What is a corporate VPN?
Administrators cannot patch away the security risks of legacy VPN systems - the weaknesses are built into how a VPN works. Designed for a simpler era of corporate computing, traditional VPN technology (Virtual Private Network) is no longer a fit for today's businesses. Cloud services, remote work, and BYOD policies make the corporate computing environment far more complex than the one VPNs were built for. Twingate's Zero Trust approach to network access offers an alternative to corporate VPNs with usability, scalability, and security designed for that environment.
Traditional business VPN technology - and its inherent weaknesses - dates back to the origin of the commercial internet in the 1990s. The spread of computing technology created a need among small- and mid-sized businesses to connect their branch offices' local networks to their headquarters' central computing resources. However, they could not afford the leased-line wide-area networks used by large enterprises. Internet-based VPN technology provided a cheaper alternative by creating an encrypted tunnel over the public internet between two or more networks.
Around the same time, businesses began issuing portable computers and mobile devices to executives, salespeople, and other employees who worked away from the office. VPN technology eventually became the standard way to grant these employees remote access to the corporate network.
This new kind of internet-based networking came at a price. Unlike traffic on a private leased-line WAN, traffic crossing the public internet could be observed or tampered with in transit. What we now call "traditional" VPN evolved to meet business's security needs by adopting stronger encryption, authentication, and integrity protection for the tunnel.
Over the past three decades, traditional VPN technologies adapted to the changing corporate computing environment. However, the structures baked into the technology at the beginning did not change, which makes legacy VPNs increasingly insecure.
Because it was developed to link privately owned networks, each with a known IP address, VPN technology operates within the trust-based paradigm of 1990s corporate networking: trusted resources and devices sat on an internal network, and security strategy focused on defending that network's perimeter from outside threats. Each VPN connection used one of several tunneling protocols to join one trusted network to another.
This approach works well enough when connecting two secure networks, but it creates inherent security risks when applied to remote access. These two very different classes of connection do not face the same threats, yet traditional VPN's defining paradigm treats them as the same. Once a remote device authenticates to the gateway, it is placed on the internal network and, by default, can reach anything routable from there.
Administrators must compensate by layering additional controls, such as isolating resources on separate subnets with their own firewall rules and VPN profiles. This adds complexity to network maintenance. It also adds friction to the user experience as remote workers juggle different resource-specific VPN profiles.
Exposed VPN gateways
Despite creating "virtual" private networks, VPN security has always depended on a physical chokepoint. Hardware-based VPN gateways (or VPN servers) must be integrated with the company's network infrastructure, and a mismanaged gateway becomes a significant part of the company's attack surface. Some VPN gateways today are virtualized, but they are exposed in exactly the same way as physical ones.
Designed in a more optimistic internet age, VPN gateways must be reachable from the public internet to do their job, so they listen on well-known ports (for example UDP 500/4500 for IPsec or TCP 443 for SSL VPNs) that simple scanning tools can enumerate and fingerprint, revealing the vendor and often the firmware version. Administrators must monitor VPN vendor advisories constantly and deploy security patches promptly. Far too often, overtasked IT departments delay patches, leaving known, remotely exploitable flaws in a device that is exposed to the public internet and sits at the boundary of the trusted network.
Poor VPN user experience
User behavior also undermines the security of legacy VPN solutions. Each VPN gateway is a bottleneck for remote users' network traffic. Suppose a California-based company's salesperson in New York needs secure access to a resource hosted in North Carolina. All of the traffic between the salesperson and the resource must travel through the VPN gateway in California. Backhauling data through the VPN gateway adds latency and degrades the user experience. Making matters worse, the limited capacity of each VPN gateway forces users to compete for bandwidth. Human nature being what it is, users will find other, less secure ways to get their jobs done, such as emailing files to personal accounts or leaving the VPN disconnected.
The risks inherent to traditional VPN security were hard enough to manage during the 1990s era of corporate networking. Today's always-connected world has made the traditional approach inadequate. A remote user may require access to corporate resources from any public network, using any computer or mobile device.
Hybrid deployment models
The simple model of on-premises resources protected behind a secure perimeter no longer exists. Replacing it is a much more complex model. Proprietary resources now consist of on-premises assets, legacy data centers, co-located hardware, and cloud-hosted virtual networks. And with the rise of X-as-a-Service solutions, many mission-critical resources are not even owned by the company.
The salesperson-with-a-laptop model of remote access has also transformed. Managed devices are no longer limited to personal computers. Tablets, smartphones, and Industrial Internet of Things devices are now common elements of a company’s infrastructure. Bring-your-own-device (BYOD) policies let employees access resources using personal devices that administrators may not control.
This complexity is not limited to company employees. The modern workforce also includes a blend of suppliers, contractors, and third-party service providers. All of them need access to certain resources at different times in different locations from devices that may or may not be managed.
Although some companies embraced these changes, many could afford to adopt them slowly. But then the pandemic arrived and compressed a decade of change into a few weeks. Maintaining business operations without endangering employees required a company-wide shift to remote working. Remote employees began accessing company resources from home using their personal devices. After the initial scramble, administrators began applying more disciplined security practices, but a workforce on unmanaged devices and home networks presents a fundamentally larger attack surface. Throwing more enterprise VPN appliances at the problem will not provide a long-term solution.
The sudden shift to remote working forced businesses to face up to the new reality. Traditional VPN services cannot protect a perimeter that no longer exists. The legacy approach stands in stark contrast to how remote access to corporate resources should be secured today. Since threats can come from anywhere, a new security paradigm is required that traditional corporate VPNs do not support: trust nothing, verify everything.
Zero Trust Network Access (ZTNA) assumes that any user, any device, or any network can be compromised at any time. Rather than granting access through a gateway to a network or subnet, ZTNA controls access for each protected resource individually. Authorization is evaluated on every access request, against the identity of the user and the state of the device, and expires whenever the connection terminates. Under this model an employee on an on-premises managed device and a freelancer on a smartphone at an airport hotspot go through the same verification: neither location nor network position confers trust by itself. The protected resource can be running on a proprietary server, co-located in a server farm, or hosted in the cloud, and ZTNA can also apply to third-party X-as-a-Service solutions a company uses.
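The contrast between the two access models in the preceding paragraphs, as an added, constructed example (this is not Twingate's code and does not describe its policy engine; the resource names, groups, addresses and user records are assumed). The legacy function models a VPN gateway: one authentication decision, then the whole subnet is reachable. The broker models ZTNA: each request is checked against the specific resource, the caller's groups and the device state, and the resulting grant dies with the connection that carried it.

```python
"""Constructed illustration of network-level versus per-resource access.
Added example; it is not Twingate's code and does not describe its policy
model. Resource names, groups and addresses are assumed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Principal:
    user: str
    groups: FrozenSet[str]
    managed_device: bool   # device enrolled in the company's MDM/EDR
    network: str           # "office", "home", "airport-wifi": logged, never trusted


@dataclass(frozen=True)
class Resource:
    name: str
    address: str
    allowed_groups: FrozenSet[str]
    require_managed_device: bool


# Constructed inventory: three services that share one internal subnet.
RESOURCES: Dict[str, Resource] = {
    "wiki":  Resource("wiki",  "10.10.1.10", frozenset({"staff", "contractors"}), False),
    "hr-db": Resource("hr-db", "10.10.1.20", frozenset({"hr"}), True),
    "ci":    Resource("ci",    "10.10.1.30", frozenset({"engineering"}), False),
}


def vpn_reachable(authenticated: bool) -> FrozenSet[str]:
    """Legacy VPN model: one authentication decision at the gateway, after
    which the whole subnet is routable. The caller's identity and device are
    not consulted again, so every resource on the subnet is reachable."""
    return frozenset(RESOURCES) if authenticated else frozenset()


class ZtnaBroker:
    """Per-resource, per-request authorization. Each grant is bound to one
    connection and is invalidated the moment that connection closes."""

    def __init__(self) -> None:
        self._next_id = 1
        self._open: Dict[int, str] = {}  # connection id -> resource name

    def authorize(self, p: Principal, resource_name: str) -> Optional[int]:
        """Evaluate one request. Returns a connection id, or None if denied."""
        r = RESOURCES.get(resource_name)
        if r is None:
            return None
        if not (p.groups & r.allowed_groups):
            return None
        if r.require_managed_device and not p.managed_device:
            return None
        conn_id = self._next_id
        self._next_id += 1
        self._open[conn_id] = r.name
        return conn_id

    def is_valid(self, conn_id: int, resource_name: str) -> bool:
        """True only while the connection that carried the grant is open."""
        return self._open.get(conn_id) == resource_name

    def terminate(self, conn_id: int) -> None:
        """Close the connection; the grant dies with it."""
        self._open.pop(conn_id, None)


def demo() -> Dict[str, object]:
    """Run both models against the same people and return the decisions."""
    contractor = Principal("fran", frozenset({"contractors"}), False, "airport-wifi")
    hr_on_phone = Principal("ana", frozenset({"staff", "hr"}), False, "home")
    hr_on_laptop = Principal("ana", frozenset({"staff", "hr"}), True, "office")
    broker = ZtnaBroker()
    wiki_conn = broker.authorize(contractor, "wiki")
    out: Dict[str, object] = {
        "vpn_contractor": vpn_reachable(True),          # everything on the subnet
        "ztna_contractor_wiki": wiki_conn is not None,  # allowed by group
        "ztna_contractor_hrdb": broker.authorize(contractor, "hr-db"),  # None
        "ztna_hr_phone": broker.authorize(hr_on_phone, "hr-db"),        # None
        "ztna_hr_laptop": broker.authorize(hr_on_laptop, "hr-db"),      # grant
    }
    broker.terminate(wiki_conn)
    out["valid_after_close"] = broker.is_valid(wiki_conn, "wiki")  # False
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `network` field is deliberately ignored by `authorize`: an office desk and an airport hotspot produce the same decision for the same user and device, which is the point of the paragraph above. The HR user is the instructive case: her group membership is enough for the VPN model, but the broker still refuses the HR database from an unmanaged phone and grants it from the managed laptop, and the contractor's wiki grant stops being valid the moment the connection is torn down rather than persisting as standing network access.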
For early adopters, migrating from traditional VPN security to ZTNA-based security required expensive, drawn-out re-engineering of the corporate network. But a next-generation alternative to corporate VPNs from Twingate lets companies deploy ZTNA quickly and painlessly. Thanks to its modern approach to security, Twingate enhances network security while making life easier for people across the organization.
Benefits for administrators
The maintenance and security overhead imposed by legacy VPNs goes away, freeing administrators. Twingate is:
- More secure
  - Resources are hidden behind access nodes rather than public endpoints.
  - Access rules apply to all users, not just remote workers.
  - Granular, least-privileged access to resources instead of network-level access.
- Easier to deploy
  - SaaS-based controller and relay technology rather than gateway hardware.
  - Software-only connectors deploy in any environment, whether on-premises or cloud-based.
  - Lightweight client is installable by users without needing support from IT.
- More performant and maintainable
  - Lower latency, faster user connectivity, and less network congestion.
  - Logging and analytics for enterprise-wide visibility.
  - Centralized administration with no infrastructure changes needed.
Benefits for end-users
Twingate makes security as easy as possible for end-users, eliminating the risks created when users work around the limitations of traditional VPN solutions:
- No backhauling
  - Users connect more directly to resources rather than through gateway chokepoints.
  - Split tunneling separates traffic to private resources from other activity.
- Consumer-grade client app
  - Installs like any other app rather than requiring administrator assistance.
  - Almost no user interaction required, unlike VPNs, which often require users to select different VPN gateways and toggle them on and off.
  - Lightweight, always-on app has minimal impact on device performance.
Adopting ZTNA with Twingate's alternative to corporate VPNs future-proofs businesses for tomorrow's computing environment. More resources will migrate from on-premises systems to the cloud. Remote working will be a permanent part of business life even as the pandemic fades. Adapting to these changes, Twingate is the next evolution of the corporate VPN, providing flexible, performant security to protect your company's private data.