IT Operations

The Case for Sunsetting the VPN

The remote-access technology that workers love to hate may have met its match with COVID-19

For decades, the virtual private network (VPN) has been a staple of daily life for professionals working outside of the office. Here’s another staple: Complaining about the VPN. 

End users grumble about the extra time VPNs add to logging on to the corporate network and suffer through slower internet access once they connect. Network administrators must field the help-desk calls from those angry users. Everyone seems to find VPNs inconvenient, unwieldy, and annoying.

And that was before the pandemic. Traditionally, most companies purchased just enough VPN capacity to serve about 10% of their employees at any one time—enough to ensure salespeople on their rounds, top executives, and others could get their work done when working away from the office.

But suddenly, everyone was working from home, and unless you could quickly get your hands on the on-premise hardware required to run traditional VPNs (known as VPN concentrators), companies were hard-pressed to keep workers supplied with secure, reliable connections. 

 Companies have had to increase their VPN capacity tenfold, and users are getting worse performance than ever.
Richard Stiennon

“What used to be an annoyance is now interfering with business getting done,” says Richard Stiennon, founder of IT-Harvest, a security analysis firm. “Companies have had to increase their VPN capacity tenfold, and users are getting worse performance than ever.”

Executives in a poll conducted by Tanium in June 2020, in fact, named overtaxed VPNs as the second-biggest security challenge they faced as they moved to more distributed workforces. (No. 1 was identifying new computing devices on the network, as remote workers logged on with their personal devices.) As a result, 40% said they were reducing their reliance on the technology going forward.

[Watch: Good security is IT done well]

One reason: Cybersecurity teams had to devote so much time to setting up secure connections for remote workers that they neglected other duties, Stiennon says. In the Tanium poll, 26% of the C-level executives said their companies had to deprioritize patching and other security activities during the first few months of the crisis. In 2021, as the pandemic wears on, many companies are exploring more secure, scalable alternatives.

Time for an upgrade

Fortunately, companies have an alternative. As more and more digital tasks are performed using cloud-based services—think Microsoft360, Slack, and Zoom—major providers have built capabilities that are faster, more automated, and more secure than VPNs. Increasingly, this makes VPNs obsolete, says Rob Sadowski, trust and security marketing lead at Google Cloud.

Having remote access built into the cloud is a better experience for the user and the administrators.

Alex J. Philips

“VPNs are just not the best fit for the extended workforce,” says Sadowski. “Having remote access built into the cloud is a better experience for the user and the administrators.”

Alex J. Philips, the CIO of Houston-based National Oilwell Varco, agrees. “VPNs are probably the No. 1 source of problems in my world,” he says.

The oil-well services company in 2016 retired more than a dozen of its VPN routers and moved to a cloud-based service that offered hundreds of access points around the globe. An engineer in Singapore, for example, could securely log on to cloud-based applications without having to use a VPN. The result was a better user experience, whether the employee was connecting to the company’s expense-tracking application or using such cloud-based services as Zoom or Slack.

Another benefit was scalability, says Philips. With the VPN, the maximum number of employees who logged on remotely was 2,000. When the pandemic hit, 9,000 workers were connecting at the same time. The cloud system handled them without a hitch.

[Read also: How Bank of America is scaling its digital future]

“Meanwhile, all these other companies were scrambling to buy more VPN capacity, at a time when global supply chains were shutting down and you couldn’t find more hardware,” he says. “If we’d still had our legacy VPN architecture, I don’t know what we would have done, but it would have been brutal.”

Cloud-based services offer their own built-in security features that don’t have the inherent vulnerabilities of VPNs. Google Cloud, for instance, developed an open-source technology called BeyondCorp so its own employees could log in safely from their home Wi-Fi, or any other unsecured network, without having to tangle with a VPN.

When New York City created its Cyber Command to create a common infrastructure for all of the city’s websites and services, officials chose Google Cloud, in part because it let them avoid using VPNs. “They have workers protecting the country’s largest city, and they need those workers to access critical applications and resources whenever they want,” Sadowski says.

Gaining trust in zero trust

Besides having essentially unlimited bandwidth, BeyondCorp follows an approach to security called “zero trust,” in which users have to prove their identity in multiple ways every time they log into enterprise systems, applications, and websites. One problem with traditional VPNs is that once users are admitted to a network, they have free rein to go wherever they like—including, conceivably, into sensitive customer and employee databases.

Recently, hackers gained access through a VPN to the network of a water-treatment company in Oldsmar, Fla., and nearly succeeded in injecting dangerous quantities of lye into the water system, according to press reports

A zero-trust system not only confirms the identity of every device, but also ensures that it has been configured properly and is not, for example, running old, unsupported software. It verifies the user’s identity, so that fired employees can’t log on. And it controls access to each application to make sure the user has permission to access it.

[Read also: How Tanium provides endpoint visibility for Google’s BeyondCorp] 

VPNs, first conceived by a Microsoft engineer in the mid-1990s, work by creating a temporary, encrypted “tunnel” between a corporate router and the employee’s PC. They were designed to give the user access only to applications on the company network, and they weren’t intended for today’s always-on connections. 

Demand for VPN solutions will not disappear quickly, of course. Not only have many companies chosen to buy more capacity rather than change to new approaches, but vendors including IBM have found ways to adapt their VPN offerings to make them more cloud-based.

Nonetheless, if working from home becomes the reality for millions of employees, network administrators will need to secure far more devices more efficiently—and not just the carefully configured PCs employees have worked on for decades. Secure access will be required for the home laptop, mobile devices, and whatever new clients emerge in the years ahead. This means a rich hunting ground for cyberthieves and hackers, since more devices mean more opportunities to steal passwords and other credentials.

Technology vendors are increasingly teaming up to solve this byzantine management problem. Tanium, for example, announced a partnership with Google in 2020, so that companies using our endpoint management system and BeyondCorp can continually inspect all traffic on a Chrome browser for malware and other threats.

“There’s a reason everybody loves to hate the VPN,” says John Pescatore, the director of emerging security trends at the SANS Institute. “You should be able to work the same way, whether you connect from your office, your home Wi-Fi, or from a parking lot or hotel room, without having to even know there’s a thing called a VPN.”

Peter Burrows
Peter Burrows is a long-time technology journalist and author who has written for Business Week, Bloomberg News, MIT Tech Review and other publications.