For the past few decades, a corporate virtual private network (VPN) was the go-to answer for connecting to work when away from the office. It was simple, affordable and relatively secure. But debate has been brewing for several years regarding whether or not the corporate VPN security is dead — or at least not the easy answer anymore. However, the discussion now has a new wrinkle (or cavern, to be honest), with remote work or hybrid work likely to remain for many companies even after the pandemic. And as the zero trust model gains support, many companies are wondering which option is better.

When everyone headed to their respective remote offices last spring, VPNs were the quick and easy answer. By using a corporate VPN, employees had a secure way to connect to the company networks and access systems, data and files remotely. But now that remote work is still the near-future answer for most companies and likely a permanent solution, it’s time to take a hard and honest look at building a secure remote workforce that works as a long-term solution. The first step is deciding if VPNs or zero trust should be the cornerstone of your company’s remote work policy.

How Effective Is a VPN?

VPNs were designed nearly two decades ago for connecting devices with on-premises networks. However, with today’s cloud-based infrastructure (public, private and hybrid), VPNs are attempting to protect an environment they weren’t built for, which can be inefficient and open doors for attackers. Instead of protecting a flat network with linear access, VPNs are now trying to protect the perimeter network.

Ask your employees about using a VPN, and you’re likely to hear that VPNs are slow and clunky. With so many workers increasingly taking advantage of the flexibility working from home provides, and working in locations across the state or country from their corporate office, the distance from the employee to a physical corporate server makes the connection even slower — more so when multiplied throughout your workforce.

Zoom meetings and other video platforms make this worse. VPNs often make it challenging for your employees to work together from their remote offices. Raise your hand if you’ve been in a brainstorming session where multiple people on your team become frozen in mid-thought.

But the bigger issue is VPNs simply aren’t consistently secure enough to protect against today’s increasingly refined threats, more so with a remote workforce. In 2020, cyber criminals launched vishing scams specifically designed to gain sensitive information through the VPN. With so many devices and locations involved, VPNs create a very large surface to protect. If an attack occurs, the potential damage is significant — because VPNs often give users access to the entire network.

VPNs also are time consuming, and they can be costly to manage. Admins must configure each new VPN by hand, which often means provisioning servers on-premise. And scaling VPN access means even more admin work for every VPN added. That’s not to mention the cost of paying for each VPN license.

Zero Trust in the Remote Work World

Zero trust network access operates by assuming that the device or user is not authorized for access, and then authenticating each connectivity request. This approach limits the surface area and provides the necessary scalability. Zero trust also provides visibility into every user and device that VPNs lack, which allows a greater level of protection — more so for personal devices. In addition, security experts collect behavior analytics to combine with artificial intelligence that can help proactively prevent future attacks. With working together being an increasing part of businesses, zero trust also allows you to securely provide as-needed access to partners, vendors, customers and contractors.

Because of the benefits that come with remote work, many companies shifted to zero trust over the past year. According to a report by Pulse Secure, 60% of enterprises reported that the pandemic and remote work sped up their zero trust strategy, while only 15% said the pandemic negatively affected their progress towards zero trust. The vast majority of enterprises using zero trust with the remote work environment reported at least some level of success. Of these, 50% of enterprises had success, and 44% rated their experience as somewhat successful.

Zero trust uses advanced user authentication, such as context, instead of only a username and password. With this, it can more easily detect malicious actors impersonating authorized users. With the perimeter security model of a VPN, users typically have complete access once let in. This increases the damage during an attack. Zero trust operates on the concept of least-privileged access. This means users can only access data, networks and applications for which they have a business need. Using microsegmentation with zero trust further limits the access and impact if an unauthorized user gains access.

Using Zero Trust and VPNs Together

The current security debate often focuses on which method to choose: VPN or zero trust. However, another option is to combine both technologies. This is most helpful in the short term while moving to a zero trust approach, which can be lengthy due to how complex the shift can be. Because VPN simply provides access to remote users, while zero trust is a holistic authentication approach, VPN can be used as an access method as part of zero trust. However, once the zero trust framework is rolled out, it’s much less time consuming to scale and grow the framework.

The pandemic changed the way work happens, and the change is likely permanent. By continuing to use technology designed for on-premise infrastructure, companies are both increasing their risk for security issues and hampering productivity. By moving to zero trust you position yourself to protect against today’s emerging threats and providing themselves with the ability to scale in terms of new users, applications, clouds and data.

Learn more on zero trust

More from Zero Trust

Effectively Enforce a Least Privilege Strategy

Every security officer wants to minimize their attack surface. One of the best ways to do this is by implementing a least privilege strategy. One report revealed that data breaches from insiders could cost as much as 20% of annual revenue. Also, at least one in three reported data breaches involve an insider. Over 78% of insider data breaches involve unintentional data loss or exposure. Least privilege protocols can help prevent these kinds of blunders. Clearly, proper management of access…

What CISOs Want to See From NIST’s Impending Zero Trust Guidelines

Cybersecurity at U.S. federal agencies has been running behind the times for years. It took an executive order by President Joe Biden to kickstart a fix across the agencies. The government initiative also serves as a wake-up call to enterprises lagging in getting zero trust up and running. Several organizations, including the Office of Management and Budget (OMB), the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) responded to the president’s order with detailed…

Cost of a Data Breach: Infrastructure

During the pandemic, businesses and consumers saw firsthand what happens when infrastructure fails. In 2019, the global critical infrastructure protection (CIP) market size was valued at $96.30 billion. It is predicted to grow to $154.59 billion by 2027, with a CAGR of 6.2%. On top of that, each time an organization in a critical sector is the victim of any type of cybersecurity incident resulting in data loss, the event counts as a critical infrastructure data breach. Let's take a…

Companies Without Zero Trust Could Lose $1M More During a Data Breach

In recent years, the mindset for cybersecurity has shifted. It isn't a matter of if a company has a breach, but rather when a company has a breach. With the increase in cybersecurity incidents, most if not all companies will be victims of a data breach at some point. However, the latest research shows that organizations using zero trust can save more than $1 million during a breach.  Record High Costs for Data Breaches According to the 2022 IBM Cost of…