To VPN or not to VPN?

The global crisis brought on by COVID-19 pushed companies to support work-from-home solutions. Now the Delta variant has already succeeded in disrupting many organizations’ reopening plans. Remote work is now a long-term reality, and companies will be reliant on network tools and technology to ensure their teams’ success. The dispersed locations of employees and the data they need pose security risks and compliance issues that need to be managed.

For decades, VPN or virtual private network, has been popular among organizations. It does what its title suggests: provides a secured, shielded way for users to access the network or private servers of an organization, regardless of the users’ location. Companies enable access to the public network via a private network connection from an employee’s device with a Business VPN, which typically have stronger security measures than personal VPNs, to protect against malicious actors.

VPN’s MAJOR FLAW: SECURITY

Any breach of the employee’s system can provide malicious actors with opportunity and access to corporate resources, leaving data vulnerable. To avoid these vulnerabilities, companies should prioritize security features when selecting a VPN product. Must-have security features include:

  • Support for multifactor authentication (MFA)
  • Strong encryption algorithms
  • Support for end-point protection
  • Digital certificate support
  • Logging and auditing support
  • Ability to disable split tunneling

In addition to the recommended security features above, utilizing perfect forward secrecy (PFS) lends to a more secure posture. With PFS, each VPN session uses a different encryption key combination. Even if attackers steal information during a session, they won’t be able to decrypt subsequent VPN sessions, exposing only a small portion of sensitive data.

ZERO TRUST ARCHITECTURE

Although VPNs are a popular tool, they are an imperfect solution to the problem of corporate security. Zero-trust architecture is an alternative approach to security. In a zero-trust network model, the core principle is that no device is automatically trusted, even if it has been verified in the past or is connected to the trusted network.

In a zero-trust model, organizations identify “protect surfaces”, which include critical data, assets, applications, and data services. The next step would be to create micro-perimeters for each protect surface, rather than having one all-encompassing network perimeter. This segmentation will force an attacker to make their way through several walls, rather than only the initial entry point to the network.

As your company adapts to providing employees the ease and safety of working from home, it’s important to consider security posture and new vulnerabilities that develop. At OFFSITE, we believe there is no “silver bullet” when it comes to security. Instead, we believe the best defense is a pragmatic program of several security strategies, tools, and documented workflows.

Our team of consultants and engineers have the expertise to help your organization decrease technology risk as you support a remote workforce.