For the past few decades, a corporate virtual private network (VPN) was the go-to answer for connecting to work when away from the office. It was simple, affordable and relatively secure. But debate has been brewing for several years regarding whether or not the corporate VPN security is dead — or at least not the easy answer anymore. However, the discussion now has a new wrinkle (or cavern, to be honest), with remote work or hybrid work likely to remain for many companies even after the pandemic. And as the zero trust model gains support, many companies are wondering which option is better.

When everyone headed to their respective remote offices last spring, VPNs were the quick and easy answer. By using a corporate VPN, employees had a secure way to connect to the company networks and access systems, data and files remotely. But now that remote work is still the near-future answer for most companies and likely a permanent solution, it’s time to take a hard and honest look at building a secure remote workforce that works as a long-term solution. The first step is deciding if VPNs or zero trust should be the cornerstone of your company’s remote work policy.

How Effective Is a VPN?

VPNs were designed nearly two decades ago for connecting devices with on-premises networks. However, with today’s cloud-based infrastructure (public, private and hybrid), VPNs are attempting to protect an environment they weren’t built for, which can be inefficient and open doors for attackers. Instead of protecting a flat network with linear access, VPNs are now trying to protect the perimeter network.

Ask your employees about using a VPN, and you’re likely to hear that VPNs are slow and clunky. With so many workers increasingly taking advantage of the flexibility working from home provides, and working in locations across the state or country from their corporate office, the distance from the employee to a physical corporate server makes the connection even slower — more so when multiplied throughout your workforce.

Zoom meetings and other video platforms make this worse. VPNs often make it challenging for your employees to work together from their remote offices. Raise your hand if you’ve been in a brainstorming session where multiple people on your team become frozen in mid-thought.

But the bigger issue is VPNs simply aren’t consistently secure enough to protect against today’s increasingly refined threats, more so with a remote workforce. In 2020, cyber criminals launched vishing scams specifically designed to gain sensitive information through the VPN. With so many devices and locations involved, VPNs create a very large surface to protect. If an attack occurs, the potential damage is significant — because VPNs often give users access to the entire network.

VPNs also are time consuming, and they can be costly to manage. Admins must configure each new VPN by hand, which often means provisioning servers on-premise. And scaling VPN access means even more admin work for every VPN added. That’s not to mention the cost of paying for each VPN license.

Zero Trust in the Remote Work World

Zero trust network access operates by assuming that the device or user is not authorized for access, and then authenticating each connectivity request. This approach limits the surface area and provides the necessary scalability. Zero trust also provides visibility into every user and device that VPNs lack, which allows a greater level of protection — more so for personal devices. In addition, security experts collect behavior analytics to combine with artificial intelligence that can help proactively prevent future attacks. With working together being an increasing part of businesses, zero trust also allows you to securely provide as-needed access to partners, vendors, customers and contractors.

Because of the benefits that come with remote work, many companies shifted to zero trust over the past year. According to a report by Pulse Secure, 60% of enterprises reported that the pandemic and remote work sped up their zero trust strategy, while only 15% said the pandemic negatively affected their progress towards zero trust. The vast majority of enterprises using zero trust with the remote work environment reported at least some level of success. Of these, 50% of enterprises had success, and 44% rated their experience as somewhat successful.

Zero trust uses advanced user authentication, such as context, instead of only a username and password. With this, it can more easily detect malicious actors impersonating authorized users. With the perimeter security model of a VPN, users typically have complete access once let in. This increases the damage during an attack. Zero trust operates on the concept of least-privileged access. This means users can only access data, networks and applications for which they have a business need. Using microsegmentation with zero trust further limits the access and impact if an unauthorized user gains access.

Using Zero Trust and VPNs Together

The current security debate often focuses on which method to choose: VPN or zero trust. However, another option is to combine both technologies. This is most helpful in the short term while moving to a zero trust approach, which can be lengthy due to how complex the shift can be. Because VPN simply provides access to remote users, while zero trust is a holistic authentication approach, VPN can be used as an access method as part of zero trust. However, once the zero trust framework is rolled out, it’s much less time consuming to scale and grow the framework.

The pandemic changed the way work happens, and the change is likely permanent. By continuing to use technology designed for on-premise infrastructure, companies are both increasing their risk for security issues and hampering productivity. By moving to zero trust you position yourself to protect against today’s emerging threats and providing themselves with the ability to scale in terms of new users, applications, clouds and data.

Learn more on zero trust

More from Zero Trust

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Does your security program suffer from piecemeal detection and response?

4 min read - Piecemeal Detection and Response (PDR) can manifest in various ways. The most common symptoms of PDR include: Multiple security information and event management (SIEM) tools (e.g., one on-premise and one in the cloud) Spending too much time or energy on integrating detection systems An underperforming security orchestration, automation and response (SOAR) system Only capable of taking automated responses on the endpoint Anomaly detection in silos (e.g., network separate from identity) If any of these symptoms resonate with your organization, it's…

Zero trust data security: It’s time to make the shift

4 min read - How do you secure something that no longer exists? With the rapid expansion of hybrid-remote work, IoT, APIs and applications, any notion of a network perimeter has effectively been eliminated. Plus, any risk inherent to your tech stack components becomes your risk whether you like it or not. Organizations of all sizes are increasingly vulnerable to breaches as their attack surfaces continue to grow and become more difficult — if not impossible — to define. Add geopolitical and economic instability…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today