Virtualization Technology News and Information
How Has Covid/WFH Elevated The VPN Conversation and the Notion That Not All VPNs Are The Same?


It's no secret that COVID-19 has forever altered the landscape of the world. This is certainly true for the millions of people who uprooted their work life and brought it home with them. According to a Stanford study, a whopping 42 percent of the U.S. labor force now works from home full-time. 

While enterprise VPN usage was generally trending downward as more and more apps moved to the cloud, the pandemic upended the status quo: on-prem apps could only be accessed via VPN, and many organizations rushed to increase VPN capacity. This new reliance on VPNs has forced CISOs to take a closer look at their VPN security and brought VPNs to the forefront of the cybersecurity dialogue.

To add fuel to the fire, in the last eighteen months nearly all major VPN vendors have faced serious and untimely vulnerabilities, many of which led to credential compromise. Organizations do patch these VPN systems once they become aware of the problem, but those that lack good user and access telemetry data and other detection mechanisms have no way of knowing whether credentials were ever stolen.

Additionally, most VPNs were designed for use with on-premises authentication resources like LDAP servers and Active Directory. COVID and remote work have accelerated the move away from on-premises identity into cloud-based identity environments, and many VPN vendors do not yet support these new cloud infrastructures.

Who is Leading the Charge in Authenticating VPNs?

It's tough to say, as the supported authentication protocols vary substantially by VPN vendor. Right now, CISOs should ensure that their VPN infrastructure supports Multi-Factor Authentication (MFA), certificate-based authentication (TLS), and RADIUS authentication.

Most VPN providers do support some form of Multi-Factor Authentication. In reality, however, a vendor that supports MFA in conjunction with TLS/certificate-based authentication (which offers device trust) and RADIUS is tough to find. The combination of certificates with an identity lookup against Okta/Azure/Google is the gold standard, as it enables organizations to accurately identify both the user and the endpoint/device accessing the VPN while simultaneously preventing credential compromise.

How As An Industry Do We Move Forward To Weed Out The Insecure Options And Approaches?

As an industry, our approach needs to change in ways that directly address our work-from-home culture. A report shows that 85% of organizations say network security is harder to manage than it was two years ago. With this in mind, many forward-thinking companies have decided to adopt a Zero Trust philosophy towards network security.

With a Zero Trust philosophy, the set of resources that one set of credentials grants access to is greatly diminished. As a result of growing VPN security risks, 72% of companies are prioritizing the adoption of a zero-trust security model, while 59% have accelerated their efforts due to the focus on remote work. While it may seem like a lot of work, it really is the best way to keep your company's assets safe.

Another important step for organizations to take is to avoid antiquated credentials such as user ID and password-based authentication whenever possible. Passwords have a long history of being targeted by malicious actors through social engineering attacks like phishing, which have seen a dramatic increase during the pandemic. The issue now is users being tricked by phony emails that appear to come from their VPN providers, leaving their credentials in the hands of an attacker.

The issue with MFA alone is that it does nothing to prevent insecure personal devices from authenticating to your network. Consider the scenario where an employee self-installs VPN software on an unauthorized device that is infected with malware. If that device connects to the company VPN, the malware is free to spread to your network.

That's why combining MFA with an X.509 digital user certificate that was issued during a secure enrollment process and is protected by a TPM on the device is the way forward. In reality, however, a vendor that supports MFA in conjunction with EAP-TLS/certificate-based authentication (which offers device trust) and RADIUS is tough to find.

Switching to certificate authentication solves a lot of the authentication security problems that we see in enterprises today. It ties a unique serial number to every network connection, which can then be associated with different identifying attributes (email, user groups, MAC address, employee number, etc.).

Certificates also work well with PIV-backed smart cards like YubiKeys which provide incredibly high assurance levels that users are who they claim to be.
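The following Go program is an added example, not code from this article or from SecureW2. It sketches the flow described above: a user certificate with a unique serial number is issued at enrollment, and the RADIUS side of an EAP-TLS exchange accepts the connection only if the certificate chains to the enrollment CA, its serial maps to an enrolled user, and the identity inside the certificate matches that record. The enrollment CA, the directory (a stand-in for the Okta/Azure/Google lookup) and all identities are constructed for the demo; a real deployment keeps the CA key in an HSM and the user key in the device's TPM.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Cert generates a key pair and a certificate: with parent == nil a self-signed enrollment CA,
// otherwise a client-auth user certificate (unique serial + user's email) signed by parent.
func Cert(parent *x509.Certificate, parentKey *ecdsa.PrivateKey, serial int64, name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // crypto/rand does not fail in practice
	if parent == nil { // CA: a real deployment keeps this key in an HSM, never in memory
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = t, key
	} else { // user certificate issued during enrollment
		t.EmailAddresses = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err) // demo only: fail loudly rather than return an error
	}
	cert, _ := x509.ParseCertificate(der) // DER produced a line above always parses
	return cert, key
}

// Authorize is the RADIUS-side decision on an EAP-TLS client certificate: it must chain to the
// enrollment CA, its serial must map to an enrolled user in dir (constructed stand-in for the
// Okta/Azure/Google lookup), and the identity inside the certificate must match that record.
func Authorize(cert, ca *x509.Certificate, dir map[string]string) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err // untrusted issuer, expired, or not a client-auth certificate
	}
	user, ok := dir[cert.SerialNumber.String()]
	if !ok || len(cert.EmailAddresses) != 1 || cert.EmailAddresses[0] != user {
		return "", errors.New("serial not enrolled or revoked, or identity does not match the directory")
	}
	return user, nil
}
```

Because the lookup is keyed on the serial, revoking a device is a matter of deleting one directory record, and a certificate minted by any other CA, even with the same serial and email, fails at the chain check before the directory is consulted.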

VPNs have been critical for organizations to keep their businesses going during the pandemic. It's the responsibility of the leaders in our field to steer organizations in the right direction, towards safer security practices and away from easily exploited credentials.



Bert Kashyap is the Co-founder of SecureW2. With over 20 years of experience in Networking and Cybersecurity, Bert has used his diverse security background to quickly grow SecureW2 into an industry leader for certificate-based security, and a trusted partner of many of the world's top Universities and Fortune 500 companies.

Published Friday, March 12, 2021 9:28 AM by David Marshall