Whether assessing how well an existing deployment works or considering one as part of a remote work strategy, many organizations have undoubtedly evaluated SSL VPNs and their efficacy in securing the applications, data, and services of remote workers.
But while VPNs might have more recognition, having been around for decades, there are technologies now that better fit the VPN use case of securely connecting remote workers to their corporate environments. Below we’ll look at the drawbacks of SSL VPNs that enterprises must be aware of and more modern technologies that are equipping enterprises with the security, connectivity, and improved end-user experience that VPNs are lacking.
SSL VPNs and Why They Are Used
Virtual Private Networks (VPNs) provide users with secure remote connectivity. They are a mature, well-established technology that effectively allows a remote user to plug their laptop into the corporate network. SSL VPNs are software clients connecting end users to corporate networks. Connections are encrypted end-to-end so anyone “eavesdropping” on the network can’t read the traffic. That being said, SSL VPNs are increasingly being exploited by cybercriminals and nation states. This prompted CISA and the NSA to issue a detailed guide to help organizations and users understand the risks VPNs pose and how to select and configure a secure VPN.
However, I’d be remiss not to detail where these types of VPNs are used safely and effectively. An effective use case, for example, is when companies issue company-managed devices to their employees. Fully managed and secured devices can enable users to connect from various locations via an SSL VPN without sacrificing much in terms of cybersecurity and protection. Of course, there are a lot of components that go into making a device managed and secured. These include enforcing password policies and multi-factor authentication (MFA) on both laptop and VPN connections, equipping employee devices with anti-virus / anti-malware, current patches, etc.
The bottom line is that SSL VPNs are a satisfactory solution if the environment matches them, meaning the client device connecting to the company network must be trusted as if it were physically present. They don’t work when WFH/WFA users install the company VPN client on a personal machine that has keyloggers or other nastiness compromising the environment’s security.
Drawbacks of SSL VPNs
SSL VPN connectivity is typically a function of a corporate firewall or router, with VPN functionality being a non-scalable component of the core network. In many cases, these devices are designed to support up to a certain number of users or a bandwidth threshold. If that’s exceeded, then performance suffers dramatically, or users simply will not be able to connect. Upgrading VPN capabilities, or scaling them up and down based on remote user need, often requires changes to the core network infrastructure, so the pandemic and work-from-home policies have made managing and maintaining a robust and flexible VPN solution at scale very challenging.
Furthermore, SSL VPN functionality is generally seen as a low-performance way to give users access to their data and applications. With these VPNs, users connect to the internet from unmanaged locations (e.g., a home network) and “pull” data across to their local PC. Remote desktop solutions, by contrast, allow users to access data over higher-bandwidth and lower-latency connections because the desktop runs adjacent to the data source, and they send only streamed images to the user’s home connection.
Finally, being a mature technology solution also means that in many cases SSL VPNs were not architected with modern security and availability considerations in mind. For instance, some solutions may not have multi-factor authentication enabled or may not have redundancy built in. Many organizations have traditionally used SSL VPNs for a small minority of users working remotely as opposed to within the confines of a corporate office. Because of this, a VPN failure could be tolerated because the majority of a company’s users used the corporate network to connect to corporate data and apps. In today’s WFH world, SSL VPNs simply don’t stack up to modern alternatives.
Emerging Technologies Better Fit the SSL VPN Use Case
A number of technologies like SD-WAN, SASE and SDP have emerged to address the same issues VPNs traditionally have addressed by offering secure, encrypted remote access. It’s worth noting that some of these still suffer similar drawbacks, such as reduced performance from accessing data at a distance and being susceptible to compromised end-user devices. Many organizations have also replaced SSL VPN technologies with zero-trust methods and tools along with modern identity and access management (IAM) solutions.
That being said, organizations have also increasingly turned to virtual desktop infrastructure (VDI) and Desktop-as-a-Service (DaaS) solutions as they seek out not only more modern ways to securely enable remote work but also evaluate corporate device policies and hardware investments. These solutions, like Microsoft’s Azure Virtual Desktop and Windows 365 offerings, keep all data and work within the secured environment. As a result, there is no worry whether a user is logging in from a company laptop, home computer, or public machine: having users work inside VDI removes the need for any data to travel outside the company network. So, the potential attack surface is much smaller while the scalability and opportunity for BYOD initiatives increase.
Additionally, today’s VDI solutions are very flexible, allowing users the option to securely access their resources without needing extra software. Users can quickly connect through web browsers and without any installs, making remote work fast, flexible, and safe. And for simple cases like accessing internal apps or web resources, organizations won’t find it necessary to provide users a full desktop and can be selective, giving users only the resources they need and abiding by zero-trust principles.
The bottom line is that SSL VPNs are often a slower, less reliable, non-scalable, and less secure way to enable work from home. This is why VDI and DaaS solutions are better, more modern, and flexible alternatives.