
VPNs and zero trust security don't mix - Zscaler report

19 Feb 2021

Virtual private networks (VPNs) may have become a mainstay of remote access security in the last 12 months - and for the last 30 years - but the exploding popularity of VPNs has also led to an explosion in VPN vulnerabilities.

According to Zscaler and Cybersecurity Insiders, VPN services remain a popular choice for remote security, even though IT administrators are aware of the security risks.

The 2021 Zscaler VPN Risk Report found that 93% of organisations surveyed have deployed some kind of VPN, yet 94% know that VPNs are a popular target for cybercriminals.

Seventy-five percent of respondents say that social engineering is a concerning attack vector, followed by ransomware (74%), and malware (60%).

While organisations understand that VPNs present serious security risks, three quarters say that they are concerned about VPN security. Of those, 67% say they are looking at alternatives to the traditional VPN for remote access requirements.

Many organisations (72%) are adopting a zero trust model, and 77% say their workforce will become hybrid (in-office and remote) going forward. That means users need the flexibility to be able to work anywhere.

VPNs may not be the solution, according to Zscaler, because VPNs and zero trust frameworks are largely incompatible.

The company explains, “These incompatibilities, largely due to VPNs' inherent need for access to the network, and need to be exposed to the Internet, have increased the enterprise attack surface allowing threat actors to exploit these legacy models based on their inherent trust of users.”

Seventy-two percent of organisations are thinking the same thing: they are concerned that VPN may jeopardise IT’s ability to keep their environments secure, the report notes.

As a result, organisations should consider security alternatives to VPNs - because zero trust will be crucial to the future of remote access.

Zscaler’s zero trust solutions director Chris Hines says it is encouraging to see that organisations understand how zero trust architectures can provide secure access for businesses. 

“As organisations continue on their journey to cloud and look to support a new hybrid workforce, they should rethink their security strategy and evaluate the rising cybersecurity threats that are actively exploiting legacy remote access solutions, like VPN,” he explains.

“The more secure approach is to completely leave network access out of the equation by taking the users securely and directly to the applications by brokering all user to app connections using a cloud-delivered zero trust access service instead.”
