Once essential for securing remote workers, VPNs were designed to provide secure access to corporate data and systems for a small percentage of the workforce, while the majority worked within the confines of traditional business offices.
The shift to mass remote working brought about by COVID-19 in early 2020 has dramatically changed things. Since then, it has become the norm for a large number of employees to work from home on a regular basis, with many coming to the office only sporadically (if at all).
VPNs are insufficient for the remote working and hybrid landscape, and over-reliance on them to secure large numbers of employees working from home poses significant risks.
“Originally, VPNs helped companies manage a few employees or third-party contractors who needed remote access to certain systems while working remotely,” says Joseph Carson, chief security officer and advisory CISO at ThycoticCentrify. He adds that this has also resulted in negative impacts on employee productivity and user experience, while increasing friction.
“The use of VPNs on such a large scale could never have been predicted, and it has created a security nightmare for IT teams by expanding the surface area for potential attacks,” says Matthew Gracey-McMinn, head of threat research at Netacea.
“With the COVID-19 pandemic, most companies have been forced to adapt quickly to a full remote working environment, and some of them have done so in an insecure manner, by simply deploying generic VPN solutions to allow their employees to access the same systems from their homes and blindly trusting their devices,” says Felipe Duarte, security researcher at Appgate.
With remote and hybrid working set to be the norm for the foreseeable future, it is critical that organizations not only recognize the shortcomings and risks of VPNs in the remote working age, but also understand how alternative options can best secure the future of remote and hybrid work.
Disadvantages of VPNs for remote working
Because VPNs typically extend an organization’s network, if the network the user is on is not secure, an attacker has greater potential to exploit it, says Sean Wright, head of application security at Immersive Labs. “Home networks have more security vulnerabilities, which increases this risk,” he adds.
Dominic Grunden, CISO of Wave Money, points out another shortcoming: the fact that VPNs only provide encryption of traffic passing between two points, requiring a complete stand-alone security stack to be deployed at one end of each VPN connection for traffic inspection. “This is a requirement that becomes increasingly difficult to meet as corporate resources are increasingly hosted in the cloud and accessed by remote workers. VPNs also don’t provide a way to secure third-party access, which is perhaps the weakest link in the attack.”
Gracey-McMinn says that most VPNs offer minimal security beyond traffic encryption and often don’t enforce the use of multi-factor authentication (MFA). “If a staff member’s computer was compromised while working from home, it could allow a malicious actor to gain access to a company’s network through the VPN using the staff member’s credentials, which would grant them full trusted access – an activity less likely to be detected by a security team due to not having a full security stack layer while working from home.”
This was observed during the recent Colonial Pipeline ransomware attack, explains Duarte. “In this case, the attackers gained access to the internal network simply by using compromised username and password credentials for an unsecured VPN device.” He also notes cases of attackers targeting and exploiting known vulnerabilities in the VPN appliance itself. “More recently, we observed the exploitation of CVE-2021-20016 (affecting SonicWall SSLVPN) by the cybercrime group DarkSide, as well as CVE-2021-22893 (affecting Pulse Secure VPN) exploited by more than 12 different malware strains.”
Another big problem is that of devices that are infected with malware and not patched. “This scenario is generally related to human-directed malware, such as botnets, backdoors and RATs [remote access Trojans],” says Duarte. “The attacker creates a remote connection with the device, and once the VPN is connected, the malware can impersonate the user, gain access to all systems to which they have access and spread through the internal network.”
Wright agrees, adding that devices will only be secure enough if they are actively updated. “You can have the most secure VPN connection in the world, but if the device is not patched enough, it will pose a risk to your organization, and the VPN connection will make little difference.”
VPNs also have significant drawbacks from a usability and productivity standpoint, Grunden explains. “A common complaint about VPNs is how they reduce network speed, because VPNs redirect requests through a different server. So it is inevitable that the connection speed will not stay the same due to the increased network latency. In addition to this, other performance issues sometimes arise from the use of kill switches and DHCP.” “The security provided by VPNs, while necessary, often comes with undue complexity, especially for organizations using corporate VPNs,” he adds.
Secure alternatives to VPNs for remote working
Whether it’s completely replacing VPNs or supplementing them with other options, organizations need to recognize and implement alternative security methods better suited to protecting mass remote work. Which and how many of these strategies a business can explore will depend on several factors, such as its security posture and risk appetite. However, security experts agree that the following are the most likely to be universally effective for businesses.
1. Zero trust network access
Zero trust network access (ZTNA) is essentially brokered access to applications and data on the network. Users and devices are interrogated and verified before access is granted. “What you need to do is adopt a zero trust mindset, always assuming that a device or employee account could be compromised,” says Duarte.
Grunden explains that “zero trust methods are able to perform the basic capabilities of a VPN, such as granting access to certain systems and networks, but with an additional layer of security in the form of least-privilege access (down to specific applications), identity authentication, employment verification, and credential storage.”
As a result, if an attacker succeeds in infecting a system, the damage is limited to what that system has access to, Duarte explains. “In addition, be sure to implement network monitoring solutions to detect suspicious behavior, such as an infected machine performing a port scan, so that you can automatically generate an alert and shut down the infected system,” he adds.
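The detection Duarte describes, an infected machine sweeping ports on an internal host, is easy to express as a rule over connection records. The following Python block is an added example, not code from the article or from any product it mentions; it assumes a constructed, simplified flow-record format of `<timestamp> <src_ip> <dst_ip> <dst_port> <tcp_flags>` (the sample lines are made up for the example) and flags a source that opens connections to many distinct ports on one destination inside a short window. The `isolation_actions` function stands in for whatever NAC or EDR call would actually quarantine the host.

```python
"""Flag port-scan behaviour in flow-style records and propose a response.

Added example, not from the article. The record format and the sample
traffic below are constructed for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.5 probes 12 ports on 10.0.1.20 within seconds,
# while 10.0.0.7 and 10.0.0.9 make ordinary single connections.
SCAN_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080]
SAMPLE_FLOWS = "\n".join(
    [f"2021-11-01T09:00:{i:02d} 10.0.0.5 10.0.1.20 {p} S"
     for i, p in enumerate(SCAN_PORTS)]
    + [
        "2021-11-01T09:00:02 10.0.0.7 10.0.1.30 443 S",
        "2021-11-01T09:00:02 10.0.1.30 10.0.0.7 443 SA",
        "2021-11-01T09:00:03 10.0.0.7 10.0.1.30 443 A",
        "2021-11-01T09:00:04 10.0.0.9 10.0.1.20 22 S",
    ]
)


def parse_flows(text):
    """Parse one record per line; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, flags = parts
        records.append((datetime.fromisoformat(ts), src, dst, int(port), flags))
    return records


def detect_port_scans(records, threshold=10, window=timedelta(seconds=30)):
    """Return {(src, dst): sorted_ports} for every source that sent initial
    SYNs to at least `threshold` distinct ports on one host within `window`.

    Only pure SYNs count: SYN-ACKs and established traffic are replies or
    payload, not probes, so they are ignored."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, flags in records:
        if "S" in flags and "A" not in flags:
            by_pair[(src, dst)].append((ts, port))

    alerts = {}
    for pair, events in by_pair.items():
        events.sort()
        left = 0
        for right in range(len(events)):
            # Slide the window so events[left..right] spans at most `window`.
            while events[right][0] - events[left][0] > window:
                left += 1
            ports = {p for _, p in events[left:right + 1]}
            # Keep the widest qualifying port set seen for this pair.
            if len(ports) >= threshold and len(ports) > len(alerts.get(pair, ())):
                alerts[pair] = sorted(ports)
    return alerts


def isolation_actions(alerts):
    """Turn alerts into the response steps an automated playbook would take.
    The action strings are placeholders for real NAC/EDR quarantine calls."""
    actions = []
    for (src, dst), ports in sorted(alerts.items()):
        actions.append(
            f"isolate {src}: {len(ports)} distinct ports probed on {dst} "
            f"(first {', '.join(map(str, ports[:5]))}...)"
        )
    return actions


if __name__ == "__main__":
    found = detect_port_scans(parse_flows(SAMPLE_FLOWS))
    for action in isolation_actions(found):
        print(action)
```

The sliding window matters: a host that legitimately talks to a dozen services over a working day should not trip the rule, while the same dozen connections compressed into seconds should. Tune `threshold` and `window` against your own baseline before wiring the output to an automatic quarantine.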
2. Secure access service edge (SASE)
With a ZTNA model, according to Gracey-McMinn, every user and device is checked and verified before being allowed access, not only at the network level but also at the application level. However, zero trust is only part of the solution and cannot monitor all traffic from one endpoint to another, he adds. “SASE [secure access service edge] solves this problem. As a cloud-based model, SASE combines network and security functions into a single architectural service, allowing a business to unify its network at a single point from a single screen.”
Grunden says SASE is a modern solution designed to meet the performance and security needs of today’s organizations, offering simplified management and operation, reduced costs, and increased visibility and security through additional layers of network functionality as well as the underlying cloud-native security architecture. “Ultimately, SASE gives IT teams as well as the entire workforce of an organization the flexibility to operate securely in the new normal of this work-anywhere, cyber-everywhere, COVID world,” he says.
3. Software-defined perimeter
Often implemented as part of broader zero trust strategies, a software-defined perimeter (SDP) is a network boundary based on software rather than hardware, and it effectively replaces traditional VPN solutions, says Duarte. “This not only allows you to use multi-factor authentication and segment your network, but you can also profile the user and device that connects and create rules to allow access only to what they really need, according to different scenarios.”
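Both the zero trust description above (least-privilege access down to specific applications, identity authentication, device verification) and the SDP rules Duarte describes come down to a per-request policy decision that takes more than a password into account. The Python block below is an added example, not code from the article or from any vendor it names; the application names, groups and policy fields are assumptions made for the example. It shows why the scenarios in the first half of the article (a stolen password without MFA, an unpatched or unmanaged device, a contractor) are denied at the application level rather than being handed network-wide trust the way a VPN login would.

```python
"""Per-application access decisions in the style of ZTNA / SDP.

Added example, not from the article. Application names, groups and the
policy schema are invented for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    """Everything the policy engine knows about one access attempt."""
    user: str
    groups: frozenset
    app: str
    mfa_verified: bool
    device_managed: bool
    device_patched: bool


@dataclass(frozen=True)
class AppPolicy:
    """Conditions a request must meet to reach one application."""
    allowed_groups: frozenset
    require_mfa: bool = True
    require_managed_device: bool = True
    require_patched_device: bool = True


# Assumed policy set: payroll is the most sensitive, the wiki is open to
# contractors on their own (unmanaged) devices as long as MFA is present.
POLICIES = {
    "payroll": AppPolicy(frozenset({"finance"})),
    "ticketing": AppPolicy(frozenset({"staff"})),
    "wiki": AppPolicy(frozenset({"staff", "contractors"}),
                      require_managed_device=False,
                      require_patched_device=False),
}


def evaluate(req, policies=POLICIES):
    """Return (allowed, reasons). Every failing condition is collected so the
    denial is explainable in an audit log; unknown apps are denied by default."""
    policy = policies.get(req.app)
    if policy is None:
        return False, ["no policy for application (default deny)"]
    reasons = []
    if not (req.groups & policy.allowed_groups):
        reasons.append("user not in an allowed group")
    if policy.require_mfa and not req.mfa_verified:
        reasons.append("MFA not verified")
    if policy.require_managed_device and not req.device_managed:
        reasons.append("device not managed")
    if policy.require_patched_device and not req.device_patched:
        reasons.append("device missing patches")
    return (not reasons), reasons


def accessible_apps(user, groups, mfa_verified, device_managed, device_patched,
                    policies=POLICIES):
    """List only the applications this session may reach: the SDP view of the
    network, as opposed to a VPN that exposes every routable host."""
    return sorted(
        app for app in policies
        if evaluate(AccessRequest(user, frozenset(groups), app, mfa_verified,
                                  device_managed, device_patched), policies)[0]
    )


if __name__ == "__main__":
    # Constructed scenario: a valid finance password reused by an attacker
    # from an unmanaged, unpatched machine with no second factor.
    stolen = AccessRequest("alice", frozenset({"staff", "finance"}), "payroll",
                           mfa_verified=False, device_managed=False,
                           device_patched=False)
    print(evaluate(stolen))
    print(accessible_apps("bob", {"contractors"}, True, False, False))
```

The point of returning every failed condition, not just the first, is operational: a security team triaging denials can tell a mistyped group membership apart from a credential being replayed from a machine that has never enrolled.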