VPN use prevails despite interest in VPN alternatives
Despite claims that VPNs are on their way out of enterprise networks, to be replaced by alternative technologies, research suggests VPNs are, in fact, here to stay.
It's a question people have asked profusely in recent years, plastered across headlines as experts and pundits state how VPNs will soon be replaced by new technologies, such as zero-trust network access (ZTNA), software-defined perimeter (SDP) and Secure Access Service Edge (SASE). But trends and research affirm that the VPN remains alive and well.
The basis behind the claim that the VPN is dead is that, as the network environment changes, the technologies and tools network teams use to manage these networks must change, too. But, according to experts, the question is less, "Is the VPN dead in enterprise networks?" and more, "How are enterprises using VPN alternatives to support hybrid work?"
Research claims VPNs are dead -- but are they?
In June 2022, Zscaler and Cybersecurity Insiders conducted a "VPN Risk Report" study. Of the 351 security professionals surveyed, 95% reported their enterprises still used VPNs, but 65% said they planned to implement alternative technologies to replace VPNs. Almost three-quarters of respondents said their organizations were in the process of adopting or had already adopted zero-trust strategies. These stats appear to indicate ZTNA will eventually supersede VPNs, but further research shows the situation is more complex.
Findings from a December 2021 report from Enterprise Strategy Group (ESG), a division of TechTarget, indicated that adoption for ZTNA and other remote access VPN alternatives is increasing but not necessarily to replace VPNs. The study found that organizations with ZTNA strategies continue to use VPNs, while using ZTNA for specific use cases rather than full-fledged deployment. Almost one-third of respondents reported their organizations don't plan to expand ZTNA and will continue to use a VPN along with ZTNA.
VPN remains prevalent in enterprise networking
The demand for remote work during the COVID-19 pandemic increased VPN adoption, but enterprises used VPNs for decades prior to the expansion of work from home. Even with interest in ZTNA, widespread VPN usage will likely persist among enterprises, said Bob Laliberte, senior networking analyst at ESG.
It will take some time before organizations completely transition from VPNs to other alternatives, Laliberte said. One reason -- and perhaps one of the biggest -- why VPN has yet to become obsolete is because the technology still has use cases.
When enterprises needed to enable remote work, they scrambled to deploy VPNs -- a dependable technology with which network teams are familiar. However, large-scale deployment soon revealed performance and security gaps. It wasn't until enterprises needed to accommodate a large number of distributed workers that they began to consider remote access alternatives, said John Grady, senior cybersecurity analyst at ESG.
"We've known there are issues with VPNs for years," Grady said. "It wasn't until the access paradigm became inverted with more users being outside of corporate locations than in. With the availability of alternative technologies, the need and possibility of exploring other options became real."
For enterprises that had already invested in their VPNs, their interest in alternative technologies would take longer because they had already ingrained VPNs into their systems. Because of this integration, it would take time for those enterprises to transition to a new product, Laliberte said.
However, Laliberte added that other factors could push enterprises to switch from VPNs sooner. For example, if another service became obsolete or the networking environment required new provisions that VPNs couldn't support, organizations could transition to a remote access technology more adept to handle those requirements.
"If you invested and recently spun up a VPN at the height of COVID and you've got an asset you're trying to depreciate, then it might be, 'Once this asset is fully depreciated, we'll move over,'" Laliberte said.
Alternatives address what VPNs can't
Secure remote access is one of the most essential VPN capabilities, especially in the new era of remote and hybrid work. But some detractors argue that VPN alternatives, such as ZTNA, SDP and SASE, provide enterprises with secure remote access better than VPNs.
One criticism of VPNs is inadequate security: Users connected to a VPN gain access to the network and, in some cases, receive access to more information than necessary. Hackers who breach the VPN's security posture could obstruct the entire network's resources, which isn't uncommon. More than 40% of cybersecurity professionals told Zscaler their VPNs were targeted in a cyber attack.
"VPNs are visible on the internet, meaning they are accessible to attackers," Grady said. "When you couple this with the fact that vulnerabilities are regularly disclosed by VPN providers, it means attackers don't have to work particularly hard to find an entry point onto the network."
The interest isn't so much that VPN is bad. It's just the fact that where we access our applications is changing, so the architecture needs to shift.
Bob LaliberteSenior networking analyst, ESG
But enterprise interest in alternative VPN technologies might have more to do with new networking requirements these technologies support rather than potential security risks.
Many enterprises, for example, have implemented cloud-based network management tools within their architectures. Because ZTNA is a cloud-based application, enterprises can easily integrate it -- as opposed to a legacy VPN located in the data center -- along with other applications.
"The interest isn't so much that VPN is bad. It's just the fact that where we access our applications is changing, so the architecture needs to shift," Laliberte said.
ZTNA
ZTNA is largely considered the heir apparent to VPN's throne. Like VPNs, ZTNA uses encrypted tunnels to connect users to network resources. Unlike VPNs, however, ZTNA grants users access to specific applications rather than the entire network, and it requires users to identify themselves through authentication services, like multifactor authentication. ZTNA proponents tout that the technology provides a secure remote network access experience that improves upon the security capabilities of legacy VPNs.
Approximately 97% of respondents told Zscaler they believed their organizations were at risk of a cybersecurity attack due to their use of VPNs. But, despite having remote access alternatives, some enterprises still use VPNs as their primary technology, even as they use new technologies along with VPNs, Grady said.
Beyond strengthening security, enterprises might adopt ZTNA for performance improvements, as it reduces network hairpinning, Laliberte said. VPNs transit data through several location points, sending it from the data center to the cloud before reaching the end user. This process hinders performance, Laliberte said. ZTNA improves this capability by connecting data to a secure cloud location and, from there, transmitting traffic to its correct destination.
SDP
SDP is a security approach that uses a software-based boundary to hide infrastructure in the network perimeter. This makes the infrastructure inaccessible by unauthorized users outside of the network. Similar to ZTNA, SDP secures access to resources based on user or device identity. SDP is commonly combined with ZTNA to add an additional layer of security and reduce network attacks.
SASE
SASE is a framework that combines various networking and security functions into a single service. One function typically included within SASE is ZTNA. SASE may be a more advantageous alternative for enterprises in need of a single architecture that can monitor and manage network functions with enhanced security at a lower cost.
The 2021 ESG report indicated most organizations that have implemented SASE are also incorporating ZTNA into the framework. Approximately 38% of 614 respondents told ESG they had started to implement zero trust comprehensively. Of that 38%, more than 60% also said they had already started to implement SASE, and 29% said they planned to implement SASE within the next two years.
Another feature commonly included within a SASE framework is software-defined WAN (SD-WAN), which Laliberte said some organizations also deploy to avoid the problem of network hairpinning. A separate ESG report from November 2021 reported that 66% of 338 respondents use SD-WAN in their organizations, either extensively or limitedly. Almost 30% said they planned to deploy SD-WAN within the next year or two.
Is the VPN dead?
The answer to the question of whether VPNs are obsolete varies depending on who answers. Proponents of remote access alternatives argue VPNs are dying out. But some experts claim the VPN is here to stay, even as VPN alternatives begin to pick up steam. Use cases for new technologies like ZTNA and SASE exist, but use cases for VPNs continue to prevail as well.
"I'm always very careful about saying something's dead," Laliberte said. "They've declared [other technologies] dead, and those are technologies that still exist and still have specific use cases."
It's more likely that the use cases for VPNs will evolve to make room for other remote access technologies, which enterprises will use alongside VPNs.
