Amid the COVID-19 pandemic, the global workforce has been forced to work from home. While safety first is the order of the day, it has also put tremendous pressure on CISOs & security teams within organizations to test the ‘safeness’ of their respective organizations’ IT infrastructure and architecture.
For most, VPN-based remote access is the way to go. For all the right reasons, the appeal for a VPN is justified since it is cost-effective, easy to use and, most importantly, gives the perception of secure remote access. However, what is interesting is this – while I was browsing through the primary use cases of a VPN, I found some astonishing results!
Well, I know the broader intent of a VPN and how it works for organizations, especially where a site-to-site VPN is in use. In other cases, a remote-access VPN is used, which requires the VPN client to be installed on each end user’s device.
Yet it is amusing that, for someone unfamiliar with its use in IT scenarios, those use cases would offer no compelling reason to opt for a VPN for securing access to critical IT systems and applications. None of the above use cases speaks of the security a VPN can provide to an organization, how it can secure a user’s access or how it protects critical data. They speak only of the anonymity a VPN provides while browsing over the internet or public Wi-Fi, under the pretext of safeguarding privacy by encrypting the traffic from the user’s machine to the VPN so that the access appears to come from the organization’s private network.
Yet, are these reasons enough to make VPN the go-to solution for securing remote work from home amid this global pandemic, especially for organizations that store confidential data and allow critical access to users? Maybe not.
From an operational standpoint, a VPN setup is architecturally more complex and more expensive to maintain. Furthermore, it causes inconvenience to users requiring manual and time-consuming steps to enter credentials and initiate a session.
From a security standpoint, the attack surface is much larger. Let’s consider the below scenarios:
Scenario 1:
For organizations where remote workers use personal devices and only need to reach a few selected applications or systems, allowing access via a VPN client may create vulnerabilities. The VPN client is installed on a personal device, so every other application on that device, including hitherto unknown or malicious ones, gains a path to sensitive organizational servers and systems.
Scenario 2:
To tackle the above scenario, designated and hardened IT-managed desktops or laptops are issued to remote users for remote access. Notwithstanding the operational and cost burden of this arrangement, does it offer foolproof security?
A few months ago, academics published research identifying a security flaw in specific operating systems (tracked as CVE-2019-14899) that allows attackers to tamper with VPN-tunnelled connections.
Another study, by a group of academics from the United States and Spain, found a whopping 13 programming errors across the 61 VPN systems tested. They also identified that 6 of 200 VPN services scandalously monitored user traffic. That is nothing short of data leakage.
Such vulnerabilities are enough for attackers to inject malware onto the remote system, intercept and compromise the credentials of high-privilege accounts and exfiltrate sensitive information. All it takes is one compromised credential to bring an organization to its knees. Not worth the risk!
Scenario 3:
With VPN-based access enabled, remote users can reach an entire network, with little control over which systems or applications each user may access. This exposes the whole infrastructure to every remote user, which again carries high risk, since controlled privileges and need-based access are left unaddressed.
Furthermore, activities and access are not proactively logged or tracked. This makes governance much harder, given the lack of comprehensive accountability and the reliance on system logs at best.
Scenario 4:
VPN growth is accompanied by the need for more firewalls and other gateway or router appliances. A couple of years ago, Cisco released an advisory for a vulnerability that could allow an unauthenticated, remote attacker to cause a reload of the affected system, or cause it to stop processing incoming VPN authentication requests due to a low-memory condition.
From the above scenarios, the baseline is clear – VPNs are good for allowing users who need access to non-critical information. Still, for those who need access to sensitive data and systems, VPN isn’t enough to ensure privacy.
A modern and easy-to-deploy approach is to stand up a remote privileged access system. All it takes is for the organization to provide a dedicated virtual server within its IT-managed network. The IP address of this server (or a dedicated URL defined by the IT team) is then published over the internet.
Any remote user who wishes to access the organization’s infrastructure connects and authenticates through this SSL-encrypted communication from the user’s machine to the server. Once in, password-less & role-based access can be defined for only designated applications or systems such as RDP, SSH or critical business applications.
Moreover, such access can be allowed over any HTML5-supported browser. This means the real RDP or SSH sessions open on the server residing on the organization’s premises. Only a virtualized rendering of this session is emulated over the browser for the remote user.
As such, for any critical session accessed, the user only sees an HTTPS-based session secured and encrypted. Furthermore, since a browser-based session is allowed, activities including copy-paste or extraction and downloading data from the session to the end user’s machine are restricted, imposing more robust control measures.
Rest assured, all sessions initiated by remote users are entirely logged and monitored with comprehensive audit trails suggesting who logged in to which system at what time and performed what.
This helps with better governance and mitigates risks associated with uncontrolled access given to remote users, isolating the user’s end machine from critical systems and networks and restricting copy or movement of data outside the network.
To mitigate the risks of VPN vulnerabilities, impose an additional layer of security with a privileged remote access technology. Instead of allowing users transparent access from the VPN to critical systems, route all remote users’ traffic through this privileged access management (PAM) server.
Allow communication from the VPN only towards the PAM server. From PAM, access can be better controlled and encrypted. Instead of allowing access to the complete network, dedicated need-based access to RDP, SSH and other critical applications can be defined for users. Needless to say, comprehensive logs and monitoring of user activities can be captured.
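As an added example (not Sectona’s code and not part of the original post), the following Python models the segmented design described above: the VPN address pool may reach only the PAM server over HTTPS, only the PAM server may open RDP or SSH towards the critical hosts, and PAM grants each user only the targets designated for their role while auditing every attempt. The flat policy is shown beside it for contrast; all addresses, users, roles and ports are constructed placeholders.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed, hypothetical addressing (assumptions, not from the post).
VPN_POOL = ipaddress.ip_network("10.200.0.0/24")   # addresses handed to VPN clients
PAM_HOST = ipaddress.ip_network("10.10.0.5/32")    # the published PAM server
CRITICAL = ipaddress.ip_network("10.10.1.0/24")    # RDP/SSH targets behind PAM
ANY = ipaddress.ip_network("0.0.0.0/0")

# Ordered, first-match firewall policy: (src, dst, dst_port or None, action).
# VPN users reach PAM over HTTPS only; only PAM may open RDP/SSH to critical hosts.
SEGMENTED_POLICY = [
    (VPN_POOL, PAM_HOST, 443, "allow"),
    (PAM_HOST, CRITICAL, 3389, "allow"),
    (PAM_HOST, CRITICAL, 22, "allow"),
    (ANY, ANY, None, "deny"),
]

# The flat design the post warns about: the VPN pool may reach everything.
FLAT_POLICY = [(VPN_POOL, ANY, None, "allow"), (ANY, ANY, None, "deny")]

def firewall_decision(policy, src, dst, port):
    """Return the action of the first rule matching this flow (default deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, rule_port, action in policy:
        if s in src_net and d in dst_net and rule_port in (None, port):
            return action
    return "deny"

# PAM-side role-based access: role -> set of (target, protocol) it may open.
ROLE_GRANTS = {"dba": {("10.10.1.20", "ssh")}, "win-admin": {("10.10.1.10", "rdp")}}
USER_ROLES = {"alice": {"dba"}, "bob": {"win-admin"}}
AUDIT_LOG = []  # who asked for which system, over what protocol, when, and the outcome

def broker_session(user, target, protocol):
    """Grant only a designated target/protocol for one of the user's roles; audit every attempt."""
    granted = any((target, protocol) in ROLE_GRANTS.get(role, set())
                  for role in USER_ROLES.get(user, set()))
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(), "user": user,
                      "target": target, "protocol": protocol,
                      "result": "granted" if granted else "denied"})
    return granted
```

A real deployment expresses the first table as firewall rules in front of the critical segment and the second as the PAM product’s access policy; the point is that a VPN client address never matches a rule towards RDP or SSH directly.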
Sectona provides an easy-to-deploy Privileged & Remote Access Management solution capable of delivering advanced technology to allow VPN-less or VPN-integrable secure access to remote work-from-home users.
The solution seamlessly allows RDP, SSH and web sessions over TLS on port 443, enabling you to traverse corporate firewalls easily. Added controls that restrict the movement of data and isolate the user’s machine from your environment significantly reduce your attack surface.