
VPNs persist amid the rise of ZTNA, other VPN alternatives

VPN use continues, even as much of the networking industry regards the technology as dated. But usage has declined as enterprises make room for remote access alternatives, such as ZTNA and SASE.

Is the VPN dead?

It's a question people have asked repeatedly in recent years, plastered across headlines as experts and pundits state how VPNs will soon be replaced by new technologies, such as zero-trust network access (ZTNA), secure access service edge (SASE) and software-defined perimeter (SDP). But trends and research affirm that the VPN remains alive and well for now.

The basis behind the claim that VPNs are dead is that, as the network environment grows more complex, network teams must also upgrade the technologies and tools used to manage these networks. But, according to experts, the question is less, "Is the VPN dead in enterprises?" and more, "How are enterprises using VPN alternatives to support hybrid and remote work?"

Is the VPN really dead?

Although some critics say the VPN is obsolete, enterprises continue to use the technology to enable remote access. Research shows widespread use is dwindling, however.

In June 2023, Zscaler and Cybersecurity Insiders published a "VPN Risk Report" study. Of the 382 IT professionals surveyed, 84% said their enterprises used VPNs primarily to enable remote access. More than a quarter of respondents said they were in the process of implementing a zero-trust strategy.

About 18% said their organizations planned to adopt zero-trust strategies, while 24% said their organizations would implement it within the next year. Another 23% said their organization was considering zero trust but without a set schedule for implementation. While these stats appear to indicate ZTNA will supersede VPN use, further research shows the situation is more complex.

A February 2024 report from TechTarget's Enterprise Strategy Group (ESG) surveyed 447 IT professionals to examine how organizations plan to allocate their budget for specific technologies in 2024. The survey revealed that, while enterprises have an increased interest in ZTNA, enterprises still use VPNs. Approximately 40% of respondents said their organizations planned to invest in ZTNA, which ranked as the top technology companies plan to use to improve network security. VPNs ranked fourth on the list with 28%.

VPNs remain in use

Even with growing interest in ZTNA, widespread VPN usage will likely persist among enterprises, said Bob Laliberte, principal analyst at theCUBE. One reason is it will take time before organizations completely transition from VPNs to other alternatives. A big reason why VPNs aren't yet obsolete is the technology still has use cases.

When enterprises needed to enable remote work during the COVID-19 pandemic, they scrambled to deploy VPNs -- a dependable technology with which network teams are familiar. However, large-scale deployment soon revealed performance and security gaps. Enterprises that needed to accommodate many distributed workers began to consider remote access alternatives, said John Grady, senior cybersecurity analyst at ESG.

"We've known there are issues with VPNs for years," Grady said. "It wasn't until the access paradigm became inverted with more users being outside of corporate locations than in. With the availability of alternative technologies, the need and possibility of exploring other options became real."

Enterprises that have already invested in their VPNs might take longer to transition to alternative technologies because they've already ingrained VPNs into their systems. This integration makes it a longer process for those enterprises to transition to a new product.

However, Laliberte said other factors could push enterprises to switch from VPNs sooner. For example, if another service became obsolete or the networking environment required new provisions that VPNs couldn't support, organizations could transition to a remote access technology better suited to those requirements.

Alternatives address what VPNs can't

Although enterprises continue to use VPNs, alternative technologies have gained traction in recent years. Secure remote access is one of the most essential VPN capabilities, especially in the era of remote and hybrid work. But VPN detractors argue that the alternatives provide secure remote access better than VPNs do.

One criticism of VPNs is coarse-grained access control: A user who connects to a VPN is placed on the network and, in many deployments, can reach far more systems than the job requires. An attacker who compromises the VPN itself, or a VPN user's credentials, lands on that same network and can move laterally to any resource it exposes.

"VPNs are visible on the internet, meaning they are accessible to attackers," Grady said. "When you couple this with the fact that vulnerabilities are regularly disclosed by VPN providers, it means attackers don't have to work particularly hard to find an entry point onto the network."

In addition to security flaws, end users also sometimes struggle with connectivity issues when connected to a VPN. According to Zscaler's report, respondents reported a number of issues related to VPN connectivity, including the following:

  • Slow connection speed.
  • Connection drops.
  • Inconsistent UX across different devices and platforms.
  • Complex authentication process.
  • Inability to connect to VPN or access applications.

"As enterprises struggle to accommodate the number of workers who need to access corporate resources remotely and recognize the security risks associated with VPNs, they've increasingly begun to explore alternatives," Grady said.

Many VPN alternatives also support networking requirements that VPNs can't. For example, many enterprises now manage their networks through cloud-based platforms. ZTNA is typically delivered as a cloud service, which makes it easier to integrate with other cloud applications than a legacy VPN concentrator located in the data center.

"The interest isn't so much that VPN is bad. It's just the fact that where we access our applications is changing, so the architecture needs to shift," Laliberte said.

ZTNA

Critics of VPNs largely consider ZTNA the heir apparent to VPN's throne.

Like VPNs, ZTNA uses encrypted tunnels to connect users to resources. Unlike VPNs, however, ZTNA brokers access to specific applications rather than to the network as a whole, and it verifies the user's identity, typically through an identity provider with multifactor authentication (MFA) enforced, before each connection is granted; requests that match no policy are denied by default. ZTNA proponents say this gives remote users a secure access experience that improves on the security capabilities of legacy VPNs.
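The difference between the network-level access criticized above and ZTNA's application-level grants is easiest to see by modeling both decisions side by side. The following Python is an added illustration, not code from any product or from the article; the resource inventory, routed prefix, roles and policy table are all constructed for the example, and the Session fields (password, MFA, managed device) are assumptions about what an access broker would check.

```python
"""Added illustration: network-level (VPN) vs. application-level (ZTNA) access.

Everything here is constructed for the example: the resource inventory,
routes, roles and policy are hypothetical, not taken from any product.
"""
import ipaddress
from dataclasses import dataclass


# Constructed inventory of internal services and their private addresses.
RESOURCES = {
    "hr-portal": ipaddress.ip_address("10.10.1.5"),
    "git-server": ipaddress.ip_address("10.10.2.20"),
    "db-primary": ipaddress.ip_address("10.20.0.7"),
    "finance-app": ipaddress.ip_address("10.30.4.9"),
}

# VPN model: a successful login pushes a route for the whole corporate
# prefix to the client, so reachability is decided by IP address, not identity.
VPN_ROUTES = [ipaddress.ip_network("10.0.0.0/8")]

# ZTNA model: explicit per-application grants keyed by role. Anything not
# listed is denied by default; note that no role maps to db-primary at all.
ZTNA_POLICY = {
    "engineer": {"git-server"},
    "hr": {"hr-portal"},
    "finance": {"finance-app"},
}


@dataclass
class Session:
    """Hypothetical authentication context for one connection attempt."""
    user: str
    roles: set
    password_ok: bool
    mfa_ok: bool = False
    device_managed: bool = False


def vpn_reachable(session: Session, resource: str) -> bool:
    """VPN-style check: once the password is accepted, any address inside a
    routed prefix is reachable, regardless of the user's role."""
    if not session.password_ok:
        return False
    addr = RESOURCES.get(resource)
    return addr is not None and any(addr in net for net in VPN_ROUTES)


def ztna_allowed(session: Session, resource: str,
                 require_managed_device: bool = True) -> bool:
    """ZTNA-style check: identity (password + MFA) and device posture are
    verified first, then the request must match an explicit app grant."""
    if not (session.password_ok and session.mfa_ok):
        return False
    if require_managed_device and not session.device_managed:
        return False
    if resource not in RESOURCES:
        return False
    return any(resource in ZTNA_POLICY.get(role, set()) for role in session.roles)


def blast_radius(session: Session) -> tuple:
    """Return (resources reachable via VPN, resources allowed via ZTNA)."""
    vpn = sum(vpn_reachable(session, r) for r in RESOURCES)
    ztna = sum(ztna_allowed(session, r) for r in RESOURCES)
    return vpn, ztna


if __name__ == "__main__":
    # Legitimate engineer on a managed laptop with MFA.
    alice = Session("alice", {"engineer"}, password_ok=True, mfa_ok=True, device_managed=True)
    # Attacker replaying alice's stolen password from an unmanaged host, no MFA.
    attacker = Session("alice", {"engineer"}, password_ok=True)
    for label, s in (("alice", alice), ("stolen-password", attacker)):
        vpn, ztna = blast_radius(s)
        print(f"{label:16} VPN reachable={vpn}  ZTNA allowed={ztna}")
```

With the constructed data, the legitimate engineer reaches all four services over the VPN but only git-server through ZTNA, and the stolen password reaches all four over the VPN and nothing through ZTNA. Two caveats a practitioner should keep in mind: a VPN concentrator can apply per-user firewall policy, which narrows the gap shown here, and adding MFA to the VPN closes the stolen-password case without changing the broad network-level exposure that the article's critics describe.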

A September 2023 report from ESG surveyed 374 network professionals about their approaches to secure access. The report found that 57% of respondents had comprehensive plans to implement zero trust in their organizations. Another 38% said they had begun to implement zero trust, while 5% said they were planning to implement it.

ZTNA is still a relatively new technology, but adoption is likely to grow as zero trust continues to develop and mature.

"Tools like ZTNA could only support web apps at first," Grady said. "Now, there are some that can support nonweb apps as well, so they're better able to support a broader remote access strategy."

Enterprises might also adopt ZTNA for performance improvements, because it reduces network hairpinning, Laliberte said. Hairpinning occurs when a remote user's traffic to a cloud application is backhauled through the corporate data center, where the VPN concentrator terminates the tunnel, and then sent out to the cloud and back again. A ZTNA broker instead connects the user through a nearby point of presence and forwards traffic directly to its destination.

SASE

SASE is a cloud architecture that combines various networking and security functions into a single service. The networking portion of SASE includes a software-defined WAN (SD-WAN) architecture, which enables distributed workers to connect to a secure network that professionals manage with a centralized management controller. In addition to secure connectivity, SD-WAN also prevents the hairpinning problem of VPNs.

ZTNA is also typically included as part of the security component of a SASE framework. Enterprises often use ZTNA as a steppingstone toward SASE to establish a secure remote access strategy, Grady said. SASE can support zero-trust initiatives, with the accelerated adoption of zero trust serving as a driver for SASE adoption.

SASE might be a more advantageous VPN alternative for enterprises in need of a single architecture that can monitor and manage network functions with enhanced security at a lower cost. SASE is also a viable tool for secure remote access: Rather than having users connect directly to the corporate data center through a VPN, SASE connects users to company applications and resources via a cloud architecture.

SASE supports remote access by routing user traffic to a nearby point of presence, inspecting it there and forwarding it on to its destination rather than backhauling it to the data center. When SASE includes identity-based ZTNA policies, it can secure the network edge while granting access only to authorized users and devices.

SDP

SDP is a security approach that hides infrastructure behind a software-defined boundary, so that services are not reachable, or even discoverable, by unauthorized users outside the perimeter. Like ZTNA, SDP grants access to resources based on user or device identity. Organizations commonly combine SDP with ZTNA to add another layer of protection against network-based attacks.

Like most VPN alternatives, SDP isn't based on implicit trust. Instead, SDP builds an individual network segment for each authorized user that contains only the resources administrators have permitted that user to access, and only that user can connect to the segment.

IAM and PAM

Identity and access management (IAM) is the set of security policies and technologies an organization uses to manage access to business applications and resources. IAM provides capabilities that ZTNA depends on, such as single sign-on, MFA and identity federation, which let teams verify a user's identity and then permit or deny access to each application.

Unlike VPNs, which typically grant users broad access to the corporate network, IAM ensures only authorized users with the proper permissions can reach the resources they need. Organizations can also deploy IAM in the cloud, which lets network teams integrate it with SASE for a more comprehensive network security approach.

Privileged access management (PAM) applies IAM controls to privileged accounts, such as administrators. With PAM, teams can restrict which users can reach sensitive applications and resources, and under what conditions.

Have VPN alternatives killed the VPN?

The answer to whether VPNs are obsolete varies based on who answers. Proponents of remote access alternatives argue the VPN is dead, replaced by alternatives like ZTNA and SASE. But others claim the VPN is here to stay, even as VPN alternatives begin to pick up steam.

"I'm always very careful about saying something's dead," Laliberte said. "They've declared [other technologies] dead, and those still exist and have specific use cases."

The VPN's major use case is it provides users with remote access, which was beneficial during the COVID-19 pandemic. Now that remote and hybrid work has become a mainstay in office environments, enterprises are looking at other ways to enable remote access.

"More organizations might be using VPNs today, but going forward, more organizations are planning to use ZTNA," Laliberte said.

While VPNs aren't likely to go away, alternatives can provide network teams with a more comprehensive security approach. For example, ZTNA, SD-WAN, SDP, IAM, PAM and others can contribute to a zero-trust security approach, which can then serve as the security component of a SASE architecture.

"In order to defend an organization, it requires a lot of layers of depth," Laliberte said. "There isn't any one thing that's a magic bullet. It's about how to look at each environment and figure out how to get all the employees, access and applications fully protected."

Editor's note: This article was originally published in Oct. 2022 and was updated to reflect changes in technologies and trends.

Deanna Darah is associate site editor for TechTarget's Networking site. She began editing and writing at TechTarget after graduating from the University of Massachusetts Lowell in 2021.
