ISP Security: Do We Expect Too Much?

With so many people now connecting to business networks from home routers, ISP security takes on heightened importance. But is the security provided by ISPs good enough to be the only security SMBs and remote employees need?

Is This the VPN You're Looking For?
Many users and organizations turn to VPNs to harden security on home ISPs – but VPNs may not be the answer they were seeking.

"There are several challenges when leveraging VPNs while working from home," says Andrew Douglas, a risk and financial advisory managing director in Deloitte's cyber and strategic risk practice. "Not all VPNs carry all traffic, and not all security tools work well across VPN connections. For example, some security tools require regular connections, certain bandwidth, and appropriate configuration, or systems can miss updates and other controls."

Further, Douglas says, VPNs are themselves vulnerable, with a slew of recorded large-scale attempts to exploit them and rising instances of employees giving away access credentials in phishing scams.

VPNs are also falling prey to other user behaviors.

"With entire corporations working from home and VPN appliances working overtime, many workers are averse to using the VPN because their bandwidth is limited and all of their work slows to a crawl," Censys' Sturdevant says.

Speeding up their work isn't the only reason workers and SMB owners turn off VPNs, which they often forget to turn back on. Multifactor authentication that counts device/user location as one of the factors – common among consumer financial institutions – also pushes workers to abandon VPNs.

"Banks will increasingly have to deal with location-mismatch data triggering fraud false positives, but it seems counterintuitive for them to push users away from VPNs," says Cameron Camp, security researcher at ESET.

Other security professionals say the use of VPNs to protect consumer financial information and transactions is itself a security issue.

"A VPN is not really a protection for accessing bank accounts because it just changes the exit point to the Internet from a client's ISP to the VPN server's ISP," says Kevin Reed, CISO at Acronis, a backup software, disaster recovery, and secure data access provider. "In my view, this actually creates more risk than it solves."

Employers with remote workers are turning to other VPN configurations in efforts to avoid users disabling them for work or private business.

"Various VPN configurations can be deployed based on circumstance and need," says Alex Artamonov, systems engineer and cybersecurity specialist at Infinitely Virtual. "Split-tunnel VPNs are common, in part because they can be on at all times and redirect defined traffic only over the VPN. In this example, any traffic for internal company servers would pass through the VPN, while browsing to a banking site would not. This approach avoids having to turn VPNs on and off."
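How a client picks the egress interface under split-tunnel versus full-tunnel routing, as an added example that is not from the article or from any vendor named in it. The prefixes, interface names, and destination addresses are constructed assumptions.

```python
import ipaddress

# Constructed routing tables: (destination prefix, egress interface).
# 10.20.0.0/16 stands in for "internal company servers"; all values are assumptions.
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "isp0"),       # default route stays on the home ISP
    ("10.20.0.0/16", "vpn0"),    # only the corporate prefix enters the tunnel
]
FULL_TUNNEL = [
    ("0.0.0.0/0", "vpn0"),       # everything goes through the tunnel
    ("192.168.1.0/24", "isp0"),  # home LAN stays directly reachable
]

def egress(table, dest):
    """Longest-prefix match: the most specific route containing dest wins."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise LookupError(f"no route to {dest}")
    return best[1]

def bypasses_tunnel(table, dests, tunnel="vpn0"):
    """Destinations that leave outside the tunnel, so inspection at the
    VPN gateway never sees that traffic."""
    return [d for d in dests if egress(table, d) != tunnel]

# Constructed destinations: an internal server, a public site
# (TEST-NET-3 documentation range), and a printer on the home LAN.
SAMPLE = ["10.20.5.9", "203.0.113.10", "192.168.1.50"]

if __name__ == "__main__":
    for name, table in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL)):
        for d in SAMPLE:
            print(f"{name:5} {d:15} -> {egress(table, d)}")
        print(f"{name:5} outside tunnel: {bypasses_tunnel(table, SAMPLE)}")
```

The `bypasses_tunnel` list is the part to review when choosing between the two modes: under split tunneling, every destination on it depends on endpoint and home-network controls alone.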

The Final Score
In the final analysis, heightened awareness may be the best path to stronger protections for remote workers.

"My takeaway is that there's no simple answer to the question of remote security, since needs and network architectures vary so widely among companies of all sizes," says Artamonov. "The most important thing may be to correctly understand the challenge remote security presents."

While there is no simple answer and no one-size-fits-all security tactic or tool to deploy, there are some advances to consider from the lessons learned in the great work-from-home migration.

"The full tunnel VPN approach traditionally demands a large capital infrastructure investment to support all users to help manage for poor performance of certain high bandwidth applications," Deloitte's Douglas says. "As a result, full tunneling is becoming more legacy as companies look to reduce the potential for conflict between security and productivity."

Deloitte and other security pros think something else will replace VPNs soon.

"We think the Secure Access Service Edge (SASE) model is the future of remote work security," Douglas says. "Its ability to pull security services away from traditional on-prem limitations and traffic route bottlenecks, which allows cyber teams to enforce a unified security standard without sacrificing performance, is key."

SASE's "user experience and security visibility are consistent, no matter where users connect from – be it home, an office location, or a public Wi-Fi network," Douglas added.