
As breaches tied to corporate VPN flaws skyrocket, security vendors are increasingly urging organizations to drop VPNs altogether. Instead of drilling a hole in the firewall, they suggest adopting the outbound-only tunnels offered by Zero Trust Network Access (ZTNA) solutions.
Akamai, a major content delivery network, cybersecurity, and cloud service company, thinks that it’s time to retire traditional corporate VPNs. And it makes sense.
To use a corporate VPN, admins need to expose infrastructure online, even if it’s just a single open port, to give employees access to internal networks. That exposed port becomes an entry point for attackers looking to exploit vulnerabilities.
“Imagine you’re a CIO or IT admin, sipping your morning coffee, and an urgent security bulletin flashes across your screen — it’s yet another critical vulnerability in your company’s virtual private network (VPN). Attackers are already exploiting it in the wild,” Akamai writes in its blog post.
These cracks are discovered constantly. Last year, Ivanti disclosed multiple severe flaws in its appliances, which enabled hackers “to craft malicious requests and execute arbitrary commands on the system” without valid credentials.
“The situation became so dire that the US Cybersecurity and Infrastructure Security Agency (CISA) issued its first emergency directive of 2024, ordering federal agencies to temporarily disconnect the vulnerable VPN devices from their networks because of active attacks by state-sponsored actors,” Akamai writes.
Fortinet, another major appliance vendor, seems to be regularly plugging flaws affecting VPNs. One of them last year allowed hackers to gain full administrative control. This year, Bishop Fox researchers successfully bypassed authentication in unpatched SonicWall firewalls.
“In 2023, 133 VPN vulnerabilities were reported – a 47% increase from 2022,” Akamai says. “This constant drumbeat of VPN vulnerabilities across the industry highlights just how fragile legacy network security can be.”
The tech company punches down on traditional VPNs to promote its own product based on the Zero Trust Network Access (ZTNA) security model, which it calls “Enterprise Application Access.”
It doesn’t need open ports in firewalls; instead, it relies on continuously running on-premises applications that initiate outbound connections, which are proxied through Akamai Cloud.
Akamai is just one player in the rapidly growing ZTNA market, and similar tunneling solutions include Cloudflare Access, Zscaler Private Access, Palo Alto Networks’ Prisma Access, and others.
ZTNA solutions promise to eliminate inbound firewall holes, enforce least-privilege access per application, maintain strong identity enforcement without network-wide trust, and shift the burden of patching and scaling to the cloud. The service evaluates each user and then brokers a connection only to the specific application, wherever it is hosted.
“The fundamental flaw isn't just in the implementation; it's in the outdated trust model that allows broad network access once someone gets past the gate. Fortunately, there's a better path forward,” Akamai believes.
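The trust-model difference described above can be made concrete with a small simulation. This is an added example written for this article, not Akamai's or any vendor's code: it models a legacy VPN gateway, where one successful login grants reachability to every host behind it, beside a ZTNA-style broker that only ever sees connections its on-premises connectors opened outbound and that decides access per application from identity, group membership and device posture. All users, applications, sites and policy values are constructed for the demonstration.

```python
"""Toy comparison of VPN network-wide trust vs. per-app ZTNA brokering.
Added example, not code from the article or any ZTNA vendor. Every
identity, app, site and policy below is constructed for illustration."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Identity:
    user: str
    groups: frozenset
    device_managed: bool   # device posture: enrolled/managed endpoint
    mfa: bool              # completed multi-factor authentication


@dataclass
class Connector:
    """On-premises agent that dials OUT to the broker. The broker never needs
    an inbound firewall rule because the connector initiates every session."""
    site: str
    apps: set
    registered: bool = False


class VpnGateway:
    """Legacy model: one inbound listener, and once a user is past the gate
    they can reach any host on the segment."""
    def __init__(self, hosts):
        self.hosts = set(hosts)
        self.inbound_listeners = ["udp/443"]   # constructed example port

    def can_reach(self, ident, host):
        # Authentication is the only check; no per-host entitlement exists.
        return ident.mfa and host in self.hosts


class ZtnaBroker:
    """Cloud broker: evaluates identity and posture for each application and
    bridges the user only to the connector that fronts that application."""
    def __init__(self):
        self.connectors = {}          # app -> Connector that announced it
        self.policy = {}              # app -> (groups, require_managed, require_mfa)
        self.inbound_listeners = []   # nothing listens on the customer's edge

    def register(self, connector):
        # Outbound registration from the site; records which apps it fronts.
        connector.registered = True
        for app in connector.apps:
            self.connectors[app] = connector

    def add_policy(self, app, groups, require_managed=True, require_mfa=True):
        self.policy[app] = (frozenset(groups), require_managed, require_mfa)

    def decide(self, ident, app):
        """Return ("allow", site) or ("deny", reason) for one app request."""
        if app not in self.policy or app not in self.connectors:
            return ("deny", "unknown app")
        groups, need_managed, need_mfa = self.policy[app]
        if need_mfa and not ident.mfa:
            return ("deny", "mfa required")
        if need_managed and not ident.device_managed:
            return ("deny", "unmanaged device")
        if not (ident.groups & groups):
            return ("deny", "not entitled")
        return ("allow", self.connectors[app].site)


def build_demo():
    """Construct both models with the same constructed users and apps."""
    vpn = VpnGateway(hosts={"erp", "git", "hr-db"})

    broker = ZtnaBroker()
    broker.register(Connector(site="hq", apps={"erp", "hr-db"}))
    broker.register(Connector(site="branch", apps={"git"}))
    broker.add_policy("erp", groups={"finance"})
    broker.add_policy("git", groups={"engineering"})
    broker.add_policy("hr-db", groups={"hr"})

    alice = Identity("alice", frozenset({"finance"}), device_managed=True, mfa=True)
    bob = Identity("bob", frozenset({"engineering"}), device_managed=False, mfa=True)
    return vpn, broker, alice, bob


def compare(vpn, broker, ident, app):
    """Side-by-side decision for one user and one app under both models."""
    return {"vpn_reachable": vpn.can_reach(ident, app),
            "ztna": broker.decide(ident, app)}


if __name__ == "__main__":
    vpn, broker, alice, bob = build_demo()
    for who in (alice, bob):
        for app in ("erp", "git", "hr-db"):
            print(who.user, app, compare(vpn, broker, who, app))
    print("inbound listeners:", vpn.inbound_listeners, broker.inbound_listeners)
```

Running it shows the asymmetry the article describes: after one login, the VPN model reports every host reachable for both users, while the broker admits alice only to the ERP application at the site whose connector fronts it and refuses bob's unmanaged device outright, before any entitlement check. The connector registry is the outbound-only piece: the customer edge exposes no listener at all.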
However, while ZTNA platforms seemingly solve many of the classic VPN pain points and vulnerabilities, they might also introduce new ones.
This shift introduces new costs and licensing complexities, along with potential vendor lock-in and reliance on a third party. Instead of running their own VPN appliances, companies have to purchase long-term services whose prices are prone to increases.
“The problem with Zero Trust Network Access is trusting the service provider,” Pivot Point Security pointed out.
Other cybersecurity experts have previously also explained they have “Zero Trust issues with ZTNA.”