VPN should not be a backstage pass

Sad to say, the impression I get is that remote access solutions have become the backstage passes they were never intended to be.

I have been fortunate enough to have worked at many organizations over the years, both as a full time employee and as a contractor/consultant. During my career I have encountered some recurring issues that have never ceased to amuse/terrify. One of the worst in this regard has been remote access management. I was speaking with a friend this morning who was contending with this very issue.

At each organization I found that, with the exception of two, every single one of them had delegated (relegated?) the management and control of remote access solutions to the networking group. On the face of it that doesn't seem like such a bad thing. But as I have found, this is in fact a problem, as network groups usually lack the inclination to provide any sort of management of the profiles in a VPN solution. Too often it was almost as if they had taken the default profile and added every user to it. This grants every user unfettered access to the network. I had a chuckle from George Reese, founder of Enstratius, who said the following on Twitter,

If it requires a VPN, it’s broken.

— George Reese (@GeorgeReese) November 18, 2013

You know, I cannot argue with George on this point. VPN is a patch that permits access to broken systems that otherwise cannot be exposed to the big bad Internet. If systems are in such a state that they cannot be safely accessed directly and therefore need a VPN, why would you then give a user unrestricted access to them internally?

To put this in perspective, why would Mark from Accounting or Jane from Engineering need to be able to access your intrusion detection system? This would also tell me in short order that you are most likely running your enterprise on a flat network. For those of you who may not be familiar with networking, a flat network allows a user to interact at some level with any system on the internal network. That's it in a nutshell. Network zone segmentation is apparently too hard for most.
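As an added illustration that is not from the original post, here is the "default profile, everyone in it" state beside a segmented alternative, written as an nftables ruleset for a Linux-based VPN concentrator that forwards traffic for the VPN address pools. The pool ranges, server addresses and ports are constructed assumptions, and the two tables are alternatives to load one at a time, not together.

```nftables
# --- Before (what the post describes): every user lands in one pool and
# --- the concentrator forwards anything from that pool to any internal host.
table inet vpn_flat {
    chain forward {
        type filter hook forward priority 0; policy accept;
    }
}

# --- After: one VPN address pool per user group, default deny, and explicit
# --- allow rules only toward the zone each group actually needs.
table inet vpn_segmented {
    # Constructed pools: the VPN server assigns addresses per group profile.
    set pool_accounting  { type ipv4_addr; flags interval; elements = { 10.8.1.0/24 } }
    set pool_engineering { type ipv4_addr; flags interval; elements = { 10.8.2.0/24 } }
    set pool_secops      { type ipv4_addr; flags interval; elements = { 10.8.9.0/24 } }

    # Constructed destination zones. The IDS sits in the monitoring zone and
    # is reachable only from the security team's pool, never from accounting
    # or engineering.
    set zone_accounting  { type ipv4_addr; elements = { 10.20.0.10, 10.20.0.11 } }
    set zone_engineering { type ipv4_addr; flags interval; elements = { 10.30.0.0/24 } }
    set zone_monitoring  { type ipv4_addr; elements = { 10.40.0.5 } }

    chain forward {
        # Default deny replaces the flat "accept" above.
        type filter hook forward priority 0; policy drop;

        # Return traffic for sessions already permitted below.
        ct state established,related accept

        # Accounting: finance application over HTTPS and its database port.
        ip saddr @pool_accounting  ip daddr @zone_accounting  tcp dport { 443, 1433 } accept

        # Engineering: SSH and HTTPS into the engineering subnet only.
        ip saddr @pool_engineering ip daddr @zone_engineering tcp dport { 22, 443 } accept

        # Security operations: the IDS console over HTTPS.
        ip saddr @pool_secops      ip daddr @zone_monitoring   tcp dport 443 accept

        # Everything else from any VPN pool is logged, then dropped, so a
        # compromised credential shows up as denied attempts rather than
        # silent lateral movement.
        ip saddr 10.8.0.0/16 log prefix "vpn-denied: " drop
    }
}
```

The log prefix gives the SOC a single string to alert on; a burst of "vpn-denied" lines from one pool address is the signal that a profile, or a credential, is being used outside its intended zone.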

Imagine that you are at a large rock concert. You have managed to score backstage passes for after the show of a lifetime. To say that you are ecstatic is an understatement. You make your way backstage after the last encore and you proudly wear your all-access badge as if it were made of gold.

Once you make your way back there you find that there is basically a holding area for the VIPs like yourself. This is where the band will come out and do a meet and greet. At no point do you have the ability to help yourself to their instruments or drive off in their limo. When I worked for a record company years ago we knew how to maintain separation between the fans and the talent.

When I compare that to the VPN deployments I have seen, I'm curious why so many enterprises suffer the indignity of an ill-configured solution. I'm not anti-VPN. I'm just against crappy configurations. I'd hate to think what would happen if someone's VPN credentials were compromised. Imagine trying to explain to the C-Suite why the guitars are gone.

(Image used under CC from Joe Madonna)
