Why VPNs Still Thrive Despite "Zero Trust": The Truth Behind Their Endurance

Corporate VPNs: Thriving Despite the Rise of "Zero Trust"

Had "Zero Trust" lived up to the promises made by industry experts, VPNs might have disappeared long ago. The reality is different: corporate VPNs are experiencing a remarkable boom. Despite continuous warnings, a growing number of vendor offerings, and LinkedIn posts asserting the inevitability of "Zero Trust," the corporate VPN market remains strong. Instead of fading, this market is expected to nearly double from $5.7 billion in 2024 to over $10 billion by 2033, according to Avery Pennarun, CEO and co-founder of Tailscale.

"Zero Trust" is a security model based on the principle of "never trust, always verify." Unlike traditional models that assume trust in users and devices within the network, "Zero Trust" requires strict verification of every attempt to access a resource, regardless of the user's or device's location. This model aims to enhance security through continuous identity verification, least-privilege access, and network segmentation to reduce potential risks [1].

The Comfort of Familiar Solutions: Why Do Companies Prefer VPNs?

History of VPNs: VPNs evolved as temporary solutions to inherent problems in the Internet's underlying protocols (TCP/IP). If IPv4 had been encrypted and access-controlled by default, with enough IP addresses to go around, or if IPv6 had been successfully rolled out, there would have been no need for VPNs in this form. Each generation of these tools was an attempt to fix deficiencies in the underlying network layers.

Why do companies prefer VPNs? Companies do not easily abandon tools they are accustomed to. VPNs offer a kind of reliability; they are "the devil we know." They have become an integral part of enterprise security packages, a constant in new employee onboarding checklists, and have been "good enough" for a long time, allowing most teams to coexist with them.

Continuity of Tool Usage: When a tool continues to be used long after it has surpassed its original design goals – as with the old WvDial program that remained popular despite the obsolescence of modems – it becomes necessary to ask why. The answer is often that the available alternatives were worse. This applies perfectly to the current situation of VPNs.

Digital Security Challenges: When Security Hinders Progress

The High Cost of Security: This familiar comfort comes at a high security cost, according to recent research. Statistics indicate that over 83% of engineers admit to bypassing their company's security controls to get work done. Even more alarmingly, 68% retain access to internal systems even after leaving employment, revealing serious security vulnerabilities in the cybersecurity lifecycle. Despite these clear risks, only 10% of professionals feel that their current VPN solutions "work well."

The Challenge of Transitioning to "Zero Trust": VPNs remain in use not because they are the optimal solution, but because a complete transition to "Zero Trust" presents a significant challenge. "Zero Trust" is not just a product that can be bought and installed, but a radical shift in security methodology and philosophy. Principles such as continuous verification, least privilege, and identity-driven networking may seem easy in theory, but implementing them on a sprawling, legacy IT infrastructure is immensely complex.

Correcting Misconceptions About VPN Security

The False Concept of VPN Security: A common misconception is that VPNs are inherently insecure, which is inaccurate. The problem lies in the traditional model of corporate VPNs, which grants users broad and unrestricted access once they enter the internal network, posing a significant security risk akin to giving everyone a master key to the entire building.

The Most Effective Approach, Microsegmentation: The more effective approach is to grant access gradually and specifically, based on user identity, current needs, and connection location. This concept is known as "Microsegmentation," a security strategy that divides the enterprise network into small, isolated segments, with precise security policies applied to each segment. This limits an attacker's lateral movement and reduces the potential scope of damage if a network segment is breached, providing granular access control [2]. It's not just about blocking connections, but about creating smaller, more controlled access tunnels, each with its own safety valve that precisely defines what can be accessed.

Key Pillars for Effective "Zero Trust" Implementation

Identity Management as the Core Pillar: The optimal security approach relies on making identity management the core. What matters most is not the user's location or the subnet they connect to, but their identity. This requires strong authentication, hardware-backed keys, and just-in-time, need-based access.

Challenges of Effective Identity Management: However, effective identity management is not an easy task. A recent survey showed that only 29% of organizations have widely adopted identity-based access control, while even fewer rely on automation. Many still depend on spreadsheets and service account credentials that may remain active long after the employees who set them up have left.

"VPN Fatigue" and Security's Impact on Workflow: As a result, security becomes a burden that hinders workflow. When security impedes productivity, users tend to bypass it. This explains the growing and palpable phenomenon of "VPN fatigue." The term "VPN fatigue" refers to the challenges and problems faced by users and companies due to the increasing complexity, slow performance, and operational difficulties associated with traditional VPN usage. This fatigue can lead users to bypass security protocols or seek alternative solutions that may be less secure, thereby weakening the organization's overall security posture [3].

A Glimmer of Hope in Security Transformation: But there is a glimmer of hope. The survey reveals that nearly half of companies have begun integrating disparate tools, embracing automation, and experimenting with adaptive security policies. More importantly, these companies have started to completely re-evaluate their security approach.

Effective Collaboration and AI Tools: Security and engineering teams are moving towards effective collaboration instead of conflict, to design security systems that work with users rather than being an obstacle to them. AI tools are also emerging, not to replace human personnel, but to assist them in detecting unusual changes, such as strange login patterns or unexpected access requests, that might be missed by the human eye.

Standardized Security Systems and Clear Policies: More companies are adopting standardized, policy-driven security systems. Instead of crafting dozens of individual firewall rules, security objectives are clearly defined: "This type of application is allowed to communicate with this type, under these conditions." This represents "Zero Trust" as an integrated infrastructure, not just a procedural checklist.

Practical Steps Towards Implementing "Zero Trust"

Zero Trust: A Methodology, Not a Product: It must be understood that "Zero Trust" is not a product to be installed, but a continuous strategic methodology and direction.

Initiating the Transition: Start by reducing implicit trust wherever it exists. Rely on strong, crypto-backed identity instead of IP addresses. Use short-lived credentials and always assume a worst-case scenario. Segment your network into defined zones to limit the blast radius in case of a breach.
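As an added illustration (not part of the original article), the sketch below combines the ideas above into one default-deny check: policy written as "this type of application may talk to this type, under these conditions," access keyed on identity rather than IP address, and short-lived credentials. It then compares the resulting blast radius with a flat VPN. All service names, groups, tags and rules are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed inventory: service name -> tag (the "type of application").
SERVICES = {"wiki": "internal-web", "ci": "build", "git": "source",
            "payroll-app": "finance-app", "payroll-db": "finance-db"}

@dataclass(frozen=True)
class Identity:
    user: str
    groups: frozenset
    cred_expiry: int        # Unix time at which the short-lived credential expires
    device_attested: bool   # hardware-backed key was verified at login

@dataclass(frozen=True)
class Rule:
    group: str              # who: an identity group, never a source IP
    dst_tag: str            # which type of service
    port: int
    need_attested: bool = False

# Hypothetical policy: any (group, tag, port) combination not listed is denied.
POLICY = [
    Rule("engineering", "source", 443),
    Rule("engineering", "build", 443),
    Rule("finance", "finance-app", 443, need_attested=True),
    Rule("everyone", "internal-web", 443),
]

def allowed(ident, service, port, now):
    """Default deny: permit only if a rule matches a live, verified identity."""
    if now >= ident.cred_expiry:
        return False        # expired credential: re-authenticate, no grace period
    tag = SERVICES.get(service)
    for r in POLICY:
        if r.group in ident.groups and r.dst_tag == tag and r.port == port:
            if r.need_attested and not ident.device_attested:
                continue    # rule matches, but its condition is not met
            return True
    return False

def blast_radius(ident, now, port=443):
    """Services reachable with this identity's session if it were stolen."""
    return sorted(s for s in SERVICES if allowed(ident, s, port, now))

def flat_vpn_radius():
    """Traditional corporate VPN model: once inside, everything is reachable."""
    return sorted(SERVICES)
```

Note that `payroll-db` appears in no rule at all, so no user identity can reach it directly; only a rule added for it could open that path.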

Gradual Transition: This transition should be gradual. No organization can remove all VPNs in one day. Start by choosing one high-value system and apply "Zero Trust" principles to it. Learn from the experience, then repeat the process.

The Future of VPNs: VPNs will remain part of the technical landscape for some time, not because they are the ideal solution, but because alternatives may be too complex or not mature enough. However, as with tools like WvDial that continued to be used long after their importance declined, familiarity does not necessarily mean efficiency. The real future lies in systems that can handle the complexities of real-world access and present them in a simplified manner.

The Ultimate Goal of Cybersecurity: The ultimate goal is to solve real technical problems, which requires an effective network infrastructure. For this reason, companies, even those valued at billions of dollars, continue to offer VPN solutions and strive to make them the best they can be. The hope is that one day we can move beyond the need to reinvent the "broken tunnel" itself, and transition to more advanced and permanently effective security solutions.
