The recent crisis caused by Covid-19 has changed the way of doing business around the world. As a result, many people moved to work from home (WFH), which led to a massive rise in VPN traffic in these networks. The main goal of using a VPN is that it allows remote employees to connect to their working networks by creating a secure tunnel over a public network and thus, ensuring that data is encrypted and transmitted securely. According to recent studies published by major VPN providers, the global average usage of their VPN services has increased by 37% in the period between Feb-24 to Mar-22, the first phase of movement restrictions and WFH as a result of the outbreak.
Since the creation of the VPN in the mid-1990s, it has become the default choice for remote working, largely due to the lack of a better solution. Still, the massive increase of usage nowadays made security practitioners and network administrators struggle to cope with the challenges posed by heavily relying on the VPN.
Initially, remote working using VPN was designed to cater to a mobile workforce between 10-20% of the overall enterprise number of employees. Now, since most employees are working remotely simultaneously, WFH has created a massive load on internet bandwidth and other inbound devices in the enterprise network. Additionally, home networks and web access devices do not have the same level of security that the enterprise provides. Therefore, security practitioners are now promoting for other technologies to replace VPN. Three of the main alternatives for VPN are SD-WAN, NoVPN, and Zero Trust Network Access Networks.
Manager Cyber Response, SOC & Incident Response Services
KPMG in Saudi Arabia
The VPN depends on a router-centric model to distribute the control function across the network, and where routers route traffic based on the IP addresses and access-control lists (ACLs). The SD-WAN, however, relies on a software and centralized control function which can steer traffic across the WAN in a smarter way by handling the traffic based on priority, security, and quality of service requirements as per the business needs. The SD-WAN products are designed to replace the traditional physical routers with virtualized software that can control application-level policies and offer a network overlay. Additionally, SD-WAN can automate the ongoing configuration of WAN edge routers, and run traffic over a hybrid of public broadband and private MPLS links. This leads to creating an enterprise edge-level network with the following attributes:
a. Low cost: by relying more on broadband and less on MPLS
b. Less complexity: by automating the routing traffic within the network
c. More flexibility: by enabling the hybrid WAN feature to change network conditions automatically
d. Security: SD-WAN, by default, uses the IPSec protocol for encryption just the same as VPN
Another approach for securing the delivery of applications by enabling the rendering of applications remotely. This approach is simple, secure, and user-friendly. It is built by a server that can be installed within the company’s premises, allowing workers to remotely access the required applications, starting with the browser. Only the browser is accessible by remote workers. NoVPN then renders a remote session onto this browser, through HTML5. In other words, the company’s browser is rendered inside the end user’s browser, allowing users to browse the applications just as if they were inside the company’s network. Sessions are rendered through HTTPS, hence secured with multi-session concurrency support.
Organizations have started to gradually shift from VPN networks to ZTNA networks since late 2019. According to Zscaler’s 2019 Zero Trust Adoption Report, 15% of organizations have already started the process of implementing ZTNA. While Gartner published a study indicating that there will be a huge demand for ZTNA in the coming years, predicting that at least 60% of enterprises will move from the VPN model to the ZTNA paradigm. ZTNA is the answer to some of the major setbacks in a VPN. Unlike VPN, ZTNA allows authorized users access to specific applications, and they are not granted access to the entire internal network. Strict identity verification is implied on all users and devices trying to access resources on a private network, whether they are within or outside the network perimeter. Also, access is granted only based on the least-privilege access policy. Microsegmentation is another advantage of ZTNA to maintain separate access for separate parts of the networks. Multi-factor authentication (MFA) is another feature of ZTNA, which adds another layer of authentications that include a second trusted method of verification. ZTNA also applies controls on-device access to ensure that every device requests access is authorized. All of the previous controls help in minimizing the attack surface of the network
KPMG can help your organization in selecting the best way to assess your current WFH infrastructure and select the most appropriate transformation needed to elect one of the VPN alternatives.