Connecting to the VPN was always the first step. After that, you could do everything else on your work computer (needs). This has been the recommendation since before remote working and so far. That advice was appropriate for a time when the bulk of security relied on a fortified network perimeter, and anything outside that perimeter was considered untrusted by default. However, remote access tools have come a long way since that time and many implementations are now peer-to-peer with little traffic routed through a VPN. Next follows the obvious question: does skipping that step actually weaken security or do we need to take a more nuanced view than just yes or no?
The truth is that this depends heavily on what actually replaces the VPN because the removal of one protective layer means very little if nothing else is doing its part.
What a VPN was Actually Protecting Against
The primary use of VPN is to extend a private network across a public one, allowing authentication and encrypting traffic and making remote device appear as if it were part of the corporate network. Speaking of which, this was important in the past because several internal systems were never created to be opened straight on the open internet. That was not an option for businesses more commonly under siege and at the mercy of scripts checking for something anything to exploit simply because putting a VPN in front meant that attackers scanning the internet for services to take advantage of would never even see those systems as they resided behind this artificially-created encrypted tunnel.
Removing the VPN does not automatically remove this protection if remote desktop access without VPN handles the equivalent functions directly. By providing what principle of a VPN I was using, a connection to authenticate the user, encrypt the session and not make all that unsolicited internet traffic go to your host machine; this is mostly done in another way which has much of what a VPN was providing. The answer is not whether a VPN exists or comes with some kind of protections, but in what way are those protections implemented under the hood.
The Function of Direct Connection Encryption
Encryption is the component that replaces what a VPN tunnel was providing you with. Modern remote access connections generally provide transport-layer encryption (which is the same general type of protection that a VPN tunnel provides, only applied directly to the remote access session instead of being wrapped around all network traffic).
The transport layer security standard defines the current version of the protocol responsible for this kind of protection across much of the modern internet, including a great deal of web traffic, email, and remote access sessions that never touch a VPN. When done correctly, this protocol provides authentication of the parties involved, confidentiality of the data exchanged and protection against tampering properties very much aligned with what a VPN tunnel would historically be deployed to provide.
That does not mean that every connection made without the use of a VPN is secure. It follows therefore that a remote access tool that doesn’t encrypt correctly, uses outdated cryptographic methods, or skips authentication altogether would create an actual hole in the wall a VPN may have plugged. In other words, the fact that there is encryption is much less important than whether that encryption is applied to a contemporary standard.
Why Exposure Without Inspection Matters
The only new, legitimate argument against VPN-less access is that one might wonder what all it is exposing to the Internet. With a typical VPN deployment, an attacker performing an internet scan would actually not find the internal systems that reside behind it at all as those systems are just not reachable before they connect through the VPN. That picture changes when the listening service itself is a remote access tool that listens for connections directly on the internet because now this part of the attack surface may be found by simply running a scan.
How important that is depends a lot on what exactly the exposed service does when it receives an unauthenticated connection request. A good remote access architecture restricts the visibility or actions of an unauthenticated party, authenticates before providing any significant access to resources, and prevents any leakage of information that would assist an attacker in planning their next move. The latter announcement dealt primarily with new recommendations for improving security in authentication mechanisms, such as not leaking version information in poorly designed ones, better credential handling and restricting how much of the underlying system is revealed (e.g. OS or services in use) before an authentication attempt.
A Different Security Philosophy Entirely
The emergence of VPN-less access is partly a symptom of the idea that the network environment has changed and most security professionals agree that the way they think about protecting networks must also change. The zero trust security model which has gained proliferation in recent years deliberately rejects the notion that simply being inside the perimeter of a network (i.e., being behind a VPN) should give users broad, implicit trust. Rather, this mechanism validates each request in isolation, irrespective of origin that is, a connection from within an old-school VPN tunnel would be scrutinized as rigorously as one arriving directly from the public internet.
Under this philosophy, the traditional value of a VPN opens up broad access once inside the tunnel begins to feel more like a liability than a feature in that one compromised VPN credential can sometimes be worth far more than a single remote access session. When the authentication and authorization behind each individual connection are genuine, direct, individually authenticated connections can fit much more snugly with this model than a broad VPN tunnel does.
Weighing the Tradeoffs Honestly
All of this does not mean: VPN-less remote access is either safer or riskier by nature than the traditional alternative. Both approaches can be executed well or poorly, and the true security differences are determined by details the strength of encryption in use, the rigor of authentication, how much exposure occurs before a connection has been established properly, and how quickly a compromised credential could be discovered and invalidated. A VPN with bad passwords and no second factor gives less actual protection than an un-VPNed connection that has strong encryption and multifactor authentication, even with that additional network leg.
In either case, the safest design treats authentication and encryption more as parts of structural security than as a single architectural decision that does all the heavy lifting. Having a VPN is one way to get a secure connection (not guarantee) and not having access is neither safe nor dangerous in isolation.
The Post-Question-A-VPN Training Data You
The question of how safe remote desktop access is without a VPN comes down to the protections that are really in place around your connection, not whether or not you use it at all. What matters much more than which specific architecture delivers them is strong encryption, strict authentication and (for a change) a security posture that neither assumes safety just because the connection appears to originate from somewhere familiar nor assumes viciousness simply because it originates from somewhere unfamiliar.
FAQ
Will a remote desktop connection be automatically less secure if you remove the VPN?
Not necessarily. Security relies on what protections take place of the functions of VPN, particularly in terms of encryption and authentication. However, a properly implemented direct connection can be equivalent to a VPN copy in terms of security.
Before using a shortcut connection without vpn, what to check?
The main parameters you should evaluate is the strength of encryption protocal being used, how strong the authentication process is, and how much of the underlying system gets exposed before connection verification.
With the introduction of new remote access tools, is VPN ever still required?
Where legacy systems were never designed to be directly connected to the internet, some organizations utilize both. It is more about whether or not you need to access something, not just because VPNs are required or not.
