Virtual private networks (VPNs) have long been an enterprise mainstay. And for just as long, there has been debate about their role in providing security, along with facilitating access. But amidst a year of briskly changing workplace staffing restrictions, are VPNs finally approaching their end as a viable business information security tool?
The Role of VPNs in Facilitating Access
Vendors for years bragged about VPNs providing “enhanced security,” but do VPNs actually enhance security?
Let’s take a step back for a moment. Everyone is tired of talking about “the new normal.” I don’t mean wearing masks - I mean we’re tired of talking about it and using the term “the new normal.” The remote workplace trend long predates COVID-19, and the impact of COVID-19 was softer in office settings where remote work may have already been an option.
Front-line healthcare workers and restaurant staffers were never going to be able to work remotely. Sure, there have been some smaller shifts from waitstaff at bars to drivers for DoorDash and some advances with telemedicine, but the brunt of the “remote work” shift has really just been a continuation of an existing trend. That trend actually started in the early 1970s during the OPEC oil embargo, when filling your car with gasoline became extremely difficult.
VPN technology was built to provide access and to protect data in transit beyond the traditional company network. It is deployed as more of a business enablement tool than a cybersecurity tool, giving us the ability to extend the company network to users in any physical location - whether home, mobile, on an airplane, in a hotel, or somewhere else. IPSec packets aren’t easily sniffed, and while there are vulnerabilities, IPSec generally does its job and provides strong encryption to ensure the protection of data transmissions.
VPN as an Attack Vector
However, one longstanding problem has been that many businesses use VPNs to grant open network access to employees, assuming the trustworthiness of anyone inside the VPN, including third parties / vendors, office guests, and anyone who can compromise a VPN entry point. That itself is a serious security oversight. In these instances, your security may ultimately only be as good as that of the external endpoint/user you are allowing to tunnel into your environment.
Additionally, in recent years, we’ve seen dozens of VPN vulnerabilities exploited in major business and government breaches. VPNs have become a target, as hackers now know if they can breach a VPN, in many cases, they no longer have to worry about traditional security controls such as firewalls—they now have complete access to a company’s network. Firewalls can’t do much to help block unwanted traffic when you openly grant network access through a VPN. Additionally, VPNs are often misconfigured, creating exploitable gaps for attackers to gain access.
Another issue undermining VPN security is that VPN device and software patching is often forgotten or ignored. Companies that require VPN access for employees to do their jobs often meet opposition to VPN patching maintenance windows.
Of course, in this era of large-scale remote access, network performance issues around VPNs are also increasingly cropping up, especially when you see many users simultaneously VPNing in.
How to Facilitate Truly Secure Remote Access
Instead of the “castle and moat” security architecture assumption that everything inside the network perimeter is safe, organizations should carefully understand and plan:
- what resources should be available inside the company network
- what users truly need access to those resources
- a basic policy of least privilege to avoid granting access unless necessary
The zero trust model of refusing access by default to any person or system unless needed represents a constructive movement towards a more secure architecture. Privileged access management (PAM) is a key piece of the zero trust approach and of evolving to a security architecture in which you can often replace VPNs.
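The planning steps and default-deny rule above, as an added example (not from the original article): a short Python sketch that compares what each user can reach when a VPN profile routes the whole internal range with what an explicit grant list allows. All resource names, addresses, users and grants are constructed for illustration.

```python
import ipaddress

# Constructed inventory (hypothetical names and addresses): resource -> IP.
RESOURCES = {
    "hr-db": "10.0.10.5",
    "build-server": "10.0.20.8",
    "hvac-controller": "10.0.30.2",
    "file-share": "10.0.40.9",
}

# Flat VPN model: every tunnel profile is routed to the whole internal range,
# so anyone inside the tunnel is implicitly trusted.
VPN_ROUTES = {"employee": ["10.0.0.0/16"], "vendor": ["10.0.0.0/16"]}

# Constructed users and the VPN profile each one connects with.
USERS = {"alice": "employee", "bob": "employee", "hvac-vendor": "vendor"}

# Least-privilege model: explicit (user, resource) grants. Anything that is
# not listed here is refused by default.
GRANTS = {
    ("alice", "hr-db"),
    ("bob", "build-server"),
    ("hvac-vendor", "hvac-controller"),
}


def vpn_reachable(user):
    """Resources a user can reach at the network layer through the VPN."""
    nets = [ipaddress.ip_network(cidr) for cidr in VPN_ROUTES[USERS[user]]]
    return {
        name
        for name, addr in RESOURCES.items()
        if any(ipaddress.ip_address(addr) in net for net in nets)
    }


def zero_trust_allowed(user, resource):
    """Default deny: access only when an explicit grant exists."""
    return (user, resource) in GRANTS


def excess_exposure(user):
    """Resources the VPN exposes to a user beyond what the grants allow."""
    needed = {r for r in RESOURCES if zero_trust_allowed(user, r)}
    return sorted(vpn_reachable(user) - needed)


if __name__ == "__main__":
    for user in USERS:
        print(f"{user}: reachable via VPN but not needed -> {excess_exposure(user)}")
```

Running the same comparison against a real resource inventory and VPN route table gives a per-user list of exposure to remove when moving from network-wide tunnels to per-resource grants.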
Tuning your alerts and monitoring, and the ability to isolate things that are truly a big deal, is also an essential piece of establishing the secure architecture we need.
Hackers, or “threat actors” as we sometimes like to call them, aren’t going to wait for cybersecurity professionals to correct their security architecture. For “enhanced security,” consider scrapping the VPN and implementing Zero Trust.
For a more in-depth exploration, check out my on-demand webinar: VPNs: New to the Endangered Species List?
Dan Stern, Vice President of IT, Infrastructure and Services at Air Methods
Dan is a 20-year IT professional having owned a small IT business in Maryland, led fast-paced IT teams at Chipotle, Blaze Pizza, and others, and now leads Infrastructure and Services teams as VP of Information Technology at Air Methods. Having a Bachelor of Arts specialized in journalism from Colorado State University and a Master of Applied Science concentrated in Information Systems Security from the University of Denver, Dan uses his experience with communications to help teach sometimes intimidating technology to office workers and college students. In his free time, Dan likes to power down all of the tech toys and simply get lost in the mountains.