7 VPN alternatives for securing remote network access

Once the staple for securing employees working remotely, VPNs were designed to provide secure access to corporate data and systems for a small percentage of a workforce while the majority worked within traditional office confines. The move to mass remote working brought about by COVID-19 in early 2020 changed things dramatically. Since then, it has become the norm for large numbers of employees to regularly work from home, with many only going to the office sporadically (if at all).

VPNs are insufficient for the remote working and hybrid landscape, and an overreliance on them to secure large numbers of employees working from home poses significant risks. “VPNs originally helped companies manage a few employees or third-party contractors who needed remote access to certain systems while working remotely,” Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify, tells CSO. He adds that it has also led to negative impacts on employee productivity and user experience, all adding to increased friction.

“Using VPNs at such a large scale could never have been predicted, and it has created a security nightmare for IT teams as it widened the surface area for potential attacks,” says Netacea’s head of threat research Matthew Gracey-McMinn.

“With the COVID-19 pandemic, most companies were forced to quickly adapt to a full remote work environment, and some of those did insecurely, just deploying generic VPN solutions to enable their employees to access the same systems from their homes and blindly trusting their devices,” says Appgate security researcher Felipe Duarte.

With remote and hybrid working set to be the norm for the foreseeable future, it is vital that organizations not only recognize the shortcomings and risks of VPNs in the remote working era but also understand how alternative options can better secure the future of remote and hybrid working.

[Editor’s note: This article, originally published on October 11, 2021, has been updated with information on VPN-less remote connection products.]

Shortcomings of VPNs for remote working

Because VPNs typically extend an organization’s network, if the network that the user is on is insecure, there is greater potential for an attacker to leverage it, says Sean Wright, application security lead at Immersive Labs. “Home networks have more security vulnerabilities, making this risk heightened,” he adds.

Wave Money CISO Dominic Grunden points to another shortcoming: the fact that VPNs only provide encryption for traffic passing between two points, requiring a standalone full security stack that must be deployed at one end of every VPN connection for traffic inspection. “This is a requirement that grows increasingly difficult to meet when enterprise resources are increasingly hosted in the cloud and accessed by remote workers. VPNs also don’t provide an avenue to secure third-party access, which is perhaps the weakest attack link.”

Gracey-McMinn says most VPNs provide minimal security with traffic encryption and often do not enforce the use of multi-factor authentication (MFA). “If a member of staff’s computer has been compromised while working at home, this could lead to a malicious actor gaining access to a company’s network via the VPN using staff credentials, which would grant them full trusted access—activity less likely to be detected by a security team due to not having a full security stack layer while working from home.”

This was observed in the recent Colonial Pipeline ransomware attack, says Duarte. “In that case, the attackers got access to the internal network just by using compromised username and password credentials for an insecure VPN appliance.” He also notes instances of attackers targeting and exploiting known VPN appliance vulnerabilities. “Most recently, we observed the exploitation of CVE-2021-20016 (affecting SonicWall SSLVPN) by the cybercrime group DarkSide, and also CVE-2021-22893 (affecting Pulse Secure VPN) exploited by more than 12 different malware strains.”

Another significant issue is that of malware-infected and unpatched devices. “This scenario is generally related to human-driven malware, like botnets, backdoors, and RATs [remote access Trojans],” says Duarte. “The attacker creates a remote connection with the device, and after the VPN is connected, the malware can impersonate the user, accessing all the systems it has access to and spreading through the internal network.”

Wright agrees, adding that devices are only going to be sufficiently secure if they are actively updated. “You can have the world’s most secure VPN connection, but if the device is not sufficiently patched it will represent a risk to your organization, and the VPN connection will make little difference.”

VPNs also have significant drawbacks from a usability and productivity standpoint, says Grunden. “A common complaint about VPNs is how they reduce network speed because VPNs reroute requests through a different server, and so it is inevitable that the connection speed would not remain the same due to increased network latency.” Besides that, other performance issues sometimes arise relating to the use of kill switches and DHCP. “The security provided by VPNs, while being necessary, often comes with undue complexity, particularly for organizations using enterprise VPNs,” he adds.

Secure alternatives to VPNs for remote working

Whether it’s replacing VPNs altogether or supplementing them with other options, organizations must recognize and implement alternative security methods better suited to protecting mass remote working. Which and how many of these strategies a business may explore will vary depending on several factors such as posture and risk appetite. However, security experts agree that the following are most likely to be most universally effective for companies.

