Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

5/15/2020
10:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

4 Challenges with Existing VPNs

A VPN is a step in the right direction, but it's not the be-all and end-all when it comes to security and falls short in many ways.

In the blink of an eye, everything changed. March 2020 marked a huge shift in the way we approach remote work and the infrastructure needed to support the future of business. According to Gartner's recent CFO survey, 74% of organizations will move at least 5% of their previously on-site workforce to permanently remote positions following the pandemic. In the very near future, remote work will be the norm rather than the exception, necessitating a shift in how we approach security. 

The reality of the modern, mobile-enabled workplace is that we need to go where the users are — an approach that requires security measures beyond virtual private networks (VPNs). While a VPN is a step in the right direction, it's not the be-all and end-all when it comes to security and falls short in many ways. Here are four challenges I see with traditional VPNs: 

1. VPNs Are Physically Limited
Traditional VPNs typically have an on-premises appliance that is constrained by hardware in the number of users that can be supported. Many businesses determined specifications for their VPN appliances using remote work statistics from many years ago, leaving them unprepared for the surge in teleworking that occurred when COVID-19 hit. VPNs are failing and companies are struggling to figure out how to scale to support so many users. Organizations are resorting to creative approaches, such as limiting VPN use to select workers, purchasing a secondary solution, enforcing inconsistent policies, etc. — but these aren't viable long-term strategies.

2. VPNs Fail to Balance Productivity & Security
The age-old debate over productivity and security rages on, and VPNs don't provide a workable solution. Do organizations enable productivity and allow access, effectively endangering security? Or is all traffic routed through the security infrastructure so it can be filtered, overloading the VPN, Web gateways, and firewalls, while negatively affecting productivity because of the resulting substandard user experience? Ask VPN users and they'll tell you about getting half the work done in double the time. Then there are the IT pros who relate countless examples of employees who've infected their corporate laptops with malware or compromised sensitive information by failing to use appropriate security measures. With traditional VPNs, the war between productivity and security has no resolution.

3. VPNs Fall Short on Mobile
VPNs were designed to use a protocol that's resource-intensive on the setup — it takes a bit of time to connect, but the assumption is that the connection will stay alive for the duration of the user's needs. This all changes with mobile. Every time your device goes to sleep or you change networks, the VPN gets interrupted and has to reconnect. Furthermore, mobile apps are not built to be VPN-aware; when the VPN has to reconnect, app responsiveness suffers and user experience suffers. Consider this: Wandera finds that typical knowledge workers will engage with their mobile device almost 100 times in a typical day — that's 100 times a day the VPN has to reconnect and 100 instances of a remote worker who cannot be productive. For businesses, time is money, so that wasted time translates into lost revenue.

4. VPNs Aren't Built for the Modern Workforce
In today's business ecosystem, various remote users are making choices for their own devices and collaborating with individuals outside of their organizations. The way VPNs have been managed in the past is via certificates that sit on the devices and are used to initiate a session. Access to the organization's infrastructure is granted via access to the certificate and, therefore, VPN use is often restricted to company-managed devices. This means that BYOD devices and those used by contractors or partners are often unable to utilize the company's remote access tool.

According to a 2016 research report, the average company's network is accessed by 89 different vendors — contractors, partners, freelancers, etc. — every week, a figure that's likely grown given the rapid digital transformation across industries. These third parties aren't able to access the corporate VPN given they have devices that aren't managed by the company, yet they often have access to sensitive information or collaboration tools. Beyond third-party risk management, the surge in remote work spurred by coronavirus has seen organizations shifting their policies toward lenience. Countless organizations tried and failed to supply employees with approved corporate devices, forcing many to rethink their BYOD policies and take a "whatever you've got, make it work" approach to remote work. And this explosion in unmanaged, insecure devices opens organizations up to countless threats.

As companies transition to the cloud, a big part of that shift involves moving to software-as-a-service applications. In today's world, corporate information isn't on the private network anymore — some assets still live behind firewalls, but most users and the most usage is already on the Internet. This requires a new way of thinking and a new approach to security — that is, cloud-based security. [Editor's note: The author's company is one of a number that offer cloud-centric security.] Rather than the traditional VPN, organizations need cloud-based protection for traffic filtering and mobile-friendly traffic vectoring that doesn't break modern applications that are running on any device being used for remote work, whether it's a Windows 10 laptop, a MacBook, an iOS tablet, or an Android smartphone. Organizations still need filtering and the ability to provide access control to applications, but those protections must move to the cloud to prepare for the business of the future. 

Related Content:

A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19. 

Michael J. Covington, Ph.D., is a seasoned technologist and the Vice President of Product Strategy for Wandera, a leading provider of mobile security. Michael is a hands-on innovator with broad experience across the entire product life cycle, from planning and R&D to ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: I like the old version of Google assistant much better.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8567
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods.
CVE-2020-8568
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that conta...
CVE-2020-8569
PUBLISHED: 2021-01-21
Kubernetes CSI snapshot-controller prior to v2.1.3 and v3.0.2 could panic when processing a VolumeSnapshot custom resource when: - The VolumeSnapshot referenced a non-existing PersistentVolumeClaim and the VolumeSnapshot did not reference any VolumeSnapshotClass. - The snapshot-controller crashes, ...
CVE-2020-8570
PUBLISHED: 2021-01-21
Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executi...
CVE-2020-8554
PUBLISHED: 2021-01-21
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typicall...