September 10, 2019
Is your company depending on VPNs to access documents, files, and applications remotely? Unfortunately, legacy VPN products no longer meet the security requirements of today’s global enterprise. Many employees often proactively install commercial VPNs that are not provided or sanctioned by their companies, to protect their devices and data. Unfortunately, these well-intentioned efforts can pose an even greater security risk for their company than doing nothing at all. Several researchers found that VPNs quite often do not deliver on their security promises. After evaluating 62 commercial VPN providers, the data showed that many VPNs leak user traffic, may proxy traffic to other servers, and often misrepresent the physical location of their vantage points, hosting data on servers located in countries not revealed to users.
Another group of researchers found security flaws in popular enterprise VPNs from Palo Alto Networks, Pulse Secure, Fortinet and others which can compromise global corporate networks and facilitate the theft of valuable data. Let’s break down why VPNs are falling short.
VPNs do not enforce corporate device security and compliance requirements
Any device can be infected with malware outside the corporate perimeter and expose the network to potential attacks when accessing company data. When employees and partners access a resource, can you assess the security status of their devices before they log in? It matters because one compromised device can wreak havoc on your network and data.
VPNs expose your network
VPNs provide access not only to an intended resource but may also grant access to the entire company network. If this is the case, it is difficult to have visibility into who has access, and to what resources. An organization could unwittingly give the keys to its digital kingdom to an unintended individual, creating significant breach risks.
VPNs do not support attribute-based access
Role-based access is an important tool for security teams, but it does not provide enough coverage to assure trust. VPNs don't support attribute-based access, and cannot provide critical information on a user's identity or a device's security state or location, to ensure secure access and resource protection.
VPNs are not fast enough
VPNs don't enable continuous connectivity, creating connections that aren't stable and may hinder employee productivity. VPNs are plagued by continuous disconnects, which force application-layer timeouts causing employees to waste time waiting for VPN reconnects and app reloads, costing organizations money and time.
Switching between multiple VPNs is complicated
When using a traditional VPN, you must switch between VPN configurations to access multi-site environments. However, connecting to multiple infrastructure sites without switching access profiles, which most VPNs do not support, is more productive and efficient.
VPNs do not protect your device
VPNs don't protect from web-based attacks such as credential theft, phishing, drive-by downloads, or malvertising, which are the most significant cybersecurity threats for enterprises. An employee or partner with a compromised device can still use a VPN to access the corporate network without raising an alarm.
Like many technologies, VPNs served an important role in the evolution of secure access. However, the connectivity and security demands of the global startup and enterprise ecosystem require stronger defenses to support connected teams, partners and businesses.