There is a growing number of VPN-specific security threats and a need for Zero Trust security architecture in enterprise-level organisations, according to the latest VPN Risk Report from Zscaler.
The 2022 report surveyed over 350 IT professionals in North America at organisations with global workforces. Despite high awareness of VPN risks, remote work forced many companies to rely more heavily on legacy access methods during the pandemic.
At the same time, cybercriminals continue to take advantage of long-standing security vulnerabilities and increased attacks on VPNs. This year's Zscaler VPN Risk Report includes analysis of the state of the remote access environment, the most prevalent VPN risks, and the growth in adoption of Zero Trust.
"As evident in several high profile breaches and ransomware attacks, VPNs continue to be one of the weakest links in cybersecurity. Their architecture deficiencies provide an entry point to threat actors and offer them an opportunity to move laterally and steal data," says Deepen Desai, Global CISO of Zscaler.
"To safeguard against the evolving threat landscape, organisations must use a Zero Trust architecture that, unlike VPN, does not bring the users on the same network as business-critical information, prevents lateral movement with user-app segmentation, minimises the attack surface, and delivers full TLS inspection to prevent compromise and data loss," he says.
Zero Trust Secures Remote Access
While more and more companies have employees returning to the office, 95% of surveyed workplaces still rely on VPNs to support a combination of hybrid and distributed work environments that often span multiple geographies.
In addition to remote employees, large organisations often extend network access to other external stakeholders, including customers, partners, and contractors.
In many cases these users are connecting from untrusted devices on insecure networks, are granted far more freedom than necessary, and result in additional security risks.
According to Zscaler, unlike cumbersome, insecure VPNs, Zero Trust architecture improves organisational security posture without sacrificing the user experience. In addition, Zero Trust allows IT teams to keep the location of their network and applications secret, reducing the attack surface and threat of internet-based attacks.
Status Quo Falls Behind as VPN Risks Continue To Grow
The increase in the number of remote workers across industries has resulted in a sharp spike in cyberattacks that are tailor-made to target VPN users. As VPNs grant a greater degree of trust to users when compared to Zero Trust architecture, cybercriminals are more active in seeking to gain unauthorised access to network resources through exposed attack surfaces. According to the report, 44% of cybersecurity professionals have witnessed an increase in exploits targeting their business VPNs in the last year, demonstrating the risks associated with this technology when deployed to support remote users.
Legacy network security architectures are pervasive and deeply entrenched in corporate data centers, making it difficult to challenge the status quo and adopt new architectures. So it should come as no great surprise that nearly all of the organisations surveyed continue to use VPNs despite knowing they are being targeted by ransomware and malware.
Meanwhile, incumbent network security vendors have a vested interest in maintaining the remote access status quo. Organisations should be wary of legacy network access approaches that rely on cloud-based VPN, and examine vendors architectures to understand whether they will bring significant benefits in risk reduction and user experience.
"VPN technology carries the same fundamental shortcomings and risks in cloud virtual machines as it does on appliances, and should be avoided in favour of more modern approaches," says Desai.
VPN Alternatives Gain Traction
Ongoing risks from legacy VPNs have created a gradual shift towards Zero Trust Security, which provides greater control and flexibility for effective remote access management. Seventy eight percent of organisations surveyed for the VPN Risk Report indicated that their future workforce will be hybrid, creating an ongoing need for this type of security infrastructure in the enterprise.
Since the shift to remote and hybrid work environments, 68% of surveyed companies have indicated that they are accelerating their Zero Trust projects. Unlike VPNs, Zero Trust architecture treats all network communications as potentially hostile and requires tightening access using identity-based validation policies. This ensures IT and security teams can restrict users from off-limits applications and prevent malicious intruders from taking advantage of granted access to move laterally within the network.
Zero Trust security architecture also reduces network risk by eliminating the attack surface, masking activity from internet-based threats and connecting them directly to the applications and resources they need.