What happens to cybersecurity when remote office workers become home workers, connecting to remote customers who are themselves working from home? VPNs are not the solution. Zero trust networks are.
National security agencies and the military know that there is only one sure way to protect an IT device from malware, and that is to isolate it completely. “Air gapping”, rather than networking, means that there is no room for connections to allow malware to spread between devices. Unless, of course, some malicious or fallible human carries it over – but that is another story.
Humanity is currently threatened by its own version of malware – the coronavirus. Scientists have advised governments that humans must be “air gapped” to reduce the risk of it spreading. The tactic is to enforce social isolation via lockdown. Office workers, for example, must now work from home – and phone, social media, messaging and conference calls have replaced the business meeting, the open-plan office, the family reunion or friendly handshake.
The irony is this: now that people are (relatively) safely air-gapped, the attack surface across their means of communication systems has ballooned. Consider an online financial transaction: this process would normally entail a call via the office through to the financial services company or its helpdesk. But under lockdown, the office worker is now calling from home, and the finance staff are also working from home.
How can we ensure edge to edge security when the edge can be anywhere?
The Virtual Private Network (VPN) is not up to the task
There used to be a sure way to connect branch offices to headquarters: you lease a private line between them. As a dedicated private line, it was intrinsically “air gapped” from other communication lines and so very secure. But it was a costly solution, requiring manual connection at either end, and very inflexible. It took time to fix contract details and install and, if you needed a little extra capacity, it would require setting up a second leased line.
For the last twenty or more years VPNs have been the de facto solution for securely connecting business to business and home users across the Internet. A branch office could sign up for a VPN offering secure connection to the VPN provider’s nearest server, from there it can be securely connected across the globe to a server closer to company headquarters, from where a final VPN connection links to head office.
VPN looked like the ideal solution, except that cybercrime has since become so much more sophisticated and pervasive. As remote workers become even more remote in response to coronavirus social isolation, criminals are turning their attention to vulnerabilities in this ballooning attack surface.
On March 13th 2020, the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning to business about the growing security risks: As organisations elect to implement telework, the Cybersecurity and Infrastructure Security Agency (CISA) encourages organisations to adopt a heightened state of cybersecurity. In particular, they warn that:
- As organisations use VPNs for telework, more vulnerabilities are being found and targeted by malicious cyber actors.
- As VPNs are 24/7, organisations are less likely to keep them updated with the latest security updates and patches.
- Malicious cyber actors may increase phishing emails targeting teleworkers to steal their usernames and passwords.
- Organisations that do not use multi-factor authentication (MFA) for remote access are more susceptible to phishing attacks.
- Organisations may have a limited number of VPN connections, after which point no other employee can telework. With decreased availability, critical business operations may suffer, including IT security personnel’s ability to perform cybersecurity tasks.
There are several problems here. A VPN connects the endpoint blindly to a public or private data center and imposes no access or authentication restrictions. Malware travelling through the VPN gets full network access and can start hunting for vulnerabilities in any server on the network. 63% of network breaches are traceable to third party access.
There are other limitations too. As VPNs divert traffic between servers they trade performance for security, adding latency and reducing bandwidth. Whereas it is easy to establish a single VPN between two offices, setting up and managing hundreds of VPN tunnels to every home worker becomes a major headache.
Is there a better solution?
The Zero Trust Alternative
“In today’s business, it is critical to give everyone in the organisation the ability to access all apps whenever they need them, no matter where in the world they are. To have this access securely is no longer optional but a must.” According to Chakib Abi Saab, CTO of OSM Maritime Group – who might as well be speaking for every organisation currently adapting to social isolation and home working.
There is now a proven alternative to VPN links. It is a software-only solution available as Software-as-a-Service (SaaS). No additional hardware is needed, you just install the software – already available for Windows, Mac, Linux and mobile – in each endpoint.
Every endpoint now has secure, strictly-controlled access directly to permitted private cloud, public cloud and SaaS services. It is a “zero trust’ network, only allowing specific, authenticated application sessions. You are no longer “tromboning” data around your corporate infrastructure, adding latency, packet loss and failure points. Instead of digging new VPN tunnels to every shifting endpoint, you become an air traffic controller, with simple, centralised visibility and control of the organisation’s entire network.
VPNs are notorious for impairing app performance. It is even worse now because of VPNs tromboning apps to a few VPN concentrators, then to a corporate network and then finally to the cloud. A “scenic route” – but the added latency and failure points are not so pretty. The Zero Trust solution, however, routes data directly along the best performing paths. Application performance is noticeably improved, and your home or remote workers are no longer at any disadvantage.
For the most critical business, such as financial services, it really is possible to ensure secure, high-performance communications across the globe.