Modernizing Secure Remote Access: A VPN-less Future for Hybrid Work
Employees deserve safe and easy access to on-premises applications so they can stay productive no matter where they are working from – an office, a dentist's office, a coffee shop, home, or any other place with a reliable Internet connection. Cyber threats can come from anywhere – they don't just originate from "outside" corporate perimeters. Insiders can also pose a threat, unknowingly or purposefully. Adopting zero-trust security principles for network access is imperative to reduce the risk of data exposure and breaches.
Many organizations are familiar with virtual private networks (VPNs), particularly during the COVID-19 pandemic when they had to rapidly enable remote access at scale. However, there are some challenges with exclusive reliance on VPNs.
The alternative to VPNs – a remote access proxy that mediates the connection between the client and application – is less common. Nevertheless, VPN-less solutions are gaining momentum due to their benefits over traditional VPNs. These benefits include reducing complexity by not requiring network segmentation, providing a fast and consistent user experience when accessing applications, easing onboarding of both the direct workforce and third-party users by not requiring a VPN setup, and employing strong zero-trust security principles for application access.
However, adoption of a VPN-less secure remote access solution varies by industry, by an organization's knowledge, skills, and comfort level with configuring and managing the solution, and by cultural factors including executive buy-in. Organizations moving to this model might take an iterative approach that considers such factors as account refresh schedules, major business projects, early adopter groups, and business criticality. Some organizations will start by implementing a VPN-less model for certain applications, testing and adopting VPN-less access for those applications within particular business groups before expanding further.
Realistically, VPNs will continue to be used for certain use cases, like when users are required to be on managed devices or if they are authorized to access the entire network. For use cases where there is a need to enforce application-specific access and to enable contractors and other temporary workers on unmanaged devices to access private applications, VPN-less access will likely be used.
This blog post serves as a high-level guide for what to look for in a secure remote access solution that doesn’t require a VPN.
What to look for in a VPN-less secure remote access solution
While specifics will vary by an organization’s needs, the following list contains some key criteria to look for in a VPN-less secure remote access solution.
An ideal solution should:
Be based on an inherently closed, zero-trust based security model, and enforce user and device checks before granting access to private applications and resources
Easily scale as employees are onboarded or offboarded, and as they need the flexibility to work either onsite or remotely within a typical work week
Support unmanaged devices, whether for direct or third-party employees. Consider this: Per a report by Verizon, almost half (49%) of enterprise devices are being used without any managed update policy. According to the same report, about 40% of organizations surveyed said they had experienced a mobile-related compromise.
Be purpose-built for hybrid infrastructures – cloud and on-premises
Allow for flexible deployment (either hosted by the vendor or self-managed)
Enable secure access to web applications, secure shell (SSH) services and TCP services such as remote desktop protocol (RDP), all of which are commonly used by remote employees but also vulnerable to cyberattacks.
Comparing VPN and VPN-less approaches for secure remote access
There is a difference between a VPN-based and a VPN-less zero-trust architecture with regard to the type of access granted to end users. Inherently, a VPN-based approach is open: it grants access to a subset of the network. A zero-trust architecture is inherently closed: access is granted to one individual application at the time of access.
As illustrated in the diagram above, traditional remote access with a VPN works as follows. The requesting user on a particular device authenticates to the VPN client with their credentials. If approved, the VPN tunnel allows the user to reach any application on the network. In the example above, the user has access to all protected company resources through the VPN, including the company's Customer Relationship Management (CRM) system, the Human Resources (HR) site and the employee directory. VPNs are based upon an inherently open security model that does not, by default, restrict access to a specific application on the internal corporate network.
As illustrated in the diagram above, modern remote access without a VPN, such as with adoption of Duo Network Gateway, works as follows. The requesting user on a particular device authenticates to Duo, where we check the user's identity and the device's health. If the user passes both of those policy checks, the Duo Network Gateway allows direct access only to the specific application the user is authorized for – in this case the employee directory that was requested. This VPN-less remote proxy solution is based on an inherently closed security model – one that is centered on zero-trust security principles.
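To make the two models concrete, here is an added example (not Duo's code or any vendor's implementation) that models the access decision an identity-aware proxy makes, beside the decision a VPN concentrator makes. The users, devices, application names (crm, hr, directory) and policy thresholds are constructed for illustration; the device-health checks shown (minimum OS version, disk encryption, screen lock) are assumptions standing in for whatever posture checks a real deployment enforces.

```python
"""Toy model of VPN versus VPN-less (per-application) access decisions.

Added example, not from the original post. Users, devices, apps and policy
values are constructed; the posture attributes are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    os_version: str        # e.g. "14.2"
    disk_encrypted: bool
    screen_lock: bool


@dataclass(frozen=True)
class User:
    name: str
    authenticated: bool    # primary credentials + MFA already verified upstream
    groups: frozenset


@dataclass(frozen=True)
class AppPolicy:
    name: str
    allowed_groups: frozenset
    min_os_version: tuple
    require_disk_encryption: bool = True


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    reachable: frozenset   # applications the resulting session can reach


# Everything behind the corporate network (constructed sample).
NETWORK_APPS = frozenset({"crm", "hr", "directory"})

# Per-application policies the proxy enforces (constructed sample).
POLICIES = {
    "crm": AppPolicy("crm", frozenset({"sales"}), (14, 0)),
    "hr": AppPolicy("hr", frozenset({"hr-staff"}), (14, 0)),
    "directory": AppPolicy("directory", frozenset({"employees", "contractors"}),
                           (13, 0), require_disk_encryption=False),
}


def parse_version(text):
    """Turn '14.2' into (14, 2) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def vpn_access(user, requested_app):
    """Open model: one successful login reaches every app on the network."""
    if not user.authenticated:
        return Decision(False, "user not authenticated", frozenset())
    # The tunnel does not know or care which app was requested.
    return Decision(True, "tunnel established", NETWORK_APPS)


def device_health_problem(device, policy):
    """Return a human-readable reason the device fails the policy, or None."""
    if parse_version(device.os_version) < policy.min_os_version:
        return "operating system below minimum version"
    if policy.require_disk_encryption and not device.disk_encrypted:
        return "disk encryption not enabled"
    if not device.screen_lock:
        return "screen lock not enabled"
    return None


def zero_trust_access(user, device, requested_app, policies=POLICIES):
    """Closed model: user check, then device check, then per-app authorization.

    A successful decision reaches exactly one application, never the network.
    """
    if not user.authenticated:
        return Decision(False, "user not authenticated", frozenset())
    policy = policies.get(requested_app)
    if policy is None:
        return Decision(False, "unknown application", frozenset())
    problem = device_health_problem(device, policy)
    if problem is not None:
        return Decision(False, f"device check failed: {problem}", frozenset())
    if user.groups.isdisjoint(policy.allowed_groups):
        return Decision(False, "user not authorized for application", frozenset())
    return Decision(True, "user and device checks passed", frozenset({requested_app}))


if __name__ == "__main__":
    alice = User("alice", True, frozenset({"employees"}))
    laptop = Device("14.2", True, True)
    print("VPN:       ", vpn_access(alice, "directory"))
    print("Zero trust:", zero_trust_access(alice, laptop, "directory"))
    print("Zero trust:", zero_trust_access(alice, laptop, "crm"))
```

The point to notice is the `reachable` field: after a VPN login it is the whole network regardless of which application was requested, whereas the proxy decision names exactly one application, and a different application (crm) or an unhealthy device produces a separate deny with its own reason, which is also what you would want to log for detection.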
In summary, moving to a new modern remote access approach doesn’t mean you would replace VPNs everywhere, but rather that you can gradually and purposefully transition towards moving away from VPNs when and where it makes sense for your business. Understanding the differences between these approaches will empower you as you plan your organization’s security strategy for secure remote work.
Ready to try out a VPN-less approach to network security?
To learn how Duo helps organizations secure remote access with or without VPNs, visit the Duo Remote Access page.
Want to try Duo free for 30 days? Just sign up for a trial.