Virtual private networks (VPNs) are under attack and hackers may be winning the battle, using exploits that are becoming all too common. While many may argue that VPNs are salvageable and can be returned to their once-lofty status of protecting data, it’s a fact that more and more exploits are discovered daily.
Take, for example, two recently uncovered exploits that impacted Pulse Connect Secure and FortiOS SSL VPN. Although both Pulse Secure and Fortinet were quick to release fixes and patches to solve the problem, many enterprises were not so quick to deploy the fixes, giving the hacker community the opportunity to compromise networks. What’s more, additional exploits affecting other VPN vendors have been discovered in the wild, leading many to question the trustworthiness of their VPN ecosystems.
While many of those concerns can be addressed with fixes and patches, the question remains: How long until the next vulnerability is uncovered and a VPN compromised? Exploits are on a growth trajectory and, according to researchers, attack vectors based upon VPN flaws have become the basis for most hackers to initially infiltrate a network.
In the near future, VPNs will face another challenge, one presented by quantum computing. Quantum computers will be able to break the encryption of sensitive data protected by today’s strongest security instantly, warned Arvind Krishna, director of IBM Research. Krishna is certain that within five years, there will be widespread commercial use of quantum computers.
While it is uncertain whether the days of VPNs are numbered, cybersecurity professionals still should be thinking about better ways to secure traffic and protect critical data. VPNs will remain an important part of the cybersecurity ecosystem; however, they need not be the weakest link in the chain. Complementary technologies paired with improved best practices can bring additional strength to the tried-and-true virtual private networks that organizations have come to count on as those organizations transition to newer technologies.
One security technology that shows particular promise is ZTNA (Zero Trust Network Access), which is poised to eliminate the very problems that plague traditional VPNs. ZTNA is garnering much interest in the enterprise, with research house IDG forecasting that 91% of enterprises plan to increase secure access expenditures over the next 18 months.
Players in the ZTNA arena include Pulse Secure and Zscaler, both of which have recently introduced platforms that bring ZTNA to enterprises. The importance of ZTNA is only bound to increase, backed by a Gartner prediction that 60% of enterprises will phase out most of their remote access VPNs in favor of ZTNA by 2023.
Pulse Secure launched a software-defined perimeter (SDP) solution to boost its ZTNA capabilities back in February. The company is aiming to help organizations reduce their reliance on traditional VPNs as a way to secure communications. Pulse Secure claims that its Pulse SDP product offers an SDP architecture backed by a dual-mode VPN, which leverages single-pane-of-glass secure access management. The product also unifies policy management and brings forth granular, stateful access enforcement across data center and cloud applications. Ultimately, SDP replaces VPNs by delivering security based on the user and applications, and not the IP address, regardless of location and device.
Zscaler is also pushing the ZTNA ideology, as evidenced by the company’s Zscaler Private Access family of products. The company has built secure access on the concept of software-defined perimeter (SDP) services, which provide seamless and secure connectivity to private applications. The primary security benefit here is that users are never placed directly on the network, and apps are not exposed to the internet. SDP services are driven by the need for organizations to embrace a zero-trust security model, which is also built for mobility and a cloud-first world.
Many other vendors are starting to look at the flaws associated with VPNs, and organizations are starting to take notice of ZTNA and SDP-based solutions. It is no longer a matter of “if” VPNs will become a technology of the past, but a matter of “when.”