Is Your Workforce Going Remote? – Why VPNs and Personal Computers (BYOD) Should Never Mix

March 30, 2020


Over the past several decades as a security professional, I’ve witnessed countless security architectures, and been privy to decisions for policies and implementations. Perhaps the most reckless recurring security practice I’ve continually observed over the years is the installation of an organization’s VPN (virtual private network) software on an employee’s home computer for remote access. Simply put, BYOD and VPN should never mix or co-exist.

Today, with the large-scale move to remote work to support social distancing and help mitigate the Coronavirus health threat, the flaws of this practice are being multiplied rapidly, and the damage will be reflected in widespread malware infections, corrupted systems, breached data, and organizations that get outright “owned”.

Corporate VPN technology—whether hosted in the cloud or within a business’s DMZ (perimeter network or screened subnet)—is designed to allow remote access to an organization’s network through protocol tunnelling and encryption. The goal is to connect remote assets to an organization’s network when the physical location of the connection is beyond the traditional firewalls and network perimeter. Generally, this technology is implemented using a single network access connection, or multiple connections based on geography, to provide a demarcation point from an external connection into a controlled network and its segments.

Risks and Challenges of VPNs

While we’re in a time of elevated societal risk, adding cybersecurity risk will only compound our inability to function. Even in the most prosperous and stable of times, giving VPN access to workers using personal computers is a completely unacceptable risk. Here are a few reasons why:

  • Personal computer users are typically local administrators on their devices. While the best practice is to abide by the principle of least privilege by creating a standard user account that is used for routine computing (using the admin account only to perform system updates and other tasks that require higher privilege), few users carry out this practice—if they are even aware of it at all. Thus, these users are highly susceptible to malware when performing routine computing (emailing, web surfing, etc.). Most malware requires privilege to execute and install, and once an account is compromised, the malware inherits the privileges and access of that account. Older home operating systems, including Windows 8, Windows 7 and Windows XP, are not only worse at defending against malware that requires administrative rights to exploit the system, but they are no longer supported platforms. Many users have yet to migrate to a newer operating system or to purchase a new computer with current software. This lack of support means vulnerabilities will no longer be actively discovered and patched. All of this adds up to completely unjustifiable risk for any organization.
  • In instances when a personal home computer is shared amongst family members, there are very few mitigations to prevent an infection, or the poor judgement of one individual, from affecting the other users. This holds true even when each person has their own, unique user profile. Windows systems also have a feature called Fast User Switching, which allows users to sign in to accounts while other users remain signed in on the machine. By keeping multiple user profiles in memory, Fast User Switching can make the accounts susceptible to a variety of attacks based on other active profiles. So, for instance, the compromise of one user, not related at all to the organization, could be leveraged against an active VPN session connected to the organization. These are serious risks that should not be glossed over.
  • Organizations typically lack the authority to manage an individual’s home computer. If permitted by the end user and legal within that particular country, NAC (Network Access Control) solutions can validate antivirus signature versions and other basic hardware characteristics. However, NACs still cannot inventory a home computer to ensure it is hardened and maintained like a corporate asset, and there may not be a compatible local agent to provide these details remotely. The presence of these gaps, even when connected to a bastion host for remote access, can expose the enterprise to data leakage from keystroke loggers and screen-capturing malware.
  • Corporate VPN solutions usually embed a certificate into the VPN profile to validate the connection. This is independent of the authentication the user should provide via credentials and multi-factor authentication. Both the certificate and the credentials are only as secure as the security maintenance implemented for those particular assets, and they are prime targets for a threat actor. A poorly maintained host makes it easy for a threat actor to initiate their own connections, steal the certificates or VPN installer, or hijack sessions used by remote employees who are working from their home computers. If you cannot secure the host, how can you secure the connection software it is running? You can’t.
  • Personal home computers generally have only antivirus and a basic, free firewall (e.g. Windows Firewall), if they have any security software installed and enabled at all. These users do not have EDR (endpoint detection and response), EPM (endpoint privilege management), or vulnerability or patch management solutions. Additionally, home users typically operate as independent workstations with no monitoring from security professionals to react when something goes awry.
  • VPN technology is highly dependent on the bandwidth of the external connection into the environment, the internal network links connecting the VPN into the network, and the network segmentation that isolates external connections from sensitive resources. Given this, a VPN cannot suddenly sustain, on bandwidth alone, all of the users who normally work in an office connected through traditional network switches and routers. The VPN is also not normally configured to allow access to all of the resources that are available when someone is physically sitting on a trusted network within an office building. Simply put, most corporate VPN implementations, even with corporate-issued mobile devices, are not scaled to support large numbers of users all operating simultaneously in an environment. In addition to injecting security issues into the corporate environment, moving to VPNs en masse can result in severe network performance issues.
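The first three bullets describe conditions on a personal Windows PC that an organization normally cannot see before a remote-access client connects: the user running as a local administrator, an out-of-support operating system, and other family members' sessions kept alive by Fast User Switching. The script below is an added example, not BeyondTrust code and not a substitute for a NAC agent; it is a read-only posture report that checks those three conditions with built-in Windows tooling so an administrator can see what a proper endpoint inventory would have to verify. It assumes Windows PowerShell 5.1 or later on the endpoint, and its Fast User Switching check is an approximation based on WMI logon sessions.

```powershell
# Added example (not BeyondTrust code): read-only posture report for a personal
# Windows PC, covering the three risk conditions from the post. Run from a
# normal, non-elevated PowerShell 5.1+ session; only built-in tooling is used.

function Test-CurrentUserIsLocalAdmin {
    # Looks for the well-known Administrators SID (S-1-5-32-544) in the current
    # token's groups via whoami. A UAC-filtered admin token still lists the group
    # (marked "used for deny only"), so this reports membership, not elevation,
    # which is the exposure the post describes.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    return [bool]($groups | Where-Object { $_.SID -eq 'S-1-5-32-544' })
}

function Get-OsSupportStatus {
    # Windows XP is version 5.1, Windows 7 is 6.1, Windows 8 is 6.2: all out of
    # support at the time of the post. Windows 8.1 (6.3) and 10 (10.0) were still
    # receiving updates, so anything below 6.3 is flagged.
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $ver = [version]$os.Version
    [pscustomobject]@{
        Caption     = $os.Caption
        Version     = $os.Version
        Unsupported = ($ver -lt [version]'6.3')
    }
}

function Get-InteractiveUsers {
    # Approximation of Fast User Switching exposure: distinct accounts that hold
    # an interactive (type 2 or 11) or remote-interactive (type 10) logon session
    # right now. System components that also log on interactively (Desktop Window
    # Manager, font driver host) are filtered out by their pseudo-domain.
    $sessions = Get-CimInstance -ClassName Win32_LogonSession |
        Where-Object { $_.LogonType -in 2, 10, 11 }
    $accounts = foreach ($s in $sessions) {
        # Win32_LoggedOnUser associates each logon session with its Win32_Account.
        Get-CimAssociatedInstance -InputObject $s -Association Win32_LoggedOnUser
    }
    $accounts |
        Where-Object { $_.Domain -notin 'Window Manager', 'Font Driver Host' } |
        ForEach-Object { "$($_.Domain)\$($_.Name)" } |
        Sort-Object -Unique
}

function Get-RemoteAccessPostureReport {
    # Combines the three checks into one object; any true finding is a reason,
    # under the post's argument, not to let a remote-access client connect.
    $os    = Get-OsSupportStatus
    $users = @(Get-InteractiveUsers)
    $admin = Test-CurrentUserIsLocalAdmin
    $shared = ($users.Count -gt 1)

    [pscustomobject]@{
        OperatingSystem         = "$($os.Caption) ($($os.Version))"
        OsOutOfSupport          = $os.Unsupported
        CurrentUserIsLocalAdmin = $admin
        InteractiveUsers        = ($users -join ', ')
        SharedSession           = $shared
        ConnectionAdvisable     = -not ($os.Unsupported -or $admin -or $shared)
    }
}

Get-RemoteAccessPostureReport | Format-List
```

The interesting design point is that every check runs without elevation: a standard user can read `whoami /groups`, `Win32_OperatingSystem` and `Win32_LogonSession`, which is exactly the position a remote NAC or bastion host is in when it can only ask the endpoint about itself. Stale `Win32_LogonSession` entries can linger after a user signs out, so `SharedSession` may over-report; treat it as a prompt to look, not proof.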

Best Practices for Enabling an Expanding Remote Workforce

Some organizations recognize the risks of VPNs, yet still try to make them work through complex workarounds. For instance, they may develop and maintain highly secure VDI (virtual desktop infrastructure) environments and bastion hosts to proxy (or gateway) the connection to protect applications and sensitive data. They have created isolated networks and resources in the cloud just to manage these connections and, in many cases, invested exorbitant sums of money in licensing costs and personnel just to stand up the resources for a defensive network strategy to mitigate these risks. While organizations can sometimes be effective in mitigating VPN risk with this approach, it’s not generally cost-effective from a human and asset resources perspective.

In my strong opinion, based on many years of security experience, enterprises should reconsider the risks of VPN software on home assets, and consider lower risk and more highly scalable ways to extend remote access to remote workers. Here are my two recommendations:

  1. Provision corporate-owned assets that are hardened and managed (potentially through the cloud) to provide secure remote access. If employees that need remote access have a traditional desktop computer, consider replacing it with a corporate-owned and managed laptop with a docking station. In the office, it would operate like a regular desktop, including having large monitors, but when required at home, the laptop can travel with them as a managed asset, minimizing the risk and providing secure connectivity.
  2. License a modern, elegantly architected remote access solution that does not require a complex environment to provide secure connectivity. Ideally, your solution is cloud-based and provides the ability to perform the connection through a web browser without the need for VPN software, dedicated applications, or protocol tunneling.

VPN use on personal computers is a practice that was never sound from a security perspective in the first place. With the availability of enterprise-class remote access technologies today, there’s no excuse, and probably no justifiable benefit, for deploying VPNs for remote access on worker-owned computers.

Learn about BeyondTrust Secure Remote Access solutions:

  • Privileged Remote Access for employees and vendors
  • Remote Support for IT service desks

Learn about BeyondTrust Endpoint Privilege Management solutions:

  • Privilege Management for Windows & Mac
  • Privilege Management for Unix & Linux

Other Resources

Coronavirus is Stress Testing Remote Access: How to Make Telework Safe, Secure, & Productive (blog)

IT Considerations for Supporting Remote Workers due to the Coronavirus Epidemic (blog)

A Guide to Endpoint Privilege Management


Morey J. Haber, Chief Security Officer, BeyondTrust

Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.
