VPNs and zero trust security don't mix - Zscaler report
Virtual private networks (VPNs) may have become a mainstay of remote access security in the last 12 months - and for the last 30 years - but exploding popularity of VPNs has also led to an explosion in VPN vulnerabilities.
According to Zscaler and Cybersecurity Insiders, VPN services remain a popular choice for remote security, even though IT administrators are aware of the security risks.
The 2021 Zscaler VPN Risk Report found that 93% of organisations surveyed have deployed some kind of VPN, yet 94% know that VPNs are a popular target for cybercriminals.
Seventy-five percent of respondents say that social engineering is a concerning attack vector, followed by ransomware (74%), and malware (60%).
While organisations understand that VPNs present serious security risks, three quarters say that they are concerned about VPN security. Of those, 67% say they are looking at alternatives to the traditional VPN for remote access requirements.
Many organisations (72%) are adopting a zero trust model, and 77% say their workforce will become a hybrid (in-office and remote) going forward. That means users need the flexibility to be able to work anywhere.
VPNs may not be the solution, according to Zscaler, because VPNs and zero trust frameworks are largely incompatible.
The company explains, “These incompatibilities, largely due to VPNs inherent need for access to the network, and need to be exposed to the Internet, have increased the enterprise attack surface allowing threat actors to exploit these legacy models based on their inherent trust of users.”
Seventy-two percent of organisations are thinking the same thing: they are concerned that VPN may jeopardise IT’s ability to keep their environments secure, the report notes.
As a result, organisations should consider security alternatives to VPNs - because zero trust will be crucial to the future of remote access.
Zscaler’s zero trust solutions director Chris Hines says it is encouraging to see that organisations understand how zero trust architectures can provide secure access for businesses.
“As organisations continue on their journey to cloud and look to support a new hybrid workforce, they should rethink their security strategy and evaluate the rising cybersecurity threats that are actively exploiting legacy remote access solutions, like VPN,” he explains.
“The more secure approach is to completely leave network access out of the equation by taking the users securely and directly to the applications by brokering all user to app connections using a cloud-delivered zero trust access service instead.”