Citrix Blogs

Remote Access Without VPN: Is It Secure?

VPNs have long been a security standard for secure access to corporate applications. Organizations began using VPN services at a time when the digital world was far less complex, however, and today, VPNs are far from secure. This blog post will explore the security challenges of VPNs and discuss the best alternatives.

Remote Access VPN Solutions

How does a remote access VPN solution work? These solutions aim to give remote users secure access to applications and data residing in the company’s data center. A remote access VPN starts by authenticating the user. After authentication, the user is tunneled into the corporate network where they can access the apps and data they need. Since the remote access VPN encrypts all traffic between users and the company network, remote staff can access applications securely, even from public locations.

Types of VPNs

There are two major options when deploying a remote access VPN: secure sockets layer (SSL) and IP security (IPSec). VPN solutions usually offer one or the other, though some solutions offer a hybrid, integrated approach.

IPSec VPNs are often the standard. They use a pre-installed VPN application on a user’s desktop, so they work better on managed devices. IPSec VPNs protect communications between two different points, which could include the network, but may also be two different routers or a firewall and host. With an IPSec VPN, admins can control the interface of the VPN and how it is used in the application.

By contrast, an SSL VPN is a networking protocol that does not need any client software to be installed on the network and requires no additional action from the end-user. SSLs also have the added advantage of delivering clientless access.

Ultimately, IPSec VPNs are better when you want to integrate remote or hybrid employees, while SSL is better for organizations with many third party users.

Why Are VPNs So Popular for Organizations?

A few things make VPNs attractive to organizations. VPNs are thought to:

Remote VPNs (also known as client-based VPNs or client-to-server VPNs) have several benefits for organizations that have a geographically-dispersed workforce:

However, remote access VPNs also have challenges. If not configured correctly, they can leave security gaps that can be easily exploited by attackers.

How Secure is a VPN?

VPNs have been around for decades now as an effective way to protect sensitive data when connecting to a public network. But a VPN may assume a connection is safe because of its location, which may not be the case. This assumption might leave the network exposed to internal threats.

VPNs can be an overlooked attack vector. Malicious users can log in from a different location, and the VPN may not flag the location change. In a recent case, hackers were selling college students’ VPN credentials on the dark web. Using these credentials, attackers can easily enter the college network and cause damage.

In 2021, a report from Nuspire showed an increase of 1,500 percent in VPN attacks over the previous year, a natural byproduct of the exponential growth in remote working. With organizations quickly moving applications and data to the cloud, users may not need to use the remote access VPN that often. Those disconnected users are not visible to IT teams, resulting in the organization losing oversight and control over user traffic.

The common solution is to add a proxy — but these can create their own set of problems. Proxies are not meant to fully replace the use of a VPN, and some proxy services have insufficient security protections.

Typically, VPNs can be challenging to scale because you need to install them on every connected device. This means every employee mobile phone, laptop, tablet, and desktop computer. For large organizations, this is a huge lift. Further, VPNs are somewhat limited because they are designed to protect privacy, so most of them lack the level of access control and traffic monitoring capabilities needed to keep networks secure.


Migrate to a VPN-less solution with Citrix Secure Private Access.


ZTNA Instead of VPNs for Secure Remote Access

With a VPN you get complete access to the organization’s LAN. Once you get inside the network, you can access any data, application, or resource that you can access on-site. However, VPNs don’t enable you to monitor and control what users can access and do once inside the network. That factor, together with other VPN security shortcomings, is driving organizations to replace VPN technologies with secure remote access based on zero trust network access (ZTNA).

What is secure remote access? Secure remote access uses software solutions that enable users to connect securely to a network application or data. These secure solutions are especially useful to organizations that need their staff and third party users to safely access their resources remotely every day.

Secure remote access software protects remote connections regardless of the time, location, or endpoint device used to access them. One of the key features of a robust secure remote access suite is applying a zero trust network security protocol to all applications.

ZTNA provides a cloud-native solution that enables access to on-premises applications without the need for a VPN. These solutions simplify IT management and prevent performance bottlenecks.

What to Look for When Choosing Secure Access

When looking for a solid, secure access solution it is important to look for the following features:

Zero Trust Network Access

The principle of zero trust means that the system will trust no user or device, inside or outside the network. ZTNA solutions authenticate every login request, constantly monitor the risk status of the session, offer access to only the minimal information needed, and implement end-to-end encryption.

Adaptive Authentication

Adaptive authentication is the security process of verifying user identity and authorization based on a user’s risk profile. This risk-based authentication approach continuously assesses the user risk profile and determines the type of authentication required based on criteria such as location, device posture, and user behavior.

Other authentication methods decide the user’s risk profile once, at the beginning of the session. Adaptive authentication solutions monitor the whole session to ensure the permission levels are maintained and the risk profile remains unchanged.

Adaptive Access

Granting access to network resources with an adaptive method offers several advantages for protecting applications from attacks. Adaptive app protection secures access to apps in unmanaged devices by encrypting and scrambling the data.  

Adaptive access allows for a granular security policy at the user level. It takes into account the user’s context, monitoring for factors such as time and location, and restricts application activities like copying and pasting, downloading, or watermarking.

Multiple Authentication Methods

Secure remote access solutions combine multiple authentication methods, choosing which one is best in a given moment based on the user’s risk profile. It can, for example, provide adaptive authentication and single sign-on (SSO) access to all applications in the system. In other cases, the remote access solution will choose to implement multi-factor authentication, requesting two or more authentication levels from the user.

Context-Aware Access

One characteristic of a secure remote access solution is the focus on context to grant access. With context-aware access, the system will determine which level of permissions and access the user will have according to the context surrounding the user. Some of the attributes considered may include the IP address or the security status of the device.

Segmented Access

Network segmentation is one of the most effective methods used to prevent lateral movement of a threat. It involves separating the network into different isolated sections, so that if one of them is compromised the infection doesn’t spread to the entire network. An attacker trying to move laterally would need to breach the security protocols in place for each separate section.

ZTNA’s identity-based authentication is a highly-effective alternative to the IP-based authentication used in most VPN solutions. The granularity of ZTNA empowers an organization to set different access control policies according to location or type of device. Thus, common VPN challenges, like granting all BYOD users the same level of secure access, are not present.

The next generation of ZTNA-based solutions delivers better security strategies for organizations with hybrid and remote users, including:

How Citrix Provides Secure Remote Access

Citrix provides an array of secure remote access solutions that give companies the flexibility to select what works best for their business requirements. One of the advantages of Citrix is that the solution provides secure access to virtualized and non-virtualized apps, including SaaS. Citrix’s unique and comprehensive approach begins with a secure internet browser, extending to a full ZTNA or SSE solution, depending on customer requirements.


Learn more about how Citrix empowers secure remote access for hybrid workspaces.


Exit mobile version