Once the staple for securing employees working remotely, VPNs were designed to provide secure access to corporate data and systems for a small percentage of a workforce while the majority worked within traditional office confines. The move to mass remote working brought about by COVID-19 in early 2020 changed things dramatically. Since then, it has become the norm for large numbers of employees to regularly work from home, with many only going to the office sporadically (if at all).
VPNs are insufficient for the remote working and hybrid landscape, and an overreliance on them to secure large numbers of employees working from home poses significant risks. “VPNs originally helped companies manage a few employees or third-party contractors who needed remote access to certain systems while working remotely,” Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify, tells CSO. He adds that it has also led to negative impacts on employee productivity and user experience, all adding to increased friction.
“Using VPNs at such a large scale could never have been predicted, and it has created a security nightmare for IT teams as it widened the surface area for potential attacks,” says Netacea’s head of threat research Matthew Gracey-McMinn.
“With the COVID-19 pandemic, most companies were forced to quickly adapt to a full remote work environment, and some of those did so insecurely, just deploying generic VPN solutions to enable their employees to access the same systems from their homes and blindly trusting their devices,” says Appgate security researcher Felipe Duarte.
With remote and hybrid working set to be the norm for the foreseeable future, it’s vital that organizations not only recognize the shortcomings and risks of VPNs in the remote working era but also understand how alternative options can better secure the future of remote and hybrid working.
[Editor’s note: This article, originally published on October 11, 2021, has been updated with information on VPN-less remote connection products.]
Shortcomings of VPNs for remote working
Because VPNs usually extend an organization’s network, if the network that the user is on is insecure, there’s greater potential for an attacker to leverage it, says Sean Wright, application security lead at Immersive Labs. “Home networks have more security vulnerabilities, making this risk heightened,” he adds.
Wave Money CISO Dominic Grunden points to another shortcoming: the fact that VPNs only provide encryption for traffic passing between two points, requiring a standalone full security stack that must be deployed at one end of every VPN connection for traffic inspection. “This is a requirement that grows increasingly difficult to meet when enterprise resources are increasingly hosted in the cloud and accessed by remote workers. VPNs also don’t provide an avenue to secure third-party access, which is perhaps the weakest attack link.”
Gracey-McMinn says most VPNs provide minimal security with traffic encryption and often don’t enforce the use of multi-factor authentication (MFA). “If a member of staff’s computer has been compromised while working at home, this could lead to a malicious actor gaining access to a company’s network through the VPN using staff credentials, which would grant them full trusted access—activity less likely to be detected by a security team due to not having a full security stack layer while working from home.”
This was observed in the recent Colonial Pipeline ransomware attack, says Duarte. “In that case, the attackers got access to the internal network just by using compromised username and password credentials for an insecure VPN appliance.” He also notes instances of attackers targeting and exploiting known VPN appliance vulnerabilities. “Most recently, we observed the exploitation of CVE-2021-20016 (affecting SonicWall SSLVPN) by the cybercrime group DarkSide, and also CVE-2021-22893 (affecting Pulse Secure VPN) exploited by more than 12 different malware strains.”
Another significant issue is that of malware-infected and unpatched devices. “This scenario is generally related to human-driven malware, like botnets, backdoors, and RATs [remote access Trojans],” says Duarte. “The attacker creates a remote connection with the device, and after the VPN is connected, the malware can impersonate the user, accessing all the systems it has access to and spreading through the internal network.”
Wright agrees, adding that devices are only going to be sufficiently secure if they are actively updated. “You can have the world’s most secure VPN connection, but if the device is not sufficiently patched it will represent a risk to your organization, and the VPN connection will make little difference.”
VPNs also have significant drawbacks from a usability and productivity standpoint, says Grunden. “A common complaint about VPNs is how they reduce network speed because VPNs reroute requests through a different server, and so it’s inevitable that the connection speed wouldn’t remain the same due to increased network latency.” Besides that, other performance issues typically arise relating to the use of kill switches and DHCP. “The security provided by VPNs, while being necessary, typically comes with undue complexity, particularly for organizations using enterprise VPNs,” he adds.