Once the staple for securing employees working remotely, VPNs were designed to provide secure access to corporate data and systems for a small percentage of a workforce while the majority worked within traditional office confines. The move to mass remote working brought about by COVID-19 in early 2020 changed things dramatically. Since then, it has become the norm for large numbers of employees to regularly work from home, with many only going to the office sporadically (if at all).
VPNs are insufficient for the remote working and hybrid landscape, and an overreliance on them to secure large numbers of employees working from home poses significant risks. “VPNs originally helped companies manage a few employees or third-party contractors who needed remote access to certain systems while working remotely,” Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify, tells CSO. He adds that it has also led to negative impacts on employee productivity and user experience, all adding to increased friction.
“Using VPNs at such a large scale could never have been predicted, and it has created a security nightmare for IT teams as it widened the surface area for potential attacks,” says Netacea’s head of threat research Matthew Gracey-McMinn.
“With the COVID-19 pandemic, most companies were forced to quickly adapt to a full remote work environment, and some of those did insecurely, just deploying generic VPN solutions to enable their employees to access the same systems from their homes and blindly trusting their devices,” says Appgate security researcher Felipe Duarte.
With remote and hybrid working set to be the norm for the foreseeable future, it is vital that organizations not only recognize the shortcomings and risks of VPNs in the remote working era but also understand how alternative options can better secure the future of remote and hybrid working.
Shortcomings of VPNs for remote working
Because VPNs typically extend an organization’s network, if the network that the user is on is insecure, there is greater potential for an attacker to leverage it, says Sean Wright, application security lead at Immersive Labs. “Home networks have more security vulnerabilities, making this risk heightened,” he adds.
Dominic Grunden, CISO at Wave Money, points to another shortcoming: the fact that VPNs only provide encryption for traffic passing between two points, requiring a standalone full security stack that must be deployed at one end of every VPN connection for traffic inspection. “This is a requirement that grows increasingly difficult to meet when enterprise resources are increasingly hosted in the cloud and accessed by remote workers. VPNs also don’t provide an avenue to secure third-party access, which is perhaps the weakest attack link.”
Gracey-McMinn says most VPNs provide minimal security with traffic encryption and often do not enforce the use of multi-factor authentication (MFA). “If a member of staff’s computer has been compromised while working at home, this could lead to a malicious actor gaining access to a company’s network via the VPN using staff credentials, which would grant them full trusted access—activity less likely to be detected by a security team due to not having a full security stack layer while working from home.”
This was observed in the recent Colonial Pipeline ransomware attack, says Duarte. “In that case, the attackers got access to the internal network just by using compromised username and password credentials for an insecure VPN appliance.” He also notes instances of attackers targeting and exploiting known VPN appliance vulnerabilities. “Most recently, we observed the exploitation of CVE-2021-20016 (affecting SonicWall SSLVPN) by the cybercrime group DarkSide, and also CVE-2021-22893 (affecting Pulse Secure VPN) exploited by more than 12 different malware strains.”
Another significant issue is that of malware-infected and unpatched devices. “This scenario is generally related to human-driven malware, like botnets, backdoors, and RATs [remote access Trojans],” says Duarte. “The attacker creates a remote connection with the device, and after the VPN is connected, the malware can impersonate the user, accessing all the systems it has access to and spreading through the internal network.”
Wright agrees, adding that devices are only going to be sufficiently secure if they are actively updated. “You can have the world’s most secure VPN connection, but if the device is not sufficiently patched it will represent a risk to your organization, and the VPN connection will make little difference.”
VPNs also have significant drawbacks from a usability and productivity standpoint, says Grunden. “A common complaint about VPNs is how they reduce network speed because VPNs reroute requests through a different server, and so it is inevitable that the connection speed would not remain the same due to increased network latency.” Besides that, other performance issues sometimes arise relating to the use of kill switches and DHCP. “The security provided by VPNs, while being necessary, often comes with undue complexity, particularly for organizations using enterprise VPNs,” he adds.
Secure alternatives to VPNs for remote working
Whether it’s replacing VPNs altogether or supplementing them with other options, organizations must recognize and implement alternative security methods better suited to protecting mass remote working. Which and how many of these strategies a business explores will vary depending on several factors, such as security posture and risk appetite. However, security experts agree that the following are likely to be the most universally effective for companies.
1. Zero trust network access
Zero-trust network access (ZTNA) is essentially brokered access to applications and data on the network. Users and devices are challenged and confirmed before access is granted. “What you must do is adopt a zero-trust mindset, always assuming a device or an employee account might be compromised,” says Duarte.
Grunden explains that “zero-trust methods are able to perform the basic capabilities of a VPN, such as granting access to certain systems and networks, but with an added layer of security in the form of least-privileged access (down to the specific applications), identity authentication, employment verification, and credential storage.”
As a result, if an attacker succeeds in infecting a system, the damage is limited to only what this system has access to, Duarte says. “Also, be sure to implement network monitoring solutions to detect suspicious behavior, like an infected machine doing a port scan, so you can automatically generate an alert and shut down the infected system,” he adds.
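The detection Duarte describes, an infected machine sweeping ports on the internal network, is easy to spot in connection logs once you look per source host rather than per connection. The script below is an added example written for this article, not code from any vendor or expert quoted here: it parses constructed firewall-style connection records, counts distinct destination ports each source hits on a single destination inside a sliding time window, raises an alert when the count crosses a threshold, and emits the isolation action a zero-trust broker or endpoint manager could act on. The log format, IP addresses, window and threshold are all assumptions chosen for illustration.

```python
"""Port-scan detection over simple connection logs (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Format per line: "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <action>"
# 10.20.5.17 is a normal workstation; 10.20.5.42 plays the infected host sweeping
# ports 20-49 on an internal server within a couple of seconds.
BENIGN_LINES = [
    "2021-06-01T09:00:01 10.20.5.17 10.20.1.10 443 ALLOW",
    "2021-06-01T09:00:02 10.20.5.17 10.20.1.10 443 ALLOW",
    "2021-06-01T09:00:03 10.20.5.17 10.20.1.10 80 ALLOW",
    "2021-06-01T09:00:09 10.20.5.17 10.20.1.10 8443 ALLOW",
]
SCAN_LINES = [
    f"2021-06-01T09:00:{5 + i // 10:02d} 10.20.5.42 10.20.1.22 {port} DENY"
    for i, port in enumerate(range(20, 50))
]
SAMPLE_LOG = BENIGN_LINES + SCAN_LINES


def parse_line(line):
    """Split one constructed log record into typed fields."""
    ts, src, dst, port, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "port": int(port), "action": action}


def detect_port_scans(lines, window=timedelta(seconds=10), threshold=20):
    """Return one alert per (src, dst) pair whose distinct-port count within any
    `window` reaches `threshold`. Denied and allowed attempts both count: a scan
    that mostly hits closed ports still reveals itself by breadth, not success."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append((e["ts"], e["port"]))

    alerts = []
    for (src, dst), attempts in by_pair.items():
        best, best_start, start = 0, None, 0
        for end in range(len(attempts)):
            # advance the window start until it spans at most `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            distinct = len({p for _, p in attempts[start:end + 1]})
            if distinct > best:
                best, best_start = distinct, attempts[start][0]
        if best >= threshold:
            alerts.append({"src": src, "dst": dst, "distinct_ports": best,
                           "window_start": best_start.isoformat()})
    return alerts


def plan_response(alerts):
    """Turn alerts into the containment actions a broker could automate: isolate the
    scanning host (revoke its brokered sessions) and notify the SOC with context."""
    actions = []
    for a in alerts:
        actions.append({"action": "isolate_host", "host": a["src"],
                        "reason": f"{a['distinct_ports']} distinct ports on {a['dst']} "
                                  f"within one window starting {a['window_start']}"})
    return actions


if __name__ == "__main__":
    found = detect_port_scans(SAMPLE_LOG)
    for action in plan_response(found):
        print(action)
```

The benign host touches three ports over the same period and stays well under the threshold, which is the point of keying on distinct ports per window rather than on connection count; tune the window and threshold to your own baseline before wiring the isolation step to anything automatic.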
2. Secure access service edge (SASE)
With a ZTNA model, according to Gracey-McMinn, every user and device will be verified and checked before it is allowed access, not only at the network level but also at the application level. However, zero trust is only one part of fixing the problem and cannot monitor all traffic from one endpoint to the other, he adds. “SASE [secure access service edge] solves that issue. As a cloud-based model, SASE combines the network and security functions together as a single architecture service, which allows a company to unify their network at one singular point from one screen.”
Grunden says that SASE is a modern solution designed to meet the performance and security needs of today’s organizations, offering simplified management and operation, lower costs, and increased visibility and security with the extra layers of network functionality as well as underlying cloud-native security architecture. “Ultimately, SASE gives IT teams as well as an enterprise’s entire workforce the flexibility to function securely in the new normal of this work anywhere, cyber everywhere COVID world,” he says.
3. Software-defined perimeter
Often implemented within wider zero trust strategies, a software-defined perimeter (SDP) is a network boundary based on software instead of hardware, and is an effective replacement for classic VPN solutions, says Duarte. “This allows you to not only use multi-factor authentication and segment your network, but you can profile the user and the device connecting and create rules to enable access to only what it really needs according to different scenarios.”
SDP also makes it easier for you to block access to resources once a suspicious behavior is detected in your network, effectively isolating potential threats, minimizing the damage caused in an attack, and maintaining productivity in case of a false positive, instead of fully disabling the device and making a user unable to do any meaningful work, Duarte adds.
4. Software-defined wide area networks
VPNs depend on a router-centric model to distribute the control function across the network, where routers route traffic based on the IP addresses and access-control lists (ACLs). Software-defined wide area networks (SD-WANs), however, rely on a software and centralized control function that can steer traffic across the WAN in a smarter way by handling the traffic based on priority, security, and quality of service requirements as per the organization’s needs, Grunden says.
“SD-WAN products are designed to replace the traditional physical routers with virtualized software that can control application-level policies and offer a network overlay. Additionally, SD-WAN can automate the ongoing configuration of WAN edge routers and run traffic over a hybrid of public broadband and private MPLS links,” Grunden says. This creates an enterprise edge-level network with lower costs, less complexity, more flexibility, and better security.
5. Identity and access management and privileged access management
Solutions that incorporate a comprehensive verification process to confirm the validity of login attempts provide greater protections compared to traditional VPNs, which normally only require a password. “A security feature of IAM [identity and access management] is that session activity and access privileges are connected to the individual user, so network managers can be sure each user has authorized access and can track each network session,” says Grunden. “IAM solutions also often provide additional levels of access so that users can only access the resources they are authorized to use.”
While this VPN alternative or paired option manages identity protocols allowing for more granular activity monitoring, it does not provide additional protections for privileged credentials. To securely manage the credentials for privileged accounts, privileged access management (PAM) is needed, Grunden adds. “If identity management establishes the identity of individual users and authorizes them, PAM tools focus on managing privileged credentials that access critical systems and applications with a higher level of care and scrutiny.”
Such high-level accounts must be managed and monitored closely, as they present the largest risk to security and are heavy targets for bad actors because of the administrative capabilities they allow. “The key benefits of a PAM solution include advanced credential security like the frequent rotation of complex passwords, obfuscation of passwords, systems and data access control, and user activity monitoring,” says Grunden. “These features reduce the threat of unauthorized privileged credential use and make it easier for IT managers to spot suspicious or risky operations.”
6. Unified endpoint management tools
Unified endpoint management (UEM) tools can provide a VPN-less experience through conditional access capabilities, whereby an agent running on the device will evaluate various conditions before enabling a person to access a particular resource, says Andrew Hewitt, senior analyst at Forrester. “For example, the solution may evaluate device compliance, identity information, and user behavior to determine whether that person can indeed access enterprise data. Often, UEM providers will integrate with ZTNA providers for added protection.”
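ZTNA's brokered, least-privileged access, SDP's user-and-device profiling, and UEM's conditional access all reduce to the same decision: for this identity, on this device, is this one application reachable right now? The policy decision point below is an added example written for this article, not any vendor's engine or the experts' own code. It evaluates identity (MFA, entitlement, a behavioural risk score), device posture (managed, agent healthy, patch age) and a per-application policy, defaults to deny, and returns every failed check so a denial is auditable. The application names, thresholds and user and device records are constructed assumptions.

```python
"""Minimal zero-trust policy decision point (added example, constructed policy and data)."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Device:
    device_id: str
    managed: bool          # enrolled in endpoint management (UEM)
    os_patch_date: date    # last security patch applied
    agent_healthy: bool    # endpoint agent running and reporting posture


@dataclass
class Identity:
    user: str
    roles: frozenset
    mfa_verified: bool
    risk_score: int        # 0 (clean) .. 100 (likely compromised), from behaviour analytics


# Constructed per-application policy: which roles may reach it and what device state it needs.
# Stricter systems get tighter patch and risk limits; nothing outside this table is reachable.
APP_POLICY = {
    "payroll":  {"roles": {"finance"},          "max_patch_age_days": 14, "max_risk": 20},
    "wiki":     {"roles": {"staff", "finance"}, "max_patch_age_days": 30, "max_risk": 60},
    "prod-ssh": {"roles": {"sre"},              "max_patch_age_days": 7,  "max_risk": 10},
}


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)


def evaluate(identity, device, app, today):
    """Default deny: every condition must pass, and each failure is recorded."""
    policy = APP_POLICY.get(app)
    if policy is None:
        return Decision(False, [f"no policy for application '{app}'"])
    reasons = []
    if not identity.mfa_verified:
        reasons.append("MFA not verified")
    if not identity.roles & policy["roles"]:
        reasons.append(f"role not entitled to '{app}'")
    if identity.risk_score > policy["max_risk"]:
        reasons.append(f"identity risk {identity.risk_score} exceeds {policy['max_risk']}")
    if not device.managed:
        reasons.append("device not managed")
    if not device.agent_healthy:
        reasons.append("endpoint agent not reporting")
    patch_age = (today - device.os_patch_date).days
    if patch_age > policy["max_patch_age_days"]:
        reasons.append(f"device patch age {patch_age}d exceeds {policy['max_patch_age_days']}d")
    return Decision(not reasons, reasons)


def accessible_apps(identity, device, today):
    """The broker's view of a session: the applications it may reach, and nothing else.
    Contrast with a VPN, where a successful login exposes the whole network segment."""
    return sorted(app for app in APP_POLICY if evaluate(identity, device, app, today).allow)


# Constructed sample session data used by the demonstration below.
TODAY = date(2021, 6, 1)
ALICE = Identity("alice", frozenset({"finance", "staff"}), mfa_verified=True, risk_score=5)
ALICE_NO_MFA = Identity("alice", ALICE.roles, mfa_verified=False, risk_score=5)
ALICE_RISKY = Identity("alice", ALICE.roles, mfa_verified=True, risk_score=50)
COMPLIANT_LAPTOP = Device("L-001", managed=True, os_patch_date=date(2021, 5, 25), agent_healthy=True)
STALE_LAPTOP = Device("L-002", managed=True, os_patch_date=date(2021, 4, 1), agent_healthy=True)

if __name__ == "__main__":
    for who, dev in [(ALICE, COMPLIANT_LAPTOP), (ALICE, STALE_LAPTOP),
                     (ALICE_NO_MFA, COMPLIANT_LAPTOP), (ALICE_RISKY, COMPLIANT_LAPTOP)]:
        print(who.user, dev.device_id, accessible_apps(who, dev, TODAY))
        print("  payroll:", evaluate(who, dev, "payroll", TODAY))
```

Note how the same identity on an unpatched device loses access everywhere, which is the enforcement Wright's point about patching calls for, and how a raised risk score drops the sensitive application first while the low-risk one stays usable, the graceful degradation Duarte attributes to SDP rather than an all-or-nothing cut-off.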
7. Virtual desktop infrastructure or desktop-as-a-service
Virtual desktop infrastructure (VDI) or desktop-as-a-service solutions “essentially stream compute from the cloud (or from an on-prem server) so that nothing resides locally on the device,” explains Hewitt. Sometimes organizations will use this as an alternative to VPN, but there still need to be checks at the device level along with user authentication to secure the access, he adds. “The benefit of this, however, is that no data can be copied from the virtual session onto a local client, unlike traditional VPN.”
Copyright © 2021 IDG Communications, Inc.