Remote Access VPN vs. Zero Trust
A quarter-century ago, remote access VPNs solved an important business problem: how to keep remote workers connected to the company network. But that was a long time ago. VPN technology does not work with today’s distributed networks and workforces.
In this article, we will introduce the concepts behind remote access VPNs, explain why they no longer fit the way we work today, and introduce Zero Trust’s modern approach to access control.
What is a remote access VPN?
A remote access VPN establishes encrypted internet connections between remote users’ devices and a protected network. The system consists of two components:
- A VPN client app on the user’s device.
- A VPN gateway at the edge of the network’s secure perimeter.
When the client connects to the gateway’s public internet address, an encrypted tunnel gives the user access to the network and its resources.
Over the past three decades, VPN has become the dominant form of remote access for businesses of all sizes because of the clear benefits it offered:
Productivity - Field engineers, salespeople, and executives experienced less downtime while on the road. In addition, having instant access to company resources made employees more responsive to customers.
Ubiquity - VPN’s popularity means businesses can choose among a wide field of solutions that fit their needs and budgets. The pool of IT workers with VPN-related experience is also much larger, making staffing easier.
Security - Encrypted tunnels let users connect to the company network from untrusted locations like hotels and coffee shops without risking sensitive data.
How do remote access VPNs compare to site-to-site VPNs?
VPN was first developed as a wide-area networking solution, not for remote access. Until the 1990s, connecting a company’s remote networks to their central computing resources meant paying telephone companies for expensive leased-line services.
The internet offered an affordable alternative, but how could companies send private data over public networks? Deploying VPN gateways in a hub-and-spoke topology created a virtual, private network across the internet and made remote sites part of the central network. Under the direct control of the company’s IT staff, this static architecture was relatively easy to deploy and manage.
Remote access capabilities came later but used the same structure as site-to-site applications. Each remote VPN client is a spoke connecting to the VPN gateway’s central hub. When users connect to the main office, their devices become extensions of the company network. From there, users can access that network’s resources.
Are remote access VPNs built for hybrid workforces?
A quarter-century ago, extending the site-to-site approach to remote access made some sense. The infrastructure and skill sets were already in place and the benefits were very real. But as the pandemic made crystal clear, legacy remote access VPN does not work anymore.
Back in the day, companies had direct control over their information technologies. Resources, devices, and networks were company-owned and company-managed. Only a relative handful of those devices connected remotely.
The workforce was also very different. Only employees could access the company network. Plus, the number of employees accessing the network remotely was limited to a narrow range of trusted roles.
Remote VPNs are not built for the way we work today
Things are more decentralized today. Resources, devices, and networks may not be owned by the company, managed by the company, or located on company property. More resources are either hosted on third-party cloud platforms or simply outsourced to SaaS providers. The very idea of a “secure perimeter” is becoming meaningless as the network’s boundaries extend far beyond the office walls.
Workforces are also more amorphous. Long-running trends like BYOD and work-from-home went exponential in 2020. Rather than having most user devices on-premises, most were connecting remotely. Instead of managing fleets of company-owned computers, companies were opening their networks to a more diverse mix of devices connecting from home routers.
The reason remote access VPN does not suit the way business works today is built into its fundamental design:
- Hub-and-spoke topology in a distributed world
  - Gateways channeling every user’s traffic create bottlenecks that impact network bandwidth and latency.
  - Each subnet requires its own VPN gateway, making networks expensive and difficult to scale while degrading the user experience.
- Only controlling remote access to managed networks
  - Separate access control systems are needed for on-premises users.
  - Cloud resources require their own unique access control systems.
Companies are realizing that, beyond the productivity issues, VPN makes them more vulnerable to security breaches. The problem comes down to trust. VPN gateways, for example, trust that only authorized users will access their public IP addresses. That visibility, however, makes VPN gateways easily discoverable by hackers who can exploit vulnerabilities.
The greatest risk, however, is from compromised user credentials. Trusting an authorized user, VPN gateways grant full access to whatever network they protect. Stolen user credentials grant hackers the same unfettered access — and let them appear to be the authorized user.
Remote access VPNs vs. Zero Trust for hybrid workforces
Zero Trust Network Access is a modern security paradigm based on the assumption that no connection is trusted by default. Not only can a breach happen, but it probably already has. Zero Trust requires the verification of every connection attempt regardless of:
- Who the user is.
- What device they use.
- Where they connect from.
Zero Trust lets companies adopt distributed architectures more suited to modern networking. Rather than consolidating traffic through gateways, Zero Trust systems let traffic flow directly between devices and resources. This approach generates several benefits:
- Resources and devices can be anywhere on any network.
- Nothing is ever exposed to the public internet.
- Because they are software-based, Zero Trust solutions are simple to deploy and manage.
- Routing and rules enforcement happen locally rather than round-tripping to central systems.
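As an added illustration (not Twingate’s code or product logic), the following Python sketch contrasts the two trust models described above: a VPN gateway that grants network-wide access on a valid credential, and a Zero Trust decision evaluated per resource on user, device and location. All users, devices, resources and policy rules are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnectionAttempt:
    user: str
    password_ok: bool      # credential check passed; also true for a stolen password
    device_id: str         # identifier presented by the client
    source_country: str    # where the connection originates
    resource: str          # the specific resource being requested


# Constructed sample data; not a real deployment.
NETWORK_RESOURCES = {"crm", "git", "finance-db"}
ENROLLED_DEVICES = {"alice-laptop", "bob-laptop"}
POLICY = {  # per-resource rules: which users, managed device or not, from where
    "crm":        {"users": {"alice", "bob"}, "managed_only": False, "countries": {"US", "GB"}},
    "git":        {"users": {"alice"},        "managed_only": True,  "countries": {"US", "GB"}},
    "finance-db": {"users": {"bob"},          "managed_only": True,  "countries": {"US"}},
}


def vpn_gateway_decision(attempt: ConnectionAttempt) -> set:
    """Legacy model: the gateway trusts the credential alone, so a valid
    (or stolen) password opens every resource on the network behind it."""
    return set(NETWORK_RESOURCES) if attempt.password_ok else set()


def zero_trust_decision(attempt: ConnectionAttempt) -> tuple:
    """Zero Trust model: each attempt is checked against the requested
    resource's policy for user, device and location; nothing is network-wide."""
    if not attempt.password_ok:
        return False, "credential check failed"
    rule = POLICY.get(attempt.resource)
    if rule is None:
        return False, "resource not published"
    if attempt.user not in rule["users"]:
        return False, "user not authorized for this resource"
    if rule["managed_only"] and attempt.device_id not in ENROLLED_DEVICES:
        return False, "unmanaged device"
    if attempt.source_country not in rule["countries"]:
        return False, "location not permitted"
    return True, "user, device and location verified"


def stolen_credential_scenario() -> tuple:
    """Alice's stolen password used from an unknown device abroad to reach git."""
    attempt = ConnectionAttempt("alice", True, "unknown-device", "XX", "git")
    return vpn_gateway_decision(attempt), zero_trust_decision(attempt)


if __name__ == "__main__":
    vpn, zt = stolen_credential_scenario()
    print("VPN grants:", sorted(vpn))   # every resource on the network
    print("Zero Trust:", zt)            # (False, 'unmanaged device')
```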
Modern Zero Trust access control also improves the performance of company networks while improving the user experience. Direct connections allow traffic to follow the most performant route. Traffic between remote users and cloud resources no longer traverses company networks. In addition, geographically dispersed users experience less latency and improved productivity.
Where is the industry headed?
While Zero Trust eliminates the inefficiencies imposed by legacy VPN technologies, security is the primary driver of its adoption across industries. The number and severity of cyber breaches increase every year as secure perimeters crumble. In the face of this threat, for example, the US government is rapidly shifting to Zero Trust architectures.
“Federal agency CIOs and IT leadership are leaning into this challenge,” Federal Chief Information Officer Clare Martorana said recently. “The zero trust strategy provides a clear roadmap for deploying technology that is secure by design and responsive to the needs of our workforce.”
Zero Trust is not limited to organizations as complex as the US government. Companies of all sizes can adopt Zero Trust access control to improve their security posture, increase productivity, and make their IT investments more agile.
Twingate’s modern Zero Trust solution lets large and small companies alike protect their most sensitive resources while enjoying benefits such as:
Protect resources, not networks - Micro-segmentation was impractical with VPN, but Twingate’s solution lets companies shield every resource behind its own software-defined perimeter.
Invisibility on any network - With Twingate’s approach, an organization’s private resources disappear. Whether on the internet or a compromised network, hackers cannot see protected resources.
Transparent user experience - VPN undermines security compliance by making the user experience more difficult. Twingate’s client operates transparently with no user engagement.
Simple to deploy - Twingate customers have deployed Zero Trust across their organizations in as little as 15 minutes. No changes are needed to the network or any resource settings.
Simple to manage - Twingate’s administrator console turns permission management into a one-click operation.
Twingate does more than replace remote access VPN. Our complete access control solution applies to all users whether they are remote or on-site, employees or contractors. Twingate can protect any resource whether it runs on a local server or is hosted in the cloud. We can even extend multi-factor authentication to SSH and other services hackers use to escalate their privileges.
Twingate goes beyond remote access VPN
In a simpler information age, remote access VPN was a solution that matched the way business worked. Today’s world is more complex, dynamic, and distributed, which is why businesses need a modern approach to network access control.
Twingate’s Zero Trust solution gives companies a more secure, flexible, and performant way to manage network access. Resources can be in the cloud or on-premises. Users can be anywhere in the world. Twingate makes it easy for companies to enforce granular access control policies based on least-privilege principles. And without the need to re-architect their networks, Twingate customers can reap the benefits of Zero Trust in minutes.
Use Twingate’s free Starter plan to experience how simple and easy Zero Trust can be. Or contact us for more information about how Zero Trust can work for your organization.