In the wake of the global COVID-19 pandemic, a majority of organizations have swiftly transitioned vast portions of their workforces to remote work. With that, security and networking leaders have been faced with a dual challenge: rapidly scaling work-from-home resources to match the surge in demand, while securing remote access to protect the enterprise from threats targeting remote workers. Indeed, the top remote cybersecurity concerns of enterprises revolve around their ability to manage new devices using remote work resources, as well as the fact that employees often use unmanaged devices and lack adequate protections for their personal devices and networks.
What’s become clear is that the traditional means of securing remote access, the VPN, has quickly become insufficient: VPNs not only put significant strain on IT resources as enterprises scale remote connectivity, they also leave enterprises with glaring and exploitable security and networking gaps. The dangers of those gaps are tangible: recently, for instance, a hacker published credentials harvested from more than 900 enterprise VPN servers by exploiting a vulnerability that had been disclosed more than a year earlier and left unpatched on those servers. CISA and the UK’s NCSC have also issued a joint report detailing the specific threat of malicious actors exploiting known vulnerabilities in VPN products.
As a result, many enterprises are rethinking their approach to securing remote access. With a long-term shift to distributed workforces under way, security and infrastructure teams will need permanent solutions to the remote access challenge.
10 features of a next-gen VPN replacement
What does a best-in-class VPN replacement look like? For enterprise security and networking teams, who are bombarded with information today, it can be hard to know where to start. In general, the industry is moving toward models that enable remote connectivity to rapidly scale, while securing the enterprise by assuming that no remote user or device should be trusted, by default. To help enterprise teams narrow their search, we’ve compiled a list of 10 features that any next-gen VPN replacement should contain:
- Adaptive access protection
Unlike legacy VPN approaches, where users can reach enterprise assets on the network once the VPN tunnel terminates, a next-generation solution should remove assets from direct visibility, both from inside the enterprise and from the Internet. To achieve this goal, the solution must offer a number of critical, interrelated features. The first is precision-enabled access: the solution grants access only to specific applications (not to the underlying network), and only to users who are explicitly allowed and whose identity has been verified. Second, access must be location-independent: access policies must be based on the identity of users, devices, and applications, not on a user’s or device’s IP address, which is neither proof of identity nor a stable attribute. Access policies must also be adaptive, factoring in context such as location, device health, time of day, and the sensitivity of the data and application being requested. Finally, to protect data in transit, the solution must provide end-to-end encryption of all network communications.
- Strong Authentication and ZTNA
To verify identity, next-generation VPN replacements must use rigorous authentication methods such as multi-factor authentication (MFA), delivered through the enterprise identity provider and single sign-on (SSO).
They must also enforce strong authorization. Traditional VPN networks are not segmented, which allows malicious actors to move laterally across the network once they are connected. To solve this problem, solutions must offer fine-grained segmentation, or micro-segmentation, which is best achieved through Zero Trust Network Access (ZTNA). ZTNA allows enterprises to adopt a “default deny” security posture, in which nothing can communicate with anything else unless a policy explicitly permits it. Users, devices, and apps are isolated until they are verified as trusted; likewise, application workloads cannot communicate with anything else until they are trusted. In practice, ZTNA lets organizations micro-segment their environment by grouping users, workloads, systems, applications, and devices into logical groups and writing access policies against those groups. Traffic across the micro-segmented network is encrypted, protecting data in transit and mitigating man-in-the-middle (MITM) attacks.
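The two points above (application-level, identity-based access with contextual conditions, and a default-deny posture in which an access request is refused unless a policy explicitly permits it) are easiest to see as a policy evaluation step. The following Python is an added example written for this page, not code from the original article or from any vendor’s product: the request fields, the two sample rules, the `Request`/`Rule` names and the audit-record shape are assumptions for illustration. Note that the source IP is carried only into the audit record and never consulted for the decision, and that every rule is scoped to an application rather than a network range.

```python
"""Default-deny, identity- and context-based access policy evaluation.

Added example for illustration; not the page's or any product's code.
Field names, the POLICY rules and the sample requests are assumptions.
"""
from dataclasses import dataclass, replace
from typing import List, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset        # group membership asserted by the identity provider
    app: str                 # target application, never a network or CIDR
    device_managed: bool     # posture signals from the device agent
    device_patched: bool
    mfa: bool                # identity proven with a second factor
    country: str             # contextual signal, not a proof of identity
    hour: int                # local hour of day, 0-23
    src_ip: str              # logged for audit only; never used in the decision


@dataclass(frozen=True)
class Rule:
    app: str
    allowed_groups: frozenset
    sensitivity: str = "low"                    # "low" or "high"
    allowed_countries: frozenset = frozenset()  # empty means any country
    hours: Tuple[int, int] = (0, 24)            # allowed local hours [start, end)


# Assumed policy: two applications, one of them sensitive. Any app not
# listed here has no rule and is therefore denied by default.
POLICY: List[Rule] = [
    Rule(app="wiki", allowed_groups=frozenset({"staff"})),
    Rule(app="payroll", allowed_groups=frozenset({"finance"}),
         sensitivity="high", allowed_countries=frozenset({"US", "GB"}),
         hours=(7, 20)),
]


def evaluate(req: Request, policy: List[Rule] = POLICY) -> Tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly allowed is denied."""
    rule = next((r for r in policy if r.app == req.app), None)
    if rule is None:
        return False, "no policy for app"           # default deny
    if not req.mfa:
        return False, "mfa required"
    if not (req.groups & rule.allowed_groups):
        return False, "user not in allowed group"
    if not req.device_managed:
        return False, "unmanaged device"
    if rule.allowed_countries and req.country not in rule.allowed_countries:
        return False, "country not allowed"
    start, end = rule.hours
    if not (start <= req.hour < end):
        return False, "outside allowed hours"
    if rule.sensitivity == "high" and not req.device_patched:
        return False, "high-sensitivity app requires patched device"
    return True, "allowed"


def decide(req: Request, policy: List[Rule] = POLICY) -> dict:
    """Evaluate a request and emit one structured audit record per decision."""
    allowed, reason = evaluate(req, policy)
    return {"user": req.user, "app": req.app, "src_ip": req.src_ip,
            "allowed": allowed, "reason": reason}


# Constructed sample requests: a compliant request and variants that each
# fail exactly one check. The IP is the same throughout and changes nothing.
BASE = Request(user="alice", groups=frozenset({"finance"}), app="payroll",
               device_managed=True, device_patched=True, mfa=True,
               country="US", hour=10, src_ip="203.0.113.5")
SAMPLE_REQUESTS = [
    BASE,
    replace(BASE, mfa=False),
    replace(BASE, device_managed=False),
    replace(BASE, country="BR"),
    replace(BASE, hour=22),
    replace(BASE, app="hr-db"),                  # no rule exists for this app
]


def demo() -> List[dict]:
    """Run the sample requests through the policy and return the audit records."""
    return [decide(r) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

Only the first sample request is allowed; each variant is denied with a distinct reason, and the unknown application is denied without any rule having to mention it.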
- Threat prevention
Any next-generation VPN replacement must support a full suite of security features. These should include, at a minimum:
- Adaptive access protection and attack prevention
- User and entity behavior analytics (UEBA), which enables the enterprise to identify anomalous or suspicious activity
- Protections like cloud firewalls and URL filtering
- Sensitive data discovery and protection
- Malware sandbox
- Risk scores by asset or PIN, which allows the most critical enterprise assets to be protected by policy
- Inline inspection of traffic at the point where the session is already terminated, rather than a separate decrypt/re-encrypt hop, which enables teams to screen and secure traffic while preserving performance
- Integrations with security tools such as DLP software, vulnerability scanners, threat feeds, SIEM tools, and SOAR platforms.
- Data protection
A next-generation solution must provide comprehensive protection for enterprise data. That starts with true end-to-end encryption of all data traffic, and it has two parts: optimized encryption and high-performance encryption. Optimized encryption addresses the fact that traditional VPN solutions backhaul encrypted traffic through the data center even when a remote user is accessing a SaaS or cloud application, a suboptimal architecture that adds latency and degrades performance; a next-generation solution should instead provide direct, secure connectivity to cloud applications. High-performance encryption addresses the fact that many modern remote access solutions encrypt traffic directly to the cloud but then decrypt and re-encrypt it on arrival, exposing plaintext at an intermediate hop, which raises compliance questions and costs performance and user experience. The next-gen solution therefore needs high-performance encryption that scales easily and avoids that decrypt/re-encrypt cycle.
But that only scratches the surface of data protection. The next-gen solution should also support features like sensitive data identification, data loss prevention (DLP), and the ability to correlate data to offer the highest levels of protection. In other words, the solution should be able to provide enhanced protections for critical enterprise data, while actively preventing data breaches or exfiltration attempts.
- Built on the cloud, for the cloud
Traditional VPN was built for traditional enterprise infrastructure, and for networking constructs designed decades ago. Yet many modern cloud-based solutions have simply replicated legacy data center designs for the middle mile.
A truly next-generation remote access solution must be built on the cloud, for cloud applications. This means it must support a number of cloud-based features: it must be multi-tenant; it must protect against billions of threats per day and accommodate trillions of requests for data during peak periods; it must provide comprehensive security, at low latency; and the solution must scale instantly, where customers can add users and activate any number of services at a moment’s notice.
- Rapid onboarding & seamless user experience
Enterprises must be able to seamlessly onboard new users and rapidly scale any remote access solution. This means that the solution must both have global access — accessible for users in any region with high performance — and applications, themselves, must be able to be located anywhere. In other words, the user must be able to quickly connect to the nearest resource, from any location, without sacrificing performance. Moreover, the solution must be able to rapidly scale to accommodate any number of users and remote connections.
Similarly, a next-gen solution must provide a flexible, seamless experience for users. As such, the solution must support clientless or client-based access, regardless of network location — thereby providing a consistent user experience for accessing any application.
- Global access
Any remote access solution must provide global access, either through a cloud-delivered global backbone or through intelligent hardware, software, or container-based edges, enabling “anywhere access” from any device or location on the planet. This includes low latency across the middle mile, which ensures high-performance connectivity between global locations.
- Full visibility and seamless auditing of SaaS, IaaS, PaaS and other traffic
Any solution should provide complete visibility into every remote user and device, so that security teams can be confident the right users are accessing the right resources. Visibility must extend to full traffic visibility and security for SaaS, IaaS, and PaaS traffic. Moreover, the solution should provide centralized, cloud-based logging of every access decision for seamless auditing and reporting.
- Continuous Identity Verification and Continuous Risk Monitoring
Next-gen remote access solutions must perform continuous authentication and authorization, verifying users and devices at the packet level rather than once at session setup. Security isn’t left to chance.
In addition, this requires continuous monitoring of every access decision to catch suspicious or unwanted activity as it happens. The solution should also provide optional inspection of the traffic stream to identify excessive risk in the form of sensitive data mishandling and malware, and optional monitoring of individual sessions for indications of unusual activity, duration, or bandwidth consumption. Ideally, it should also leverage AI tools to make automatic policy recommendations, ensuring policies are never “set and forget.”
With remote users accessing enterprise assets hosted across numerous on-premises, public cloud, and private cloud locations, from any number of devices, cloud services, and applications, a solution must accommodate them all. This means the solution must be client-agnostic, with support for Windows, macOS, Android, and iOS; resource-agnostic, meaning applications can live anywhere, from private and public clouds to the data center; and location-agnostic, meaning users can access resources regardless of where the device or the enterprise resource is located.
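The UEBA item in the threat-prevention list and the session monitoring described above both come down to comparing each session against what is normal for that user. The following Python is an added example written for this page, not code from the original article or any vendor’s product: the JSON log format, the field names, the constructed session history for a single user, and the MAD-based threshold (k = 5) are all assumptions. It builds a per-user baseline of session duration and bytes transferred using median and median absolute deviation (robust to the occasional outlier), records the countries, applications and hours the user is normally seen with, and then flags new sessions that deviate on any of those dimensions.

```python
"""Session-level anomaly scoring over remote-access logs (UEBA-style).

Added example for illustration; not the page's or any product's code.
Log format, field names, the constructed history and thresholds are assumptions.
"""
import json
import statistics
from collections import defaultdict
from typing import Dict, List


def record(**fields) -> str:
    """Serialize one completed session as a JSON log line (assumed format)."""
    return json.dumps(fields)


# Constructed sample history: six routine sessions for one user.
HISTORY: List[str] = [
    record(user="bob", app="crm", country="US", hour=h, duration_s=d, bytes=b)
    for h, d, b in [(9, 1800, 4_000_000), (10, 2400, 5_500_000),
                    (14, 1500, 3_900_000), (11, 2100, 4_800_000),
                    (15, 1700, 4_200_000), (9, 2000, 5_000_000)]
]


def _robust_stats(values: List[float]):
    """Median and median absolute deviation; MAD floors at 1 to avoid a zero scale."""
    med = statistics.median(values)
    mad = statistics.median(abs(x - med) for x in values) or 1.0
    return med, mad


def build_baseline(lines: List[str]) -> Dict[str, dict]:
    """Per-user baseline: robust stats for duration and bytes, plus seen countries, apps and hours."""
    per_user = defaultdict(lambda: {"duration_s": [], "bytes": [],
                                    "countries": set(), "apps": set(), "hours": []})
    for line in lines:
        rec = json.loads(line)
        u = per_user[rec["user"]]
        u["duration_s"].append(rec["duration_s"])
        u["bytes"].append(rec["bytes"])
        u["countries"].add(rec["country"])
        u["apps"].add(rec["app"])
        u["hours"].append(rec["hour"])
    baseline = {}
    for user, v in per_user.items():
        baseline[user] = {
            "countries": v["countries"],
            "apps": v["apps"],
            "hours": (min(v["hours"]), max(v["hours"])),
            "duration_s": _robust_stats(v["duration_s"]),
            "bytes": _robust_stats(v["bytes"]),
        }
    return baseline


def score_session(line: str, baseline: Dict[str, dict], k: float = 5.0) -> List[str]:
    """Return a list of findings for one session; an empty list means nothing unusual."""
    rec = json.loads(line)
    findings = []
    b = baseline.get(rec["user"])
    if b is None:
        return ["first session for user"]       # no baseline yet: surface for review
    for field in ("duration_s", "bytes"):
        med, mad = b[field]
        if rec[field] > med + k * mad:
            findings.append(f"{field} {rec[field]} exceeds baseline "
                            f"({med:.0f} + {k:g}*{mad:.0f})")
    if rec["country"] not in b["countries"]:
        findings.append(f"new country {rec['country']}")
    if rec["app"] not in b["apps"]:
        findings.append(f"new app {rec['app']}")
    lo, hi = b["hours"]
    if not (lo - 2 <= rec["hour"] <= hi + 2):   # two-hour slack around the usual window
        findings.append(f"hour {rec['hour']} outside usual window {lo}-{hi}")
    return findings


if __name__ == "__main__":
    bl = build_baseline(HISTORY)
    # Constructed new sessions: one routine, one that should stand out.
    for line in (record(user="bob", app="crm", country="US", hour=10,
                        duration_s=2000, bytes=4_600_000),
                 record(user="bob", app="crm", country="RO", hour=3,
                        duration_s=1900, bytes=60_000_000)):
        print(json.loads(line)["country"], score_session(line, bl))
```

For the constructed history the duration baseline is median 1900 s with MAD 200 s, and the bytes baseline is median 4.5 MB with MAD 0.5 MB, so the second sample session is flagged for its transfer size, its new country, and its 03:00 start while its duration, which is within the norm, passes. In a real deployment the baseline would be built from the centralized access logs the previous section calls for and recomputed on a rolling window.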
For a deep dive into how enterprises can secure their remote workers, view our remote access Use Case.