Navigating the VPN landscape in 2024

VPN still relevant?

As we embark on 2024, the digital revolutions within businesses, led by Cloud, XaaS solutions and now AI, are accelerating. Add in a new trend which emerged in 2020, the hybrid workforce, and IT leaders have their hands full. Underpinning much of this change is a foundational technology which was born in the mid-1990s: remote access VPN.

Originally designed to provide employees and IT support staff access to the private data center, this same technology now connects the workforce to private and public applications—and supports critical third-party resources. Why is this and what is the current state of remote access VPNs? HPE Aruba Networking sponsored a survey with Cybersecurity Insiders to understand the current landscape, how it is being utilized in 2024, and where the future of this critical technology is heading. The full VPN Risk report can be accessed here, providing some interesting results from 593 cybersecurity experts and IT professionals.

Let’s start with usage. Currently 96% of organizations are still leveraging VPN. While a strong majority, 80%, use secure remote access for both private and public applications, 33% also use VPN for connecting critical third-party resources. Unsurprisingly, 92% use this technology once a week, with 58% of end users saying they depend on VPN for daily activities. With all this activity, you would think the solution would be easy to use, but the opposite is the case. 65% of respondents reported their companies host up to 3 VPN gateways, with 39% hosting 4 or more. This impacts both the employee who must select the right gateway and the IT admin who must manage, patch, and troubleshoot increasing complex system designs. This is likely one of the reasons 81% of users reported dissatisfaction with the solution. Top complaints included slow connection speeds, drops, constant authentications issues and worse, inconsistent user experience across different devices.

How about security? 92% of respondents expressed apprehension regarding VPN security. 24% had a high level of concern with 68% at a moderate level and only 8% were not concerned at all. This aligns with other studies on remote access VPNs that found a 270% increase in social engineering attacks in 2021, a 1500% increase in attacks against remote access VPNs, and 71% concerned the technology will compromise their businesses. Top vulnerabilities include phishing at 43%, malware at 42%, and, ransomware at 47%. Additionally, there is lateral movement, the ability of the attacker to move around the business network in search of critical data and corporate secrets. 43% of respondents stated they lacked confidence in the efficacy of VPN to assist in segmenting the network from cyber actors roaming their network.

With extreme dissatisfaction for the employee experience, increasing security threats and a low bar of security, what does the future hold? Here, there are several bright spots. First, businesses are seeking new solutions to solve this 30-year-old problem. 56% of respondents are in the process of seeking or have already implemented alternative solutions, that are increasingly based upon Zero Trust. These technologies place identity first and then run the request for an application or data through a series of adaptive risk-based tests including: who is asking for the resource, what is the state of the device, what is the location, what time of day, how critical is the data to the organization? Built on business policy, these new solutions also account for the employee experience. In fact, they can measure and report back the state of the connection and even take action to include “smart routing” technologies to resolve issues before they become a problem. Complexity can also be reduced as these platforms are software solutions delivered from the Cloud is a SaaS-like manner. Based on the report, 59% of organizations responding are prioritizing what are called Zero Trust Network Access (ZTNA) alternatives to traditional VPN in the next 24 months. Said another way, the migration to ZTNA is on and picking up speed.

While ZTNA is critical technology and a cornerstone of implementing an overall Zero Trust strategy, 83% reported they are taking it a step further and considering a Secure Service Edge (SSE) solution. SSE builds off an ZTNA foundation by protecting the company from Internet threats with Secure Web Gateway (SWG), securing SaaS solutions with Cloud Access Security Broker (CASB), locking down data with Data Loss Prevention (DLP) and understanding the employee experience with Digital Experience Monitoring (DEM). With SSE, what were previously point solutions are bundled together in as a unified platform to reduce the management burden, uplevel security, and provide IT and the business with a solid return on investment (ROI). For more details about the risks of VPN and choosing a secure alternative, read the full 2024 VPN Risk Report.