That’s certainly the case with the not-so-trusty-any-longer Virtual Private Network. At one time a boon allowing secure access to remote resources, the VPN has become a clunky relic of the past, with not even its most heralded advantage holding up too well these days. In its place have emerged alternatives which not only hit that all-too-important convenience factor square on the head, but also achieve improved security. Important when you want your traffic truly ‘private’ as opposed to merely giving that impression. Key among those alternatives is ZTNA – and I apologise in advance for yet another acronym!
First, a quick trip down memory lane. As you’re probably aware, the VPN emerged in the late 90s when a chap called Gurdeep Pall invented the Peer-to-Peer Tunnelling Protocol. Sure, a lot came along afterwards in terms of security, techniques, mechanisms and added protocols, but the point is that in internet terms, VPN is absolutely ancient. The principles of a modern VPN, too, remain essentially the same, as does the purpose: improving the security of the connection itself.
Of course, there’s no trouble with an enduring principle. Maths has stayed the same through the centuries. But when it is superseded, like an electric car over internal combustion, it’s time to move on.
Like a lot of ‘consumer’ technology today (yes, you’re bombarded with VPN ads on YouTube and everywhere else), the VPN started out as an enterprise solution, useful for connecting remote workers ‘dialing in’ to corporate assets. Now, it’s something used by everyday folk looking to bypass geolocked content providers like Netflix, or in a misguided attempt to maintain internet anonymity or avoid hackers altogether. Newsflash: a VPN does neither of these things. Along with consumerisation and popularisation has come something a little less salubrious: increased attention from hackers.
That brings us to the question of the enduring principle and its suitability for today. In other words, if the VPN is dead, who or what killed it?
The answer has a couple of facets, but the biggest one is simple obsolescence. VPN was great for a long time, but time, being inexorable and all that, has marched on, and so has technology. On the one hand, what was ‘simple’ in terms of years gone by appears awfully complex and clunky compared to modern alternatives. The VPN just doesn’t integrate well with modern systems. On the other, VPNs are increasingly unsuitable for protection against modern hacking methods.
Just punch ‘can VPNs be hacked’ into the search engine of your choice. The answer will be ‘yes’, even if it is hard to do so.
But we also know that with so many users – and a probable view from hackers that those using VPNs have something worth knowing or stealing – VPNs are a huge target lately. Just this week, Fortinet issued a Common Vulnerabilities and Exposures (CVE) for a critical flaw in its VPN devices. Why? Because it’s not only researchers looking for those vulnerabilities. A quick look told us there are more than 3,800 of those devices in New Zealand alone; until patched, those things are radioactive.
As VPNs fade away (and no, the death won’t be fast…but it is coming), the next question becomes…well, what takes their place? The brief is for fast, secure, and direct access to private applications hosted anywhere. That access should reduce risk and simplify the IT manager’s work. It should also fit within what we expect as a modern user experience; none of the muck-around associated with getting into the VPN, then.
As hinted at up front, the answer, broadly speaking, is ZTNA: Zero Trust Network Access. More specifically, we are seeing considerable success within our client base with Netskope Private Access (NPA…sorry [again] for ZTNA). ZTNA provides secure remote access based on clearly defined access control policies; it also does so directly, rather than routing via a central point as a VPN does.
There are a couple of key phrases worth picking up on. Zero Trust is the first; readers probably know that this simply means what it says – nobody and nothing is trusted on the network. The second is ‘defined access control policies’. This means no one can access anything unless they are authorised to do so.
I’d encourage you to investigate the limitations of VPNs. While security is increasingly becoming the major issue, things like clunkiness and fitness for purpose warrant examination, too. And take a closer look at Netskope’s NPA – or get in touch. I’d be happy to bring you up to speed.