Prior to the Coronavirus Pandemic, 44% of companies around the globe didn’t allow remote work. Globally, just 2.8% of the workforce worked from home at least half the time.
Those numbers have obviously changed quickly since the outbreak began. Now organizations around the world have no choice but to embrace remote work.
Many of them already had business continuity plans in place, often counting on Virtual Private Networks (VPNs) or Virtual Desktop Infrastructures (VDI)/Remote Desktop Protocol (RDP) to fill what is anticipated to be a short-term gap. However, the technologically advanced global work world has never experienced a business continuity event at the scale and uncertain length of what they face today with COVID-19.
And that’s a problem. In a cyberworld constantly under siege from hackers and nation-states, most organizations still rely on VPNs and VDIs – which happen to be among the most frequently targeted attack vectors by hackers (after phishing attacks).
Just recently, enterprise VPN vulnerabilities from four of the most well-known vendors – Pulse Secure, Fortinet, Palo Alto and Citrix – were exploited in the wild by hackers and nation-states. RDP, meanwhile, continues to be the most significant attack vector from which hackers can launch ransomware attacks.
In this post, we’ll go in depth on the security challenges of VPNs. In our next blog post, we’ll examine the security consequences of using RDP for remote access. And in both posts, we’ll discuss a much more secure alternative – Zero Trust with Total Access Control.
The Bandwidth Bottleneck
The architecture and security needs of the modern hybrid enterprise are far beyond the configuration capabilities of today’s VPNs. Originally, VPNs were not designed to be a secure way to access networks. They were designed long before the days of ransomware, man-in-the-middle attacks, and phishing – solely to connect the outside world to your inside network.
For instance, VPNs were never meant to specialize in the in-depth inspection of your traffic that is so vital to keeping your security posture strong today. And while some have added security measures that go beyond just username and password credentials, the tradeoff is that those security capabilities also create a drastic drag on a VPN’s throughput.
The heavy connection a VPN uses requires significant bandwidth – and bandwidth can be a limited resource, especially at a time when entire workforces around the globe are logging in remotely. That’s because VPNs deal with connectivity solely at the network level, relying on standard communications as if your users were still on the network sitting in their offices.
As we are seeing now, when you change your remote workflow coming in through a VPN from 500 to 5,000 employees, that creates a significant bottleneck. All the messages that circulate through your network, all the overhead operations of security measures like group policy, software updates, and patches, all the things that used to be controlled locally – they are all now part of the communication layer flowing through the VPNs and through your external communications infrastructure.
Normally, your internal bandwidth is much more than your external bandwidth, so this is going to place extraordinary pressure on your organization, with pervasive performance issues very likely to develop.
Most of that information is not useful to a remote business user, and worse, it chews up a tremendous amount of your infrastructure’s bandwidth along the way. Meanwhile, hackers find the open port, exploit it by using valid credentials (either through phishing attacks or by purchasing them on the Dark Web), and gain access to your infrastructure. Then – BANG – it’s all over. They can quickly and easily move laterally across all your network resources.
Total Access Control (TAC) takes a different approach. Instead of working at the network level – which requires sending all your traffic back and forth across the Internet – TAC manages all the session and network interactions for your end users, without exposing your network on a wide basis to hackers.
All that traverses the internet with TAC is an optimized flow of screen traffic and minimal overhead. Even these exponentially smaller traffic flows are compressed and optimized through advanced algorithms and caching. The result is a much faster user experience with dramatically lower overhead than traditional VPNs, as well as reduced loads on application servers.
As more IT organizations turned to VPNs for remote access, they found they had a problem. They still wanted to be able to limit what people working remotely could access through the VPN. They needed segmentation.
Historically with VPNs, organizations would give everybody access to the network at the same level. Someone coming in from the outside might get access to resources that they wouldn’t have permissions for if they were working in the office.
Subnets were designed to try to isolate end users coming into the network from the VPN, so organizations didn’t have to figure out that access on every access request. But what happens when all of a sudden everybody’s invited to the party, like now?
How do you keep the network from being overrun? How do you keep from giving the wrong permissions to the wrong people, especially when you’re ramping up forwarding rules on the fly? And what happens if a hacker can gain access with compromised credentials?
Now these users (or hackers) potentially have access to all your resources, because the VPN doesn’t offer any segmentation without complicating things with subnets. It just drops the users on your network, and from there it becomes a nightmare for your team to securely manage the segmentation of permissions effectively. VPNs aren’t designed to really offer any granular control.
However, TAC provides that granular control instantly. When you scale and change your workforce, or need to publish new applications, TAC allows you to do so securely in minutes. You don’t have to conduct an in-depth network architecture conversation every time you want to make changes, or add support staff to manage permissions, or risk lumping people into the wrong categories.
Organizations using TAC can quickly and efficiently create and modify security policies. For instance, you may need to add permissions for a new group of users to gain access to certain applications. With TAC, you just add that group to the security policy for that application and they have access, provided they meet the security requirements you’ve instituted for that application. They no longer need access to the network; they now get access to the resources they qualify for – and nothing more.
Context of Access
As many organizations are discovering today, it can become very costly to expand VPN licenses, especially on little or no notice. That leads to shortcuts, such as the temptation to take a one-size-fits-all approach that groups everyone together, or segments them into far-too-broad permission categories. That leaves a gaping hole across your attack surface. Also note that right now phishing attacks are up dramatically over the past 30 days, so hackers are increasingly getting valid credentials to attack organizations with their own usernames and passwords.
But ask yourself: If your end users were on site, would you want them to have access to everything, anyway? The answer, of course, is no. And that’s where the nightmares of managing all these permission levels for VPNs become even more grave.
TAC takes a much more effective approach. It evaluates a person’s entire context of access and takes it into account when examining the remote access request. TAC’s multi-dimensional context of access enables organizations to:
- Validate the user’s credentials
- Use multifactor authentication
- Verify the user’s type of device and the security status of that device
- Confirm that patch levels are up to date
- Validate certificates
- And much more
From there, TAC compares the access request to the organization’s own security policies for each resource, and then provides access to only those resources for which the end user has the proper permissions. TAC also makes it much easier for the end users by providing Single Sign-On (SSO) to resources regardless of whether they are locally based or hosted in the cloud.
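The policy flow described above, and the "just add the group to the application's policy" operation from earlier in the post, can be illustrated with a small per-resource policy evaluator. This is an added example written for this post, not PortSys or TAC code; the request fields, the policy schema, the sample users and the numeric patch levels are all constructed assumptions rather than the product's data model. Every check runs to completion so that a denial is recorded with all of its reasons, and a valid password alone never yields network-level access, only the resources whose policy the full context satisfies.

```python
"""Context-of-access policy evaluation (added example, not TAC code).

Request fields, policy schema and sample users are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class AccessRequest:
    user: str
    groups: Set[str]
    credentials_valid: bool   # primary credential check (password / IdP) passed
    mfa_passed: bool
    device_type: str          # constructed values: "managed" or "byod"
    os_build: int             # patch level reported by the endpoint agent (constructed scale)
    client_cert_valid: bool


@dataclass
class ResourcePolicy:
    """Per-resource requirements: who may reach it and under what context."""
    name: str
    allowed_groups: Set[str]
    require_mfa: bool = True
    allowed_device_types: Set[str] = field(default_factory=lambda: {"managed"})
    min_os_build: int = 0
    require_client_cert: bool = False


def evaluate(req: AccessRequest, policy: ResourcePolicy) -> Tuple[bool, List[str]]:
    """Check one request against one resource policy.

    There is deliberately no early exit: the audit record should list every
    reason a request was denied, not only the first one found.
    """
    reasons: List[str] = []
    if not req.credentials_valid:
        reasons.append("credentials invalid")
    if not (req.groups & policy.allowed_groups):
        reasons.append("user not in a permitted group")
    if policy.require_mfa and not req.mfa_passed:
        reasons.append("MFA not satisfied")
    if req.device_type not in policy.allowed_device_types:
        reasons.append(f"device type {req.device_type} not permitted")
    if req.os_build < policy.min_os_build:
        reasons.append(f"patch level {req.os_build} below required {policy.min_os_build}")
    if policy.require_client_cert and not req.client_cert_valid:
        reasons.append("client certificate missing or invalid")
    return not reasons, reasons


def authorized_resources(req: AccessRequest, policies: List[ResourcePolicy],
                         audit_log: List[Dict]) -> List[str]:
    """Return the resources this request qualifies for, logging each decision.

    A user who fails the context checks everywhere gets an empty list: there is
    no "dropped on the network" fallback.
    """
    granted = []
    for policy in policies:
        allowed, reasons = evaluate(req, policy)
        audit_log.append({"user": req.user, "resource": policy.name,
                          "decision": "allow" if allowed else "deny",
                          "reasons": reasons})
        if allowed:
            granted.append(policy.name)
    return granted


def grant_group(policies: List[ResourcePolicy], resource: str, group: str) -> None:
    """Publish a resource to a new group by editing its policy only;
    no subnet or forwarding-rule change is involved."""
    for policy in policies:
        if policy.name == resource:
            policy.allowed_groups.add(group)
            return
    raise KeyError(resource)


def build_policies() -> List[ResourcePolicy]:
    """Two constructed resources: a collaboration site open to BYOD devices and
    a payroll app restricted to managed, certificate-bearing devices."""
    return [
        ResourcePolicy("sharepoint", {"staff"},
                       allowed_device_types={"managed", "byod"}, min_os_build=100),
        ResourcePolicy("payroll", {"finance"}, min_os_build=110, require_client_cert=True),
    ]


# Constructed sample requests.
ALICE = AccessRequest("alice", {"staff"}, True, True, "managed", 120, True)
BOB = AccessRequest("bob", {"staff", "finance"}, True, True, "byod", 120, False)
MALLORY = AccessRequest("mallory", {"staff"}, True, False, "managed", 120, False)  # stolen password, no MFA
CARL = AccessRequest("carl", {"contractors"}, True, True, "byod", 105, False)

if __name__ == "__main__":
    policies, log = build_policies(), []
    for req in (ALICE, BOB, MALLORY, CARL):
        print(req.user, "->", authorized_resources(req, policies, log))
    grant_group(policies, "sharepoint", "contractors")   # the one-line policy change
    print("carl after policy change ->", authorized_resources(CARL, policies, log))
    for entry in log:
        if entry["decision"] == "deny":
            print(entry)
```

Note how `mallory`, who holds a valid (phished) password but cannot pass MFA, is granted nothing at all, and how `bob` is kept out of payroll by device and certificate checks even though his group membership is correct; those denial reasons are exactly what a reviewer wants to see in the audit trail.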
Another issue for VPNs is the complexity of your network. VPNs often require clients that must be installed on remote machines. Getting the clients loaded and/or updated properly already makes admins pull out their hair. This is on top of the challenges of trying to manage who is getting access to which resources when users are getting direct network access.
Many organizations use VPNs because other remote access products today won’t work properly with applications. A good example of this is SharePoint. Many remote access solutions have difficulty properly processing links for SharePoint, which causes significant frustrations. That leaves you with the choice of running SharePoint over a VPN or publishing it directly to the outside world – itself a scary proposition.
TAC provides a secure and fast alternative to both scenarios. TAC does not require a complex client like VPN solutions; it can be run with either a light client or without any client at all, dramatically simplifying implementation and ongoing operations.
Also, TAC’s full reverse proxy engine not only works fabulously for SharePoint, but for almost any other application as well. And TAC dramatically increases security and significantly improves performance over the other alternatives.
Don’t Fly Blind
The encrypted tunnels that VPNs use pose yet another security problem. Sure, the outside world can’t see them, but you are also blind to the traffic going through the fully SSL-encrypted tunnels as well. That means you don’t have the opportunity to thoroughly inspect the traffic coming in through the VPNs before it’s placed on your network.
While there is the ability now to do some packet filtering with VPNs, the tradeoff in processing power makes their use very inefficient. Not only does the performance of the VPN slow down dramatically, but so does your infrastructure across the board. In a situation where you need to ramp up the processing power of a VPN, a way to do that is to turn off its security features. But then you’re flying blind.
TAC was designed from the ground up to guarantee optimum performance with its complete portfolio of security features running. TAC decrypts traffic, inspects it and makes sure it’s valid for the application that it’s going to, then re-encrypts the traffic and sends it to the application. Oh, and this in-depth assessment of the traffic coming in from remote locations? TAC completes it seamlessly, before the user even touches the network – without any lulls in performance.
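What "making sure the traffic is valid for the application it's going to" can mean in practice is shown by the following application-aware request check, the kind of logic a reverse proxy runs on a decrypted request before forwarding it. This is an added example written for this post, not TAC's inspection engine; the `AppProfile` fields, the SharePoint-style path patterns and the sample requests are constructed assumptions. It rejects methods the published application does not use, a Host header that does not match the published name, path traversal after percent-decoding, ambiguous message framing, and oversized or mis-declared bodies, all before anything reaches the internal server.

```python
"""Application-aware inspection of a decrypted HTTP request (added example).

The profile schema and sample requests are constructed; this is not the
product's own code.
"""
import re
from dataclasses import dataclass
from typing import Dict, Tuple
from urllib.parse import unquote


@dataclass
class AppProfile:
    name: str
    public_host: str            # Host the application is published under
    allowed_methods: frozenset  # methods the application legitimately uses
    path_patterns: tuple        # compiled regexes; at least one must match
    max_body_bytes: int


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x request into method, target, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].decode("ascii", "replace").split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        raise ValueError("malformed request line")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError("malformed header line")
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip().decode("latin-1")
    return parts[0], parts[1], headers, body


def inspect_request(raw: bytes, profile: AppProfile) -> Tuple[bool, str]:
    """Return (forward, reason). Only requests that fit the published
    application's profile are forwarded; everything else is dropped here."""
    try:
        method, target, headers, body = parse_request(raw)
    except ValueError as exc:
        return False, str(exc)
    if method not in profile.allowed_methods:
        return False, f"method {method} not allowed for {profile.name}"
    if headers.get("host", "").lower() != profile.public_host:
        return False, "Host header does not match the published application"
    if "transfer-encoding" in headers and "content-length" in headers:
        # Two framing mechanisms at once: the proxy and the backend could
        # disagree on where this request ends, so refuse it outright.
        return False, "ambiguous message framing (Transfer-Encoding with Content-Length)"
    # Decode once, the way the backend will, then check the decoded path.
    decoded = unquote(target.split("?", 1)[0])
    if (not decoded.startswith("/") or ".." in decoded.split("/")
            or "\x00" in decoded or "\\" in decoded):
        return False, "path traversal or control characters in path"
    if not any(p.match(decoded) for p in profile.path_patterns):
        return False, f"path {decoded!r} is not published for {profile.name}"
    declared = headers.get("content-length")
    if declared is not None:
        if not declared.isdigit():
            return False, "invalid Content-Length"
        if int(declared) != len(body):
            return False, "Content-Length does not match body"
    if len(body) > profile.max_body_bytes:
        return False, "body exceeds the limit for this application"
    return True, "ok"


# Constructed profile for a SharePoint-style site published at a public name.
SHAREPOINT = AppProfile(
    name="sharepoint",
    public_host="sharepoint.example.com",
    allowed_methods=frozenset({"GET", "HEAD", "POST"}),
    path_patterns=(re.compile(r"^/sites/[A-Za-z0-9_-]+(/|$)"), re.compile(r"^/_api/")),
    max_body_bytes=1_000_000,
)

# Constructed sample requests.
GOOD = (b"GET /sites/team/Shared%20Documents/Forms/AllItems.aspx HTTP/1.1\r\n"
        b"Host: sharepoint.example.com\r\n\r\n")
TRAVERSAL = (b"GET /sites/team/%2e%2e/%2e%2e/_layouts/15/settings.aspx HTTP/1.1\r\n"
             b"Host: sharepoint.example.com\r\n\r\n")
WRONG_HOST = b"GET /sites/team/ HTTP/1.1\r\nHost: intranet.example.local\r\n\r\n"
BAD_METHOD = b"DELETE /sites/team/ HTTP/1.1\r\nHost: sharepoint.example.com\r\n\r\n"
AMBIGUOUS = (b"POST /_api/web HTTP/1.1\r\nHost: sharepoint.example.com\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")

if __name__ == "__main__":
    for label, req in [("good", GOOD), ("traversal", TRAVERSAL), ("wrong host", WRONG_HOST),
                       ("bad method", BAD_METHOD), ("ambiguous framing", AMBIGUOUS)]:
        print(f"{label:17} -> {inspect_request(req, SHAREPOINT)}")
```

The profile is the key design choice: it describes what the published application needs (its name, its verbs, its URL space, its payload size) so that the check is a positive allowlist rather than a blocklist of known-bad patterns, and the decision is made once, on decrypted traffic, before the request is re-encrypted toward the internal server.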
One final note:
VPNs don’t allow your organization to monitor and report on access, whether the user is an employee or a third party, such as a vendor. You do not know which users had access to what resources when, or how they are using those resources.
TAC, on the other hand, provides full audit and historical reporting capabilities on all access within your enterprise, local and cloud. With TAC, for the first time you now have total awareness of all the rich information on every session and the specifics of that session available to you at any time – all in one place.
VPNs may be good for certain circumstances, but the legacy technology that sits at their foundation presents several significant security concerns for both normal circumstances and, more long-term, for your business continuity strategies. TAC is not just an alternative to VPN. It can also be your primary access solution for all resources, local and cloud, while working equally well for internal employees and improving their productivity.
At the end of the day, Total Access Control provides a simpler, stronger and more unified approach to managing security for remote users.
In our next blog post, we’ll analyze the security challenges of RDP, and how TAC addresses those concerns. In the meantime, stay tuned, stay safe, and wash your hands.