Once the staple for securing employees working remotely, VPNs were designed to provide secure access to corporate data and systems for a small percentage of a workforce while the majority worked within traditional office confines. The move to mass remote working brought about by COVID-19 in early 2020 changed things dramatically. Since then, it has become the norm for large numbers of employees to regularly work from home, with many only going to the office sporadically (if at all).
VPNs are insufficient for the remote working and hybrid landscape, and an overreliance on them to secure large numbers of employees working from home poses significant risks. “VPNs originally helped companies manage a few employees or third-party contractors who needed remote access to certain systems while working remotely,” Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify, tells CSO. He adds that this overreliance has also hurt employee productivity and user experience, adding friction for everyone involved.
“Using VPNs at such a large scale could never have been predicted, and it has created a security nightmare for IT teams as it widened the surface area for potential attacks,” says Netacea’s head of threat research Matthew Gracey-McMinn.
“With the COVID-19 pandemic, most companies were forced to quickly adapt to a full remote work environment, and some of those did insecurely, just deploying generic VPN solutions to enable their employees to access the same systems from their homes and blindly trusting their devices,” says Appgate security researcher Felipe Duarte.
With remote and hybrid working set to be the norm for the foreseeable future, it is vital that organizations not only recognize the shortcomings and risks of VPNs in the remote working era but also understand how alternative options can better secure the future of remote and hybrid working.
[Editor's note: This article, originally published on October 11, 2021, has been updated with information on VPN-less remote connection products.]
Shortcomings of VPNs for remote working
Because VPNs typically extend an organization’s network, if the network that the user is on is insecure, there is greater potential for an attacker to leverage it, says Sean Wright, application security lead at Immersive Labs. “Home networks have more security vulnerabilities, making this risk heightened,” he adds.
Wave Money CISO Dominic Grunden points to another shortcoming: the fact that VPNs only provide encryption for traffic passing between two points, requiring a standalone full security stack that must be deployed at one end of every VPN connection for traffic inspection. “This is a requirement that grows increasingly difficult to meet when enterprise resources are increasingly hosted in the cloud and accessed by remote workers. VPNs also don’t provide an avenue to secure third-party access, which is perhaps the weakest attack link.”
Gracey-McMinn says most VPNs provide minimal security with traffic encryption and often do not enforce the use of multi-factor authentication (MFA). “If a member of staff’s computer has been compromised while working at home, this could lead to a malicious actor gaining access to a company’s network via the VPN using staff credentials, which would grant them full trusted access—activity less likely to be detected by a security team due to not having a full security stack layer while working from home.”
This was observed in the recent Colonial Pipeline ransomware attack, says Duarte. “In that case, the attackers got access to the internal network just by using compromised username and password credentials for an insecure VPN appliance.” He also notes instances of attackers targeting and exploiting known VPN appliance vulnerabilities. “Most recently, we observed the exploitation of CVE-2021-20016 (affecting SonicWall SSLVPN) by the cybercrime group DarkSide, and also CVE-2021-22893 (affecting Pulse Secure VPN) exploited by more than 12 different malware strains.”
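A defender-side check for the failure mode Gracey-McMinn and Duarte describe, password-only VPN logins that nobody flags: this is an added Python example, not code from the article or from any VPN vendor, that scans constructed VPN authentication log lines (the field layout is an assumption) and reports successful logins made without MFA as well as logins from a source address never before seen for that user.

```python
import re
from collections import defaultdict

# Constructed sample VPN authentication log lines (not from any real appliance);
# the key=value layout is an assumption made for this example.
SAMPLE_LOG = """\
2021-04-20T08:01:12Z user=alice src=203.0.113.10 result=success mfa=yes
2021-04-20T08:05:44Z user=bob src=198.51.100.7 result=success mfa=no
2021-04-21T02:13:09Z user=alice src=192.0.2.55 result=failure mfa=no
2021-04-21T02:13:40Z user=alice src=192.0.2.55 result=success mfa=no
2021-04-22T09:00:00Z user=bob src=198.51.100.7 result=success mfa=no
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure) mfa=(?P<mfa>yes|no)$"
)

def parse_log(text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def find_risky_logins(events):
    """Return (timestamp, user, reason) alerts for successful VPN logins that
    lacked MFA, and for successful logins from a source IP not previously
    seen for that user (the pattern a stolen password tends to produce)."""
    alerts = []
    seen_src = defaultdict(set)  # user -> source IPs seen on earlier successes
    for e in events:
        if e["result"] != "success":
            continue
        if e["mfa"] == "no":
            alerts.append((e["ts"], e["user"], "success_without_mfa"))
        if seen_src[e["user"]] and e["src"] not in seen_src[e["user"]]:
            alerts.append((e["ts"], e["user"], "new_source_ip"))
        seen_src[e["user"]].add(e["src"])
    return alerts

if __name__ == "__main__":
    for alert in find_risky_logins(parse_log(SAMPLE_LOG)):
        print(alert)
```

In production the same logic would run over the appliance's real export and feed a SIEM rule rather than print; the point is that password-only sessions are visible in the logs only if someone looks for them.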
Another significant issue is that of malware-infected and unpatched devices. “This scenario is generally related to human-driven malware, like botnets, backdoors, and RATs [remote access Trojans],” says Duarte. “The attacker creates a remote connection with the device, and after the VPN is connected, the malware can impersonate the user, accessing all the systems it has access to and spreading through the internal network.”
Wright agrees, adding that devices are only going to be sufficiently secure if they are actively updated. “You can have the world’s most secure VPN connection, but if the device is not sufficiently patched it will represent a risk to your organization, and the VPN connection will make little difference.”
VPNs also have significant drawbacks from a usability and productivity standpoint, says Grunden. “A common complaint about VPNs is how they reduce network speed because VPNs reroute requests through a different server, and so it is inevitable that the connection speed would not remain the same due to increased network latency.” Besides that, other performance issues sometimes arise relating to the use of kill switches and DHCP. “The security provided by VPNs, while being necessary, often comes with undue complexity, particularly for organizations using enterprise VPNs,” he adds.