Reliance on VPNs for remote access is putting enterprises at significant risk as social engineering, ransomware, and malware attacks continue to advance, according to a new report by Zscaler.
More than 95 per cent of organisations surveyed are now leveraging a VPN service for secure remote access, up from 93 per cent last year, the report said, adding that there are almost 500 known VPN vulnerabilities listed on the CVE (common vulnerabilities and exposures) database.
“It is unsurprising that VPN is no longer able to keep up with the hybrid and remote access requirements of today,” said Ananth Nag, senior regional vice president at Zscaler, whose product line includes Zero Trust Exchange, a cloud-native security platform. “VPNs were created at a time when network topologies were vastly different, when there was a single corporate network everyone was accessing.”
More than 350 IT professionals at organisations with global workforces were surveyed for the report.
Since the shift to remote and hybrid work, 44 per cent of the organisations have witnessed an increase in exploits targeting their VPNs, and 71 per cent are concerned that VPN networks will jeopardise their security measures, the report said.
Majority of companies have three or more VPNs
The larger and more complex an organisation, the more complex its remote access infrastructure and management tend to be. A majority of companies surveyed (61 per cent) have three or more VPN gateways, and 38 per cent have more than five.
Each gateway requires a stack of appliances, often including the VPN, internal firewall, internal load balancer, global load balancer, and external firewall. “The more gateways an organisation has, the more expensive secure remote access becomes and the more complicated it is for IT to administer and manage,” the report noted.
About 74 per cent of organisations report that applications run in data centres, while 49 per cent use private clouds, 45 per cent use Microsoft Azure, 44 per cent use Amazon Web Services (AWS), and 22 per cent use Google Cloud Platform (GCP).
Single infected device can infect entire network
About 97 per cent of organisations say they understand that their VPN is prone to cyber attacks and exploits, but still use the technology, the report said.
“Breaches show that it only takes one infected device or stolen credential to put an entire network at risk, which is why cyber criminals are targeting users by accessing through a VPN,” the Zscaler report noted.
“Today applications are moving to the cloud, a network the enterprise does not control,” Nag said. “Users expect to seamlessly work off-network and from any device, anywhere. Remote access VPNs worked well in the network-centric world, but in the age of cloud and mobility, where there are virtual perimeters around the user, device, and application, they lack applicability.”
Companies shift to zero trust
Ongoing risks from legacy VPNs have created a gradual shift toward zero trust security architecture, with 80 per cent of companies actively planning or implementing a zero trust model, the report said.
Zero trust architecture, unlike VPNs, does not put users on the same network as business-critical information and prevents lateral movement through user-to-application segmentation, according to Zscaler.
“The strategy of gaining access permission at the outset followed by virtual internal freedom no longer meets organisations' needs,” Nag said.