Virtual private networks (VPNs) have long been the go-to tool for businesses to connect remote employees to their networks securely. The recent surge in remote work has only amplified this, with 84 percent of organizations using VPNs predominantly for remote employee access. However, only a fraction of organizations use VPNs to handle unmanaged devices, pointing towards an overlooked vulnerability.
The findings come from Zscaler’s 2023 VPN Risk Report, based on an online survey of 382 IT professionals and cybersecurity experts conducted in June 2023. The report explores the complexities of VPN management, user experience issues, increasing cyberattack risks, and overall impact on security. What follows is a summary of the key findings.
With 70 percent of users relying on VPNs daily for regular business activities, these services' quality and reliability are crucial. That said, common problems persist with VPNs, such as slow connections (reported by 25 percent of the survey respondents), dropped connections (21 percent), and inconsistent user experiences across different platforms (16 percent).
Interestingly, despite a high frequency of VPN use and ongoing cybersecurity threats, users rank VPN security as a less significant issue. On the user satisfaction front, a sizable 72 percent of IT professionals are unhappy with their VPN experience, emphasizing the need for more reliable and user-friendly remote access solutions.
The report also uncovered that businesses face challenges managing VPN infrastructure. According to 22 percent of the respondents, the most significant issue is achieving a balance between VPN performance and user experience. Troubleshooting VPN connectivity and keeping up with software patches are also notable concerns. Only 9 percent of IT professionals identified increasing VPN infrastructure costs as a major issue.
On the security front, 88 percent of the respondents said they are worried that their VPN might be a potential security risk. Adding to the apprehensions, 90 percent expressed concerns about third-party access via VPNs. Given that third parties may not follow the same strict cybersecurity standards, they could unintentionally open a door for cybercriminals to infiltrate an organization’s network. A cumulative 35 percent were “very” or “extremely” concerned, indicating that third-party VPN access is a major source of worry.
With their history of vulnerabilities and continuous patching, VPNs can expose an organization to various cyber threats. Survey respondents identified phishing and ransomware attacks as the most likely to exploit VPN weaknesses. Furthermore, it was found that 45 percent of organizations have suffered one or more attacks on their VPN servers in the last year due to VPN software vulnerabilities.
Shifting from VPNs to Zero Trust Network Access
In response to these concerns, 90 percent of organizations prioritize adopting zero trust, a security model grounded in “never trust, always verify.” This includes aspects like robust multi-factor authentication procedures, ongoing validation of traffic, network compartmentalization, minimal-privilege access, and continuous surveillance. A staggering 92 percent of organizations are either in the process of implementing (27 percent), planning to implement (42 percent), or contemplating a zero trust strategy. Organizations that aren’t adopting zero trust risk falling behind and becoming more vulnerable to cyber threats.
The shift from VPNs to Zero Trust Network Access (ZTNA) marks a pivotal change in modern cybersecurity strategies, with 40 percent of organizations transitioning to ZTNA. For those contemplating this shift, it’s essential to evaluate ZTNA solutions that meet their specific needs. Organizations that are unable to fully transition can instead adopt hybrid models, combining the strengths of ZTNA while utilizing their existing VPN infrastructure.
In the report, Zscaler makes several recommendations to help organizations successfully transition from traditional VPNs to a contemporary zero trust architecture. First, organizations should evaluate their infrastructure, which begins with an in-depth analysis of the current VPN setup. Then, they should select the appropriate zero trust solution, preferably one that’s both cloud-native and software-defined. They should also be applying the least-privilege access principle to provide users with the necessary access to resources tailored to their roles.
It’s important to prepare for future growth by choosing a solution that can adapt to the business as it expands. The report found that approximately 11 percent of organizations have scalability issues with their VPNs. A cloud-based solution, for example, can help organizations effectively manage their growing needs. Meanwhile, regularly revising and renewing security policies can ensure that the business is up-to-date on security guidelines.
Additionally, organizations should provide secure access for all users by implementing a solution that allows safe access for remote staff, third parties, and unmanaged devices. Lastly, organizations should adopt a strategy that involves continuous monitoring to spot and address potential issues. Proactive threat detection and response are essential elements of zero trust.
In conclusion, while VPNs continue to be a mainstay for remote network access, their limitations and vulnerabilities have led to growing interest in more secure and reliable alternatives like ZTNA. As cybersecurity threats continue to evolve, businesses must prioritize assessing their current infrastructure, enhancing user experiences, and exploring modern security models to stay ahead of the curve.
Zeus Kerravala is the founder and principal analyst with ZK Research.
Read his other Network Computing articles here.