How Secure Are VPNs? Given Increasing Successful Attacks, It’s Time to Take a Hard Look at PAM for Zero Trust Solutions
By: Mohie Ahmed
Since the early 1990s, VPNs (Virtual Private Networks) have been central to providing remote users with access to the corporate network.
Thirty years later, in 2020, when legislation and population health initiatives mandated work-from-home, bad actors recognized and acted upon their massive opportunity to attack VPNs and initiate data theft and ransomware attacks as applications, in the heat of the moment, moved outside the traditional perimeter.
“Corporate VPN is an aging technology as organizations shift to more cloud-based services…However, in the wake of the global coronavirus pandemic, companies are realizing they have to fundamentally change the way they work,” wrote Rob Smith, Senior Director Analyst, Gartner.
VPN became the heart of remote access, but because only a small fraction of workers worked outside of the office, CIOs and other IT leaders have only recently come to see VPNs as a source of risk, leading IT decision-makers to reassess their long-term access strategy and use of VPN.
Due to the COVID-19 pandemic, the use of VPNs skyrocketed, expanding the enterprises’ attack surface.
A Cybersecurity Insiders 2021 VPN Risk Report surveyed 357 cybersecurity professionals, providing insight into the current remote access environment, the state of VPN within the enterprise, the rise in VPN vulnerabilities, and the role that zero-trust will play in enabling access to apps going forward.
- 93% of companies are leveraging VPN services, yet 94% are aware that cybercriminals are targeting VPNs to gain access to network resources.
- 72% of organizations are concerned that VPN may jeopardize IT’s ability to keep their environments secure.
- 67% of enterprises are considering a remote access alternative to a traditional VPN.
- 72% of companies are prioritizing the adoption of a zero trust model, while 59% have accelerated their efforts due to the focus on remote work.
There is no question that enterprises and organizations will need to support remote work as more employees and managers opt in to the work-from-anywhere model. This dramatically adds to the burden of IT security teams, who are already overwhelmed and now must verify who is accessing their applications, from what devices, and from where.
We all felt the impact of the COVID-19 pandemic, including the surge in remote workers, which, according to the report, forced 71% of companies polled to increase their VPN capacity.
Increasingly large and pervasive VPN-targeted attacks by cybercriminals have, in part, been made possible by the lack of essential Privileged Access Management (PAM) services, such as enabling access without exposing superuser/system credentials, or automatically changing shared/system passwords and making them invisible to users. The absence of these services leads to unauthorized access to network resources or late discovery of a breach. According to IBM, the average time to identify a breach in 2020 was 207 days.
Zero-trust strategy, implemented through Zero Trust Network Access (ZTNA), has rapidly gained adoption in recent years, starting well before COVID-19 with the general increase of mobile workers.
The Cybersecurity Insiders report confirmed that zero-trust adoption has become a priority for many organizations, with 72% of companies interviewed sharing their plans to adopt a zero-trust model.
“The shift to zero-trust and work from anywhere has been a catalyst to changing how organizations protect remote access,” the authors explained. “When asked about their outlook for remote access, 77% of organizations say their future workforce will be hybrid, with greater flexibility for users to work remotely or in the office.”
Fast forward to 2022; what does remote access look like at your company?
- Employees have greater flexibility to work remote during the week
- 15%: Employees are now fully remote
- 8%: Employees have returned to solely working in the office
While VPN has benefited from 30 years in the spotlight, the increase in VPN-targeted attacks, along with the continued shift towards mobility and cloud, has impressed on organizations the need for change in their secure remote access strategy, one built upon a foundation of zero trust principles.
In conclusion, here are the key takeaways:
- With remote work expanding, users are everywhere, accessing apps from any device, both in the datacenter and in the cloud.
- VPNs are increasingly risky as social engineering, ransomware, and malware attacks continue to advance, exposing the business to greater risk.
- Businesses are concerned about VPN’s level of security and are looking to adopt a modern remote access approach, namely a zero trust model.
- PAM is a mission-critical part of a robust IT security strategy, enabling enterprises to protect what they connect. It’s one thing to develop tools for a hybrid workforce and another to deliver ultra-secure remote access.
- Zero-Trust can be combined with Zero-Touch, given the right level of AI and machine learning, the right human-machine interfaces, and architectures that scale to support more automation, driving more productivity while addressing risk by ensuring only those who should access corporate resources can access them.
We have all found ourselves in a different world of work given the events that have defined 2020, and few professionals are feeling the pressure more than IT and OT teams.
Just as cyber risks evolve, the evolution of risk appetite frameworks is more active than ever. With more sophisticated adversaries, more digital transformation initiatives, more mobile workers, ecosystem partnerships and connectivity to multiple clouds and services, enlightened management teams and their boards are updating their levels of “risk tolerance.”
Two-factor authentication has been around for decades. It requires an additional step to access applications, systems and data: for example, entering a username and password and then entering a one-time security code sent to a mobile device.