Dark Reading is part of the Informa Tech Division of Informa PLC



Petar Besalev

VPNs, MFA & the Realities of Remote Work

The work-from-home era is accelerating cloud-native service adoption.

For most of 2020, organizations have been forced to adapt to the operational challenges of employees working from home networks, often on personal computers, while accessing corporate data. A primary dilemma is balancing security vs. productivity. For example, according to the 2020 Verizon "Data Breach Investigations Report," 45% of breaches featured hacking and 22% included social engineering attacks. Attacks will likely continue to occur, especially with many remote workers remaining at home, and data breaches are expected to skyrocket.

There is a definite upside to remote work. Employees save time by not commuting, and many are able to focus and embrace collaboration tools for increased productivity. A remote workforce also enables organizations to reduce operational costs tied to physical office space. However, the trade-off for security professionals is that the corporate perimeter can no longer secure these employees, and home networks continue to present a significant security risk.

From my own conversations with clients, most organizations are implementing a combination of virtual private networks (VPN) and multifactor authentication (MFA) to secure the remote connections. To a lesser extent, some organizations may still be handcuffed to their existing virtual desktop infrastructure (VDI), but the user experience and performance can degrade, so most organizations avoid it. VDI is suitable for general office work but won't cut it for developers, designers, or anyone who needs a lot of processing power because all of the computing resources are pooled together for shared allocation.

As organizations have adapted to remote work and adopted new solutions, it's critical they understand how their architecture has changed in order to identify the evolving threat surface. But it's also important to realize that an IT architecture is like a fingerprint; there are some common types, but ultimately, they're unique. VPN is more effective for an on-premises environment, while MFA is more effective for a cloud-based setup.

Let's take VPNs as an example. The most straightforward use case of a VPN is to establish a secure connection to access corporate infrastructure. You're at home, on your own wireless network, but you connect through a VPN. The VPN is protected by a firewall device to access the corporate network. This model works well for organizations that have a data center and file servers on-site because they can still leverage their network perimeter to protect it.

However, VPN traffic becomes more challenging at the scale of larger organizations. Once hundreds of remote employees are connecting through VPN, the burden of moving data to a point from which it can be distributed over the network can become significant. This is particularly true if an organization has very strict data loss protection controls. For example, if an employee working from home connects through a VPN but decides to browse Amazon during a coffee break, should your organization monitor and protect that traffic? Some organizations that are sensitive to risk will take on that burden. An alternative approach is split tunneling, in which you route some device or app traffic through the encrypted VPN tunnel while other devices or apps access the Internet directly. This protects essential connections while allowing direct access to things such as social media and news.

On the other hand, many companies have adopted a more cloud-native approach to their IT infrastructure. You can see this with services like Microsoft 365, Google Workspace, Salesforce, and cloud service providers like Microsoft Azure and Amazon EC2. Once an organization shifts to the cloud, there isn't much need for a VPN because these cloud service providers have commoditized a lot of traditional security controls, such as antivirus, email gateways, and Web traffic gateways. In addition, there really is no need to use a VPN to get into the corporate network if you're connecting to cloud services because none of the corporate data is actually inside the corporate network.

Threat Surface

However, cloud services still represent a substantial threat surface, because if your access credentials get compromised, then someone can log in as you — and the 2020 Verizon "Data Breach Investigations Report" indicates how prevalent and successful phishing is as an attack vector. That's why MFA is so critical for helping secure this type of architecture. Typically, MFA requires the use of a text message or an authenticator app to enter a second validation code after the password.

MFA solutions have been evolving with the advent of zero-trust solutions focused on continuous conditional access. These sorts of solutions monitor user behavior and require reauthentication if an anomaly is detected — for example, if your credentials are used to log in from Europe when you've been working out of the United States. One nice thing about working with a cloud service provider like Microsoft Azure is that you can integrate your MFA with Active Directory to help enforce this sort of conditional access. Single sign-on solutions and identity and access management providers can also help this approach run smoothly — but again, every architecture is unique.
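
The reauthentication decision described above, as an added example that is not from the article or from any vendor's product: a sign-in whose password has already verified is allowed only if it matches the user's recent MFA-verified locations and the last second-factor check is still fresh. The `SignIn` record, the function names, the two thresholds and the sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy values for illustration; tune to your own risk tolerance.
BASELINE_WINDOW = timedelta(days=30)   # how far back "usual" locations count
MFA_TTL = timedelta(hours=12)          # how long a passed MFA check is trusted

@dataclass
class SignIn:
    user: str
    when: datetime
    country: str        # assumed to come from a geo-IP lookup of the source IP
    completes_mfa: bool  # can this client answer a second-factor challenge?

def evaluate(trusted, attempt):
    """Decide 'allow' or 'require_mfa' given prior MFA-verified sign-ins."""
    recent = [s for s in trusted
              if s.user == attempt.user
              and timedelta(0) <= attempt.when - s.when <= BASELINE_WINDOW]
    if not recent:
        return "require_mfa"                      # no trusted baseline yet
    if attempt.country not in {s.country for s in recent}:
        return "require_mfa"                      # location anomaly: step up
    if attempt.when - max(s.when for s in recent) > MFA_TTL:
        return "require_mfa"                      # last MFA check has expired
    return "allow"

def replay(attempts):
    """Evaluate attempts in time order. A challenged attempt joins the trusted
    baseline only if the second factor was actually completed."""
    trusted, decisions = [], []
    for a in sorted(attempts, key=lambda s: s.when):
        decision = evaluate(trusted, a)
        decisions.append(decision)
        if decision == "require_mfa" and a.completes_mfa:
            trusted.append(a)
    return decisions

# Constructed sample: a US-based user, plus one attempt from Germany made
# with a stolen password and no access to the second factor.
T0 = datetime(2020, 11, 2, 9, 0)
SAMPLE = [
    SignIn("alice", T0, "US", True),
    SignIn("alice", T0 + timedelta(hours=3), "US", True),
    SignIn("alice", T0 + timedelta(hours=4), "DE", False),
    SignIn("alice", T0 + timedelta(hours=5), "US", True),
    SignIn("alice", T0 + timedelta(hours=26), "US", True),
]

if __name__ == "__main__":
    for attempt, decision in zip(SAMPLE, replay(SAMPLE)):
        print(attempt.when, attempt.country, decision)
```

Because the failed challenge from Germany never enters the trusted baseline, it neither extends the session nor makes that country "usual" for later sign-ins.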

Unfortunately, there are issues. Many organizations had to stand up remote work infrastructure very quickly this year when the pandemic forced remote work, and that means many of them deployed a lot of singular solutions that may not necessarily integrate very well. As a result, some organizations may not be able to secure on-premises environments with MFA because they can't integrate it with their VPN. Early adopters of cloud services have found the transition to remote work more manageable because they had already been moving corporate assets beyond the perimeter. In this regard, the necessity of remote work has most certainly accelerated the adoption of cloud-native services.

Petar Besalev is the Senior Vice President of Cybersecurity and Privacy Services at A-LIGN. He is responsible for overseeing all privacy and security services that A-LIGN offers, including PCI DSS, penetration testing, ISO 27001, HIPAA/HITECH, FISMA, and FedRAMP. Petar has ...
