Cybersecurity, Emerging Issues in Security

No, Enterprise VPNs Aren’t Dead—They Weren’t Then, and They Aren’t Now

Have you heard the news? VPNs are dead, apparently. It’s happened. One of the most iconic and widely-used tools is, according to some, fading from use. Just don’t tell my team at OpenVPN — based on our business, we certainly couldn’t tell.

Remote worker on laptop in cafe

fizkes /

VPNs aren’t dead; far from it. And yet, time and time again, their demise is heralded, usually thanks to some new technological development that users don’t realize is actually already a part of what a VPN offers. In 2016, claims that VPNs couldn’t provide secure remote access led many to believe we were seeing the “Death of the Enterprise VPN.” But the reality was and is that any good enterprise VPN does provide secure remote access. In fact, that’s a huge part of why our customers use Access Server (our enterprise VPN) in the first place.

The issue, of course, is fear — and when people are afraid, they tend to blame what they don’t understand. When any major data breach happens, of course it leads to questioning. How did this happen? How can it be prevented? It is absolutely essential to ask those questions — but in the face of fear, many people aren’t looking for real answers. They’re looking for someone or something to blame. The VPN! they cry. VPNs are dying! They’re flawed! It’s easy to use some technical jargon to paint a doom-and-gloom picture, laying blame on a tool that’s done much more good than they realize. And so VPNs are blamed.

Unfortunately, these people ignore the fact that the breach they’re referencing may have been caused by human error. Or that not all VPNs are created equal — and perhaps the one used during that breach was in fact flawed. But consider: if your car breaks down, do you curse all cars as useless and dying? Of course not. You might not trust that particular brand of car any longer — because not all cars are created equal. But one breakdown does not equate to the death of a machine that is all but ubiquitous in our culture, and who’s usefulness far outweighs potential risks.

The same is true for VPNs. This tool is ubiquitous, essential, and almost always offers the exact service it’s criticized for lacking. But a tool that has so many uses can be difficult to understand — which is why the same cycle of fear and blame has begun again, in the name of zero trust networks.

When considering how to best secure your business resources, one of the biggest ‘flaws’ often listed when regarding the VPN is the wide ‘attack surface.’ It’s this idea that VPNs somehow give full trust to all users to access all of the network, which leaves more room for attacks and malware.

That certainly would be a flaw — and a fatal one — if it were at all true.

The ‘zero trust network’ is touted by many in contrast to this idea. “Zero trust” is called ‘a more secure’ option than the VPN. A zero trust network limits access on a per-user basis, and every user in or outside the network must be verified to access any resources. This is a truly secure method indeed — one that is fully accessible with our VPN. In fact, we highly recommend it.

The right VPN solution, like our Access Server, should always include access control with the option of a zero trust network. Anyone who claims these two ideas are in opposition to each other simply doesn’t understand the full capabilities of a VPN. Claiming that your VPN doesn’t offer zero trust network access is like claiming your car isn’t safe because it doesn’t offer seatbelts. The seatbelts are there (in a good car, anyway) — you just have to actually use them if you want them to be effective. If you choose not to buckle up, you can hardly criticize the car for being unsafe.

The reality is, your private network needs to occasionally be accessible to third parties. Contractors, guests, remote employees, all at some point need some type of access. But those users very rarely need access to everything. Does your marketing team need access to your HR department? Does that temporary contractor need access to proprietary information? Probably not. Of your entire team, likely only a sparse few actually need access to all your resources — so limit your resources to those sparse few. That is the strategy behind zero trust networks, and that’s the strategy we recommend all our users apply when using our VPN, Access Server.

Claiming that VPN does not support access control, as some are claiming now, is inaccurate and ultimately misleading the market. Just because you don’t understand the full capabilities of a powerful enterprise VPN doesn’t mean that VPNs are dead; it just means you need to catch up on your reading.

alt link text Francis Dinha is the founder and CEO of OpenVPN, a provider of next-generation secure and scalable communication services. With over 60 million downloads since 2002, OpenVPN’s award-winning open source VPN protocol has established itself as the de facto standard in the networking space.

Before he founded OpenVPN, Francis was the CEO at Iraq Development and Investment Projects where he played a principal role in architecting a joint venture to win the mobile communication license in Iraq. He has served as an architect and broadband system engineer at Ericsson, where he worked both in the U.S. and Sweden. Francis was also the founder and CTO of PacketStream, a company whose patented technology enabled dynamic Quality of Service provisioning of IP networks. Francis has a Master of Science in computer engineering from the University of Linkoping in Sweden.

You can find Francis Dinha on LinkedIn and Twitter.