Once the staple for securing employees working remotely, VPNs were designed to provide secure access to corporate data and systems for a small percentage of a workforce while the majority worked within traditional office confines.
The move to mass remote working brought about by COVID-19 in early 2020 changed things dramatically. Since then, it has become the norm for large numbers of employees to regularly work from home, with many only going to the office sporadically (if at all).
VPNs are insufficient for the remote working and hybrid landscape, and an over-reliance on them to secure large numbers of employees working from home poses significant risks.
“VPNs originally helped companies manage a few employees or third-party contractors who needed remote access to certain systems while working remotely,” Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify, says. He adds that stretching them to cover whole workforces has also hurt employee productivity and user experience, all adding to increased friction.
“Using VPNs at such a large scale could never have been predicted, and it has created a security nightmare for IT teams as it widened the surface area for potential attacks,” says Netacea’s head of threat research Matthew Gracey-McMinn.
“With the COVID-19 pandemic, most companies were forced to quickly adapt to a full remote work environment, and some of those did insecurely, just deploying generic VPN solutions to enable their employees to access the same systems from their homes and blindly trusting their devices,” says Appgate security researcher Felipe Duarte.
With remote and hybrid working set to be the norm for the foreseeable future, it is vital that organisations not only recognise the shortcomings and risks of VPNs in the remote working era but also understand how alternative options can better secure the future of remote and hybrid working.
Shortcomings of VPNs for remote working
Because VPNs typically extend an organisation’s network, if the network that the user is on is insecure, there is greater potential for an attacker to leverage it, says Sean Wright, application security lead at Immersive Labs. “Home networks have more security vulnerabilities, making this risk heightened,” he adds.
Dominic Grunden, CISO at Wave Money, points to another shortcoming: the fact that VPNs only provide encryption for traffic passing between two points, requiring a standalone full security stack that must be deployed at one end of every VPN connection for traffic inspection.
“This is a requirement that grows increasingly difficult to meet when enterprise resources are increasingly hosted in the cloud and accessed by remote workers. VPNs also don’t provide an avenue to secure third-party access, which is perhaps the weakest attack link.”
Gracey-McMinn says most VPNs provide minimal security with traffic encryption and often do not enforce the use of multi-factor authentication (MFA).
“If a member of staff’s computer has been compromised while working at home, this could lead to a malicious actor gaining access to a company’s network via the VPN using staff credentials, which would grant them full trusted access, activity less likely to be detected by a security team due to not having a full security stack layer while working from home.”
This was observed in the recent Colonial Pipeline ransomware attack, says Duarte. “In that case, the attackers got access to the internal network just by using compromised username and password credentials for an insecure VPN appliance.” He also notes instances of attackers targeting and exploiting known VPN appliance vulnerabilities.
“Most recently, we observed the exploitation of CVE-2021-20016 (affecting SonicWall SSLVPN) by the cybercrime group DarkSide, and also CVE-2021-22893 (affecting Pulse Secure VPN) exploited by more than 12 different malware strains.”
Another significant issue is that of malware-infected and unpatched devices. “This scenario is generally related to human-driven malware, like botnets, backdoors, and RATs [remote access Trojans],” says Duarte. “The attacker creates a remote connection with the device, and after the VPN is connected, the malware can impersonate the user, accessing all the systems it has access to and spreading through the internal network.”
Wright agrees, adding that devices are only going to be sufficiently secure if they are actively updated. “You can have the world’s most secure VPN connection, but if the device is not sufficiently patched it will represent a risk to your organisation, and the VPN connection will make little difference.”
VPNs also have significant drawbacks from a usability and productivity standpoint, says Grunden. “A common complaint about VPNs is how they reduce network speed because VPNs reroute requests through a different server, and so it is inevitable that the connection speed would not remain the same due to increased network latency.”
Besides that, other performance issues sometimes arise relating to the use of kill switches and DHCP. “The security provided by VPNs, while being necessary, often comes with undue complexity, particularly for organisations using enterprise VPNs,” he adds.
Secure alternatives to VPNs for remote working
Whether it’s replacing VPNs altogether or supplementing them with other options, organisations must recognise and implement alternative security methods better suited to protecting mass remote working. Which and how many of these strategies a business explores will vary depending on several factors, such as its security posture and risk appetite. However, security experts agree that the following are the most likely to be effective across the widest range of companies.
1. Zero trust network access
Zero-trust network access (ZTNA) is essentially brokered access to applications and data on the network. Users and devices are challenged and confirmed before access is granted. “What you must do is adopt a zero-trust mindset, always assuming a device or an employee account might be compromised,” says Duarte.
Grunden explains that “zero-trust methods are able to perform the basic capabilities of a VPN, such as granting access to certain systems and networks, but with an added layer of security in the form of least-privileged access (down to the specific applications), identity authentication, employment verification, and credential storage.”
As a result, if an attacker succeeds in infecting a system, the damage is limited to only what this system has access to, Duarte says. “Also, be sure to implement network monitoring solutions to detect suspicious behavior, like an infected machine doing a port scan, so you can automatically generate an alert and shutdown the infected system,” he adds.
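The monitoring Duarte describes, flagging an infected machine that starts port-scanning the internal network, comes down to spotting a single source fanning out to many distinct destination ports in a short window. The script below is an added example written for this article, not code from any of the vendors quoted; the flow records are constructed sample data, and the response actions are returned as a plain structure rather than sent to any real firewall or SOAR API.

```python
"""Sliding-window port-scan detector over flow records, with a containment
action list for each flagged host. Added example; the flows are constructed."""
from collections import Counter, defaultdict
from datetime import datetime

# Thirty service ports a scanner would typically sweep (constructed list).
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 465, 587, 993,
              995, 1433, 1521, 2049, 3306, 3389, 5432, 5900, 5985, 6379, 8000, 8080,
              8443, 9200, 27017]

# Constructed flow log: (timestamp, src_ip, dst_ip, dst_port).
# 10.20.1.15 is a normal workstation; 10.20.1.42 is an infected host sweeping
# three servers across 30 ports in about 15 seconds.
SAMPLE_FLOWS = [
    ("2021-06-01T09:00:00", "10.20.1.15", "10.20.5.10", 443),
    ("2021-06-01T09:00:07", "10.20.1.15", "10.20.5.10", 443),
    ("2021-06-01T09:00:15", "10.20.1.15", "10.20.5.20", 445),
    ("2021-06-01T09:00:31", "10.20.1.15", "10.20.5.53", 53),
    ("2021-06-01T09:00:40", "10.20.1.15", "10.20.5.20", 445),
] + [
    ("2021-06-01T09:05:%02d" % (i // 2), "10.20.1.42", "10.20.5.%d" % (10 + i % 3), port)
    for i, port in enumerate(SCAN_PORTS)
]


def detect_port_scans(flows, window_seconds=60, port_threshold=20):
    """Return {src_ip: (distinct_ports, distinct_hosts)} for every source that
    touches at least port_threshold distinct destination ports inside any
    window_seconds-long sliding window. The tuple holds the peak values seen."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        by_src[src].append((datetime.fromisoformat(ts), dst, port))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        ports, hosts = Counter(), Counter()
        start = 0
        for t, dst, port in events:
            ports[port] += 1
            hosts[dst] += 1
            # Evict events that fell out of the window.
            while (t - events[start][0]).total_seconds() > window_seconds:
                _, old_dst, old_port = events[start]
                ports[old_port] -= 1
                if ports[old_port] == 0:
                    del ports[old_port]
                hosts[old_dst] -= 1
                if hosts[old_dst] == 0:
                    del hosts[old_dst]
                start += 1
            if len(ports) >= port_threshold:
                best = alerts.get(src)
                if best is None or len(ports) > best[0]:
                    alerts[src] = (len(ports), len(hosts))
    return alerts


def response_actions(alerts):
    """Turn detections into the two steps the text calls for: raise an alert
    and cut the host off. Returned as data for a playbook; nothing is invoked."""
    return [
        {"host": src, "distinct_ports": p, "distinct_hosts": h,
         "actions": ["alert", "isolate_host"]}
        for src, (p, h) in sorted(alerts.items())
    ]


if __name__ == "__main__":
    for action in response_actions(detect_port_scans(SAMPLE_FLOWS)):
        print(action)
```

The thresholds are deliberately conservative: a workstation legitimately talks to a handful of ports, so twenty distinct ports from one source inside a minute is a strong signal, and raising the threshold further simply trades sensitivity for fewer false positives.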
2. Secure access service edge (SASE)
With a ZTNA model, according to Gracey-McMinn, every user and device will be verified and checked before it is allowed access, not only at the network level but also at the application level. However, zero trust is only one part of fixing the problem and cannot monitor all traffic from one endpoint to the other, he adds. “SASE [secure access service edge] solves that issue. As a cloud-based model, SASE combines the network and security functions together as a single architecture service, which allows a company to unify their network at one singular point from one screen.”
Grunden says that SASE is a modern solution designed to meet the performance and security needs of today’s organisations, offering simplified management and operation, lower costs, and increased visibility and security with the extra layers of network functionality as well as underlying cloud-native security architecture. “Ultimately, SASE gives IT teams as well as an enterprise’s entire workforce the flexibility to function securely in the new normal of this work anywhere, cyber everywhere COVID world,” he says.
3. Software-defined perimeter
Often implemented within wider zero trust strategies, a software-defined perimeter (SDP) is a network boundary based on software instead of hardware, and is an effective replacement for classic VPN solutions, says Duarte. “This allows you to not only use multi-factor authentication and segment your network, but you can profile the user and the device connecting and create rules to enable access to only what it really needs according to different scenarios.”
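The difference between the VPN model and the brokered model described in the zero trust and software-defined perimeter sections above is easiest to see as a policy decision. The following is an added example written for this article, not code from Appgate or any other vendor quoted: the user directory, device inventory and application policies are constructed tables, and the field names are assumptions. A VPN grants the whole network on a password; the broker checks identity, MFA, device ownership and posture, and per-application entitlement, and returns a session to one application only.

```python
"""VPN-style versus zero-trust/SDP-style access decisions. Added example;
all directory, device and policy data below is constructed."""
from dataclasses import dataclass, replace


@dataclass
class AccessRequest:
    user: str
    password_ok: bool   # primary credential verified
    mfa_ok: bool        # second factor verified
    device_id: str      # identifier presented by the connecting device
    app: str            # application the user is asking for


# Constructed identity directory (hypothetical users and groups).
USERS = {
    "alice": {"groups": {"finance"}, "active": True},
    "bob":   {"groups": {"contractor-dev"}, "active": True},
    "carol": {"groups": {"finance"}, "active": False},   # left the company
}

# Constructed device inventory; patch_level is a YYYYMMDD build date.
DEVICES = {
    "lt-001":     {"owner": "alice", "managed": True,  "patch_level": 20210601, "edr_healthy": True},
    "lt-002":     {"owner": "bob",   "managed": True,  "patch_level": 20210301, "edr_healthy": True},
    "unknown-pc": {"owner": None,    "managed": False, "patch_level": 0,        "edr_healthy": False},
}
MIN_PATCH_LEVEL = 20210501

# Constructed per-application policy: who may reach it and on what kind of device.
APPS = {
    "erp":  {"groups": {"finance"},                   "require_managed_device": True},
    "git":  {"groups": {"contractor-dev", "finance"}, "require_managed_device": True},
    "wiki": {"groups": {"finance", "contractor-dev"}, "require_managed_device": False},
}


def vpn_decision(req):
    """Classic VPN: a valid password opens a tunnel onto the whole network."""
    return "network" if req.password_ok else "deny"


def ztna_decision(req):
    """Broker: ('allow'|'deny', reason) for exactly one application."""
    user = USERS.get(req.user)
    if user is None or not user["active"]:
        return "deny", "unknown or deprovisioned user"
    if not (req.password_ok and req.mfa_ok):
        return "deny", "credential or MFA check failed"
    app = APPS.get(req.app)
    if app is None:
        return "deny", "unknown application"
    if not user["groups"] & app["groups"]:
        return "deny", "user not entitled to this application"
    if app["require_managed_device"]:
        device = DEVICES.get(req.device_id)
        if device is None or not device["managed"] or device["owner"] != req.user:
            return "deny", "unmanaged or unassigned device"
        if device["patch_level"] < MIN_PATCH_LEVEL or not device["edr_healthy"]:
            return "deny", "device posture below policy"
    return "allow", "brokered session to %s only" % req.app


def reachable_apps(req):
    """Blast radius under the broker: the applications this request could reach."""
    return [name for name in sorted(APPS)
            if ztna_decision(replace(req, app=name))[0] == "allow"]


if __name__ == "__main__":
    stolen = AccessRequest("alice", True, False, "unknown-pc", "erp")
    print("VPN with stolen password:", vpn_decision(stolen))
    print("Broker with stolen password:", ztna_decision(stolen))
    print("Bob on an unpatched laptop reaches:", reachable_apps(
        AccessRequest("bob", True, True, "lt-002", "wiki")))
```

Two behaviours are worth noting. Stolen credentials alone, the Colonial Pipeline scenario from earlier in the article, get `network` from the VPN path and a denial from the broker because there is no second factor and the device is unknown. Bob's laptop is managed but below the patch baseline, so he is still allowed the wiki, which the policy lets him reach from any device, but not the source repository; the posture check limits the damage an infected device can do rather than switching all access off.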