By Tim Boivin
In the first blog post of our series looking at cost optimization, we examined what is driving the dynamic shift in IT budget priorities as organizations adapt to our New Normal. That post kicked off this series on how Zero Trust Access can cost-effectively secure and manage access to all your resources – local and cloud.
In this post, we’ll examine one of the areas that has the most potential for optimizing your costs and still strengthening security: the significant costs associated with bandwidth and support issues for VPNs and RDP.
Unfortunately, many enterprise organizations still rely on the legacy “castle-and-moat” approach, setting up barriers at the edge of their infrastructure to protect valuable resources. Hackers quickly figured out how to breach those barriers. Then, once they’re inside a network, they can move laterally to access other critical resources and cause chaos.
One way they do this is by exploiting the way many organizations allow remote access. Organizations offer multiple ways to access information when users are remote. IT teams then must create pathways for each respective channel for users to get inside their infrastructure from outside. Thus, IT teams have to poke holes in firewalls to provide access to internal resources for tools such as VPNs and RDP. Hackers know this and can easily scan for and find these attack vectors.
It’s bad enough that hackers use vulnerabilities in these attack vectors to launch malware, exfiltrate data and effect ransomware attacks, but what’s worse is that these legacy technologies often come with hefty price tags – and still don’t provide adequate protection.
When Covid-19 hit, organizations had to quickly adapt their access strategy to a remote workforce. Some just bought everyone a corporate managed device, which is terribly expensive in and of itself. That gets even more prohibitively expensive very quickly, when you factor in loading a VPN or RDP client onto it and then patching and maintaining those clients and devices.
But there are other problems too, particularly with performance. Some of these technologies are difficult to optimize, particularly when you have a wide variety of traffic types transiting the network. Built-in overhead, chatty protocols (like CIFS) and other factors like inadequate hardware performance can have very serious implications for performance across these technologies.
This costs you time, money and especially reduced productivity (which is the real hidden cost). Research from Zen Internet found that poor connectivity can cost employees up to 72 minutes a day. Think about how much that costs your organization!
Virtual Pricey Networks
During the pandemic, some organizations decided to ramp up their VPN capacity – a pricey proposition with significant implicit and explicit costs. This is especially true when you factor in the responsibility, obligation and cost of maintaining these legacy technologies from both an operational and security perspective to ensure they work correctly.
The problem is that VPNs, when they came on the market decades ago, weren’t designed for mass use. When a user connects to a tunnel with a full bandwidth VPN, it is as if that user is sitting on the network.
The user’s access, however, ends up using many more resources to establish and maintain the connection. That means the network keeps gobbling up bandwidth as it constantly checks on the user’s current status and whatever requests are passing back and forth.
Multiply that by hundreds, thousands or tens of thousands of employees, and it’s no surprise that the network bandwidth may not be enough to meet the surge in demand – especially in a rapid-response crisis setting with little planning.
As a result, during the pandemic some organizations ended up limiting the number of users who could come in through VPN (meaning many couldn’t work). Or they staggered employee work hours to make sure the network could handle the rapid rise in outside traffic.
VPNs are also temperamental technologies. Many require a client to be installed on an endpoint, which creates even more patching, maintenance and support issues. And conflicts with other software (like antivirus) can create serious headaches when trying to roll out VPN clients to endpoints.
The sad thing is that this was all so unnecessary – the expensive VPN approach isn’t even required today for what most people need to do their jobs.
RDP – A License to Blow Your Budget
As you are looking to optimize your IT security spend on remote access, RDP presents a golden opportunity. But it also presents significant security issues that can rapidly ring up the remote access register as well. This became apparent during the pandemic, when vulnerabilities that were rapidly exploited because patching and updates weren’t done in a timely manner needed to be addressed.
Before the pandemic, 150,000 RDP attacks were attempted every day. When the Covid-19 outbreak hit and more organizations turned to RDP to facilitate their employees working from home, that number quickly jumped to almost 1 million attempted brute force attacks every day.
The cost to deploy RDP is steep. Many security products being deployed around the world today actually use RDP behind the scenes. That means you need costly RDP licenses for any employees using remote access, even for accessing web applications.
But the bigger cost may come in troubleshooting the problems that come up with various clients. Performance issues, incompatibility in software versions, and other challenges can all be difficult and time-consuming to diagnose. This can leave end users and administrators frustrated.
Truth be told, most organizations don’t need RDP for many deployments. But even bigger costs can rapidly accumulate after deployment, if the attack surface is breached.
Using multiple techniques, hackers target RDP deployments because organizations are required to open ports through the firewall and expose them to the world. Sure, they require credentials, but typically those credentials consist only of username and password, which are easily cracked.
Plus, there are many tools to exploit RDP vulnerabilities like GoldBrute and BlueKeep (which were used to attack millions of RDP servers). Once inside, hackers can broaden their reach, accessing servers and other critical systems from which to launch costly malware and ransomware attacks.
Researchers discovered that the GoldBrute malware alone has a list of at least 1.5 million unique systems with RDP enabled. That’s more than half of the 2.9 million machines that can be accessed and have RDP enabled, according to Shodan.
Like VPNs, it’s a matter of when your RDP is attacked, not if – and those attacks are costly. Keep in mind, the average cost of a data breach worldwide is $3.86 million, which more than doubles to $8.64 million for companies in the U.S. But the costs of patching, managing updates, and monitoring RDP access will also quickly escalate and blow your IT security budget out of the water as you try to fend off those attacks day in and day out.
When Covid-19 hit, organizations were bogged down by a bandwidth paradox. With so many users stampeding to a remote environment, they faced four choices:
- Invest in much, much more bandwidth – an expensive, ongoing cost in an already tough business environment due to the pandemic.
- Change the structure of their workforce – either by eliminating users or staggering the hours they work, both of which present an ill-advised adverse impact on operations.
- Do nothing and hope for the best – letting employees use whatever device they want for work, which is not the most secure option with millions of machines already at risk.
- Take a cost-optimized approach – making the switch to Zero Trust Access from the predominant legacy technologies previously used, VPNs and RDP.
With a tighter focus on cost-optimization because of the pandemic, many organizations made the decision to migrate from those legacy technologies to Total Access Control (TAC), a Zero Trust Access solution. TAC is a high-performance, low-cost Zero Trust Access solution that is easy to deploy, bandwidth-efficient, and works with or replaces other security technologies in your infrastructure.
TAC’s technology addresses bandwidth issues by optimizing and compressing traffic to send only the required information back and forth through efficient protocols – similar to a web transaction. With TAC, bandwidth is not unduly burdened with the constant pinging seeking to validate devices, locations, users, applications and resources, which are required by the legacy remote access technologies.
TAC also improves security. With Zero Trust Access, TAC provides much stronger policies utilizing a user’s complete context of access, both remotely and in the office. Organizations can now validate the device the user is employing, the security status of that device (including antivirus and certificates), the exact location from where access is being requested, the type of connection being used, and more – all in one place. TAC then grants, denies, or limits access to critical resources wherever those resources reside. This creates segmentation by only allowing access to authorized resources and not to the network in general.
The end user experience is smooth and seamless. TAC provides a simple, easy-to-understand interface with Single Sign-On (SSO) to all resources, regardless of where they reside (local or cloud). Administration, audit and reporting are made much easier with centralized controls, and TAC costs far less to implement and run than other technologies.
All of this adds up to a comprehensive, well-designed IT cost-optimization strategy that any C-level executive or board member will love. With those savings, you can then turn your attention to more important business strategies – using Zero Trust Access to build a strong foundation for your digital transformation roadmap as well.