How to Choose an Enterprise VPN | Twingate
Over the past three decades, VPN technologies have become core elements of network architectures. But VPN is brittle, difficult to manage, and less secure. Even the most sophisticated enterprise VPNs suffer from these inherent weaknesses.
This article will introduce you to the enterprise VPN, its strengths, and what to consider when selecting an enterprise VPN provider. You should also consider the challenges enterprise VPNs create — challenges that go away with modern Zero Trust secure access solutions.
Enterprise VPNs securely connect geographically separate network endpoints. Created as a cheaper alternative to leased-line WAN services, VPN connected companies’ remote networks to their central computing resources across the public internet. In this site-to-site model, VPN gateways sat at the edge of each location’s protected networks. The gateways connected through secure, encrypted tunnels that prevented inspection or interception of sensitive data.
Soon after, another use case emerged: remote access. Remote access VPN applied its site-to-site model to let traveling users access company resources through the secure perimeter. The VPN gateway treated the VPN client as another trusted network. Once connected, the user gained access to mail servers, databases, and any other resources on the network.
Today’s enterprise VPN solutions, also known as cloud VPNs or VPNs-as-a-Service, serve the same purposes using cloud-based architectures. The enterprise VPN provider maintains a network backbone that terminates in a dozen or more points of presence (PoPs) worldwide. Field offices or remote users connect to their nearest PoP. Once authenticated, their traffic travels across the provider’s private network to the company’s network endpoint.
Enterprise VPNs offer several benefits over traditional VPN infrastructures:
- Security: Access control rules are enforced at the PoP, rather than only after users have connected to a VPN gateway.
- Integrations: Enterprise VPN providers offer integrations with cloud platforms and service providers to extend their coverage beyond a company’s on-premises networks.
- Efficiency: Enterprise VPN providers take responsibility for managing and maintaining their infrastructure, freeing company IT teams to focus on other tasks.
These benefits make enterprise VPNs increasingly attractive options for CTOs frustrated with the labor and expense required by hardware-centric VPN technologies.
Choosing the wrong enterprise VPN provider could lock a company into a system that undermines network performance or inhibits business growth. Consider these four things when selecting an enterprise VPN:
Self-evaluation is an important first step. Any enterprise VPN must support the way the company works today. Some key questions to ask:
- How are resources split between on-premises assets, cloud-hosted platforms, and cloud X-as-a-Service (XaaS) providers?
- How permanent are work from home policies? Which users will return to an office-centric work mode? Which users will continue working remotely?
- How many non-employees need access to company resources? What security exposure does integration with customers and suppliers create?
- What is the balance between managed user devices and user-owned devices? In BYOD scenarios, how much access will administrators have to user-owned devices?
These questions and others will map a company’s needs to the right VPN solution. Asking the same questions about where the company plans to be next year or five years from now is just as important. Eliminate from consideration any enterprise VPN provider that cannot evolve with the company.
Some providers began as network equipment manufacturers, while others offered cloud-native solutions. Whatever their origins, the providers’ VPN designs will not fit every company’s needs.
Solutions that hew too close to hub-and-spoke topologies concentrate user traffic, reduce network throughput, and increase latency. Additionally, the size of a provider’s PoP network may not match a company’s needs. With small networks, any promised performance gains vanish beneath everyday internet congestion.
VPN plays a fundamental role in a company’s infrastructure. Vendor selection must factor in how well the technology integrates with that infrastructure. Some questions to ask:
- How much of the current security stack must be replaced?
- What changes need to be made to resources and networks?
- Can any user device run the VPN client?
Security compliance depends directly on the user experience. The more a user must engage with the VPN client, the less likely they are to follow proper security hygiene; a user who experiences latency may simply turn the VPN off. An enterprise VPN must make life as easy for the user as possible.
Ease of use is just as important for administrators. Security best practices call for narrowly-defined, role-based access policies and network segmentation. With the wrong enterprise VPN, both will be difficult to deploy and manage.
