-based access control.
While VPNs go some way to secure remote workers, organisations are now planning for the future, and implementing their post-pandemic security strategy. Those that have rushed to implement VPNs may now be considering whether they really offer the level of protection needed.
Put simply, legacy VPN technology may no longer meet the security needs of the modern enterprise and the increasingly distributed workforce, and organisations looking to ensure employees remain secure, while creating a positive user experience, should be looking elsewhere.
This post is sponsored by Fortinet