Moving Beyond Remote Access VPNs

The COVID-19 pandemic drove rapid, widespread adoption of remote work. Just a few years ago, many organizations considered remote work inefficient or completely impossible for their industry and business. With the pandemic, remote work was proven to not only work but work well. However, this rapid shift to remote work left little time to redesign and invest in remote work infrastructure and raised serious information security concerns. As a result, many companies attempted to meet the needs of their remote workforce via remote access VPNs with varying levels of success.

This is part of a guide series about Access Management.

What is a Remote Access VPN and How Does it Work?

A remote access virtual private network (VPN) is a solution designed to securely connect a remote user to the enterprise network. A remote access VPN creates an encrypted tunnel between a remote worker and the enterprise network. This allows traffic to be sent securely between these parties over untrusted public networks.

VPNs in general are designed to create an encrypted tunnel between two points. Before sending any data over the connection, the two VPN endpoints perform a handshake that allows them to securely generate a shared secret key. Each endpoint of the VPN connection will use this shared encryption key to encrypt the traffic sent to the other endpoint and decrypt traffic sent to them. This creates the VPN tunnel that allows traffic to be sent over a public network without the risk of eavesdropping.

In the case of a remote access VPN, one end of the VPN connection is a VPN appliance or concentrator on the enterprise network and the other is a remote worker’s computer. Both sides will perform the handshake and handle the encryption and decryption of all data on the VPN connection, and a user will have access to resources similar to if they were in the office.

Why Companies Need to Move Beyond Remote Access VPNs

The reason why Remote access VPNs were widely adopted in the wake of COVID-19 was because companies had existing VPN infrastructure and were simply comfortable with the technology. However, these VPN solutions have numerous limitations, including:

• Continuous Usage: Corporate VPN infrastructure was originally designed to occasionally connect a small percentage of the workforce to the enterprise network and resources. With the need to support continuous remote work for most or all of the organization’s employees, remote access VPNs no longer meet business requirements.
• Limited Scalability of VPNs: Existing VPN infrastructure was not built to support the entire workforce, making it necessary to scale to meet demand. Attempting to solve this issue using additional VPN appliances or concentrators increases the complexity of the enterprise network and requires additional investment in security appliances as well.
• Lack of Integrated Security: A remote access VPN is designed to provide an encrypted connection between a remote worker and enterprise systems. It does not include the enterprise-grade security inspection and monitoring that is necessary to protect against modern cyber threats. Relying on remote access VPNs forces companies to invest in additional, standalone security solutions to secure their VPN infrastructure.
• Security Granularity: A remote access VPN provides access similar to a direct connection to the enterprise network. These VPNs provide unrestricted access to enterprise resources in violation of the principles of least privilege and zero-trust security. As a result, a compromised account can provide an attacker with far-reaching access and enables the unrestricted spread of malware.
• Performance and Availability: VPN traffic travels over the public Internet, meaning that its performance and availability depend on that of the underlying Internet. Packet loss and jitter are common on the Internet, and latency and availability issues can have a significant impact on the productivity of a remote workforce reliant on remote VPNs for connectivity.
• Geographic Limitations: VPNs are designed to provide point-to-point connectivity between two locations. As companies become more distributed and reliant on cloud-based infrastructure, using VPNs for remote access creates complex VPN infrastructure or inefficient traffic routing.

Remote access VPNs were a workable secure remote access solution when a small number of employees required occasional remote connectivity to the enterprise network. As telework becomes widespread and corporate networks become more complex, remote access VPNs no longer meet enterprise needs.

Enterprise Solutions for Secure Remote Access

VPNs are the oldest and best-known solution for secure remote access, but this certainly doesn’t mean that they are the best available solution. The numerous limitations and disadvantages of VPNs make them ill-suited to the modern, distributed enterprise that needs to support a mostly or wholly remote workforce.

Today, VPNs are not the only option for enterprise secure remote access. Gartner has coined the term Secure Access Service Edge (SASE) to describe cloud-native solutions that integrate SD-WAN functionality with a full security stack.

Zero trust network access (ZTNA) is one of the security solutions integrated into SASE and serves as a superior alternative to the remote access VPN. Some of the advantages of replacing remote access VPNs with SASE include:

• Scalability and Flexibility: SASE is built using a network of geographically distributed, cloud-based Points of Presence (PoPs). This enables the SASE network to seamlessly scale to meet demand without the need to deploy additional VPN and security appliances.
• Availability and Redundancy: SASE nodes are built to be redundant and to identify the best available path to traffic’s destination. This offers much higher availability and resiliency and eliminates the single points of failure of VPN-based remote access infrastructure.
• Private Backbone: SASE PoPs are connected via a secure private backbone. This enables it to provide performance and availability guarantees that are not possible for Internet-based VPNs.
• Integrated Security: In addition to ZTNA, which enforces zero-trust access controls, SASE PoPs integrate a full stack of network security solutions. This enables them to provide enterprise-grade security without the need for additional standalone security solutions, inefficient routing, or security chokepoints.

If you’re looking to deploy or upgrade your organization’s secure remote access infrastructure, a remote access VPN is likely not the right answer. Cato’s SASE-based remote access service provides all of the benefits of a VPN with none of the downsides. To learn more about SASE and how it can work for your business, contact us here.

See Additional Guides on Key Access Management Topics

Together with our content partners, we have authored in-depth guides on several other topics that can also be useful as you explore the world of access management.