Virtual Private Networks (VPN) have long been a trusted and popular solution for securing remote access to company resources. While they have been trusted and popular, they may not be the best fit for today’s changing workforce. They now must be considered one of the tools in the toolbox and one which carries more risk than before.
A full VPN is based on an enterprise trust model where the endpoint is trusted, and all network traffic is flowing across the tunnel. If you control and trust the whole network and VPN ecosystem from end-to-end, a full VPN is a solid option. If you do not control or cannot control the whole ecosystem, a full VPN introduces the risks of lack of visibility and control.
Where there is an untrusted device, the endpoint will become a full participant on the network. In the case of a privileged or administrator level user, this poses a high-security risk. If an administrator’s remote endpoint is compromised — with a full VPN tunnel — access is wide open for the attacker. Malware could easily execute over the tunnel and propagate to other systems bringing your business down.
External partners, suppliers, third party staff, and BYO (Bring Your Own) using a full VPN into your environment introduces risk, as you likely do not have total control of the connection from end to end.
More businesses are seeing the value in allowing users to use their device of choice as it can boost productivity and employee satisfaction while reducing enterprise endpoint and access costs. BYO, by definition, means an untrusted device — allowing full VPN connectivity to an untrusted device is inadvisable at best, a security nightmare at worst.
The use of third-party companies to handle items such as payroll, benefits and help desk support is similar to BYO since the users are not part of their company, controlling and securing the endpoint becomes an issue.
The Journey to Cloud is becoming more important for companies as they search for efficiencies, possible cost savings and competitive advantages. Of course, clouds introduce different types of applications, access methods and identity entities.
If your application set includes SaaS apps, cloud-based resources or hosted web applications, a full VPN is likely not a feasible option. Routing traffic back through your datacenter for cloud access is counterintuitive to a cloud journey.
With the changing workforce, application landscape and changing datacenter strategies/cloud journeys, legacy security models struggle to adapt and provide great security with the added task of not hampering the user. Traditional VPNs anchor the users to their specifically configured devices. Modern workforces are changing into highly mobile, device-flexible teams. Therefore, traditional security approaches are changing (or need to change). IT can no longer FORCE the user into certain security models. I.T. needs to have security models that FOLLOW the user. Traditional VPN access models limit user flexibility and often impede productivity. If using a full VPN is inefficient for a user, they will likely find a way around – introducing risk – or, they may choose to only do work in the office, thereby reducing efficiency and productivity.
Mobile devices introduce another challenge for security, as they mainly operate on untrusted networks in coffee shops, hotels and airports. Full VPN clients also tend to drain battery life, can erode privacy as personal information is sent over the corporate VPN – and generally make for a cumbersome user experience.
Intrusions, breaches, compromises or hacks all start somewhere – and usually with an endpoint.
With today’s mobile workforce using untrusted networks in coffee shops, hotels and airports, the endpoint is exposed to more threats. Because applications and data are stored on the endpoints, they are a HIGH-VALUE TARGET. Even with disk encryption, passcodes and other security measures, the value of the data justifies a wrong-doers efforts in cracking them. Think of a doctor’s laptop, a financial adviser’s laptop or laptops your sales staff uses. Data loss could be financially devastating and personally embarrassing.
What if we can decouple the endpoint from applications and data and make those endpoints low value targets? Would using a basic Chromebook allow your executive teams to sleep easier at night when representatives travel to those “untrusted” countries?
There is much to discuss on this topic, so please engage us with your comments and questions. We make I.T. easy.
Article source link: https://www.citrix.com/blogs/2018/10/22/to-vpn-or-not-to-vpn/