1. Zero trust network access

Zero-trust network access (ZTNA) is essentially brokered access to applications and data on the network. Users and devices are challenged and confirmed before access is granted. “What you must do is adopt a zero-trust mindset, always assuming a device or an employee account might be compromised,” says Duarte.

Grunden explains that “zero-trust methods are able to perform the basic capabilities of a VPN, such as granting access to certain systems and networks, but with an added layer of security in the form of least-privileged access (down to the specific applications), identity authentication, employment verification, and credential storage.”

As a result, if an attacker succeeds in infecting a system, the damage is limited to only what this system has access to, Duarte says. “Also, be sure to implement network monitoring solutions to detect suspicious behavior, like an infected machine doing a port scan, so you can automatically generate an alert and shutdown the infected system,” he adds.

2. Secure access service edge (SASE)

With a ZTNA model, according to Gracey-McMinn, every user and device will be verified and checked before it is allowed access, not only at the network level but also at the application level. However, zero trust is only one part of fixing the problem and cannot monitor all traffic from one endpoint to the other, he adds. “SASE [secure access service edge] solves that issue. As a cloud-based model, SASE combines the network and security functions together as a single architecture service, which allows a company to unify their network at one singular point from one screen.”

Grunden says that SASE is a modern solution designed to meet the performance and security needs of today’s organizations, offering simplified management and operation, lower costs, and increased visibility and security with the extra layers of network functionality as well as underlying cloud-native security architecture. “Ultimately, SASE gives IT teams as well as an enterprise’s entire workforce the flexibility to function securely in the new normal of this work anywhere, cyber everywhere COVID world,” he says.

3. Software-defined perimeter

Often implemented within wider zero trust strategies, a software-defined perimeter (SDP) is a network boundary based on software instead of hardware, and is an effective replacement for classic VPN solutions, says Duarte. “This allows you to not only use multi-factor authentication and segment your network, but you can profile the user and the device connecting and create rules to enable access to only what it really needs according to different scenarios.”

SDP also makes it easier for you to block access to resources once a suspicious behavior is detected in your network, effectively isolating potential threats, minimizing the damage caused in an attack, and maintaining productivity in case of a false positive, instead of fully disabling the device and making a user unable to do any meaningful work, Duarte adds.

4. Software-defined wide area networks

VPNs depend on a router-centric model to distribute the control function across the network, where routers route traffic based on the IP addresses and access-control lists (ACLs). Software-defined wide area networks (SD-WANs), however, rely on a software and centralized control function that can steer traffic across the WAN in a smarter way by handling the traffic based on priority, security, and quality of service requirements as per the organization’s needs, Grunden says.

“SD-WAN products are designed to replace the traditional physical routers with virtualized software that can control application-level policies and offer a network overlay. Additionally, SD-WAN can automate the ongoing configuration of WAN edge routers and run traffic over a hybrid of public broadband and private MPLS links,” Grunden says. This creates an enterprise edge-level network with lower costs, less complexity, more flexibility, and better security.

5. Identity and access management and privileged access management

Solutions that incorporate a comprehensive verification process to confirm the validity of login attempts provide greater protections compared to traditional VPNs, which normally only require a password. “A security feature of IAM [identity and access management] is that session activity and access privileges are connected to the individual user, so network managers can be sure each user has authorized access and can track each network session,” says Grunden. “IAM solutions also often provide additional levels of access so that users can only access the resources they are authorized to use.”

While this VPN alternative or paired option manages identity protocols allowing for more granular activity monitoring, it does not provide additional protections for privileged credentials. To securely manage the credentials for privileged accounts, privileged access management (PAM) is needed, Grunden adds. “If identity management establishes the identity of individual users and authorizes them, PAM tools focus on managing privileged credentials that access critical systems and applications with a higher level of care and scrutiny.”

Such high-level accounts must be managed and monitored closely, as they present the largest risk to security and are heavy targets for bad actors because of the administrative capabilities they allow. “The key benefits of a PAM solution include advanced credential security like the frequent rotation of complex passwords, obfuscation of passwords, systems and data access control, and user activity monitoring,” says Grunden. “These features reduce the threat of unauthorized privileged credential use and make it easier for IT managers to spot suspicious or risky operations.”

