The disadvantages of VPNs for Enterprises

August 5, 2020

The COVID-19 outbreak led to a surge in business VPN usage in an extremely short timeframe. In fact, multiple regions saw VPN usage rise over 200% in a matter of weeks. In many cases, remote access VPNs enabled enterprises to get work from home initiatives off the ground quickly and keep their business running, despite offices being closed.

However, as they settle into the new normal, many enterprises are also learning that there are several VPN disadvantages as well. Scalability, performance, and security can all become challenges with remote access VPN. SDP (software-defined perimeter) provides enterprises with a solution to the disadvantages of VPN. By taking a software-defined approach to remote access and network security, SDP (sometimes referred to as ZTNA or Zero Trust Network Access) helps address these challenges in a way that is more sustainable long-term.

But what exactly sets SDP apart from traditional remote access VPN? Let’s find out.

Of course, VPN isn’t without its upside

Remote access VPNs provide enterprises with a means to enable remote work. A virtual or physical appliance within the WAN, the public Internet, and client software on employee PCs is often sufficient to support work from home initiatives. In many cases, this exact sort of remote access VPN configuration helped businesses keep the lights on when the pandemic hit.

VPN disadvantages

While it is true remote access VPN saved the day for some businesses, it’s also true that the increased usage has further magnified some of the biggest VPN disadvantages.

#1: Not designed for continuous use

The use case for remote access VPN was never to connect an entire enterprise to the WAN. Traditionally, enterprises purchased VPN solutions to connect a small percentage of the workforce for short periods of time. With a shift to large-scale work from home, existing VPN infrastructure is forced to support a continuous workload it wasn’t intended for. This creates an environment where VPN servers are subject to excessive loads that can negatively affect performance and user experience.

#2: Complexity impedes scalability

Enterprises may try to address the issue of VPN overload with additional VPN appliances or VPN concentrators, but this adds cost and complexity to the network. Similarly, configuring VPN appliances for HA (high availability) adds more cost and requires more complex configuration.
Further, because VPN servers provide remote access, but not enterprise-grade security and monitoring, they must be complemented by management solutions and security tools. These additional appliances and applications lead to even more configuration and maintenance. As each additional solution is layered in, the network becomes more complex and more difficult to scale.

#3: Lack of granular security

VPN appliances are a textbook example of castle-and-moat security. Once a user connects via VPN, they have effectively unrestricted access to the rest of the subnet. For some enterprises, this means non-admin users have network access to critical infrastructure when they shouldn’t. Further, this castle-and-moat approach increases the risk of malware spread and data breaches.
To add granular security controls to remote access VPN, enterprises often have to deploy additional security point-solutions, but this adds additional cost and complexity while leaving plenty of room for misconfiguration and human error.

#4: Unpredictable performance

VPN connections occur over the public Internet, which means network performance is directly tied to public Internet performance. The jitter and packet loss common to the Internet can wreak havoc on mission critical apps and user experience. Additionally, enterprises with a global footprint know that there are significant latency challenges when attempting to send Internet traffic across the globe, before we even take into account the additional overhead VPN tunneling adds.

#5: Unreliable availability

Beyond unpredictable performance, enterprises that depend on the public Internet for remote access get no availability guarantees. When public Internet outages mean lost productivity for your entire organization, the risk of depending solely on the public Internet can outweigh the rewards significantly.

How SDP addresses remote access VPN disadvantages

SDP, when used as part of a holistic Secure Access Service Edge (or SASE) platform, directly addresses VPN’s disadvantages and provides enterprises with a scalable and reliable remote network access solution.

SASE is a category of enterprise networking that converges network and security functionality into a unified cloud-native service. SDP, which is an important part of the SASE framework, is a modern approach to remote application access that has global performance optimization, threat protection, and granular access controls built in.

The idea behind SDP is simple:

Users securely authenticate (e.g. using MFA and encrypted network protocols)

Access rights are assigned based on profiles and specific applications

Risk assessment occurs continuously during each user session

Using Cato’s SASE platform as an example, with SASE and SDP, enterprises gain a remote access solution that:

  • Is built for continuous access. Cato’s globally distributed cloud-native platform is purpose built for continuous access. Enterprises don’t have to worry about overloading a single VPN appliance with cloud-native infrastructure. Additionally, performance optimization and HA are built into Cato’s global private backbone, eliminating many of the performance issues that created VPN’s dependence on the public Internet.
  • Delivers hyper-scalability. Enterprises don’t need to add more appliances to scale. SDP and SASE bring the hyper-scalability of the cloud to remote access.
  • Provides granular access control. SDP allows enterprises to design access controls at the application-level and based on user profiles. This leads to a significant reduction in risk compared to VPN’s network-level approach.
  • Proactively protects against threats. With SDP, network traffic goes through end-to-end packet inspection using a robust cloud-based security stack designed to detect and prevent malicious behavior. This occurs without the need to deploy and maintain additional security solutions.
  • Is backed by a 99.999% uptime SLA. Cato’s global private backbone consists of more than 50 PoPs interconnected by Tier-1 Internet Service Providers and backed by a 99.999% uptime SLA. In a time where entire workforces are remote, this guarantee of availability can make a world of difference.

All this comes together to make SASE and SDP an ideal remote access VPN alternative.

Want to learn more about remote work, SDP, and SASE?

Enterprises are learning remote access VPN may not be the right long-term solution as we adjust to the new normal. Many are also learning that SASE and SDP are ideal for enabling secure, reliable, and high-performance remote work that can scale.

If you’d like to learn more about how SDP and SASE can address the challenges of legacy VPN, download our eBook Work from Anywhere for Everyone. If you’d like to see the Cato SASE platform in action for yourself, contact us or sign up for a demo today.

Dave Greenfield

Dave Greenfield

Dave Greenfield is a veteran of IT industry. He’s spent more than 20 years as an award-winning journalist and independent technology consultant. Today, he serves as a secure networking evangelist for Cato Networks.