Overestimating what VPNs can do is dangerous

As we know, a big part of the fight against the coronavirus has been to keep people inside their homes in order to flatten the curve, meaning that a never-before-seen number of workers are now adapting to working remotely.

About the author

Rich Orange, Regional Vice President for UK and Ireland, Forescout.

With this rapid shift to remote working, virtual private network (VPN) use has also increased. That’s because many applications remain on-premise and employees everywhere – particularly those working in government, healthcare and critical infrastructure – still require access to corporate and operational networks. This gives organisations no choice but to rely on VPNs to secure the pathway from remote users to a corporate network with an end-to-end encrypted tunnel.

The problem is, a VPN is a tool to enable security rather than an entire toolkit. VPNs don’t carry functions like anti-malware or compliance checks, and so they should not be seen as a ‘catch-all’ approach to cybersecurity – ultimately they serve as a fast lane into the heart of corporate networks which, without adequate protection, could lead to potentially disastrous consequences.

Working from home creates a playground for hackers

When working in an office, it is possible to have full visibility and control over the devices connecting to the network, but this isn’t as straightforward for devices connecting via VPN.

When a high volume of corporate devices moves from on-prem to off-prem, the devices bring with them all the responsibility for IT tasks such as patching, monitoring and security. Even with the use of management and security tools, enterprises are likely to have less visibility into how these devices are configured, patched and secured.

The problem with having less visibility and fewer controls is that both are compounded by people connecting more of their personal devices. Given the fact that businesses had to rapidly move employees to remote working, hugely straining the supply chain in the process, BYOD (bring your own device) culture is once again on the rise. These devices are less likely to be maintained against known-good images and are more likely to go unpatched, unprotected and unmonitored.

This, along with the increase of IoT devices on home networks, results in more attack vectors for bad actors.

As well as the devices connecting to the network, the home WiFi networks themselves can present security flaws too. Without the same corporate controls that are put in place in offices, the usual protections such as firewalls, intrusion prevention systems and advanced threat detection are all bypassed. With insufficient network controls on home networks, device security and hygiene act as the primary line of defense.

Ensuring a holistic security strategy, at work and at home

While BYOD and VPNs can make achieving device security more difficult, it can still be achieved. Firstly, visibility should be the number one priority for businesses looking to secure their networks during this transitionary time.

Beyond user and VPN authentication, it is important to be able to identify devices and also categorize them as corporate-issued or personal. This allows for the appropriate security policy to be applied to the device with contextual information. Being able to monitor the behavior and network traffic of devices that are known to be higher risk can be the difference between detecting a threat and a bad actor gaining access.

With the knowledge that BYOD devices will be connecting to the network, businesses can work to extend the same level of cyber hygiene enforcement as applies to corporate devices. With device hygiene and security posture being paramount, this should apply to all devices. Essential posture checks need to be conducted before allowing devices on the corporate network, even if they have authenticated correctly via VPN. Even just a single compromised or non-compliant device can provide an entry point to the wider network for threat actors.

Once the devices have been cleared to connect to the network, the next stage of protection is to enforce access controls and segmentation policies. With organisations already operating outside of their usual situations, monitoring and policy enforcement are vital to preventing a network breach. Users should be notified about compliance problems and VPN connections should be terminated if the issues aren’t resolved. Furthermore, network traffic and connection requests from remote devices should be monitored to detect deviations and ensure segmentation hygiene is being upheld.
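
The admission sequence described above (VPN authentication, device classification, posture checks, segmentation, then notification and termination) can be sketched as a single decision function. This is an added example, not code from the article or from any product; the check names, segment names and the 24-hour remediation window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed remediation window before a non-compliant session is dropped.
GRACE = timedelta(hours=24)

@dataclass
class Device:
    device_id: str
    corporate: bool                # True if matched to the asset inventory
    os_patched: bool
    av_running: bool
    disk_encrypted: bool
    first_failed: Optional[datetime] = None  # when non-compliance was first seen

def failed_checks(d: Device) -> list:
    """The same hygiene checks apply to corporate and personal devices."""
    checks = {"os_patched": d.os_patched,
              "av_running": d.av_running,
              "disk_encrypted": d.disk_encrypted}
    return [name for name, ok in checks.items() if not ok]

def decide(d: Device, vpn_authenticated: bool, now: datetime):
    """Return (action, segment, failures) for one connection attempt."""
    if not vpn_authenticated:
        return ("deny", None, [])
    failures = failed_checks(d)
    if not failures:
        # Classification selects the segment, not whether checks run.
        return ("allow", "corp-full" if d.corporate else "byod-restricted", [])
    if now - (d.first_failed or now) >= GRACE:
        return ("terminate", None, failures)      # issue was not resolved in time
    return ("notify", "remediation", failures)    # tell the user, limit access

if __name__ == "__main__":
    now = datetime(2020, 5, 1, 12, 0)             # constructed sample data
    fleet = [
        Device("laptop-01", True, True, True, True),
        Device("home-pc-07", False, True, True, True),
        Device("home-pc-09", False, False, True, True),
        Device("tablet-03", False, True, False, True, now - timedelta(days=2)),
    ]
    for dev in fleet:
        print(dev.device_id, decide(dev, True, now))
```

A device that authenticates correctly but fails a check never reaches the full corporate segment: it is held in a remediation segment and dropped once the window expires.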

With VPNs providing essential access for remote workers, uncompromised network access control and device compliance strategy are crucial to ensure effective device hygiene. The rise in VPN usage reassuringly points to the fact that businesses take cybersecurity more seriously than ever, but a comprehensive approach around device visibility and control is the only way to ensure complete protection.
