There are countless articles outlining the dangers of VPN and how it is a prime attack vector used by hackers. In an interesting article I was sent recently, Only a third of companies know how many vendors access their systems, it is stated that “the average company’s network is accessed by 89 different vendors every week.” This year’s Mandiant M-Trends 2016 Report (see the subtitle on page 23) recommends: “Don’t give your outsourced service provider a site-to-site tunnel. Give them access to only the application or device they need. Make them use multi-factor authentication.” Now consider that over 3.7 billion records have been stolen since 2013, as reported by Breach Level Index. It’s safe to say that VPN tunnels, especially ones secured by just a username and password, are not very safe.
Why is this still a problem?
Clearly the world of remote access has grown significantly over the past several years. More people work from home or on the road. The amount of outsourcing for labor or IT services is increasing. BYOD users are also being granted network access en masse. As the means of connectivity changes, we still see companies connecting users to their networks over traditional firewall/VPN appliances. In 2013, Forrester created their Zero Trust Model stating “cybersecurity professionals must stop trusting packets as if they were people… In Zero Trust, all network traffic is untrusted.” Yet, we continue to see firewall/VPN appliances being used as the primary security control granting user access to an organization’s entire network.
Hackers show the world time and again that traditional perimeter defenses are not enough, so why do we keep using the same lame security controls? Because it is EASY. The firewall/VPN market is very large, very mature, and it is the way we have always done it. I’m not claiming conspiracy, just human nature — we like to do things the same way. Plus, I personally haven’t seen any major efforts put forth to propose a better solution.
What is the solution?
The solution is actually rather simple, easy and was already stated above. Don’t grant access to the entire network, just to the specific resources (server, device or application) needed. Traditional perimeter defenses aren’t enough, so view Identity as the New Perimeter — this is done with MFA (multifactor authentication). With MFA, IT knows that the actual authorized user is authenticating, and not a hacker who grabbed, off the Dark Web, one of the several billion stolen legitimate username/password pairs mentioned earlier.
This is how I would propose to end VPN as we know it. Move away from the traditional firewall/VPN appliance and integrate identity as your access solution.
- Grant access to the app only.
  - Use Centrify Identity Service to grant access to your cloud and on-premises apps. This will give you single sign-on, provisioning and role-based access from Active Directory (or the cloud directory).
- Grant access to the server or network device only.
  - Use Centrify Privilege Service to grant IT admins context-aware access to servers, network devices and infrastructure as a service (IaaS). This will also give you some great auditing features and security around your shared accounts.
- Implement MFA Everywhere.
  - With Centrify Identity Security Platform, IT is able to enforce multifactor authentication across all servers, devices and apps.
  - If your use case still requires you to use your traditional firewall/VPN, then at the very least implement Centrify MFA for VPN. This provides multiple MFA options to prove the identity of the user accessing the VPN.
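To make the three controls above concrete, here is an added example of a minimal access broker that applies them: every grant names a single app, server or device rather than a network, every decision requires a second factor, and an audit helper flags any grant that quietly reintroduces a site-to-site style tunnel. This is illustrative code written for this post, not Centrify's product code; the account names, resource names and grant table are constructed, and the function names are hypothetical.

```python
# Added example, not code from the original post or from Centrify.
# A toy access broker that enforces the post's three controls:
#   1. grants name a single app/server/device, never a whole network
#   2. every access decision requires MFA, not just a password
#   3. a principal reaches only the resources explicitly granted to it
# All principals, resources and grants below are constructed sample data.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    principal: str     # user or vendor account from the directory
    resource: str      # one app/server/device, e.g. "hr-app" or "db01"
    password_ok: bool  # first factor verified by the directory (constructed)
    mfa_ok: bool       # second factor verified (constructed)


# Constructed grant table: principal -> set of individual resources.
# Note there is no "network" entry; a vendor cannot reach db01 by
# virtue of reaching hr-app, which is the point of dropping the tunnel.
GRANTS = {
    "vendor-acme": {"hr-app"},
    "admin-jane": {"db01", "core-switch-1"},
}


def decide(req: Request, grants=GRANTS) -> tuple[bool, str]:
    """Return (allowed, reason).

    Order matters: prove the identity first (password, then MFA), and only
    then consult the per-resource grant. There is no network-wide grant to
    fall back on, so a stolen password alone never reaches anything."""
    if not req.password_ok:
        return False, "password rejected"
    if not req.mfa_ok:
        return False, "MFA required but not satisfied"
    allowed = grants.get(req.principal, set())
    if req.resource not in allowed:
        return False, f"{req.principal} has no grant for {req.resource}"
    return True, f"{req.principal} -> {req.resource}"


def network_wide_grants(grants) -> list[tuple[str, str]]:
    """Audit helper: flag any grant whose 'resource' is a wildcard or a
    CIDR block covering more than one host, i.e. a site-to-site tunnel
    hiding inside what should be a per-resource grant table."""
    findings = []
    for principal, resources in grants.items():
        for res in sorted(resources):
            if res == "*":
                findings.append((principal, res))
                continue
            try:
                net = ipaddress.ip_network(res, strict=False)
            except ValueError:
                continue  # a hostname or app name, not an address range
            if net.num_addresses > 1:
                findings.append((principal, res))
    return findings


if __name__ == "__main__":
    # Vendor with a valid password but no second factor: denied.
    print(decide(Request("vendor-acme", "hr-app", True, False)))
    # Same vendor with MFA, asking for its one granted app: allowed.
    print(decide(Request("vendor-acme", "hr-app", True, True)))
    # Same vendor, MFA satisfied, asking for a server it was never granted: denied.
    print(decide(Request("vendor-acme", "db01", True, True)))
    # Audit a constructed legacy table that still contains a /8 grant.
    print(network_wide_grants({"vendor-old": {"10.0.0.0/8"}, "x": {"hr-app"}}))
```

The audit helper is the check worth running against any real grant store before declaring the VPN retired: a single `10.0.0.0/8` or `*` entry gives a vendor exactly the tunnel the Mandiant recommendation warns against, no matter how strong the MFA in front of it is.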
With these security controls implemented, the ability of hackers to attack your network will be greatly diminished. Not to mention, you will have greatly reduced many IT headaches around identity management.