VPNs Are Killing Productivity

February 24, 2023

No matter where an organization lies on the remote work spectrum, flexibility and adaptability will always be a competitive edge. Even for companies that have strict mandates on granting network and resource access to users who are verified to be physically present, it makes no sense to reject the option for remote access in unprecedented times of crisis. When productivity hinges on the employee ability to work regardless of location, it's important to evaluate your company’s approach to securing remote access.

Traditionally, Virtual Private Networks (VPNs) have been the go-to for secure remote connections. However, VPNs are vulnerable to a wide range of security threats, including man-in-the-middle attacks, malware infections, and data breaches. In addition to security concerns, VPNs can also experience performance issues, such as slow connections, poor quality video and audio, and frequent disconnects. This can make VPNs difficult to use and creates a point of frustration for employees, reducing productivity and morale.

The VPN has to go, or at the very least organizations should be jump-starting the process of reducing their dependency on it. VPNs include all the following problems:

  • Disrupt productivity

  • Increase workload and margin of error

  • No monitoring capability

  • Poor security, utilizing a flawed and incomplete security model

Organizations need an access control solution that is secure, reliable, and user-friendly, enabling employees to access critical information and resources from any location. The VPN fits less than half of those requirements.

Disrupts productivity

VPNs are known to disrupt the productivity of both IT teams and end-users. For IT teams, managing and maintaining the VPN servers, as well as troubleshooting any technical issues, can be a time-consuming and complex process. End-users also face difficulties when trying to navigate the VPN's user interface to connect to the network, which can lead to frustration and a lack of trust in the technology.

Please attempt to be productive again.

Furthermore, performance issues associated with VPNs, such as slow connections and frequent disconnects, can reduce employee engagement and productivity. Latency — the amount of time it takes for data to travel between its source and destination — is a common problem with VPNs. High latency can cause slow connections, poor quality video and audio, and frequent disconnects, which can kill productivity, morale, and frustrate employees..

Factors that can cause latency issues with VPNs include the physical distance between the user and the server, the number of users connected to the VPN, and the speed of the user's internet connection. All of these can contribute to poor performance, making it difficult for employees to do their jobs.

Inefficiency at its finest.

Latency issues are a major concern for organizations, as they can significantly reduce employee productivity. In order to ensure a smooth and secure user experience, organizations must invest in reliable VPN solutions with efficient routing protocols and encryption algorithms.

VPNs increase workloads and margins of error

The utilization of VPNs can add a layer of complexity to the workload of both IT teams and end-users. IT teams are responsible for the management and maintenance of the VPN servers, as well as troubleshooting any technical issues that may arise.

Provisioning access for VPNs is a Kafkaesque process, which looks like this:

  1. End-user or contractor needs access to resource

  2. Manager sends ticket to IT helpdesk and request provisioning access

    • Productivity loss: If it’s not sent as high-priority, the end-user cannot start the work until access is granted, thus losing productivity

    • Workload increase: If it’s sent as high-priority, IT helpdesk’s list of “high-priority” ticket items become jammed up with the IT equivalent of running to open the door

  3. The IT team most likely needs to make the necessary policy restrictions with that access to ensure the end-user only gets access to the necessary resource. Further modifications may be necessary

  4. The IT team needs to make a note to cut off this access sometime in the future

    • If forgotten or there's delay, that access is vulnerable to being exploited

There’s so much that can go wrong here. Configuring VPNs is a manual process prone to human error. IT teams may inadvertently provide users with access to sensitive data and resources, causing a data breach or other security incident. This can be difficult to reverse, particularly if the user has left the organization, making it difficult to revoke their access. Organizations must also monitor user activity and investigate any suspicious behavior, further adding unnecessary workloads.

Moreover, even if an organization is capable of monitoring effectively, revoking user access quickly in the event of a data breach or other security incident (such as compromised credentials) can be difficult to do with a VPN.

Not to mention…

VPNs are poor for monitoring

When it comes to logging and auditing, VPNs leave a lot to be desired. Because they work on layer 4 of the OSI layer, VPNs are not able to provide the detailed logs and audit trails required to monitor user activity and protect against data breaches.

With VPNs, organizations are unable to track which users have accessed which resources, limiting the organization’s ability to identify and investigate any suspicious activity. Furthermore, VPNs are not able to provide real-time notifications when suspicious activity is detected, further delaying quick action in the event of a breach.

In order to ensure the security of data and sensitive resources, organizations must have the ability to track user activity and investigate any suspicious behavior. Without an effective logging and auditing solution, organizations are blind to the risk of becoming the victim of a data breach.

VPNs are holes in your network perimeter

When corporate networks first became commonplace, they were built on internal servers and resources. To protect these assets, there was often a rule that users could only access them when inside the “network perimeter,” usually enforced by checking whether the user was within the building and directly connected to the organization’s network.

The network would assume everything inside is safe and grant associated access. After all, someone who was already in the building could only be an employee of the organization, and therefore they should have access to be productive, right? As the need for connecting to these assets from outside the perimeter arose, VPNs were adopted to grant access to users by treating them as “within” the organization’s network perimeter.

But the National Institute of Standards and Technology (NIST) has been pushing for zero trust architecture (ZTA), and one of the fundamental tenets of ZTA is to pivot away from the perimeter-defense model. Here it is in their own words, line 259 of SP 1800-35 Volume B.

It is no longer feasible to simply enforce access controls at the perimeter of the enterprise environment and assume that all subjects (e.g., end users, applications, and other non-human entities that request information from resources) within it can be trusted.

Today, organizations of all sizes can be expected to have complex infrastructure spanning multiple clouds, on-premise or hybrid-combinations of servers, third-party platforms, and other varied assets from mergers and acquisitions. There is no boundary, there is no “trusted inside, unsafe outside.” The concept of a network perimeter has become meaningless because everything is unsafe, and nothing should be trusted until it is proven safe.

The VPN is a bigger liability than asset in the modern digital infrastructure. By having existing tunnels that you force your network to trust implicitly, without any monitoring mechanisms, and having little recourse for revoking that access should something be wrong, it’s little wonder that NIST explicitly cautions against using VPNs. And that’s on top of all the disruptions to productivity and workflow.

This is why…

The VPN must be replaced

Yet the problem with dependency is that it is very hard to quit. Remote work is still necessary and users still need a way to be productive. Any organization would balk at the idea of changing how “it has always been done” because "change" sounds painful.

The good news is that pivoting away from the VPN is never a rip and replace process, but a gradual roll-out. There are solutions available that can be phased in to replace the VPN without disrupting productivity and company operations. One such solution is Pomerium, an identity and context-aware access control gateway. Pomerium provides a secure and user-friendly way to access internal applications from anywhere, without the need for a VPN. Productivity does not need to be impacted and administration has never been easier.

Pomerium is the top choice for companies looking for an open-source context-aware access gateway to manage secure, identity-aware access to applications and services. Our customers depend on us to secure zero trust, clientless access to their web applications everyday.

Check out our open-source Github Repository or give Pomerium a try today!


More Blog Posts

See All Blog Posts
Introducing Pomerium Zero
Skip the SSO tax with Pomerium
Announcing Pomerium v0.26

Your Security

Embrace Seamless Resource Access, Robust Zero Trust Integration, and Streamlined Compliance with Our App.

Pomerium logo
© 2024 Pomerium. All rights reserved