Business VPNs - Recommendations and Alternatives
Business VPNs, or virtual private networks, were created in the 1990s as an affordable way to link company locations and workers over the internet. Flash forward three decades and business VPNs are still the most common security and remote access tools. But are they still the best option?
In this article, we will explain how business VPNs are used and why their origins make them poor choices for today’s networks. A modern alternative, Zero Trust Network Access, avoids VPN’s many weaknesses and delivers more effective remote access security.
A business VPN lets companies transfer data privately over the public internet to connect networks at company sites or to support employees’ remote access needs.
With site-to-site VPN, companies install VPN gateways at the perimeter of each site’s network. An encrypted tunnel between each gateway passes network traffic securely over the internet without putting proprietary information at risk.
A manufacturer, for example, may have several locations: the headquarters, manufacturing plants, and regional sales offices. Site-to-site VPNs link these locations to operate as one networked system.
A company’s secure network perimeter protects proprietary information and systems by blocking external connections. Remote access VPNs let the company’s users securely pass through this network perimeter when away from the office. Whether at home or on the road, the user’s device searches for and connects with a VPN gateway so the user can access the network as if they were in the office.
In the past, remote access VPNs mainly supported field employees and office workers who traveled extensively. More recently, VPN technologies let employees work from home when nobody was allowed in the office.
Business VPN technologies are not the same as the consumer VPN services you see advertised everywhere. They serve very different needs.
Consumer VPNs offer two main benefits: protecting personal data and hiding an individual’s online activity. Using public WiFi hotspots is safer when using a VPN to encrypt internet traffic. Users can also mask their location since their internet traffic appears to come from the VPN provider’s servers.
Business VPNs, on the other hand, do more than protect company data through encrypted connections. They are part of the company’s network infrastructure. For example, administrators can deploy VPN gateways to control which network segments remote users may access.
Site-to-site connections were the first uses of VPN. Before the internet, only large businesses could afford telephone companies’ dedicated lines to connect physically separated office sites. Creating a virtual network over the internet was a more affordable option. The private link merged two distant networks and let them operate as one.
With laptops making remote computing easier, VPN evolved to support remote access. Traveling employees could log into the company network as if they were sitting in the office.
VPN’s origin as a way of linking two company-owned networks embeds security and management flaws into the company’s network infrastructure.
The only thing VPN gateways control is access through the company’s secure perimeter to the protected network. Once through, the user can access any network segment and any resource. When hackers compromise a user’s device, they get the same access. Lateral movement techniques let the hacker roam across the network to distribute malware and exfiltrate company data.
VPN gateways publish their presence on the public internet. That is the only way VPN client apps can find the gateway. But if a client app can see the gateway, so can cybercriminals. Simple tools let hackers scan the entire internet within hours to find every vulnerable gateway faster than administrators can deploy patches.
Business VPNs use a hub-and-spoke topology which became a huge problem in early 2020. VPN gateways designed to support dozens of remote users suddenly had to support hundreds. Even if the appliance could handle the load, the pipes in and out could not support the bandwidth demands.
Latency is another challenge for business VPNs. No matter the ultimate destination, all user traffic passes through the gateway. Users accessing cloud resources experience significant backhaul latency as their data roundtrips through the gateway.
Sluggish connections are nothing new for the salespeople and field engineers who have always used VPNs. They are a new experience for the office workers now struggling with home office connections, who simply do not get the same responsiveness from their systems.
The VPN experience also suffers in organizations that use segmentation to protect company resources. Network routing rules can make this transparent for users in the office. But the resources remote users access every day may lie behind different VPN gateways. This structure forces users to constantly switch VPN connections to get their work done.
Every aspect of VPN adds administrative overhead. Setting up a VPN must be done carefully to avoid inadvertently opening a security hole. VPN hardware must be monitored constantly to ensure users get performant connections. Since VPN integrates access control into the infrastructure, any change to the network requires new VPN configurations.
If that weren’t enough, business VPNs are so critical to daily operations that any downtime could significantly disrupt the company.
Work-from-home, cloud migration, cybercrime, and other trends make traditional VPN technologies a poor choice for any company. Business VPN has become less secure, more difficult to manage, and more expensive. Given these limitations, companies need a better option. Zero Trust Network Access is a modern approach designed to meet today’s networking challenges.
As its name implies, Zero Trust avoids the weaknesses built into VPN technologies by assuming nothing can be trusted implicitly. Every user, device, network, and resource could be compromised at any time so Zero Trust always assumes they are — until proven otherwise.
Zero Trust draws perimeters around each resource rather than entire networks. Every access request gets challenged, even if it comes from the office LAN. This micro-segmentation makes successful breaches less effective by blocking lateral movement.
Zero Trust shrinks your company’s overall attack surface. Ingress points do not publish their presence to the internet, effectively rendering protected resources invisible to hackers.
Zero Trust client apps run transparently in the background on user devices. Role-based rules tell the client which resources the user may access so routing can happen seamlessly without user involvement.
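The contrast between a perimeter-only VPN check and per-resource Zero Trust policy, as an added illustration that is not Twingate's code or API: the resource names, roles and policy table are constructed, and `reachable_via_vpn` models the point above that one gateway decision exposes every segment, while `reachable_via_zero_trust` re-evaluates role and device posture for each resource.

```python
from dataclasses import dataclass

# Constructed sample catalogue of internal resources (hypothetical names).
RESOURCES = ("hr-db", "git", "wiki")


@dataclass(frozen=True)
class Request:
    role: str               # role asserted by the identity provider
    device_compliant: bool  # result of a device posture check
    resource: str           # the specific resource being requested


def perimeter_authorize(req: Request, vpn_authenticated: bool) -> bool:
    """Remote-access VPN model: the gateway is the only checkpoint.
    Once the tunnel is up, no per-resource decision is ever made."""
    return vpn_authenticated


# Zero Trust model: every resource carries its own policy, and anything
# not listed is denied by default (the resource is effectively invisible).
POLICIES = {
    "hr-db": {"roles": {"hr"}, "require_compliant": True},
    "git": {"roles": {"eng"}, "require_compliant": True},
    "wiki": {"roles": {"hr", "eng", "sales"}, "require_compliant": False},
}


def zero_trust_authorize(req: Request) -> bool:
    """Challenge every request: role and device posture are re-evaluated
    per resource, regardless of which network the request came from."""
    policy = POLICIES.get(req.resource)
    if policy is None:
        return False
    if req.role not in policy["roles"]:
        return False
    if policy["require_compliant"] and not req.device_compliant:
        return False
    return True


def reachable_via_vpn(role: str, compliant: bool) -> set[str]:
    """Resources a VPN user (or whoever controls their device) can reach."""
    return {r for r in RESOURCES
            if perimeter_authorize(Request(role, compliant, r), vpn_authenticated=True)}


def reachable_via_zero_trust(role: str, compliant: bool) -> set[str]:
    return {r for r in RESOURCES if zero_trust_authorize(Request(role, compliant, r))}


if __name__ == "__main__":
    # A compromised, non-compliant sales laptop: the VPN model exposes the
    # whole network, the Zero Trust model exposes only the wiki.
    print(sorted(reachable_via_vpn("sales", False)))         # ['git', 'hr-db', 'wiki']
    print(sorted(reachable_via_zero_trust("sales", False)))  # ['wiki']
```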
Zero Trust creates a direct, encrypted connection between each user and each resource. Access to cloud assets happens over the internet rather than through the private network. As a result, users experience more performant connections while traffic on company networks declines.
Zero Trust solutions are software-based so they can run on a company’s on-premises or cloud-based compute resources. The components of Zero Trust are easy to deploy to resources and user devices. And simple consoles let administrators on-board, off-board, and manage user accounts quickly.
Companies continue to use business VPNs despite the technology’s significant weaknesses. VPN is a known quantity, making it an “easy” choice for companies of all sizes.
At one end of the scale, startups have few people juggling many priorities. Security and remote access are necessary but not mission-critical. Going with a business VPN gets it done and lets staff focus on more important tasks.
At the other end of the scale, established corporations have already invested in traditional architectures. Sticking with business VPNs sounds more appealing than an expensive, drawn-out restructuring project.
These short-term decisions have consequences. VPN technologies hold small companies back due to the cost of scaling at startup speeds. Established businesses have even more to lose when their business VPNs are inevitably breached.
The perception that Zero Trust is complicated and requires complete rearchitecting of the network keeps many companies dependent on VPN. What these businesses need is a simple, phased approach to Zero Trust that can work in parallel with their existing systems.
Twingate’s Zero Trust Network Access solution is already in use at global organizations and early-stage startups. Our simple, software-based approach lets you deploy Zero Trust within 15 minutes.
Rather than flipping a switch for the entire organization, you can start small. Focus on teams who suffer the most under VPN’s limitations or on resources that need the most protection. Twingate simplifies the provisioning and maintenance of remote access with benefits that include:
- Integration with your existing security stack
- No architecture changes required
- Simple administrative tools
- Transparent user experience
Making life easier for administrators and users goes hand-in-hand with making your company’s information assets more secure. Twingate hides every protected resource behind a software-defined perimeter to reduce your attack surface. Simplifying role-based access control makes this micro-segmentation easier to manage while minimizing the impact of successful breaches.
Business VPNs were effective solutions for their time. But the 1990s internet was a very different place. Remote working, cloud computing, ransomware, and the other realities of modern IT have made VPN technologies obsolete.
Twingate’s approach to Zero Trust removes the friction from remote access while improving security and making your networks more performant and easier to manage.
Contact Twingate today to learn more about replacing your business VPN with a better approach to security and remote access.