The rise of cloud computing means that a large percentage of a company’s data storage and processing is moving outside of the traditional network perimeter. In many cases, employees are following this trend as well, as COVID-19 and digital transformation efforts have driven growing support for telework programs.
With the growth of telework comes a need for secure enterprise remote access solutions. Employees working from outside the office need a means to securely connect to the enterprise network in order to do their jobs.
Cybersecurity Threats of VPN Infrastructure
Virtual private networks (VPNs) are the traditional means by which organizations provide remote access to their employees. However, these solutions have a number of issues and shortcomings that put enterprise cybersecurity at risk.
Ransomware and Malware Infections
VPNs are designed to provide a point-to-point connection between two locations. In the case of an enterprise remote access system, one endpoint will be the employee’s computer and the other will be a VPN appliance located within the enterprise network.
For employees to use the corporate VPN for remote access, this VPN endpoint must be exposed to the public Internet. This makes it a potential target of attack, especially in a time where COVID-19 has driven many organizations to be heavily reliant upon their VPN infrastructure.
VPNs are prone to vulnerabilities, which are potentially exploitable by an attacker if left unpatched. Most organizations struggle to keep up with their patching programs, so these vulnerabilities are often left exposed. Combined with the high importance of VPN infrastructure today and the level of access that a successful exploit provides to an attacker, these VPN appliances are a perfect target for cybercriminals.
Cybercriminals are aware of this fact and frequently take advantage of it. In 2020, exploitation of VPN vulnerabilities was the second most common method of spreading ransomware (behind RDP, which enables an attacker to log into computers with employees’ weak or breached passwords). As long as VPNs remain unpatched and are a critical part of an organization’s infrastructure, they will remain a tempting target for an attacker.
Scalability and Security Tradeoffs
VPNs are designed to be a point-to-point networking solution, meaning that every user needs their own connection to the corporate network. This fact has caused a great deal of pain for many organizations that discovered during COVID-19 that VPN infrastructure designed to support a fraction of the workforce does not scale to meet the needs of a mostly or wholly remote business.
The use of split-tunnel VPNs is a commonly recommended solution for addressing the scalability issues of VPN infrastructure. With a split-tunnel VPN, certain traffic is permitted to go directly to its destination, while the rest is sent over the VPN for security inspection. The problem with a split-tunnel VPN is that it sacrifices enterprise security for VPN scalability. The portion of an employee’s traffic that is routed directly to its destination does not receive security scanning or the benefit of an organization’s cybersecurity deployment, making it vulnerable to malware infections or other cyberattacks.
Once a remote worker’s computer has been infected, the attacker can use it as a stepping stone to attack the enterprise network via its VPN connection using the compromised employee’s legitimate account. Split-tunnel VPNs, while a useful tool for increasing the scalability of VPN infrastructure, may do so at the cost of corporate cybersecurity.
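Whether a client profile is split-tunnel or full-tunnel is usually visible in its configuration, so the tradeoff above can be audited rather than guessed at. The following added example (not code from the original article) parses the INI-style WireGuard client configuration format and classifies each profile by its [Peer] AllowedIPs: a profile that routes both 0.0.0.0/0 and ::/0 through the tunnel is full-tunnel; one that routes only corporate prefixes is split-tunnel; and one that routes a default for only one IP family is flagged separately, because the other family's traffic still bypasses inspection. The two profiles, the hostname vpn.example.com and the key placeholders are constructed for this example.

```python
"""Classify WireGuard client profiles as full-tunnel or split-tunnel.

Added example, not part of the original article. The file format
([Interface]/[Peer] sections, AllowedIPs lists) is WireGuard's real
format; the profiles, hostnames and key placeholders are constructed.
"""
import ipaddress
from typing import Dict, List

# Constructed sample profile: only corporate prefixes go through the tunnel,
# so Internet-bound traffic leaves the client directly (split tunnel).
SPLIT_TUNNEL_PROFILE = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.8.0.2/32
DNS = 10.0.0.53

[Peer]
PublicKey = <gateway-public-key-placeholder>
Endpoint = vpn.example.com:51820
AllowedIPs = 10.0.0.0/8, 172.16.0.0/12
"""

# Constructed sample profile: default routes for both IP families, so all
# traffic is carried to the gateway for inspection (full tunnel).
FULL_TUNNEL_PROFILE = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.8.0.3/32
DNS = 10.0.0.53

[Peer]
PublicKey = <gateway-public-key-placeholder>
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""


def parse_wg_config(text: str) -> List[Dict[str, List[str]]]:
    """Parse INI-style WireGuard text into a list of section dicts.

    Each dict carries its section name under "__name__"; repeated keys
    (several AllowedIPs lines, several [Peer] sections) are all kept, which
    is why configparser is not used here.
    """
    sections: List[Dict[str, List[str]]] = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {"__name__": [line[1:-1].strip()]}
            sections.append(current)
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        current.setdefault(key, []).append(value)
    return sections


def allowed_networks(sections) -> List[ipaddress._BaseNetwork]:
    """Collect every AllowedIPs prefix from every [Peer] section."""
    nets = []
    for sec in sections:
        if sec["__name__"][0].lower() != "peer":
            continue
        for value in sec.get("AllowedIPs", []):
            for cidr in value.split(","):
                cidr = cidr.strip()
                if cidr:
                    nets.append(ipaddress.ip_network(cidr, strict=False))
    return nets


def tunnel_mode(profile_text: str) -> str:
    """Return 'full-tunnel', 'split-tunnel' or 'partial-default'.

    'partial-default' means a default route exists for one IP family only,
    so the other family's traffic still bypasses the gateway's inspection.
    """
    nets = allowed_networks(parse_wg_config(profile_text))
    v4_default = any(n.version == 4 and n.prefixlen == 0 for n in nets)
    v6_default = any(n.version == 6 and n.prefixlen == 0 for n in nets)
    if v4_default and v6_default:
        return "full-tunnel"
    if v4_default or v6_default:
        return "partial-default"
    return "split-tunnel"


if __name__ == "__main__":
    for name, text in (("split", SPLIT_TUNNEL_PROFILE), ("full", FULL_TUNNEL_PROFILE)):
        print(f"{name}: {tunnel_mode(text)}")
```

The "partial-default" case is worth keeping in any such check: a client whose profile tunnels IPv4 only still sends IPv6 traffic directly on networks where IPv6 is available.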
Fragmented Network Visibility
VPNs are designed to provide secure point-to-point network connectivity. This means that every user of a corporate VPN has a completely distinct connection. This design results in a very fragmented VPN architecture. Maintaining complete visibility of the organization’s VPN infrastructure can be very complex, especially if employees are connecting directly to different corporate LANs.
This fragmented visibility jeopardizes corporate cybersecurity by making it more difficult to achieve a full view of the current state of the corporate network. The resulting delays impair incident detection and response, increasing the probable damage and cost caused by a cybersecurity incident.
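One practical mitigation for the fragmentation described above is to pull every gateway's session logs into a single timeline and reason about users across gateways, which no single appliance can do on its own. The following added example (not code from the original article) merges connect/disconnect records from two constructed gateways, flags a user who opens a session on one gateway while still connected to another, and lists sessions that never received a disconnect. The log line format, gateway names, users and addresses are all constructed for this example; real appliances log in their own syslog dialects, so parse_line is the part you would adapt.

```python
"""Consolidate VPN session logs from several gateways into one view.

Added example, not part of the original article. Gateway names, users,
addresses and the key=value log format are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample: each gateway only sees its own sessions.
GATEWAY_LOGS: Dict[str, List[str]] = {
    "vpn-emea": [
        "2024-03-04T08:02:11Z user=alice src=203.0.113.10 event=connect",
        "2024-03-04T08:40:00Z user=bob src=198.51.100.7 event=connect",
        "2024-03-04T12:15:30Z user=alice src=203.0.113.10 event=disconnect",
    ],
    "vpn-apac": [
        "2024-03-04T09:10:05Z user=alice src=192.0.2.44 event=connect",
        "2024-03-04T09:55:00Z user=alice src=192.0.2.44 event=disconnect",
    ],
}


@dataclass
class Event:
    ts: datetime
    gateway: str
    user: str
    src: str
    kind: str  # "connect" or "disconnect"


def parse_line(gateway: str, line: str) -> Event:
    """Parse one constructed '<timestamp> key=value ...' log line."""
    ts_str, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return Event(ts, gateway, fields["user"], fields["src"], fields["event"])


def merge_events(logs: Dict[str, List[str]]) -> List[Event]:
    """Build one chronologically ordered timeline across all gateways."""
    events = [parse_line(gw, ln) for gw, lines in logs.items() for ln in lines]
    return sorted(events, key=lambda e: e.ts)


def find_concurrent_sessions(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (user, existing_gateway, new_gateway) whenever a user connects
    to a gateway while a session is still open on a different one."""
    open_sessions: Dict[str, Dict[str, str]] = {}  # user -> {gateway: src}
    findings = []
    for e in events:
        active = open_sessions.setdefault(e.user, {})
        if e.kind == "connect":
            for other_gw in active:
                if other_gw != e.gateway:
                    findings.append((e.user, other_gw, e.gateway))
            active[e.gateway] = e.src
        elif e.kind == "disconnect":
            active.pop(e.gateway, None)
    return findings


def stale_sessions(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (user, gateway) pairs whose last record is a connect with no
    matching disconnect: sessions the consolidated view still considers open."""
    open_sessions: Dict[Tuple[str, str], str] = {}
    for e in events:
        key = (e.user, e.gateway)
        if e.kind == "connect":
            open_sessions[key] = e.src
        else:
            open_sessions.pop(key, None)
    return sorted(open_sessions)


if __name__ == "__main__":
    timeline = merge_events(GATEWAY_LOGS)
    print("concurrent:", find_concurrent_sessions(timeline))
    print("still open:", stale_sessions(timeline))
```

A concurrent-session finding is a prompt to look, not proof of compromise; the value of the consolidated timeline is that the question can be asked at all once the per-gateway views are merged.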
The Need for a VPN Alternative
VPN infrastructure was designed to provide remote connectivity at a time when only a fraction of the organization’s employees worked off-site. Attempting to scale an existing VPN deployment to support most or all of an organization’s workforce for the entirety of their working day can be very difficult and expensive.
Secure Access Service Edge (SASE) provides an alternative means of creating a corporate WAN that is actually designed to support the modern network. SASE takes the networking capabilities of software-defined wide area networking (SD-WAN) – which is designed to optimally route traffic over multiple different transport media – and integrates it with a full security stack within a cloud-based virtual appliance.
Users connect to the nearest SASE point of presence (PoP), where their traffic is inspected. It is then carried over the provider’s encrypted network to the PoP nearest its destination, and from there on to the destination itself.
With SASE, an organization can deploy a corporate WAN that is scalable and optimized to meet the needs of the modern enterprise. This is essential as organizations move further and further away from the traditional networks that VPNs were designed for.