Originally published June 17, 2021
If you work in the cybersecurity field, or if you’ve ever worked from home, you’re probably familiar with the virtual private network, or as we all know it, the VPN. A VPN provides an encrypted remote-access connection between a user and a private corporate network.
In other words, it gives you access to the files (or anything else) that live on a server inside the company network, but from the comfort of your home (or an airport, coffee shop, or anywhere in between).
What you might not be as familiar with are VPN alternatives for business: solutions that offer the same remote-access functionality as a VPN but with stronger, more granular security controls, and the reasons your organization might need to consider them.
Now, don’t get us wrong: VPNs are good at what they were built for, but the technology comes with several risks and hasn’t evolved with the changing nature of business. Once a user authenticates, a classic VPN typically grants broad access to the network, and it lacks much of the functionality of modern security practice that proactively prevents data breaches. Two recent events, the pandemic and the Colonial Pipeline cyberattack, make this visible.
When the COVID-19 pandemic hit the United States in March 2020, the entire nature of the workforce changed, but nothing about VPN connections did. Workplaces transitioned to work-from-home environments while the framework of VPNs stayed the same, even though new partnerships and technologies changed the access needs of users. This left network managers scrambling to maintain a secure environment while trying to control internal access and third-party external access. While VPNs can handle internal access, using a basic VPN connection for third parties can expose a business network to more vulnerabilities, such as attackers exploiting third-party connections or shared passwords.
The recent cyberattack on the Colonial Pipeline Co. was also a wake-up call to those using VPN connections. The ransomware attack resulted in a payment of nearly five million dollars to the attackers plus a shutdown of the pipeline that disrupted fuel supply along the East Coast of the United States. The attackers got in by using a leaked password to log in to Colonial Pipeline’s IT systems through an old VPN account that was no longer in use but had never been disabled, and that was not protected by multi-factor authentication. Without proper access controls and provisioning/de-provisioning of VPN accounts, there is no effective way to tell active from inactive VPN accounts or to disable an account once it has expired or is no longer needed. The VPN itself cannot distinguish a stolen credential from a legitimate one; that control has to come from account lifecycle management and strong authentication layered on top, which most VPN deployments still lack.
While many businesses still use VPNs for all remote access, it’s imperative that all organizations recognize a VPN’s limited capabilities and start looking for alternatives to VPN for remote access, especially when dealing with the unique access needs of different types of users. A VPN is not a good catch-all technology for all remote access use cases, especially for third parties and vendors. You shouldn’t give internal users the same access permissions as external users, right? You need to ensure that the level of access given to external entities, like vendors or contractors, is tailored specifically to what they need, and nothing more.
Organizations might not know that there are several alternatives to VPNs that offer similar functionalities and security features. The following platforms are some suggestions to consider as VPN alternatives for your business.
What are the Best VPN Replacements Available?
Some of the most common choices when replacing VPNs are efficient alternatives like identity and access management, privileged access management, third-party security platforms, and Zero Trust network access.
1. Use a Software-defined Perimeter
A software-defined perimeter (SDP) is a network boundary defined in software rather than hardware, and it is an effective alternative to classic VPN solutions when used as part of a larger zero trust strategy.
This lets you not only enforce multi-factor authentication and segment your network, but also profile the user and the device that is connecting and write rules that grant access to only what that user actually requires in a given scenario. Resources that the policy does not grant are not merely forbidden; they are never exposed to the client at all.
When suspicious behavior is detected in your network, SDP makes it easy to revoke access to individual resources rather than disabling the device outright, so the risk is contained without rendering the user unable to do meaningful work.
2. Try a Software-defined WAN (SD-WAN)
SD-WAN products are designed to be a more efficient VPN alternative: they replace traditional physical routers with virtualized software that enforces application-level policies and provides a network overlay.
SD-WAN delivers optimized routing of encrypted traffic across a mesh of SD-WAN appliances rather than a single point-to-point link. In addition, secure SD-WAN solutions build a whole security stack into the SD-WAN appliance to provide the necessary protection.
3. Unified Endpoint Management (UEM) tools
Unified Endpoint Management (UEM) allows IT to manage, secure, and deploy corporate resources and applications on any device from a single console. UEM tools can provide a VPN-less experience through conditional access: an agent running on the device evaluates conditions such as enrollment status, patch level and compromise indicators before the person is allowed to reach a particular resource.
As users increasingly work remotely from traditional as well as mobile devices, and enterprises incorporate IoT and other new technologies, unified endpoint management has evolved to solve the problems modern IT departments encounter when securing and connecting these environments.
IT departments also face the difficulties of integrating legacy systems on these new devices — leading to higher IT costs. Unified endpoint management reduces the burden of connecting these systems while lowering costs and mitigating risks.
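The SDP rules described above (profile the user and the device, grant only what is required, revoke on suspicious behavior) and the UEM conditional-access check (an agent evaluates the device's state before access is allowed) are the same mechanism: a default-deny policy evaluator that sits between the user and each resource. The following is an added example, not code from the original article or from any SDP or UEM vendor. The users, devices, resources and rule set are constructed for illustration; a real controller would pull them from the identity provider and the device-management inventory.

```python
"""Minimal default-deny access policy evaluator of the kind an SDP
controller or a UEM conditional-access agent runs before brokering a
connection. Added example; all data below is constructed."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset          # e.g. {"employee", "finance"}; from the IdP
    mfa_verified: bool         # did this session complete MFA?
    role: str                  # "internal" or "third_party"


@dataclass(frozen=True)
class Device:
    managed: bool              # enrolled in UEM
    os_patched: bool           # reported by the on-device agent
    disk_encrypted: bool
    risk: str                  # "low" | "medium" | "high", from the agent


@dataclass(frozen=True)
class Resource:
    name: str
    allowed_groups: frozenset
    needs_managed_device: bool = True


# Each rule is (name, predicate over (user, device, resource)).
# Evaluation stops at the first failing rule; nothing is reachable
# unless every rule passes, which is the default-deny posture.
RULES = [
    ("mfa", lambda u, d, r: u.mfa_verified),
    ("group", lambda u, d, r: bool(u.groups & r.allowed_groups)),
    ("managed-device", lambda u, d, r: d.managed or not r.needs_managed_device),
    ("posture", lambda u, d, r: d.os_patched and d.disk_encrypted),
    ("risk", lambda u, d, r: d.risk != "high"),
    # Third parties only ever reach resources explicitly tagged for vendors.
    ("third-party-scope",
     lambda u, d, r: u.role != "third_party" or "vendor" in r.allowed_groups),
]


def evaluate(user, device, resource):
    """Return (allowed, name_of_first_failing_rule_or_None)."""
    for name, check in RULES:
        if not check(user, device, resource):
            return False, name
    return True, None


def reachable(user, device, resources):
    """Names of the resources this user+device pair may open. Everything
    else is never advertised to the client at all."""
    return {r.name for r in resources if evaluate(user, device, r)[0]}


# Constructed sample inventory (hypothetical names).
RESOURCES = [
    Resource("payroll-db", frozenset({"finance"})),
    Resource("git-internal", frozenset({"employee"})),
    Resource("vendor-ticket-portal", frozenset({"vendor"}), needs_managed_device=False),
]
ALICE = User("alice", frozenset({"employee", "finance"}), True, "internal")
ALICE_NO_MFA = replace(ALICE, mfa_verified=False)
VENDOR = User("bob@vendor", frozenset({"vendor"}), True, "third_party")
GOOD_DEVICE = Device(managed=True, os_patched=True, disk_encrypted=True, risk="low")
UNMANAGED_DEVICE = replace(GOOD_DEVICE, managed=False)
# Same laptop as GOOD_DEVICE after the agent reports suspicious behavior:
# only the risk field changed, the device was not wiped or disabled.
RISKY_DEVICE = replace(GOOD_DEVICE, risk="high")

if __name__ == "__main__":
    print("alice, healthy laptop :", sorted(reachable(ALICE, GOOD_DEVICE, RESOURCES)))
    print("vendor, own laptop    :", sorted(reachable(VENDOR, UNMANAGED_DEVICE, RESOURCES)))
    print("alice, risky laptop   :", sorted(reachable(ALICE, RISKY_DEVICE, RESOURCES)))
    print("alice without MFA     :", evaluate(ALICE_NO_MFA, GOOD_DEVICE, RESOURCES[0]))
```

The point of the last two cases is the one the text makes: the same user on the same laptop loses every resource the moment the agent flags the device, and the deny is per-resource, so the remediation is "fix the device" rather than "cut the user off entirely". The vendor case shows the third-party scoping from the previous section: an external account can only ever see resources tagged for vendors, regardless of what groups someone adds it to.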
4. Desktop-as-a-service Alternative
Desktop as a Service (DaaS) is a cloud computing offering in which a service provider securely delivers virtual apps and desktops to end users over the Internet, licensed with a per-user subscription.
Your workforce can access this service over an internet connection through a web browser (an HTML5 client) or a secure application installed on a device such as a laptop, desktop, thin client, smartphone, or tablet. Because the data and applications stay in the provider's environment and only screen output reaches the endpoint, DaaS can be a viable option for customers that like the centralization, security, and management of VDI but are attracted to the simplicity of having a professional organization perform basic desktop management on their behalf.
Which Other Alternatives to Enterprise VPN Connections Are There?
Some other alternatives when replacing VPNs include proxies such as Shadowsocks, Tor, and SSH tunnels. These were designed for individual circumvention, anonymity and ad hoc access rather than enterprise remote access, and each comes with the trade-offs described below.
1. Shadowsocks
Shadowsocks is a connection tool that lets you circumvent censorship. It’s used widely in China by people looking to tunnel under the Great Firewall, the digital barrier that keeps the Chinese internet “safe” from foreign influence. Technically, Shadowsocks is just an encrypted SOCKS5 proxy: it reroutes an application's connection through a server in another location, making it appear as though you’re there.
In a regular network connection you go through your internet service provider (ISP) and then to the website you want to visit. If the authorities want to block a site, the ISP is usually told to prevent access to its IP address. Using a proxy means you go from the ISP to an unblocked server and then to the site you want, so the ISP only sees the proxy's address.
Although Shadowsocks may sound like a virtual private network, it is a per-application proxy protected by a single pre-shared key rather than a system-wide tunnel with per-user authentication: only traffic explicitly configured to use the proxy is protected, anything else leaves the device in the clear, and there is no server certificate to tell you that you reached the right server. It therefore doesn’t offer the same security as a VPN does.
2. Tor
The Tor network allows users to anonymously access content on the internet. The free technology is designed for TCP connections and allows the anonymous use of web browsers, instant messaging, IRC, SSH, email, and P2P. The name “Tor” was originally an acronym for what was called “The Onion Routing” project, in direct reference to the technology on which it is based.
The connection is routed through a circuit of nodes (by default three relays: a guard, a middle and an exit) that act as encrypting proxy servers. The client wraps each packet in one layer of encryption per node in the circuit, and each node peels off exactly one layer, so a relay learns only the previous and the next hop: the guard knows who you are but not where you are going, and the exit knows where you are going but not who you are.
Just like Shadowsocks, Tor doesn’t offer the same security as a VPN. The exit node sees your traffic in the clear unless the application itself uses end-to-end encryption such as TLS, and there is always a risk that an attacker controls or monitors enough nodes, in particular both the guard and the exit of a circuit, to correlate traffic entering and leaving the network.
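The layered encryption just described is easiest to see in code. The following is an added example, not code from the original article or from the Tor project: it wraps a message once per relay and then walks it through the circuit, recording what each relay is able to learn. A keystream derived from HMAC-SHA256 is used as a toy stand-in for the AES-CTR relay-cell encryption Tor actually uses, and the three relay names and keys are constructed for the demonstration.

```python
"""Onion-routing layering demo (added example, toy cipher, constructed
circuit). Each relay strips one layer and sees only the next hop."""
import hashlib
import hmac


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, counter) blocks.
    Symmetric, so the same call encrypts and decrypts. A stand-in for
    Tor's AES-CTR, not a cipher to use for anything real."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_onion(circuit, destination: str, payload: bytes) -> bytes:
    """circuit: list of (relay_name, shared_key) ordered guard -> middle -> exit.
    The innermost layer is for the exit and names the real destination;
    every outer layer names only the next relay, never the destination."""
    next_hop = destination
    cell = payload
    for name, key in reversed(circuit):
        cell = keystream_xor(key, next_hop.encode() + b"\x00" + cell)
        next_hop = name
    return cell


def peel(key: bytes, cell: bytes):
    """What a single relay does: strip its own layer, read the next hop,
    and hand on the remainder, which is still encrypted for later hops."""
    plain = keystream_xor(key, cell)
    hop, rest = plain.split(b"\x00", 1)   # hop names contain no NUL byte
    return hop.decode(), rest


def route(circuit, onion: bytes):
    """Walk the cell through the circuit. Returns the list of
    (relay, next_hop_it_learned) pairs and the plaintext the exit
    finally sends to the destination."""
    seen = []
    cell = onion
    for name, key in circuit:
        hop, cell = peel(key, cell)
        seen.append((name, hop))
    return seen, cell


# Constructed circuit: in real Tor these keys come from a Diffie-Hellman
# handshake with each relay, performed through the previous relays.
CIRCUIT = [
    ("guard", hashlib.sha256(b"guard-key").digest()),
    ("middle", hashlib.sha256(b"middle-key").digest()),
    ("exit", hashlib.sha256(b"exit-key").digest()),
]

if __name__ == "__main__":
    onion = build_onion(CIRCUIT, "example.org:443", b"GET / HTTP/1.1")
    for relay, next_hop in route(CIRCUIT, onion)[0]:
        print(f"{relay:6s} learns next hop = {next_hop}")
```

Running it prints that the guard learns only "middle", the middle learns only "exit", and the exit is the first and only relay to learn the destination. The exit also receives the payload in the clear, which is why the text above says an exit can read your traffic unless the application adds its own TLS: nothing in the onion protects the innermost plaintext from the last relay.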
3. SSH Tunnel
SSH tunneling is a method of transporting arbitrary network data over an encrypted SSH connection. It can be used to add encryption to legacy applications. This can be achieved with local port forwarding (ssh -L), remote port forwarding (ssh -R), dynamic port forwarding (ssh -D, which exposes a SOCKS proxy), or by creating a TUN/TAP tunnel (ssh -w). It can also be used to implement VPNs (virtual private networks) and to access intranet services across firewalls. The application's traffic is directed to flow inside the encrypted SSH connection so that it cannot be eavesdropped on or intercepted while in transit.
With local forwarding enabled, the application connects to a port on the local host that the SSH client listens on. The SSH client forwards the application's traffic over its encrypted connection to the SSH server, and the server then connects to the actual application server, usually on the same machine or in the same data center as the SSH server. The application's communication is thus secured without modifying the application or the end user's workflow. Two caveats a practitioner should keep in mind: the local listener binds to the loopback interface by default, and binding it to all interfaces (ssh -g, or a bind address of 0.0.0.0) turns the tunnel entrance into a service that other hosts on your network can use; and because forwarding lets any user with a shell account punch through the firewall, servers should restrict it with sshd's AllowTcpForwarding and PermitOpen options rather than leave it wide open.
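Both the proxy chain described for Shadowsocks (ISP to an unblocked server to the site) and the local port forward described here have the same shape: a listener accepts the application's connection and relays the bytes to the real destination, so the application needs no changes. The following is an added example, not code from the original article or from OpenSSH: it models the forwarding half of `ssh -L` with plain sockets so it runs stand-alone. The encrypted SSH transport between the client side and the server side is deliberately not modelled; the echo service, the loopback addresses and the ephemeral ports are constructed for the demonstration.

```python
"""Local port-forward relay (added example). A listener on 127.0.0.1
accepts application connections and relays them to the target service,
the way the SSH client does on the local side and sshd on the remote
side. No SSH encryption is involved; this shows the forwarding only."""
import socket
import threading


def _pump(src, dst):
    """Copy bytes one way until EOF, then close the write side of dst so
    the peer sees end-of-stream too."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _bridge(client, target_addr):
    """Relay one accepted connection to target_addr in both directions."""
    upstream = socket.create_connection(target_addr)
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)
    back.join()
    client.close()
    upstream.close()


def start_forward(target_addr, bind_addr="127.0.0.1", port=0):
    """Listen on bind_addr:port and relay every connection to target_addr.
    127.0.0.1 is the safe default, matching ssh -L without -g: other hosts
    cannot reach the tunnel entrance. Returns (listener, (host, port))."""
    ln = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ln.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ln.bind((bind_addr, port))
    ln.listen(16)

    def serve():
        while True:
            try:
                conn, _ = ln.accept()
            except OSError:
                return                      # listener was closed
            threading.Thread(target=_bridge, args=(conn, target_addr), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return ln, ln.getsockname()


def start_echo_service(port=0):
    """Constructed stand-in for the intranet application server behind
    the SSH server. It simply echoes whatever it receives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", port))
    srv.listen(16)

    def handle(conn):
        _pump(conn, conn)
        conn.close()

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()


def request_through_tunnel(tunnel_addr, data: bytes) -> bytes:
    """What the unmodified application does: talk to the local port as if
    it were the real service."""
    with socket.create_connection(tunnel_addr) as s:
        s.sendall(data)
        s.shutdown(socket.SHUT_WR)
        out = b""
        while chunk := s.recv(4096):
            out += chunk
        return out


def demo() -> bytes:
    """Bring up the service and the forward, send one request, tear down."""
    svc, svc_addr = start_echo_service()
    tun, tun_addr = start_forward(svc_addr)
    try:
        return request_through_tunnel(tun_addr, b"hello through the tunnel")
    finally:
        tun.close()
        svc.close()


if __name__ == "__main__":
    print(demo())
```

The application only ever talks to `127.0.0.1`, exactly as it would with `ssh -L 8080:intranet-app:80 user@bastion` (hypothetical hostnames), which is why the text says no application changes are needed. Changing `bind_addr` to `0.0.0.0` is the one-line mistake that exposes the tunnel to everyone who can reach your machine.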
Should You Choose a VPN or a Proxy?
This is a question that, according to Google’s People Also Ask, many users have when searching for this topic. Is using a proxy server a viable option? Or is a VPN better?