Dark Reading is part of the Informa Tech Division of Informa PLC


5/15/2020
10:00 AM

4 Challenges with Existing VPNs

A VPN is a step in the right direction, but it's not the be-all and end-all when it comes to security and falls short in many ways.

In the blink of an eye, everything changed. March 2020 marked a huge shift in the way we approach remote work and the infrastructure needed to support the future of business. According to Gartner's recent CFO survey, 74% of organizations will move at least 5% of their previously on-site workforce to permanently remote positions following the pandemic. In the very near future, remote work will be the norm rather than the exception, necessitating a shift in how we approach security. 

The reality of the modern, mobile-enabled workplace is that we need to go where the users are — an approach that requires security measures beyond virtual private networks (VPNs). While a VPN is a step in the right direction, it's not the be-all and end-all when it comes to security and falls short in many ways. Here are four challenges I see with traditional VPNs: 

1. VPNs Are Physically Limited
Traditional VPNs typically have an on-premises appliance that is constrained by hardware in the number of users that can be supported. Many businesses determined specifications for their VPN appliances using remote work statistics from many years ago, leaving them unprepared for the surge in teleworking that occurred when COVID-19 hit. VPNs are failing and companies are struggling to figure out how to scale to support so many users. Organizations are resorting to creative approaches, such as limiting VPN use to select workers, purchasing a secondary solution, enforcing inconsistent policies, etc. — but these aren't viable long-term strategies.

2. VPNs Fail to Balance Productivity & Security
The age-old debate over productivity and security rages on, and VPNs don't provide a workable solution. Do organizations enable productivity and allow access, effectively endangering security? Or is all traffic routed through the security infrastructure so it can be filtered, overloading the VPN, Web gateways, and firewalls, while negatively affecting productivity because of the resulting substandard user experience? Ask VPN users and they'll tell you about getting half the work done in double the time. Then there are the IT pros who relate countless examples of employees who've infected their corporate laptops with malware or compromised sensitive information by failing to use appropriate security measures. With traditional VPNs, the war between productivity and security has no resolution.

3. VPNs Fall Short on Mobile
VPNs were designed to use a protocol that's resource-intensive to set up — it takes a bit of time to connect, but the assumption is that the connection will stay alive for the duration of the user's needs. This all changes with mobile. Every time your device goes to sleep or you change networks, the VPN gets interrupted and has to reconnect. Furthermore, mobile apps are not built to be VPN-aware; when the VPN has to reconnect, app responsiveness and user experience both suffer. Consider this: Wandera finds that typical knowledge workers will engage with their mobile device almost 100 times in a typical day — that's 100 times a day the VPN has to reconnect and 100 instances of a remote worker who cannot be productive. For businesses, time is money, so that wasted time translates into lost revenue.

4. VPNs Aren't Built for the Modern Workforce
In today's business ecosystem, various remote users are making choices for their own devices and collaborating with individuals outside of their organizations. The way VPNs have been managed in the past is via certificates that sit on the devices and are used to initiate a session. Access to the organization's infrastructure is granted via access to the certificate and, therefore, VPN use is often restricted to company-managed devices. This means that BYOD devices and those used by contractors or partners are often unable to utilize the company's remote access tool.

According to a 2016 research report, the average company's network is accessed by 89 different vendors — contractors, partners, freelancers, etc. — every week, a figure that's likely grown given the rapid digital transformation across industries. These third parties aren't able to access the corporate VPN given they have devices that aren't managed by the company, yet they often have access to sensitive information or collaboration tools. Beyond third-party risk management, the surge in remote work spurred by coronavirus has seen organizations shifting their policies toward lenience. Countless organizations tried and failed to supply employees with approved corporate devices, forcing many to rethink their BYOD policies and take a "whatever you've got, make it work" approach to remote work. And this explosion in unmanaged, insecure devices opens organizations up to countless threats.

As companies transition to the cloud, a big part of that shift involves moving to software-as-a-service applications. In today's world, corporate information isn't on the private network anymore — some assets still live behind firewalls, but most users and most usage are already on the Internet. This requires a new way of thinking and a new approach to security — that is, cloud-based security. [Editor's note: The author's company is one of a number that offer cloud-centric security.] Rather than the traditional VPN, organizations need cloud-based protection for traffic filtering and mobile-friendly traffic vectoring that doesn't break modern applications that are running on any device being used for remote work, whether it's a Windows 10 laptop, a MacBook, an iOS tablet, or an Android smartphone. Organizations still need filtering and the ability to provide access control to applications, but those protections must move to the cloud to prepare for the business of the future.


Michael J. Covington, Ph.D., is a seasoned technologist and the Vice President of Product Strategy for Wandera, a leading provider of mobile security. Michael is a hands-on innovator with broad experience across the entire product life cycle, from planning and R&D to ...
 
