The current crisis has accelerated the trend toward a new normal where remote work is the rule rather than the exception. VPNs have long been a trusted and popular solution for securing remote access to company resources and while they have been trusted and popular, they may not always be the best fit for supporting and securing today’s changing workforce.
The idea of a “full VPN”* for all is like only having a hammer in your toolbox – the multiple flavors of VPNs are essential to consider alongside other technologies when enhancing remote access. However the current ‘new normal’ shows the limits of traditional VPNs, making clear that a new approach for securing remote access is necessary.
When the doorbell rings and it’s the repairman coming to mend the electric cooker, careful homeowners will not simply hand over the house key saying: “the kitchen is the first door on the left, go ahead and help yourself,” and then leave. They will stay and keep an eye on the service technician to check that he’s doing his job, and they definitely won’t let him wander around the house unattended.
And yet, when it comes to enterprise security, this is exactly what is happening: a virtual private network (VPN), standard technology in many companies for giving remote users access to corporate resources, hands over the ‘keys to the castle’ – once users are logged in, a VPN lets them proceed without restraint. Also, in the current crisis, many VPN gateways struggle to perform under the load of additional home office users.
Having to route all traffic via the corporate data center adds considerable latency and hurts the quality of time-sensitive services like video conferencing. However, many mechanisms aimed at avoiding this effect make the VPN complex and expensive to manage.
The dangers of unsecured trust
While the keys-to-the-castle approach of VPNs has always been problematic, it is even more dangerous today. If you control and trust the whole network and VPN ecosystem from end-to-end, a full VPN is a solid option but if you do not control or can’t control the whole ecosystem, a full VPN introduces the risks of lack of visibility and control. Attackers can target a much larger attack area these days: when they manage to get a remote user’s credentials, or access to an unsecured home office device, a traditional VPN will give them a free pass to roam the company network. Here they can search for sensitive information and install malware such as data-exfiltration tools or backdoors for an easy return.
Trust involves more moving parts than just the VPN tunnel. Since that endpoint becomes a full participant in the network, there needs to be constant verification of proper security tools, such as firewalls, IDS/IPS, AV tools and others. This leads to management complexity which leads to risk with multiple tools to manage and maintain.
Obviously, there must be a better way. And in fact, there is: it’s called ‘zero-trust.’ This new security approach that adds a security mindset to IT architecture. Zero-trust follows the principle: never trust, always verify. No user or device is assumed to be trustworthy, no matter whether they access resources from inside or outside the network. For this, the first step is to know the users, ideally by applying multiple authentication methods like hardware tokens or soft-token apps.
Devices connecting to the network are inspected just as thoroughly, for example by checking ownership (company-owned, privately owned) or whether the patch level is up to date. At the same time, company data is protected by limiting access to the resources users actually need for their roles.
Today’s zero-trust solutions utilize machine learning (ML) to continuously monitor end-user and endpoint activities, comparing them to behavior patterns and company policies. This allows the security teams to quickly detect unusual activities indicating compromised accounts or insider threats. By providing alerts as soon as a suspicious activity is identified, zero-trust enables a fast and highly-targeted reaction. It significantly speeds up incident response and shortens the time attackers have to snoop around the network.
This approach – after many years of the ‘bad guys’ improving their tools and tactics while businesses and organisations were slow to react – finally allows companies to catch up on the security side, no matter where users are located, or what devices they use. This makes it the perfect fit for today’s world where, accelerated by the crisis, remote work has become the new normal.
Zero-trust-based IT environments make sure that companies don’t simply hand over the house keys to any ‘repairman’ ringing the bell. Instead, it will ask the repairman – and any other visitor –for a company badge with photo ID. It will lock any doors except the kitchen door, knowing exactly where the technician is and what he is doing. And if he behaves unexpected, it will automatically inform the homeowner. This way, companies can always keep an eye on users and devices, improving compromise detection, and narrowing attack windows. At the same time, employees can access company resources securely – any time and from anywhere.
- Darren Fields is the Vice President – Cloud Networking EMEA at Citrix.