Let’s face it – most organizations have been using VPN technology for years. Most technology professionals know exactly what to expect with both SSL/TLS and IPSec-based VPN technologies, as they’ve been tried-and-true staples of our remote access strategies for decades. Unfortunately, VPN is rapidly moving to “the way we’ve always done it” in remote access strategy, which we all know means…fading in relevance and less adapted to the nature of today’s workforces. Does that mean VPN is dead? Probably not, but we’ve seen a number of issues with VPN “hub and spoke” models in the past several years, such as:
- Many critical applications and services that employees need are cloud-based, eliminating the need to come back on-premises in the first place.
- More organizations have shifted to bring-your-own-device (BYOD) strategies, especially with unexpected scenarios like the COVID-19 pandemic. At the same time, employees have been steadily moving to remote work overall, but traditional remote access security controls haven’t adapted.
- Our hybrid infrastructure is more complex than ever, and building and maintaining least-privilege access models has gotten significantly more challenging.
All of this is compounded by more attacks against remote workers, as well as an expanded need to support remote access for vendors, partners, and other various stakeholders.
As many workforces became entirely remote in 2020, attacks targeted remote users with sophisticated campaigns that involve collaboration tools, services, and more. In the most recent SANS Endpoint Protection and Response survey, 42 percent of respondents say at least one of their endpoints has been compromised. Even worse, 20 percent didn’t know whether or not any endpoints had been compromised. Without strong privilege controls, these users and endpoints become immediate ingress and lateral movement starting points for adversaries looking to compromise central data center resources.
Remote Access Security in the New Normal
The nature of many organizations’ workforces is likely to change, too. In the coming months and years, many employees won’t come back to traditional on-premises jobs, and will continue to work remotely 100% of the time.
For some jobs, this shift to full-time remote working won’t pose a major challenge. However, this is not the case for many other roles, especially those that demand very strict control of privileges to a limited number of resources (for example, vendors performing remote support), or administrators that hold “the keys to the kingdom”. For this type of sensitive work involving highly privileged access, shifting to a remote access strategy requires implementation of strong oversight and audit controls.
There’s really never been a better time than right now for organizations to rethink the types of capabilities they want and need in a remote access solution. We’ll need strong access controls at the endpoint, network access controls at the cloud and data center levels, strong logging and audit capabilities, and more advanced functionality like session monitoring and management and just-in-time access.
One thing is for sure – the VPN technology of yesterday won’t get us where we need to go. To further explore how to address these security challenges now and into the future, watch my on-demand webinar: The Quest for Better and Safer Remote Access.
Dave Shackleford, Cybersecurity Expert and Founder of Voodoo Security
Dave Shackleford is the owner and principal consultant of Voodoo Security and a SANS analyst, senior instructor, and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering, and is a VMware vExpert with extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as CSO for Configuresoft, CTO for the Center for Internet Security, and as a security architect, analyst, and manager for several Fortune 500 companies.