Cloud | Commentary
12/17/2020 10:00 AM
Petar Besalev

VPNs, MFA & the Realities of Remote Work

The work-from-home era is accelerating cloud-native service adoption.

For most of 2020, organizations have been forced to adapt to the operational challenges of employees working from home networks, often on personal computers, while accessing corporate data. The primary dilemma is balancing security against productivity. The stakes are visible in the 2020 Verizon "Data Breach Investigations Report": 45% of breaches featured hacking and 22% included social engineering attacks. Attacks will continue, especially with many remote workers staying at home, and the volume of data breaches is likely to rise sharply.

There is a definite upside to remote work. Employees save time by not commuting, and many are able to focus and embrace collaboration tools for increased productivity. A remote workforce also enables organizations to reduce operational costs tied to physical office space. However, the trade-off for security professionals is that the corporate perimeter can no longer secure these employees, and home networks continue to present a significant security risk.

From my own conversations with clients, most organizations are implementing a combination of virtual private networks (VPNs) and multifactor authentication (MFA) to secure remote connections. To a lesser extent, some organizations are still tied to an existing virtual desktop infrastructure (VDI), but user experience and performance degrade under load, so most organizations avoid it. VDI is adequate for general office work but won't cut it for developers, designers, or anyone who needs serious processing power, because compute is pooled and shared among all sessions.

As organizations have adapted to remote work and adopted new solutions, it's critical they understand how their architecture has changed in order to identify the evolving threat surface. It's also important to realize that an IT architecture is like a fingerprint: there are some common types, but ultimately each one is unique. A VPN is the natural fit for an on-premises environment, while MFA is the primary control for a cloud-based setup. The two are not alternatives, though: where a VPN is in use, MFA should front the VPN login as well.

Let's take VPNs as an example. The most straightforward use case of a VPN is to establish an encrypted connection from a remote device into corporate infrastructure. You're at home, on your own wireless network, but you connect through the VPN to a concentrator that sits at the corporate firewall, and from there you are on the corporate network. This model works well for organizations that keep a data center and file servers on-site, because the existing network perimeter still protects those assets.

However, VPN traffic gets harder to manage at the scale of larger organizations. Once hundreds of remote employees connect through the VPN, backhauling all of their traffic through the corporate network so it can be inspected, filtered, and routed back out to the Internet becomes a significant bandwidth and capacity burden. This is particularly true if an organization has strict data loss prevention (DLP) controls: if an employee working from home connects through the VPN but browses Amazon during a coffee break, should your organization carry, monitor, and protect that traffic? Some risk-averse organizations accept that burden. The alternative is split tunneling, in which only traffic destined for corporate resources is routed through the encrypted tunnel while everything else (social media, news, consumer sites) goes to the Internet directly from the home network. The trade-off is that the direct traffic bypasses the corporate web gateway and DLP, so split tunneling should be paired with endpoint controls and an explicit rule set for which destinations must stay inside the tunnel.

On the other hand, many companies have adopted a more cloud-native IT infrastructure: SaaS such as Microsoft 365, Google Workspace, and Salesforce, and cloud service providers such as Microsoft Azure and Amazon EC2. Once an organization shifts to the cloud there is much less need for a VPN, because the providers have commoditized many traditional security controls, such as antivirus, email gateways, and web traffic gateways. More fundamentally, there is no need to tunnel into the corporate network to reach cloud services when none of the corporate data lives inside that network.

Threat Surface
However, cloud services still present a substantial threat surface, because if your access credentials are compromised, someone else can log in as you, and the 2020 Verizon "Data Breach Investigations Report" shows how prevalent and successful phishing is as an attack vector. That is why MFA is so critical for securing this type of architecture. Typically, MFA requires a second validation code after the password, delivered by text message or generated by an authenticator app. SMS codes are the weakest of these options (they can be intercepted via SIM swapping and are as phishable as the password itself), so an authenticator app, push-based approval, or a hardware security key is preferable where the platform supports it.

MFA solutions have been evolving with the advent of zero-trust approaches built on continuous conditional access. These solutions monitor user behavior and require reauthentication when an anomaly is detected: for example, your credentials are used to log in from Europe an hour after you were working from the United States. One advantage of working with a cloud provider like Microsoft Azure is that MFA integrates with Azure Active Directory conditional access policies, so this kind of rule can be enforced centrally. Single sign-on (SSO) and identity and access management (IAM) providers can also help this approach run smoothly, but again, every architecture is unique.

Unfortunately, there are issues. Many organizations had to stand up remote work infrastructure very quickly when the pandemic forced remote work this year, which means many deployed a collection of point solutions that do not integrate well. For example, some organizations cannot put MFA in front of their on-premises environment because their VPN does not integrate with their MFA provider. Early adopters of cloud services have found the transition to remote work more manageable because they had already moved corporate assets beyond the perimeter. In that respect, the necessity of remote work has certainly accelerated the adoption of cloud-native services.

Petar Besalev is the Senior Vice President of Cybersecurity and Privacy Services at A-LIGN. He is responsible for overseeing all privacy and security services that A-LIGN offers, including PCI DSS, penetration testing, ISO 27001, HIPAA/HITECH, FISMA, and FedRAMP. Petar has ...