Surging Threats, Complexity Means VPNs Are On Their Way Out: Experts
Even among SMBs, the shift from VPNs to cloud-based alternatives such as zero trust network access is accelerating, vendor and solution provider executives tell CRN.
The continuing intensification of attacks targeting VPNs and the complexities of hybrid IT environments are accelerating the shift away from the technology and toward cloud-based alternatives such as zero trust network access (ZTNA), experts told CRN.
This is the case even for businesses on the smaller end of the spectrum, which have been deeply impacted by the continual exploitation of VPN vulnerabilities and credential theft, vendor and solution provider executives said.
When it comes to transitioning from VPN to ZTNA, “this is something that the enterprise has been doing for several years now,” said Michael Ruffolo, CTO at eSecurity Solutions, a cybersecurity-focused solution provider based in Irvine, Calif. “But we are definitely seeing this being deployed more widely with small businesses. And there’s a big need for it.”
Key vendor partners for eSecurity Solutions include WatchGuard Technologies, which in many ways exemplifies the VPN-to-ZTNA shift in the cybersecurity industry. While WatchGuard previously focused on traditional network security technologies, the vendor is now increasingly emphasizing a zero-trust approach with its FireCloud Total Access offering.
The constant disclosures of exploited vulnerabilities for SSL VPNs — which are exposed to the internet — are a clear indicator that for many organizations, the answer is to “get rid of VPNs,” said Adam Winston, field CTO at WatchGuard.
“If your VPN can be breached because you have a vulnerability and you don’t have a patch for it — and you can’t automatically very quickly deploy it — then that [vulnerable device] is just sitting out there. And the time to [compromise] that is very, very low — sometimes hours,” Winston said. “Is it a big problem? Yes. Don’t do SSL VPN anymore, as soon as you have the option not to.”
In one recent example, security researchers from multiple vendors disclosed in early August that the Akira ransomware group had been exploiting a vulnerability impacting SonicWall firewalls with SSL VPN enabled. Then in September, Rapid7 researchers said the threat actor had resumed its attacks targeting the SonicWall devices.
Earlier this year, Ivanti disclosed that a critical-severity, zero-day vulnerability impacting its widely used Connect Secure VPN had seen exploitation in attacks.
A key issue is that VPNs actually provide a false sense of security to many organizations, according to Rob Allen, chief product officer of ThreatLocker.
“They’re thinking, ‘Oh, it’s encrypted,’” Allen said. “But the fact of the matter is that if you are making a VPN available, effectively, it’s just one more port open to the internet.”
Ultimately, “the preference is, just don’t use VPN at all,” he said.
While the VPN will probably persist well into the future as a technology used within businesses, the likelihood is that its days are numbered, experts told CRN.
“Over the long term, I do think that they will fall by the wayside,” said Rob Gregory, CISO at Denver-based Optiv, No. 28 on CRN’s Solution Provider 500 for 2025. “The reality is, a zero-trust platform does everything that a VPN and firewall can do, and do it better.”
For larger businesses, setting up and maintaining traditional network security technologies at multiple different sites is also exceedingly complex and expensive, Gregory said. A ZTNA-based approach, on the other hand, offers a decentralized approach to management and access control, he said.
“It really puts you in a place that is far more scalable,” Gregory said. “If they roll out a new office, they just connect via a standard internet connection into our zero-trust environment. Same with a new employee wants to work from home, or wants to work from a coffee shop or an airport.”
All of these factors make it “inevitable that we’ll see firewalls and traditional VPN be replaced,” he said. “But it’ll be some time.”