Now that so many employees work from home or another location that isn’t the office, the call for safe remote connections increases. Often, companies choose the well-known VPN to fulfil this need. Thanks to VPN, remote workers get to log in to company systems from wherever they are, which makes them happy and their employers feel flexible. But happiness and flexibility don’t equal safety. To put it even more strongly: VPN connections are like snipers, causing serious threats to company systems without the user even realising it. In this blog, you’ll read about the reason behind the problem with VPN, how to disarm your (very innocent) employees and protect your company network.
What’s wrong with VPN?
Actually, it’s not so much the VPN itself that’s causing trouble. Sure, VPNs are often slow to start up, complex and almost impossible for IT managers to manage, but they are quite well protected by their own security software. This is the very reason why they’re believed to be safe tools. The problem lies in the connection that a VPN makes between an outsider and the company network. It forms a direct connection between someone’s (privately owned) laptop and the computer network, bypassing all controls. This makes it feel like the user is physically present at the office, which sounds convenient, but is also the problem. Because, in terms of IT, an employee using a VPN connection actually is physically present. This means that he can transport all kinds of troublemakers such as malware into your network, which is tough for you to detect, let alone stop.
The deadly combo of VPN and public Wi-Fi
Of course, there are different degrees of VPN risk. For example, imagine an outside computer located in the living room of an employee. If the home network of this employee is safe, the VPN connection to your company network will be relatively safe too. However, this doesn’t change the fact that malware comes in many forms and also targets household networks, meaning there’s always a risk. But now imagine another employee taking his laptop and phone outside to work from a café, a train or an airport: then what? In this case, unsafe public Wi-Fi is added to the mix, creating a freeway for malware to travel from an unknown computer to your company network. Suddenly, all of the security risks increase, such as the chance of falling prey to the infamous man-in-the-middle attack. The two scenarios differ in terms of risk, but they have two things in common: they create a hull breach in your well-protected company ship and they’re out of your control.
So, what am I to do with remote workers?
There are plenty of tools you can use to fight VPN-related problems, such as virus scanners. But shouldn’t the question be how you can avoid these problems in the first place? Because, if you think about it, remote workers don’t really need access to the physical company network. They need e-mail, files and access to a couple of systems, but they don’t need to be inside the network.
Whether you work in manufacturing, local government, healthcare or a completely different industry, it’s clear the IT security landscape is changing. Evolving and growing cyber security threats, combined with new, hybrid working patterns, mean you have an opportunity to explore a new approach to enable business and securely connect remote users to internal systems and applications. Enter Zero Trust.
Zero Trust isn’t an easy concept to understand. It means moving from a traditional security architecture that assumes trust based on certain devices, individuals and locations toward a model that instead trusts nothing until it is verified. That move requires new tools, new methodologies and, most importantly, a different way of thinking.
Zero Trust: What’s it All About
Implementing Zero Trust Security can feel like it’s going to be a large, challenging process — but it doesn’t need to be. The answer lies in our roadmap to success, which outlines everything to look for when researching your options:
- Bridge the gap between your IT resources and your human resources
- Futureproof your infrastructure, as you transition to a hybrid world
- Stop attacks from happening in the first place
- Empower IT to work for the company again
- Bring IT to users, without intrusion on your network or for your users
Zero Trust Security protects the enterprise by enforcing granular controls over user access permissions, allowing access only to defined applications and only within defined security policies.
Whether a user is trying to view, copy/paste, upload, or download, the company will have direct control, independent of the device the employee is using. Zero Trust policies control access permissions on a very granular level based on verified user context. This ability to connect users to applications but block access to specific features in real-time enables the flow of business while still protecting companies from potential data breaches.
Unlike VPNs or network-centric Zero Trust access approaches, G/On can operate without agents on the endpoints, scales easily as traffic increases, and doesn’t require reconfiguring your network. This is what enables fast deployment and simple management, and removes all barriers to a BYOD/CYOD/COPE device strategy.
Is this the end of VPN?
Then a last question: what to do with a good old VPN? Should right-minded IT managers ban them altogether? Not per se. But if you use them, don’t look at them as if they facilitate remote working (leave that to the SDPs of this world). VPNs facilitate network access, meaning you need to treat them like they’re a network access point, just as cable company Wi-Fi. More on that in our white paper, which you can download below.
Originally published 11 July 2019, updated on 17 May 2023 for relevancy and freshness