Let’s give credit where credit is due. Few organizations were prepared last March when the number of employees working from home (WFH) surged from 9% to 77% in a matter of weeks due to the COVID-19 lockdowns. The transition to remote work was so sudden and unexpected that employers were forced to support employee-owned devices whether or not they had strategies in place to do so. Tactical deployments of WFH tools and technologies were rolled out globally. The fact that so many of these deployments were initially successful is a testament to the dedication and ingenuity of an already overstressed IT workforce.
Now for the bad news. The legacy tools and technologies used for some of these deployments may have been riddled with critical vulnerabilities that are actively being exploited by threat groups. The underlying WFH infrastructure is immature in many instances and doesn’t adequately protect employee privacy. Personal data on employee-owned devices is routinely exposed on corporate networks. And many organizations still lack bring-your-own-device (BYOD) acceptable use and security policies.
Overall, legacy approaches for supporting remote workers are often overly complex, expensive to maintain, and difficult to manage. It’s time for a new, no-compromise approach that more ably meets BYOD and WFH security, productivity, and privacy standards.
How VPN Solutions Stack Up
For decades, organizations relied on virtual private networks (VPNs) to provide secure encrypted communications between remote endpoints and enterprise data centers. It should come as no surprise, then, that global VPN deployments surged by an unprecedented 27% in 2020, a trend chiefly fueled by the urgent need to support remote workers. Unfortunately, VPNs are not as secure as once believed, often possessing design flaws and structural vulnerabilities that can be exploited relatively easily by crafty adversaries.
On April 24, 2019, for example, Pulse Secure issued an out-of-cycle advisory reporting multiple critical vulnerabilities in its VPN products. These included flaws that enable attackers to obtain private keys and passwords (CVE-2019-11510) and to inject malicious code (CVE-2019-11539). Once systems are compromised, attackers can drop malware, conduct reconnaissance, and move laterally across the victim’s network. Pulse Secure also released a set of software patches that the company urged customers to install immediately. Yet, a year later, the Cybersecurity and Infrastructure Security Agency (CISA) found it necessary to issue a new alert warning that “unpatched Pulse Secure VPN servers continue to be an attractive target for malicious actors”.
Several of these unpatched servers belonged to Travelex, a British foreign exchange company headquartered in London. On December 31, 2019, the Sodinokibi cyber-crime group exploited the Pulse Secure vulnerabilities to mount a devastating ransomware attack that cost Travelex an estimated $2.3 million in bitcoin payments.
Of course, VPN security issues are not confined to Pulse Secure products alone. Similar flaws have been reported for Palo Alto Networks' GlobalProtect™ (CVE-2019-1579), Fortinet® FortiOS® (CVE-2018-13379), and Citrix® (CVE-2019-19781).
VPNs also pose vexing employee privacy issues that make them a poor fit for many use case scenarios. For example, if the VPN client is running on an employee’s personal device, then the employer has full access to both the employee’s work files and their personal information. Likewise, if an attacker obtains an employee’s credentials by compromising the employer’s VPN, they can easily drop malware on the employee’s system and steal their personal data.
VPN clients perform many complex calculations, so they need hosts with enough memory and computing power to run them efficiently in near real time. That can cause major performance bottlenecks for workers with under-powered mobile phones and tablets.
What About Virtual Desktop Infrastructure (VDI) Solutions?
Microsoft®, VMware®, Citrix, and others offer VDI solutions hosted on physical servers in the customer’s data center or on virtual servers hosted in the cloud. VDI solutions have the potential to provide secure containerized applications and workspaces to almost every kind of remote device. However, they are also costly, complex, and difficult to manage. The IT team must handle purchasing and deploying the virtual desktops, staffing a help desk, and monitoring, securing, and upgrading the infrastructure on an ongoing basis. The administrative overhead can be especially burdensome for small and mid-sized businesses contending with tight IT budgets and understaffed IT teams.
Like VPNs, VDI solutions are not immune to digital tampering or compromise. On November 23, 2020, for example, VMware issued an advisory on a critical command injection vulnerability affecting a group of VMware Workspace ONE® products. Tracked by CISA as CVE-2020-4006, the vulnerability allows a malicious actor with stolen admin credentials to “execute commands with unrestricted privileges on the underlying operating system”. A month later, the U.S. National Security Agency (NSA) issued a Cybersecurity Advisory warning that Russian state-sponsored threat actors were actively exploiting the vulnerability. The agency urged network administrators at federal agencies to make updating the affected servers a top priority. Similar critical vulnerabilities have also been reported for Citrix appliances and for applications that utilize Apache web servers.
In addition to security challenges, VDI solutions also pose daunting privacy issues, especially in mobile BYOD scenarios. Nearly 60% of the IT experts responding to a Bitglass survey said their organization requires physical access to a mobile device before it can be used for work. Another 51% require the device’s PIN. Others demand root access, passwords to cloud and backup accounts, and more. While necessary to monitor and manage security, this level of oversight is intrusive for employees and a clear threat to their personal privacy.
BlackBerry’s Advanced Approach to BYOD Security, Privacy, and Productivity
Although VPN and VDI can secure a network connection, the costs associated with licensing, hardware, software, infrastructure, and help desk support add up quickly. These legacy technologies also fail to effectively safeguard employee privacy or protect devices against new forms of malware and other cyber threats. It’s time to consider a new approach.
BlackBerry® Digital Workplace is a robust, self-contained platform that provides employees, contractors, and partners with secure “anywhere” access to behind-the-firewall resources with continuous threat protection using artificial intelligence.
- Awingu® provides users with a unified and lightweight single-sign-on workspace for running Windows®, Linux®, web and intranet apps, desktops, and files inside the secure browser. Users can access corporate servers and content, and web applications such as Zoom, from any combination of managed and unmanaged devices. They can also create, edit, and share Microsoft® Word, Microsoft® Excel®, and Microsoft® PowerPoint® files, and use tried-and-true productivity apps like BlackBerry® Work and BlackBerry® Workspaces.
- Thanks to BlackBerry® Dynamics™, BlackBerry Access data is encrypted at rest and in transit. Enterprise security and employee privacy are assured by next-generation containerization technologies that segregate personal data from business data on the device. Employee privacy is also enhanced since IT manages access to enterprise resources through BlackBerry Access rather than the host device.
- BlackBerry® Desktop affords users a secure connection to email, corporate websites, servers, content, and files on their personal or non-corporate-managed Windows® 10 and macOS® devices. In combination, BlackBerry Access and BlackBerry Work enhance security while eliminating the licensing and maintenance costs for VPN and VDI products, complex hardware, certificate and authentication mechanisms, intrusive sign-in procedures, and inbound ports.
From an IT perspective, the BlackBerry approach is a four-win proposition.
- Users gain anywhere access on any device to the familiar tools and enterprise resources they need to be productive.
- Corporate and personal data are segregated and secured against cyber attacks.
- Eliminating VPN and VDI license fees frees up budget for more strategic IT investments.
- Streamlined administration allows IT to focus on digital transformation projects that directly benefit the business.
Learn how BlackBerry® BYOD solutions can help your organization optimize the security, productivity, and privacy of your remote workforce.