Are Corporate VPNs Really on the Way Out?
Let’s start with a blast from the past. It’s the early 2000’s and I’m on the floor of my childhood bedroom with my older brother battling and trading Pokémon on our GameBoys (he’s three years older and unashamedly swindling me) using our trusted no-internet-connection-needed Game Link Cable.
As a Nintendo household, little did we know that there was a new gaming technology waiting in the wings: Xbox Live. The online gaming service debuted to the public in November 2002, allowing players with broadband internet to connect to players around the world.
A similar shift is taking place in the world of corporate data security.
Think of the Game Link Cable as corporate VPNs and think of newer security models such as Zero Trust Network Access (ZTNA) as Xbox Live. The older technology still works, but the industry has shifted to remote connections that don’t require you to be in the same room as your brother. (Okay, so it’s not a perfect 1:1 comparison.)
So what does that mean for the future of corporate VPNs?
When setting out to write this piece, we didn’t have a particular angle we wanted to pursue. It came out of pure curiosity–are VPNs still relevant in business environments or have they been replaced by Zero Trust technologies? The answer depends on who you ask. So we talked to people who still swear by VPNs, those who use them out of habit or necessity, and those who have never had to bother with one at all. Together, they gave us a sense of whether this technology still has a role to play.
The Rise of VPNs
The breakthrough innovation that enabled VPNs happened in 1996. As TechRadar writes: “…a Microsoft engineer by the name of Gurdeep Singh-Pall developed the Peer-to-Peer Tunneling Protocol (PPTP). The goal was to use IP addresses to switch network packets and offer employees a secure and private means of connecting to their organization’s intranet.” This was before the widespread implementation of HTTPS, when unencrypted data intercepted via Wi-Fi was a huge security risk.
Kolide CEO Jason Meller remembers that time.
“If you were on a public Wi-Fi or something like that, all of your traffic was just in the clear. Anybody who was on that same network could see exactly what you were doing and what pages you were looking at.”
“Companies were really scared about that. They were like, ‘Oh crap, people are going to be able to see the emails people are sending, or they’ll be able to figure out stuff if they’re listening to the network. We need to make sure all the traffic is encrypted.’ That’s what a VPN allowed for.”
VPNs allowed workers to break free from the physical office building while still maintaining a connection to its servers and the corporate network. For a decade, they were as ubiquitous as trucker hats and frosted tips. But innovation stands still for no one.
The VPN Castle Comes Under Siege
By the 2010’s, the circumstances that created VPNs began to change. “The first thing that happened was mass proliferation of SaaS apps, and then the second thing was HTTPS got adopted everywhere,” says Meller. “Once those two things became true, the argument for VPN really came into question. It was just like, ‘Okay, what is this really doing for us?’”
On top of that, VPNs were incompatible with a new technology on the rise. “The executives all wanted iPhones,” explains Meller. “They wanted to get their email on their iPhones, and they weren’t willing to go do this whole VPN dance. Not only were they not willing, iPhones weren’t capable of even connecting to a VPN back then. So they started punching holes into them.”
These developments exposed a core problem with VPNs: if one is compromised, the whole network is at risk. VPNs are part of a security paradigm commonly described as “castle-and-moat.” It’s a model built around the idea of a private company network, protected from the internet at large by firewalls, IDS tools, and VPNs. Cloudflare describes the security model like this:
“Imagine an organization’s network as a castle and the network perimeter as a moat. Once the drawbridge is lowered and someone crosses it, they have free rein inside the castle grounds.”
Forward-thinking security practitioners wanted multiple choke points to stop threats, not a single entry/exit. And the explosion of cloud apps enabled that–each had its own authentication process to control access, and even if one employee’s credentials were compromised on a single app, the others weren’t at risk. (That was the theory, anyway. In reality, poor password hygiene created its own security problems, and led to the rise of SSO.) Companies, specifically startups, faced a fork in the road: adopt an existing and tested security technology or lean into a burgeoning one that was still being figured out. But they didn’t all choose the same path.
Enter Zero Trust
2009, the year FarmVille captivated the world, was also the year Forrester analyst John Kindervag coined the term Zero Trust. While the term stuck, the definition has since become somewhat muddled. For that reason, we’ll proceed with one working definition.
Okta, an identity and access management platform, describes Zero Trust as:
“…a security framework based on the belief that every user, device, and IP address accessing a resource is a threat until proven otherwise. Under the concept of ‘never trust, always verify,’ it requires that security teams implement strict access controls and verify anything that tries to connect to an enterprise’s network.”
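To make the contrast between castle-and-moat and “never trust, always verify” concrete, here is an added example (not code from Kolide, Cloudflare or Okta) that compares what one stolen VPN login can reach under each model. It is a deliberately simplified model; the users, resources and posture flag are hypothetical, constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample data: each resource and the users entitled to it (hypothetical names).
ENTITLEMENTS = {
    "payroll-db": {"alice"},
    "source-repo": {"alice", "bob"},
    "wiki": {"alice", "bob", "carol"},
    "build-server": {"bob"},
}

@dataclass(frozen=True)
class Request:
    user: str
    authenticated: bool      # identity proven for this request (e.g. SSO + MFA)
    device_compliant: bool   # device passed posture checks (assumed signal)
    on_vpn: bool             # network location: inside the "moat" or not
    resource: str

def castle_and_moat_allows(req: Request) -> bool:
    """Perimeter model: crossing the drawbridge (the VPN) is the only check."""
    return req.on_vpn

def zero_trust_allows(req: Request) -> bool:
    """Every request is checked on identity, device posture and per-resource
    entitlement; network location earns no trust."""
    return (
        req.authenticated
        and req.device_compliant
        and req.user in ENTITLEMENTS.get(req.resource, set())
    )

def blast_radius(policy, user, authenticated, device_compliant, on_vpn):
    """Resources one session can reach under the given policy."""
    return sorted(
        r for r in ENTITLEMENTS
        if policy(Request(user, authenticated, device_compliant, on_vpn, r))
    )

if __name__ == "__main__":
    # Scenario: carol's VPN login is used from an unmanaged, non-compliant device.
    session = dict(user="carol", authenticated=True, device_compliant=False, on_vpn=True)
    print("castle-and-moat:", blast_radius(castle_and_moat_allows, **session))
    print("zero trust:     ", blast_radius(zero_trust_allows, **session))
    # Even from a compliant device, the session reaches only carol's entitlements.
    session["device_compliant"] = True
    print("zero trust, compliant device:", blast_radius(zero_trust_allows, **session))
```
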
In 2014, Google unveiled the BeyondCorp initiative, and their embrace of Zero Trust gave it an immediate credibility boost.
But not everyone was eager to embrace this shift, recalls Meller. “Really smart security people couldn’t quite wrap their head around it. You get stuck in your ways and you’re like, ‘No, VPN is how we’ve been doing it since the 90s, this is how we’re going to continue doing it.’” Though, that mentality wouldn’t play for much longer. “The threat landscape has really changed. You have to deal with insider threats or people who can get access to these VPNs and then they can wreak havoc,” says Meller.
Increasingly, startups started to circumvent VPNs altogether. The model shifted away from on-premises servers, closed networks, and office buildings, and toward SaaS applications, cloud hosted infrastructure, and remote work. “The reason we don’t use/have need for a VPN, is due to the fact we don’t have any self-hosted tools, software or servers and have a very IT literate team,” says Josh Barber, a Digital Specialist at 5874 Commerce.
Despite that, corporate VPNs (and VPNs more generally) still have their defenders.
The Companies Using VPNs Today
To get a temperature check on today’s usage of VPNs, we went to the Mac Admins forum for insights.
A VP of Technology at a small analytics company that uses a majority of SaaS applications still has a VPN in place. They boil their VPN usage down to “why not?” “VPN was easy to implement, and easy to maintain. And it provides an additional layer of protection when using untrusted WiFi’s.”
VPNs are also still the more familiar technology, and that can be useful for third-party compliance. As one IT manager said, “It’s easier to explain to auditors that your production environment is behind a VPN than it is to walk them through your zero trust platform.”
Some companies only keep VPN around because their customers demand it, as when a fixed IP is needed for a client’s server that has an IP whitelisted.
And of course, keeping on-prem servers–and VPNs to guard them–is still the most cost-effective option for some companies. That’s particularly true for legacy enterprises, although some younger and smaller companies also go that route. “We deal with large amounts of media that would be prohibitively expensive to have 100% cloud (print and digital publishing),” explains the IT Director of a medium-sized media company. “Hence the need for on premise storage and VPN to access that when not at one of our locations.”
Consumer VPNs come into focus
In Security.org’s 2022 VPN Consumer Market Report, only 22% of respondents used VPNs for business. Of these, only 31% used VPNs to access corporate networks. (That marks a stark 10% decline from the year prior.)
While it’s forecasted that the global market for VPNs will reach an estimated $77.1 billion by 2026, the future of VPNs may belong to individuals using them to watch geo-restricted media or to avoid governmental restrictions and surveillance. With 26% of respondents using VPNs for personal use, the changing of the guard is happening rapidly.
The Cloud Looms Over the Castle
Sid Nag, Vice President Analyst at Gartner, believes that cloud-hosted infrastructure is the future: “…IaaS will naturally continue to grow as businesses accelerate IT modernization initiatives to minimize risk and optimize costs.”
Taking those elements into consideration–modernization, cost, security–the path to Zero Trust becoming the default corporate security model seems inevitable.
Most of the people we spoke to, whose companies utilize VPNs, are realistic about the future. “I’d love to migrate to a full ZTNA/SSE architecture eventually, but right now it’s too much work for not a lot of added benefit considering our needs and size,” says the VP of Technology we quoted earlier.
VPNs could maintain relevance by transitioning into cloud VPNs, which are compatible with on-prem, cloud, and hybrid networks. Using them, even a company that mostly relies on SaaS apps could still maintain a closed network. But even so, corporate VPNs may never be on security’s starting lineup again.
Kolide is an example of a company that has never had a use for VPN, and increasingly is part of the Zero Trust ecosystem. Since our inception, we’ve watched as some of our customers have transitioned away from their VPNs, while others have held on–the choice is mostly a matter of a company’s specific circumstances.
We’re not sure how long corporations will be able to hold off the transition to cloud-native methodologies like Zero Trust, or if VPNs can be a part of that change.
Security methodologies, like Pokémon, can evolve in unexpected ways. But if they fail to maintain their usefulness, you’ll need to trade them for one that does.
Disclaimer I: Quotes from participants have been modified for clarity and brevity with their permission and acknowledgement.
Disclaimer II: The author of this blog has frosted tips.