Why VPNs make remote access less secure and what to do about it
Virtual private networks (VPNs) were introduced roughly a quarter of a century ago. The premise at the time was solid: Create an encrypted tunnel from a computer to a network so remote users could have secure access to company resources and communications. Although they were slow and time consuming for IT to administer, VPNs gained traction because they met the primary objective -- the connections were secure...or at least secure enough.
Today, it’s a different story. Where VPNs were uncommon 20 years ago, now they’re ubiquitous. But they were never intended to handle the scale of a massive remote migration, and the weaknesses are showing. Last spring, a report from Digital Shadows on Q1 vulnerability activity had cyber criminals targeting VPNs more than most other attack avenues to get into enterprise networks. Even prior to COVID-19, the National Security Agency (NSA) released a Cybersecurity Advisory about "malicious cyber actors leveraging VPN vulnerabilities."
But companies can be slow to make VPN upgrades, patches are sometimes missed, and the attacks continue -- nabbing even the savviest. Recently, credentials stolen from 87,000 unpatched Fortinet SSL-VPNs were posted online, an event that was confirmed by the cybersecurity company.
VPNs remain a useful tool for unifying networks, but they were never created with massive remote workforces or modern cyber threats in mind -- clientless solutions were. The following are just three areas where VPNs can hamper security, whereas the clientless approach shines.
Analysts from IDC noted that more than 40 percent of security breaches come from authorized users. It’s a broad group covering employees to vendors, which is a problem because most VPNs lack granular control over permissions.
In some cases, when a remote user is authenticated, they become effectively "trusted," and that could provide them access to more of the network than you’d like. According to the Ponemon Institute, insider threats grew nearly 50% from 2018 to 2020, so there’s real reason to be concerned.
What’s more, because VPN performance can be painfully slow, employees may seek even less secure workarounds. There’s no malice intended -- they’re just trying to get their jobs done but get bogged down by the VPN. Regardless, it can introduce more vulnerabilities and increase the likelihood of attacks.
Confusion and mistakes
Keeping tabs on users can be difficult. If your company is in the cloud and has a distributed network, remote workers may end up requiring secure access to dozens of servers. That means every employee, and each VPN appliance, will have a policy that needs to be synced and maintained.
This entails a long list of tasks. For IT leaders, the only means of seeing who has access and their specific policies is often with confusing dashboards. With this snowballing complexity, it’s understandably easy for admins to lose track of where things stand and make mistakes, introducing security holes that can be exploited.
Patch it up
Patches are often needed with software and credible vendors release timely ones, often accompanied by an announcement to alert customers and users. It’s the right thing to do, particularly in an area like security. However, this can also alert cyber criminals to targetable vulnerabilities, and VPN providers have released many software patches over the past year, driven by the increase in remote workforces.
Companies need to get to these patches to keep hackers from getting to them -- and it’s nothing short of a race. Using a known vulnerability, it’s fairly easy and fast for bad actors to access VPN traffic, mess with infrastructure, and move laterally across a network to find the holes where they can do severe damage.
The end of VPN?
Today, employees want access to remote desktops and apps securely from a web browser, on the device they choose, using only their credentials. This is the freedom enterprises want, too, because it gives them greater agility, decreases demands on IT, and is more cost efficient.
The fact is, open-source, clientless, remote desktop software has been around for roughly a decade. Desktop traffic can be encrypted via a secure browser connection through an authenticated gateway. In that way, desktops and other remotely accessible resources are never exposed to the public internet. All functions occur behind a firewall and access rights can be granularly assigned. And these kinds of solutions cost less than VPNs, are easier for IT to administer and perform more reliably.
Does this mark the end of the VPN? No, they’ve proven useful for tasks like unifying networks. However, the appliances have become too much of a security risk for remote access. There are better approaches available that won’t require sacrificing performance, convenience, costs -- and the sanity of your IT team.
Mike Jumper is CEO of Glyptodon, a simple, secure, scalable and affordable means for remote access, whether it's for dozens or tens of thousands of end-users. Its flagship product, Glyptodon Enterprise, is an enterprise build of Apache Guacamole, the open-source project based on technology created by the co-founders.