It goes without saying that our world is now experiencing a significant paradigm shift that a vast majority of the population has no tangible precedent to relate to, most certainly in our lifetimes. This mass upheaval is marked by numerous changes and adjustments in our daily lives, both personal and professional. One of the most notable being the where, when and how behind the way a large portion of the global workforce now operates.
Like it or not, most workers whose physical presence onsite is not mandated as an essential function of their job are now transitioning to working from home for the foreseeable future. Remote work is by no means a new or revolutionary occurrence. In fact, for years prognosticators have been touting remote work and work from home as the absolute future of work.
What’s unprecedented is the main driving force behind this sudden mass-transition to working from home, and how most enterprises don’t yet have the policies, processes, infrastructure, and most importantly, the security in place to truly facilitate and support this mode of working.
We’ve now been thrust into a situation where we’re having to learn and adapt on the go when it comes to securing remote workers. Naturally, prominent patterns are starting to emerge, one of the most noteworthy being the surge in VPN usage.
For example, NordVPN reports it has seen a 165% growth in average daily users since governments around the world began directing people back in February to start working from home as Covid-19 spread. Other VPN providers have also seen similar explosions in usage as remote work becomes the new normal during this global pandemic.
The unfortunate reality is that VPNs are not as secure as most organizations and individuals believe they are. In fact, a variety of studies report numerous security flaws within VPNs that make an organization and its remote workforce vulnerable to cyberattacks.
While VPNs are a convenient, easy way for employees to connect to their organization’s IT network, the drawbacks and limitations of this technology are quickly becoming more apparent as demand and usage skyrocket out of sheer force of necessity.
According to a recent study, Advanced Persistent Threats (APTs) actors continue to focus on attacking VPNs in order to gain a foothold on the networks of targeted organizations through the “exploitation of known vulnerabilities in systems with unpatched VPN and RDP services, in order to infiltrate and take control over critical corporate information storages.”
The U.S. Department of Homeland Security also recently put out warnings regarding enterprise VPN security, noting its shortcomings. Among the security concerns the National Cyber Awareness System (a branch of Homeland Security) identified was the fact that most organizations are less likely to update VPNs with the latest patches and updates because they operate 24/7, combined with the lack of multi-factor authentication usage among workers trying to access their organization’s network remotely.
Enterprises may also contend with a limited number of VPN connections, and this decreased availability can have a negative impact on cybersecurity and crucial business functions. Furthermore, as a rule of thumb, VPNs on BYO devices are generally a bad idea. Even with valid credentials and multi-factor authentication, users who access corporate systems by way of VPNs are being granted a significant level of access to the entire enterprise network. Even if the VPN connection is secure, an infected device can be used as a pivot to infect an organization’s internal systems.
The takeaway from all this is that VPNs are by no means the end-all and be-all technology for securing the remote workforce that they are often touted to be. In order for enterprises to truly secure their remote workforces during this rather tumultuous time, they should adopt a Zero Trust architecture and security model. This model is defined by trusting no one and absolutely nothing by default – especially remote users connecting to the network on unmanaged devices.
Zero Trust Architectures
By assuming every user, device or network is hostile, Zero Trust security forces everyone and everything to prove who they are before access is authorized and it’s proven that they aren’t acting maliciously. And while this may seem like an annoying add-on that could impact productivity, a Zero Trust architecture backed by strong security using AI and analytics can deliver on the promise of Zero Trust security without becoming a burden to users.
Any Zero Trust architecture worth its salt should incorporate a secure Internet gateway as well. This is a secure browser that works on any device – corporate managed or BYO – and represents a much more robust and sound security offering for enterprises, compared to a VPN. That’s because using a secure Internet gateway makes it easier for IT teams to manage user access without granting access to entire networks (like a VPN would) and doesn’t result in any negative impact to performance or user experience.
The VPN-less network access provided by a secure Internet gateway also facilitates ubiquitous, secure access that extends security capabilities like contextual and continuous authentication, as well as traffic segmentation, to any device. It’s worth noting that VPN services are currently overloaded with users due to the current surge of newly minted remote workers, so having an alternative application with secure network connectivity has a lot of advantages.
As millions of workers navigate remote work for the first time, and enterprises start ramping up to speed on best practices to keep their organizations and employees secure, placing all of one’s eggs in the VPN basket is a foolhardy option.
For the greatest levels of security when protecting the remote workforce, look no further than The X-Files mantra of “trust no one” for inspiration. By embracing Zero Trust and deploying more comprehensive measures like a secure Internet gateway, workers will become more secure no matter where, when or how they work.