Remote workers: drop your VPN or we’ll shoot!

Category: network access control, VPN / Date: 11 July 2019

Now that so many employees work from home or another location that isn’t the office, the call for safe remote connections is growing. Often, companies choose the well-known VPN to fulfil this need. Thanks to VPN, remote workers get to log in to company systems from wherever they are, which makes them happy and makes their employers feel flexible. But happiness and flexibility don’t equal safety. To put it even more strongly: VPN connections are like snipers, posing serious threats to company systems without the user even realising it. In this blog, you’ll read about the reason behind the problem with VPN, how to disarm your (very innocent) employees and how to protect your company network.

What’s wrong with VPN?

Actually, it’s not so much the VPN that’s causing trouble. Sure, VPNs are often slow to start up, complex and almost impossible for IT managers to manage, but VPNs themselves are quite well protected by their own security software. This is the very reason why they’re believed to be safe tools. The problem, however, lies in the connection that a VPN makes between an outsider and the company network. It forms a direct connection between someone’s (privately owned) laptop and the computer network, bypassing all controls. This makes it feel like the user is physically present at the office, which sounds convenient, but is also the problem. Because, in terms of IT, an employee using a VPN connection actually is physically present. This means that he can transport all kinds of troublemakers such as malware into your network, which is tough for you to detect, let alone stop.

 

The deadly combi of VPN and public Wi-Fi

Of course, there are different degrees of VPN risk. For example, imagine an outside computer located in the living room of an employee. If the home network of this employee is safe, the VPN connection to your company network will be relatively safe too. However, this doesn’t change the fact that malware comes in many forms and also targets household networks, meaning there’s always a risk. But now imagine another employee taking his laptop and phone outside to work from a café, a train or an airport: then what? In this case, an unsafe public Wi-Fi network is added to the mix, creating a freeway for malware to travel from an unknown computer to your company network. Suddenly, all of the security risks increase, such as the chance of falling prey to the infamous Man-in-the-Middle. The two scenarios differ in terms of risk, but they have two things in common: they create a hull breach in your well-protected company ship and they’re out of your control.

 

So, what am I to do with remote workers?

There are plenty of tools you can use to fight VPN-related problems, such as virus scanners. But shouldn’t the question be how you can avoid these problems in the first place? Because, if you think about it, remote workers don’t really need access to the physical company network. They need e-mail, files and access to a couple of systems, but they don’t need to be inside the network. This means that, in most cases, you can implement a solution where remote workers only come “near” the company network. Instead of granting remote workers access, you could install a sort of “stockroom attendant” or “proxy” that runs back and forth to get the remote worker the information he or she needs. Technically speaking, this doesn’t require network access, meaning you don’t need VPN either. This shuts down the tunnel between outside users and the company network, meaning public Wi-Fi is no longer a threat.

 

Software Defined Perimeter (SDP)

Not letting remote workers in by letting them come “near” sounds good, but also a bit vague. So, here’s how it works. You use a Software Defined Perimeter (SDP), a so-called Black Cloud. This is a virtual border between the company network and the outside world that works according to a need-to-know model, which means a user can’t enter the network before his identification is verified. SDPs do so by actively checking the identity of users, what they do and where they do it. They pass on information to workers outside the physical network but encrypt it in such a way that it’s useless to hackers. They also keep track of safety policies in real time, which means that if users leave the office permanently (and their rights expire), they can no longer access any company data. The same goes for devices: if they’re sold or thrown out, their information cannot be decrypted.

 

How do SDPs handle authentication?

The great thing about SDPs is that authentication can take place in the same way as with VPN, so through a user name and a password (or even a smartcard). But this is where the similarities stop. The SDP concept is very different from VPN, as the latter creates a tunnel with unlimited data exchange, whereas a Software Defined Perimeter leaves the user in the dark about everything that goes on in the network. All he gets is access to the right files and systems, meaning he can’t do the network any harm. How different compared to VPN, which will get a user on the actual network! Thanks to SDP, all end users can work remotely and safely, without jeopardising the company network. You, in turn, get a lot of control: you get to see who can access which parts of the network and under which conditions. And there you have it! Employee happiness, flexibility and safety all in one. We told you this would work.
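The need-to-know model and the “stockroom attendant” described above can be sketched as a small broker that decides on every single request. This is an added example, not code from any SDP product; the Policy and Broker classes, the user, device and resource names, and the simplified "authenticated" flag are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    entitlements: dict     # resource -> users who need it (need-to-know)
    active_users: set      # users whose rights have not expired
    enrolled_devices: set  # devices that have not been sold or retired

@dataclass
class Broker:
    policy: Policy
    backends: dict         # resource -> fetch function; only the broker reaches these
    audit: list = field(default_factory=list)

    def deny_reason(self, user, device, authenticated, resource):
        # Evaluated on every request, so a policy change applies immediately.
        if not authenticated:
            return "identity not verified"
        if user not in self.policy.active_users:
            return "user rights expired"
        if device not in self.policy.enrolled_devices:
            return "device not enrolled"
        # Unknown and unentitled resources get the same answer, so the user
        # learns nothing about what else exists behind the broker.
        if user not in self.policy.entitlements.get(resource, set()):
            return "no access"
        return None

    def fetch(self, user, device, authenticated, resource):
        reason = self.deny_reason(user, device, authenticated, resource)
        self.audit.append((user, device, resource, reason or "allow"))
        return None if reason else self.backends[resource]()

def demo():
    # Constructed sample users, devices and resources.
    policy = Policy({"mail": {"alice", "bob"}, "hr-files": {"alice"}},
                    {"alice", "bob"}, {"laptop-17", "laptop-22"})
    broker = Broker(policy, {"mail": lambda: "inbox",
                             "hr-files": lambda: "salaries"})
    out = {
        "entitled": broker.fetch("alice", "laptop-17", True, "hr-files"),
        "not_entitled": broker.fetch("bob", "laptop-22", True, "hr-files"),
        "unknown": broker.fetch("bob", "laptop-22", True, "finance-db"),
        "unverified": broker.fetch("alice", "laptop-17", False, "mail"),
    }
    policy.active_users.discard("alice")  # alice leaves the company
    out["after_offboarding"] = broker.fetch("alice", "laptop-17", True, "hr-files")
    return out, broker.audit
```

The audit list is what gives the administrator the view of who accessed what and under which conditions; with a VPN tunnel the equivalent decision is made once, at connection time.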

 

Is this the end of VPN?

One last question: what to do with good old VPN? Should right-minded IT managers ban them altogether? Not per se. But if you use them, don’t look at them as if they facilitate remote working (leave that to the SDPs of this world). VPNs facilitate network access, meaning you need to treat them like they’re a network access point, just like cable company Wi-Fi. More on that in our white paper, which you can download below.

White paper Network Access Control made easy