By Kurt Glazemakers, SVP Engineering, AppGate
Remote working is far from a new trend but looks set to become an ever-increasing mainstay of how modern businesses operate. In response to the rapid spread of COVID-19, businesses have rightly prioritised the safety of their employees, and remote working has ballooned more than most businesses expected or prepared for. In fact, according to Gartner, 81% or more are now working remotely and 41% are likely to do so at least some of the time when they return to normal work.
The shift to mass remote working was never meant to happen overnight. Naturally, this quantum shift both solves and creates problems for even the most well-prepared business. Issues such as maintaining network security across a distributed workforce, which has always been a security challenge, are now amongst a new host of problems to solve. Without the right protection in place, remote working is simply not safe. With teams still needing to collaborate across geographies, businesses must ensure that any security solutions put in place not only protect employees but also maintain business continuity. This is true for any company, but particularly for the financial services sector, where regulations such as PCI DSS need to be closely adhered to.
The problem is that tried and tested solutions such as Virtual Private Networks (VPNs) are simply no longer making the cut when it comes to handling modern business challenges. For organisations that are serious about establishing secure and effective remote working, getting the right network security in place is vital, both for immediate and long-term success.
The failure of the VPN
To understand why VPNs no longer make the grade, it is worth reminding ourselves what a VPN actually does. While VPNs do provide some measure of security and have served their purpose well in creating a basic level of security for point-to-point connections, they are out of their depth when it comes to the latest security approaches. VPNs were never intended for the level of remote working we are now seeing. Nor are they designed to handle the security threats that come from complex online environments made up of IoT devices, mobile networks and the flexible way that we now work. Given the volume of today’s data, the speed of access required and the scale at which businesses are working, VPNs are unable to handle today’s business security needs.
What’s more, with VPNs, once a user is able to enter one element of the network, they then have full visibility of everything else, irrespective of whether they need it or not. This means that as soon as one user is compromised, it is extremely easy for attackers to gain access to the entire network. This was made evident when the National Cyber Security Centre discovered vulnerabilities in several SSL VPN products from companies such as Pulse Secure and Palo Alto, which ultimately resulted in attacks. In times of crisis such as COVID-19, with the increased number of remote workers, the attack surface has drastically expanded, so once an attacker has access they can quickly spread across a network. In addition, because VPN ports are always open and ready for connections, they are increasingly becoming vulnerable access points to a network.
Time for an improvement
Fortunately, there is a better way of enabling this ever-growing remote workforce to connect securely to their business’ network, both quickly and at scale. To really combat the security challenges faced by businesses today, especially in light of the sheer volume of people currently working from home amidst COVID-19, organisations need to ensure a zero-trust approach. This is something that VPNs are fundamentally unable to do. For solutions such as software-defined perimeters (SDPs), however, this is the foundation on which they are built.
Unlike VPN solutions, SDPs are designed to micro-segment network and application access, dynamically forming a one-to-one network connection between the user and the resources they are authorised to access. With an SDP system in place, only the resources a user needs are made available to them; all unauthorised network resources are simply made inaccessible.
To illustrate this, imagine a hotel with hundreds of rooms. With a VPN solution, any individual allowed through the main lobby is then able to access every single room. In contrast, with SDP solutions, the individual requires multiple keys to open the rooms which they are allowed to enter; any other door they don’t have a key for remains invisible to them.
As a result, zero-trust solutions such as SDPs make it significantly harder for attackers to spread across a network. Once a device or user is compromised, it can simply be sectioned off from the rest of the network, without impacting other users or business functions.
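The contrast drawn above between flat VPN access and per-user SDP entitlements, as an added example that is not from the article or from any vendor's product. The resource names, addresses, users and the `SdpController` class are all hypothetical, and the device-trust flag stands in for whatever checks a real controller would perform.

```python
from dataclasses import dataclass, field

# Constructed inventory: resource name -> (host, port). All values are hypothetical.
RESOURCES = {
    "payments-db": ("10.0.1.10", 5432),
    "hr-portal": ("10.0.2.20", 443),
    "git": ("10.0.3.30", 22),
    "card-vault": ("10.0.4.40", 8443),
}

# Constructed entitlements: user -> resources they are authorised to reach.
ENTITLEMENTS = {
    "alice": {"hr-portal"},
    "bob": {"git", "payments-db"},
}

def vpn_reachable(user):
    """Flat VPN model from the article: once connected, every resource is visible."""
    return set(RESOURCES)

@dataclass
class SdpController:
    entitlements: dict
    quarantined: set = field(default_factory=set)

    def reachable(self, user, device_trusted=True):
        """Default deny: only entitled resources, only for a trusted, non-quarantined session."""
        if user in self.quarantined or not device_trusted:
            return set()
        return set(self.entitlements.get(user, ())) & set(RESOURCES)

    def allow(self, user, resource, device_trusted=True):
        """Per-connection decision; anything not explicitly entitled is refused."""
        return resource in self.reachable(user, device_trusted)

    def quarantine(self, user):
        """Section off one compromised identity without touching anyone else."""
        self.quarantined.add(user)

def blast_radius(controller, compromised_user):
    """Resources exposed by one compromised user under each model."""
    return {
        "vpn": sorted(vpn_reachable(compromised_user)),
        "sdp": sorted(controller.reachable(compromised_user)),
    }
```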
Keeping employees safe, secure and staying operational
For the financial services sector, working remotely is a new and challenging change. Navigating new regulations and a remote workforce while still maintaining a high level of security and business continuity will mean overcoming many hurdles. However, by moving towards a zero-trust approach to security and looking at the latest solutions on offer, businesses can quickly and easily solve many of these issues. As SDP works across the traditional internal network as well as remotely, businesses are able to enjoy its benefits once people return to working from the office again. Done right, security really can be the business enabler for today and tomorrow.