Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

5/15/2020
10:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

4 Challenges with Existing VPNs

A VPN is a step in the right direction, but it's not the be-all and end-all when it comes to security and falls short in many ways.

In the blink of an eye, everything changed. March 2020 marked a huge shift in the way we approach remote work and the infrastructure needed to support the future of business. According to Gartner's recent CFO survey, 74% of organizations will move at least 5% of their previously on-site workforce to permanently remote positions following the pandemic. In the very near future, remote work will be the norm rather than the exception, necessitating a shift in how we approach security. 

The reality of the modern, mobile-enabled workplace is that we need to go where the users are — an approach that requires security measures beyond virtual private networks (VPNs). While a VPN is a step in the right direction, it's not the be-all and end-all when it comes to security and falls short in many ways. Here are four challenges I see with traditional VPNs: 

1. VPNs Are Physically Limited
Traditional VPNs typically have an on-premises appliance that is constrained by hardware in the number of users that can be supported. Many businesses determined specifications for their VPN appliances using remote work statistics from many years ago, leaving them unprepared for the surge in teleworking that occurred when COVID-19 hit. VPNs are failing and companies are struggling to figure out how to scale to support so many users. Organizations are resorting to creative approaches, such as limiting VPN use to select workers, purchasing a secondary solution, enforcing inconsistent policies, etc. — but these aren't viable long-term strategies.

2. VPNs Fail to Balance Productivity & Security
The age-old debate over productivity and security rages on, and VPNs don't provide a workable solution. Do organizations enable productivity and allow access, effectively endangering security? Or is all traffic routed through the security infrastructure so it can be filtered, overloading the VPN, Web gateways, and firewalls, while negatively affecting productivity because of the resulting substandard user experience? Ask VPN users and they'll tell you about getting half the work done in double the time. Then there are the IT pros who relate countless examples of employees who've infected their corporate laptops with malware or compromised sensitive information by failing to use appropriate security measures. With traditional VPNs, the war between productivity and security has no resolution.

3. VPNs Fall Short on Mobile
VPNs were designed to use a protocol that's resource-intensive on the setup — it takes a bit of time to connect, but the assumption is that the connection will stay alive for the duration of the user's needs. This all changes with mobile. Every time your device goes to sleep or you change networks, the VPN gets interrupted and has to reconnect. Furthermore, mobile apps are not built to be VPN-aware; when the VPN has to reconnect, app responsiveness suffers and user experience suffers. Consider this: Wandera finds that typical knowledge workers will engage with their mobile device almost 100 times in a typical day — that's 100 times a day the VPN has to reconnect and 100 instances of a remote worker who cannot be productive. For businesses, time is money, so that wasted time translates into lost revenue.

4. VPNs Aren't Built for the Modern Workforce
In today's business ecosystem, various remote users are making choices for their own devices and collaborating with individuals outside of their organizations. The way VPNs have been managed in the past is via certificates that sit on the devices and are used to initiate a session. Access to the organization's infrastructure is granted via access to the certificate and, therefore, VPN use is often restricted to company-managed devices. This means that BYOD devices and those used by contractors or partners are often unable to utilize the company's remote access tool.

According to a 2016 research report, the average company's network is accessed by 89 different vendors — contractors, partners, freelancers, etc. — every week, a figure that's likely grown given the rapid digital transformation across industries. These third parties aren't able to access the corporate VPN given they have devices that aren't managed by the company, yet they often have access to sensitive information or collaboration tools. Beyond third-party risk management, the surge in remote work spurred by coronavirus has seen organizations shifting their policies toward lenience. Countless organizations tried and failed to supply employees with approved corporate devices, forcing many to rethink their BYOD policies and take a "whatever you've got, make it work" approach to remote work. And this explosion in unmanaged, insecure devices opens organizations up to countless threats.

As companies transition to the cloud, a big part of that shift involves moving to software-as-a-service applications. In today's world, corporate information isn't on the private network anymore — some assets still live behind firewalls, but most users and the most usage is already on the Internet. This requires a new way of thinking and a new approach to security — that is, cloud-based security. [Editor's note: The author's company is one of a number that offer cloud-centric security.] Rather than the traditional VPN, organizations need cloud-based protection for traffic filtering and mobile-friendly traffic vectoring that doesn't break modern applications that are running on any device being used for remote work, whether it's a Windows 10 laptop, a MacBook, an iOS tablet, or an Android smartphone. Organizations still need filtering and the ability to provide access control to applications, but those protections must move to the cloud to prepare for the business of the future. 

Related Content:

A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19. 

Michael J. Covington, Ph.D., is a seasoned technologist and the Vice President of Product Strategy for Wandera, a leading provider of mobile security. Michael is a hands-on innovator with broad experience across the entire product life cycle, from planning and R&D to ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/28/2020
GDPR Enforcement Loosens Amid Pandemic
Seth Rosenblatt, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4306
PUBLISHED: 2020-05-29
IBM Planning Analytics Local 2.0.0 through 2.0.9 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 17...
CVE-2020-4352
PUBLISHED: 2020-05-29
IBM MQ on HPE NonStop 8.0.4 and 8.1.0 is vulnerable to a privilege escalation attack when running in restricted mode. IBM X-Force ID: 178427.
CVE-2020-4490
PUBLISHED: 2020-05-29
IBM Business Automation Workflow 18 and 19, and IBM Business Process Manager 8.0, 8.5, and 8.6 could allow a remote attacker to bypass security restrictions, caused by a reverse tabnabbing flaw. An attacker could exploit this vulnerability and redirect a vitcim to a phishing site. IBM X-Force ID: 18...
CVE-2020-5572
PUBLISHED: 2020-05-29
Android App 'Mailwise for Android' 1.0.0 to 1.0.1 allows an attacker to obtain credential information registered in the product via unspecified vectors.
CVE-2020-5573
PUBLISHED: 2020-05-29
Android App 'kintone mobile for Android' 1.0.0 to 2.5 allows an attacker to obtain credential information registered in the product via unspecified vectors.