India Inc. has other options if VPNs are banned

With many businesses now using on VPNs to support the move to hybrid working and secure access to corporate data by employees working from home, a proposal by a parliamentary standing committee to ban their use in India could force enterprises to find new ways to secure remote access to their networks.

“The Committee notes with anxiety the technological challenge posed by Virtual Private Network (VPN) services and Dark Web that can bypass cyber security walls and allow criminals to remain anonymous online,” the Parliamentary Standing Committee on Home Affairs told the Rajya Sabha in a recent report.

The report recommended that the Ministry of Home Affairs coordinate with the Ministry of Electronics and Information Technology to identify and permanently block such VPNs with the help of internet service providers. It further recommended to develop a coordination mechanism with international agencies to ensure VPNs are permanently blocked. Section 69A of the IT Act, 2000, gives the government powers to block information (such as VPN apps ) from public access under certain conditions, but MeitY will only do this after it receives a specific request from an authorized Nodal Officer, according to the submission..

The proposal to ban VPN could not have come at a more inopportune time, says Shweta Baidya, senior research manager for software and IT services at IDC India.

“Data security and privacy will pose a major threat to organizations if the use of VPN is banned. An outright ban on its usage will act as a huge dampener to the organizations that require secure connectivity to stay connected globally,” says Baidya.

“This is a contradiction to the earlier relaxation of VPN connectivity norms by the government, albeit for a brief period, to support remote work across sectors such as IT/ITeS and BPO,” she says.

As a large percentage of enterprises across the country continue to work remotely, the reliance and dependence on VPN for secure connectivity has multiplied amidst the rising cyberattacks, Baidya says.

Other researchers agree. A report from Research and Markets notes, “The enterprise mobility trend and the need for providing ubiquitous access to company networks especially for the remote workforce is also enhancing adoption of VPNs,” while according to Atlas VPN, India is one of the countries with the highest VPN adoption rate, with a significant increase from last year.

Although VPNs won’t defend enterprises against all cyberattacks—and nor, despite the fears of the standing committee, are they involved in the commission of many—they do play a role, for better or worse, in an increasingly hostile online environment.

Cybersecurity crimes are on the rise, the government warned in July. The Indian Computer Emergency Response Team (CERT-In), the nodal agency that deals with cybersecurity threats, observed 6,07,220 cybersecurity incidents in the first six months of 2021, and according to a Sophos report, one in two Indian organizations fell victim to a successful cybersecurity attack in the last year.

In addition to securing connections between home workers and office applications, VPNs are also used to secure access to critical network equipment and servers in the cloud, enabling remote configuration and maintenance. VPNs create a private network from a public internet connection, encrypting the flow of data in a tunnel that can also be used to mask the user’s originating IP address.

Fabio Fratucello, CTO at CrowdStrike for Asia Pacific and Japan, says that the VPN ban could increase operational risks as businesses would now need to identify new access method for employees that may not provide the same confidentiality or defensive benefits as VPN. “They would need to find an alternative way for employees to remotely log in to the system that has the same security features as the VPN they were previously using.”

VP of research and innovation at Cyware, Avkash Kathiriya echoes those thoughts: “A VPN ban could lead to a lot of operational challenges for enterprises in order to maintain the security of their remote/hybrid work environments without allowing the use of VPN connections for their users.”

If India does ban VPNs used by enterprises, it would pose a great security risk to companies with staff who regularly work online on non-company networks, such as salespeople or remote workers, says Simon Migliano, head of research at VPN review site Top10VPN.com. “Any ban would prevent employees from using a VPN to encrypt their connection on public Wi-Fi networks in hotels, airports, and train stations, for example, leaving sensitive commercial data vulnerable to interception. Remote workers on their home networks would also no longer be able to encrypt their internet connections. Home networks are typically shared with others in the household, which creates confidentiality issues around data transmitted over that network that a VPN easily prevents.”

India wouldn’t be the first country to ban VPNs—Belarus, China, Iraq, North Korea, Oman, and Russia have all banned them in the past.

Cybercriminals would gain from a VPN ban

Cyware’s Kathiriya says that VPN ban might lead enterprises to resort to insecure methods to connect with their internal networks: “This can open up pandora’s box of security risks that can lead to network intrusions, data breaches, and operational disruption.” Cybercriminals can exploit insecure network connections to spy on users, gain unauthorized access to sensitive data, conduct fraud and extortion, and even infect systems with malware to achieve their malicious goals.

Top10VPN.com’s Migliano says that if VPNs were banned, cybercriminals would simply need to focus on sniffing public networks with a high proportion of business users. They can then intercept sensitive credentials or information that can be used in lucrative scams, such as business emails for phishing or database log-ins for data theft. “There’s also the potential to drive around neighbourhoods with high concentrations of professionals working from home to look for vulnerable home Wi-Fi networks, in order to intercept sensitive data.”

IDC’s Baidya is also of the opinion that a VPN ban can contribute very little towards reducing cyberattacks. “Banning VPNs will not resolve the cybersecurity threats, as cybercriminals will identify new ways to break the backbone of the enterprises by creeping into the networks and systems. There have been instances in the past wherein highly organized cybercrime groups have leveraged sophisticated ways to breach the perimeter. A VPN-less environment will only make organizations more susceptible to attacks, as cybercriminals exploit the flaws and gain access to confidential information.”

Banning VPNs could open other risks too, says Prateek Bhajanka, senior principal analyst at Gartner. With the news of VPN services being banned, a lot of users would want to search for ways to bypass the VPN ban. “That’s when cybercriminals can put lures on the internet to scam or deceive unsuspecting users, just like in the beginning of the COVID-19 pandemic in March 2020.”

The government will need to identify ways to enhance monitoring and detection of such criminal and nefarious activities instead of banning VPN usage in its entirety, says Baidya.

However, are enterprises using VPN really safe? Not really. The recent Colonial Pipeline cyberattack is a result of a leaked password that was then used to access its IT system through an inactive VPN account. While VPNs are advantageous to enterprises, it’s important that enterprise realize their limitations and explore other options.

VPN alternatives

“Unfortunately, there is no convenient alternative to VPN for the use case of staff needing secure access to non-company networks,” says Migliano. The only real option, he says, is to ensure employees only ever use their own mobile hotspot, never using insecure Wi-Fi networks or allowing other users to access their hotspot. “There are obvious drawbacks to this approach, such as increased data costs, individual data caps and reduced connection speeds,” he says.

When it comes to connecting to the corporate network, however, there are other options: CSO Online has seven VPN alternatives for securing remote network access, beginning with the establishment of zero-trust network access.

Migliano too suggests implementing a zero-trust network, although, he cautions, “It requires authentication and verification of all users, even those physically on the network. This does require overhauling existing systems however, with the associated costs that brings.

Another option, Remote Desktop Protocol (RDP), has vulnerabilities that make it less than ideal, he warns.

IDC’s Baidya adds identity management solutions and software-defined wide-area networks (SD-WAN) to the list. Replacing VPNs will take time, though. “This is not an overnight journey, and needs to be well planned and implemented,” she says.

Gartner’s Bhajanka says these and other alternative technologies such as cloud access security brokers (CASBs) and secure access service edge (SASE) for cloud-oriented security technologies are already in use in conjunction with existing VPN services.

If VPNs are banned, then enterprises shouldn’t see that only as a bad thing, says Cyware’s Kathiriya: “A ban on VPNs will also bring opportunities for enterprises to explore options like zero trust for secure access to their networks.”