6. Unified endpoint management tools

Conditional access via unified endpoint management (UEM) tools can provide a VPN-less experience through conditional access capabilities, whereby an agent running on the device will evaluate various conditions before enabling a person to access a particular resource, says Andrew Hewitt, senior analyst at Forrester. “For example, the solution may evaluate device compliance, identity information, and user behavior to determine whether that person can indeed access enterprise data. Often, UEM providers will integrate with ZTNA providers for added protection.

7. Virtual desktop infrastructure or desktop-as-a-service

Virtual desktop infrastructure (VDI) or desktop-as-a-service solutions “essentially stream compute from the cloud (or from an on-prem server) so that nothing resides locally on the device,” explains Hewitt. Sometimes organizations will use this as an alternative to VPN, but there still needs to be checks at the device level along with user authentication to secure the access, he adds. “The benefit of this however is that no data can be copied from the virtual session onto a local client, unlike traditional VPN.”

Vendors invest in non-VPN approaches to hybrid security

Security vendors are investing in many of the non-VPN, hybrid security approaches outlined above, with some notable recent examples. In May 2023, AWS announced the release of AWS Verified Access, enabling customers to provide VPN-less, secure access to their corporate applications. Built using AWS Zero Trust principles, Verified Access aims to help customers reduce the risks associated with remote connectivity. It allows IT administrators and developers to define fine-grain access per application using real-time contextual signals, including identity and device posture, along with giving customers the ability to manage policies for each application in one place, AWS said.

Verified Access supports integration with AWS Web Application Firewall (WAF) to protect web applications from application-layer threats and the passing of signed identity context to application endpoints, according to AWS. AWS said use cases include:

• Securing distributed users by evaluating each request in real time against predefined security requirements to facilitate secure access to applications.
• Managing corporate application access with access policies using security signal input like user identity and device security status.
• Evaluating access requests and logging of request data, accelerating analysis of and response to security and connectivity incidents.

In April 2023, Netskope committed to 100% legacy VPN retirement with the release of ZTNA Next – a fully integrated service that aims to provides a clear path to complete replacement of remote access VPNs for all application access use cases. The vendor said it reduces the digital attack surface, enhances security posture with zero trust principles, and boosts remote worker productivity with seamless and optimized application access experience.

Netskope also released Netskope Endpoint SD-WAN, claiming an “industry-first” software-based SASE offering converging SD-WAN and Security Service Edge (SSE) capabilities. It claimed that organizations can use Netskope Endpoint SD-WAN to reduce cost and complexity of hybrid working, simplifying connectivity, eliminating the sprawl of multiple clients and point products, and preserving network performance at scale.

Key benefits of Endpoint SD-WAN include unified architecture and consistent context-aware policy, providing every remote user, device, and site with simple, secure, high-performance access to hybrid and multi-cloud environments, according to Netskope. It also features AI-driven operations, high-performance connectivity for critical voice, video, and data applications, and optimized user experience.

In April 2023, cybersecurity vendor Inside-Out Defense emerged from stealth with the launch of a new privilege access abuse detection and remediation platform. The SaaS, agentless platform supports all environments and applications, complementing existing identity and IAM, PAM, and custom identity solutions, the firm said.

Inside-Out Defense said the platform’s key features include:

• Privilege abuse remediation by detecting access abuse behaviors in real time and providing in-line remediation of malicious privilege access through a kill switch.
• A 360-degree profile of malicious access requests, their context, and intent, offering a real-time view of the organization’s access posture.
• Coverage across the organization’s environments includes infrastructure (cloud and on-premises), applications (SaaS, managed, unmanaged), APIs, and human/ non-human users.

In March 2023, cybersecurity vendor Palo Alto Networks announced new SD-WAN features in its Prisma SASE solution for IoT device security and to help customers meet industry-specific security compliance requirements. Prisma SD-WAN with integrated IoT security enables accurate detection and identification of branch IoT devices, Palo Alto Networks stated. It allows customers to enable security controls from within the familiar cloud management for Prisma SASE without the need for additional appliances and sensors to be deployed in the network in order to gain visibility into IoT devices and prevent threats.

Prisma SD-WAN provides extra visibility into intra-branch traffic, allowing Prisma Access to provide a rich and accurate IoT inventory, while ensuring IoT devices are egressing application traffic from the branch on encrypted SD-WAN fabric to Prisma Access where they are inspected to ensure zero-trust, Palo Alto Networks said.