An enterprise VPN provider that aligns with everything a company needs could still become an obstacle to business performance. Even the most advanced provider is adapting a thirty-year-old technology to fit today’s distributed network environment. These are the common failures of enterprise VPNs:
VPN is based on a distinction between internal and external that no longer exists. Today, resources are not confined to company facilities, and administrators may have little control over user-owned devices. Users are just as likely to be freelancers as employees.
In the case of cloud integrations, enterprise VPN providers may support Azure, AWS, and other large cloud platforms. However, they cannot support every XaaS provider. For every gap in a VPN’s coverage, companies must add duplicative fixes that make their networks more complex.
The VPN paradigm’s hub-and-spoke topology, especially with hardware-centric solutions, significantly penalizes network performance. VPN gateways support a limited number of simultaneous users. Gateways also funnel remote traffic through the company’s network even when that traffic is destined for cloud resources.
The resulting hit to network throughput and latency makes it harder for users to work efficiently. And when business performance suffers, IT departments take the blame.
Another consequence of VPN design is the integration of access control with network infrastructure. Any change to a VPN gateway can require changes elsewhere in the network. Likewise, any changes in the network can require changes to VPN gateways and client apps.
VPN systems are among the top vectors for cyberattacks. Because every VPN gateway publishes its presence on the internet, hackers can exploit any unpatched device to penetrate the protected network. Hackers also target user VPN credentials through social engineering attacks to gain access to the network.
What makes these attacks so effective is VPN’s permissive nature. Originally meant to connect two trusted networks, VPN gateways grant full access to the networks they protect. VPN’s permissive access lets hackers move laterally through the network undetected.
In response to VPN’s growing weaknesses, businesses are adopting a modern approach to secure access called Zero Trust. Discarding the old concept of secure perimeters and trusted users, Zero Trust assumes that nothing is ever secure. Any user, device, network, or resource could be compromised at any time. Zero Trust solutions challenge every connection request, authorize access on a least-privilege basis, and revoke permissions when each session ends.
When implemented through software-defined perimeters (SDPs), Zero Trust solutions significantly limit companies’ risk exposure. Hiding resources behind SDPs makes them impossible to see from the internet — or even from a compromised network. Challenging every connection attempt impedes lateral movement and makes hackers easier to identify. As a result, the attack surface of Zero Trust networks is much smaller than that of VPN networks.
Twingate’s software-based Zero Trust solutions solve many of the issues VPN technologies create.
- Unified solution: Twingate lets companies control access for all users, devices, and resources within a single system.
- Performant networks: Twingate’s direct, encrypted connections send user traffic along the most efficient routes, relieving private networks from traffic destined for cloud assets.
- Responsive scalability: Not dependent on network infrastructure, Twingate can scale up and down instantly with a company’s business needs.
- Easy administration: Simple, unified consoles let administrators manage user permissions quickly.
- Improved security: Twingate tightens privileged access by extending Zero Trust to SSH and other network tools.
Unlike early Zero Trust implementations that required significant re-engineering, Twingate solutions are much easier to deploy. No changes to the underlying network or resource settings are needed. Twingate is compatible with a company’s security stack — and will co-exist with traditional VPN systems.
Twingate’s design supports phased deployments. A company can start with teams and resources with the greatest need for secure, unified access control. Over time, a company can extend its Twingate Zero Trust system throughout the organization.
Today’s enterprise VPN solutions are saddled with the inherent weaknesses of a thirty-year-old technology. At best, they only mitigate the performance, manageability, and security issues VPN technology creates.
Twingate’s modern Zero Trust solution is designed for today’s distributed networking environment, in which users can be anywhere on any device and resources may be scattered across physical and cloud locations. Twingate shrinks the attack surface and constrains lateral movement — in the process, improving network performance and the user experience.
Contact us to learn more about how Twingate’s secure access solution can be deployed in as little as 15 minutes. Or try our free 5-user Starter plan to take Twingate for a spin.