It's no secret that COVID-19 has forever
altered the landscape of the world. This is certainly true for the millions of
people who uprooted their work life and brought it home with them. According to
a Stanford study, a whopping 42 percent of the U.S. labor force now works from home
full-time.
While VPN usage in the enterprise was
generally on the downward trend as more and more apps moved to the cloud, the
pandemic upended the status quo as all on-prem apps could only be accessed via
VPN. Many organizations rushed to increase VPN capacity. This new reliance on
VPNs has forced CISOs to take a closer look at their VPN security and brought
VPNs to the forefront of the cybersecurity dialogue.
To add fuel to the fire, in the last eighteen months nearly all major VPN vendors have faced serious and untimely vulnerabilities, many of which led to credential compromise. Organizations do patch these VPN systems when they become aware of the flaws, but those that lack good user and access telemetry data and other detection mechanisms have no way of knowing whether credentials were ever stolen.
Additionally, most VPNs were designed for use with on-premises authentication resources like LDAP servers and Active Directory. COVID and remote work have accelerated the move away from on-premises identity into cloud-based identity environments, and many VPN vendors haven't added support for these cloud infrastructures yet.
## Who is Leading the Charge in Authenticating VPNs?
It's tough to say, as the supported authentication protocols vary substantially by VPN vendor. Right now, CISOs should ensure that their VPN infrastructure supports Multi-Factor Authentication (MFA), Certificate-Based Authentication (TLS) and RADIUS Authentication.
Most VPN providers do support some form of Multi-Factor Authentication. In reality, however, a vendor that supports MFA in conjunction with TLS/certificate-based authentication (which offers device trust) and RADIUS is tough to find. The combination of certificates with an identity lookup against Okta/Azure/Google is the gold standard, as it enables organizations to accurately identify both the user and the endpoint/device accessing the VPN while simultaneously preventing credential compromise.
## How As An Industry Do We Move Forward To Weed Out The Insecure Options And Approaches?
Our approach as an industry needs to change in ways that directly address our work-from-home culture. A report shows that 85% of organizations say network security is harder to manage than it was two years ago. With this in mind, many forward-thinking companies have decided to adopt a Zero Trust philosophy towards network security.
With a Zero Trust philosophy, the set of resources that a single set of credentials grants access to is greatly diminished. As a result of growing VPN security risks, 72% of companies are prioritizing the adoption of a zero-trust security model, while 59% have accelerated their efforts due to the focus on remote work. While it may seem like a lot of work, it really is the best way to keep your company assets safe.
Another important step for organizations to take is to avoid antiquated credentials such as user ID and password based authentication whenever possible. Passwords have a long history of being targeted by malicious actors through social engineering attacks like phishing, which have seen a dramatic increase during the pandemic. The issue now is users being tricked by phony emails that appear to come from their VPN providers, leaving their credentials in the hands of an attacker.
The issue with MFA alone is that there's no way of preventing insecure personal devices from authenticating to your network. Consider the scenario where an employee self-installs VPN software on an unauthorized device that is infected with malware. If that device connects to the company VPN, the malware is free to spread to your network.
That's why combining MFA with an X.509 digital user certificate that was issued during a secure enrollment process and is protected by a TPM on the device is the way forward. In reality, however, a vendor that supports MFA in conjunction with EAP-TLS/certificate-based authentication (which offers device trust) and RADIUS is tough to find.
Switching to certificate authentication solves a lot of the authentication security problems that we see in enterprises today. It ties a unique certificate serial number to every network connection, which can then be associated with different identifying attributes (email, user groups, MAC address, employee number, etc.).
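As an added example (not code from the original post or from SecureW2), this is the authorization decision a RADIUS server can make for one EAP-TLS connection along the lines described above: the chain back to the enrollment CA gives device trust, the certificate serial number is the per-device handle, and the email attribute keys the identity lookup. The enrollment CA, the `directory` map standing in for the Okta/Azure/Google lookup, and the `revokedSerials` list are constructed stand-ins, not a real PKI or IdP; everything uses the Go standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Constructed stand-ins: email -> group as a cloud IdP lookup would return it, and a revocation
// list keyed by certificate serial (e.g. a device reported lost after enrollment).
var directory = map[string]string{"alice@example.com": "engineering"}
var revokedSerials = map[string]bool{}

// authorize is the RADIUS-side decision for one EAP-TLS connection and returns the user's group.
func authorize(roots *x509.CertPool, leaf *x509.Certificate, now time.Time) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", err // not issued by the enrollment CA, expired, or not a client-auth certificate
	}
	if revokedSerials[leaf.SerialNumber.String()] {
		return "", errors.New("certificate serial revoked")
	}
	if len(leaf.EmailAddresses) == 1 {
		if group, ok := directory[leaf.EmailAddresses[0]]; ok {
			return group, nil
		}
	}
	return "", errors.New("no directory identity matches the certificate's email SAN")
}

// issue builds a throwaway enrollment CA plus one client certificate it signed (constructed test PKI).
func issue(email string, serial int64, now time.Time) (*x509.CertPool, *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Enrollment CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: now, NotAfter: now.Add(time.Hour)}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	caCert, _ := x509.ParseCertificate(caDER)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leaf := &x509.Certificate{SerialNumber: big.NewInt(serial), EmailAddresses: []string{email}, NotBefore: now,
		NotAfter: now.Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leaf, caCert, &leafKey.PublicKey, caKey)
	leafCert, _ := x509.ParseCertificate(leafDER)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return pool, leafCert
}
```

A certificate from any other CA, a revoked serial, an expired certificate, or an email with no directory entry is refused before any network access is granted.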
Certificates also work well with PIV-backed smart cards like YubiKeys, which provide incredibly high assurance levels that users are who they claim to be.
VPNs have been critical for organizations to
keep their businesses going during a pandemic. It's the responsibility of the
leaders in our field to aim organizations in the right direction, towards safer
security practices and away from easily exploited credentials.
## ABOUT THE AUTHOR
Bert Kashyap is the Co-founder of SecureW2. With over 20 years of experience in Networking and Cybersecurity, Bert has used his diverse security background to quickly grow SecureW2 into an industry leader for certificate-based security, and a trusted partner of many of the world's top Universities and Fortune 500 companies.