The Dangers of Using a VPN for Remote Work: Zero Trust to Replace It

When it comes to the current state of our society now, we see now more than ever that employers, as well as employees, are embracing flexibility within the workspace with remote work. The norms and expectations surrounding remote working have shifted from the first quarter of 2020 to now.

With that in mind, a lot of remote employees need access to their companies resources and the primary way to do that would be by accessing the companies network. For any company with remote workers, a VPN is most likely their primary solution. Virtual Private Network, or VPN for short, allows remote workers to securely establish a connection to the business network. It creates a secure tunnel between the remote employees, or clients, computer and your corporate network, or the host. I'm sure there are multiple reasons why a company would implement a VPN for their employees and here are a few for reference: 

• Protect remote employees when they are on the move (Coffee Ships, Airports, Anywhere besides the office or home)
• Access company resources within the network

Nowadays, with COVID and various other diseases lurking, companies look to use a VPN to keep their remote workers safe and healthy as well as improving employee retention. However, as beneficial as it may sound to use a VPN within businesses, it is also important to understand and acknowledge the dangers of using a VPN for remote employees. In this article, we will explore the dangers of doing so and why Zero-Trust is helping ease issues with using a VPN.

How Do VPNs Work?

An effective VPN works by routing all your internet traffic through another computer, for all intents and purposes, it makes it appear that you are browsing the internet through that remote computer. This means that if you use the internet with a VPN, the remote computer/server in which traffic is being routed through becomes the source of data. With a VPN, not even your ISP or other third parties can see which websites you visit or the data you send and receive online. All your data traffic is routed through an encrypted virtual tunnel. An effective VPN connection is also secure against external attacks.

Despite this, VPNs do not completely mask your online identity. For instance, there are several ways for advertisers to recognize and follow you when you browse the web. Website trackers and cookies attempt to identify you specifically and then keep an eye out for your next appearance. Sites and advertisers can also recognize you by taking note of a number of distinctive details such as os, device, browser version, so on and so forth.

Scalability

As enterprises continue to encourage remote workers, and the more employees that continue to embrace it, the more complex things will become. In simple terms, the complexity impedes the room for scalability. It adds complexity to the network and similarly, not only does it add more costs but the VPN might also start to become more difficult to configure once companies decide to add more clients. Furthermore, management tools and security tools must be used in conjunction with VPN servers because they offer remote access but lack enterprise-grade security and monitoring. Even more configuration and maintenance are required as a result of these extra appliances and programs. The network grows more complicated and challenging to scale as more solutions are added on top of one another.

Security

Enterprises' approach to security when using a VPN for remote workers is very castle-and-moat. Castle-and-moat is essentially a network model that prevents users from accessing data inside the network from the outside, but allows users inside to do so. Think of a castle, where the outside is surrounded by a moat which is meant to keep users out. Once in, people are free to do as they please. Similarly, a user effectively has unrestricted access to the rest of the subnet once they establish a VPN connection. This results in non-admin users having improper network access to crucial infrastructure for some businesses. The risk of malware infection and data breaches is also increased by this castle-and-moat strategy. Enterprises frequently need to deploy extra security point-solutions to add granular security controls to remote access VPNs, but doing so increases expense and complexity and leaves a lot of possibility for misconfiguration and human error.

Authorization & User Management

Managing users and authenticating users is important within an enterprise, however, with the implementation of a VPN, this raises many issues. Enterprises do not have the authority nor the resources to manage employees’ computers. An enterprise can allocate network resources and implement network solutions to validate users. Take for example an employee who uses a shared computer within their home. There are very limited options for ensuring that the one employee is the only one with access to company resources and moreover, there are alot of attack vectors when an employee uses a shared computer. Not only does this raise authorization and authentication issues, but this could give attackers leverage against organizations.

System Hardening

When companies use a VPN and allow remote workers to access network resources, it is very hard for enterprises to manage these endpoints. Although with VPNs the traffic is encrypted and you are considered secure, there are many ways an employee's computer can be vulnerable. Within a company's office, they can easily manage the computers and ensure the system is hardened, especially for Linux. However, within an employee's personal device, there can be many software vulnerabilities, data-leakage, screen capturing softwares, malware, rootkits, etc, that can put the enterprise at tremendous risk. Enterprise security is crucial and when they are not able to secure multiple endpoints, endpoints being remote workers connecting to the network, this causes some serious problems for companies.

Zero Trust: Next Best Thing

Zero Trust is a security framework that mandates that before granting or maintaining access to applications and data, all users—whether inside or outside the organization's network—must first authenticate, authorize, and undergo ongoing security configuration and posture validation. Zero Trust is based on the premise that there is no such thing as a traditional network edge and that networks can be local, in the cloud, hybrid, or a combination of both, with people and resources spread around the globe. Essentially, Zero Trust does not believe in perimeter security but it rather believes in keeping people on the outside from getting in. By forcing each person, device, and application to successfully complete an authentication or authorization test before they can access any network resource or corporate resource, zero trust seeks to fix all of these issues.

Why Zero Trust?

Traditional VPNs make the assumption that every person or device connected to the corporate network who has been authenticated by perimeter security measures is automatically trustworthy. With a Zero Trust approach, system administrators and enterprises alike can follow a different method: until its identity is fully validated and authenticated, no user or device is trusted to access any resources. Even then, a user's or device's access to resources like servers, programs, and data is restricted to what that role or other classification allows. Additionally, to tackle the issue of VPNs being difficult to configure as soon as scalability is inserted into the equation, ​​enterprises can fix this with a little cloud implementation. Every user and device must normally be manually configured when using a VPN, and managing ongoing changes can become troublesome for enterprises. No matter the actual location of the user or device, enterprises may have a more flexible, scalable, and automated solution to restrict access and safeguard resources when using a cloud infrastructure along with a Zero Trust policy. Furthermore, technologies such as Single Packet Authorization can be implemented to enforce higher security.

Our Thoughts

Since the start of the pandemic, remote working has become more popular, and adoption of the cloud and a "Zero Trust" policy has expanded. These trends have necessitated changes to networking and security. Old methodologies for remote workers using a VPN are starting to be thrown out the window and more enterprises are embracing a Zero-Trust approach when implementing a VPN, especially with cloud implementations. Mixing in cloud infrastructure with a vpn allows for better management of users, allows for enterprises to decide what resources to allocate per user, allows for better network monitoring and management, and drastically reduces various attack vectors and protects the enterprise as a whole amongst other things. Understanding the downsides of using a VPN within an enterprise and learning why you should implement and adopt a Zero-Trust mindset will allow you to make the best possible decision for your company.