Dark Reading is part of the Informa Tech Division of Informa PLC



5/15/2020
10:00 AM

4 Challenges with Existing VPNs

A VPN is a step in the right direction, but it's not the be-all and end-all when it comes to security and falls short in many ways.

In the blink of an eye, everything changed. March 2020 marked a huge shift in the way we approach remote work and the infrastructure needed to support the future of business. According to Gartner's recent CFO survey, 74% of organizations will move at least 5% of their previously on-site workforce to permanently remote positions following the pandemic. In the very near future, remote work will be the norm rather than the exception, necessitating a shift in how we approach security. 

The reality of the modern, mobile-enabled workplace is that we need to go where the users are — an approach that requires security measures beyond virtual private networks (VPNs). While a VPN is a step in the right direction, it's not the be-all and end-all when it comes to security and falls short in many ways. Here are four challenges I see with traditional VPNs: 

1. VPNs Are Physically Limited
Traditional VPNs typically have an on-premises appliance that is constrained by hardware in the number of users that can be supported. Many businesses determined specifications for their VPN appliances using remote work statistics from many years ago, leaving them unprepared for the surge in teleworking that occurred when COVID-19 hit. VPNs are failing and companies are struggling to figure out how to scale to support so many users. Organizations are resorting to creative approaches, such as limiting VPN use to select workers, purchasing a secondary solution, enforcing inconsistent policies, etc. — but these aren't viable long-term strategies.

2. VPNs Fail to Balance Productivity & Security
The age-old debate over productivity and security rages on, and VPNs don't provide a workable solution. Do organizations enable productivity and allow access, effectively endangering security? Or is all traffic routed through the security infrastructure so it can be filtered, overloading the VPN, Web gateways, and firewalls, while negatively affecting productivity because of the resulting substandard user experience? Ask VPN users and they'll tell you about getting half the work done in double the time. Then there are the IT pros who relate countless examples of employees who've infected their corporate laptops with malware or compromised sensitive information by failing to use appropriate security measures. With traditional VPNs, the war between productivity and security has no resolution.

3. VPNs Fall Short on Mobile
VPNs were designed to use a protocol that's resource-intensive at setup: it takes a bit of time to connect, but the assumption is that the connection will stay alive for the duration of the user's needs. This all changes with mobile. Every time your device goes to sleep or you change networks, the VPN gets interrupted and has to reconnect. Furthermore, mobile apps are not built to be VPN-aware; when the VPN has to reconnect, app responsiveness and user experience both suffer. Consider this: Wandera finds that typical knowledge workers will engage with their mobile device almost 100 times in a typical day. That's 100 times a day the VPN has to reconnect and 100 instances of a remote worker who cannot be productive. For businesses, time is money, so that wasted time translates into lost revenue.

4. VPNs Aren't Built for the Modern Workforce
In today's business ecosystem, various remote users are making choices for their own devices and collaborating with individuals outside of their organizations. The way VPNs have been managed in the past is via certificates that sit on the devices and are used to initiate a session. Access to the organization's infrastructure is granted via access to the certificate and, therefore, VPN use is often restricted to company-managed devices. This means that BYOD devices and those used by contractors or partners are often unable to utilize the company's remote access tool.

According to a 2016 research report, the average company's network is accessed by 89 different vendors — contractors, partners, freelancers, etc. — every week, a figure that's likely grown given the rapid digital transformation across industries. These third parties aren't able to access the corporate VPN given they have devices that aren't managed by the company, yet they often have access to sensitive information or collaboration tools. Beyond third-party risk management, the surge in remote work spurred by coronavirus has seen organizations shifting their policies toward lenience. Countless organizations tried and failed to supply employees with approved corporate devices, forcing many to rethink their BYOD policies and take a "whatever you've got, make it work" approach to remote work. And this explosion in unmanaged, insecure devices opens organizations up to countless threats.

As companies transition to the cloud, a big part of that shift involves moving to software-as-a-service applications. In today's world, corporate information isn't on the private network anymore: some assets still live behind firewalls, but most users and most usage are already on the Internet. This requires a new way of thinking and a new approach to security, namely cloud-based security. [Editor's note: The author's company is one of a number that offer cloud-centric security.] Rather than the traditional VPN, organizations need cloud-based protection for traffic filtering and mobile-friendly traffic vectoring that doesn't break modern applications running on any device used for remote work, whether it's a Windows 10 laptop, a MacBook, an iOS tablet, or an Android smartphone. Organizations still need filtering and the ability to provide access control to applications, but those protections must move to the cloud to prepare for the business of the future.


Michael J. Covington, Ph.D., is a seasoned technologist and the Vice President of Product Strategy for Wandera, a leading provider of mobile security. Michael is a hands-on innovator with broad experience across the entire product life cycle, from planning and R&D to ...
 
