COVID-19 Crisis: How to Manage VPNsPractitioners Share Insights on How They're Addressing VPN Shortcomings
Security practitioners around the world are struggling to cope with the challenges posed by remote workers heavily relying on virtual private networks during the COVID-19 pandemic.
See Also: Coronavirus Age for CIOs
"Remote working using a VPN was designed to cater to a mobile workforce, usually 10 percent to 20 percent of overall enterprise users," says Sudip Banerjee, director, transformation strategy at Zscaler, a cloud security company. "Now, with all users working from home simultaneously, there is a tremendous load on internet bandwidth and inbound gateway devices like remote access servers and load balancers."
Another challenge: Home networks and web access devices, including Wi-Fi routers, lack the level of security provided in an enterprise network. "This is a double-whammy of managing network traffic load spikes as well as an increase in security risks," Banerjee says.
Key security steps to take, experts say, include:
- Deploy data loss prevention as well as endpoint detection and response technologies;
- Allow only a limited number of employees to use the remote access servers at any given time;
- Plan for backup VPNs;
- If possible, configure security into the cloud;
- Adopt a 'zero trust' approach;
- Rework the network architecture to connect users to applications using the internet as the transport layer;
- Segregate and identify those workers who do not have access to sensitive information;
- Conduct weekly threat hunting exercises;
- Carefully prioritize risks to manage.
The Essential Steps
Deploying data loss prevention as well as endpoint detection and response technologies are essential steps in the current environment, says Mahesh Sogane, global lead, cyber defense, monitoring and incident response at the oil company Shell. Organizations also should conduct periodic risk reviews on remote access solutions and cloud hosted apps, he adds.
Some organizations are taking the extra step of dividing the workload on VPNs by allowing only a limited number of employees to use the remote access servers at any given time. This helps to ensure that those accessing critical and sensitive information are able to do so without facing network issues.
Banerjee notes that VPN deployments in enterprises today are not able to handle the traffic generated by a workforce that's now entirely remote, thus necessitating the addition of more RAS servers and load balancers "which will take weeks to order, deliver and provision."
And VPN gateways "draw traffic from miscreants, which can significantly increase the chances of a malware attack," he adds. "Given the sudden increase in load from managed and unmanaged devices, the chances of such breaches are only increasing."
Anish Ravindrananthan, security and cloud architect at Tata Digital in Mumbai, says that a company moving from say, 300 employees using a VPN to 1,000 "has become a major challenge."
As part of his business continuity plans, Ravindranathan had planned for a backup VPN device. "Most advanced enterprises also go for an active-passive VPN setup. By doing so, we can shift load between two devices."
Ravindranathan also advises accompanies to revisit the service level agreement they had with their vendors. "This is the right time to speak to your hardware provider and ask for an extra device. The option of backup hardware should be made part of every SLA."
New Approaches to Security
With the sudden growth of the remote workforce, organizations must take new approaches to security.
"Instead of protecting the data center and internal networks using a stack of security appliances, it is time to configure security in the cloud to connect users to applications in a safe manner," Banerjee says.
"To transform traditional network and security architecture to an internet and cloud-centric one requires evaluating the applications landscape. SaaS applications, internal applications that can move to the public cloud should be moved," he says.
He also advises organizations to evaluate current security effectiveness against external threats along with measures for protecting enterprise data from exfiltration.
Another key step, he says, is to rework the network architecture to connect users to applications using the internet as the transport layer and inspecting the traffic and applying business policies.
"In a cloud environment, typically there are site-to-site connections. One needs to do VNet tunnelling with a specific cloud provider," he says.
"Suppose, you have 1,000 employees working from X office. In such cases, the provider generally whitelists the public IPs and allows the traffic to access the cloud network. But now, people from home do not get static IP, since home internet has dynamic IP. So that site-to-site connection will not happen. In such a situation, instead of logging in though VPN, one can log in to the cloud portal. There are built-in solutions where you do secure connections to a remote desktop, or RDP with your virtual machines."
In light of more workers accessing data from the cloud, many organizations are taking a "zero trust" approach, including the use of multifactor authentication.
"To access databases which are hosted in the cloud, it is important to look into PIM/PAM [Privileged Identity Management/Privileged Access Management]. Here, classification of data becomes important, as this will help in implementing the right controls," Singh says. "Employ a DLP solution as well. It will ensure that unnecessary data does not get downloaded."
Banerjee says cloud security technologies are managing this complexity by providing a full stack of security capabilities, including a next-generation firewall, full SSL inspection, advanced threat protection, a cloud sandbox and DLP.
"Enterprises need to focus on creating business policies and rules specific to users, locations and applications they need to access, thus reducing a lot of overhead and costs of managing disparate appliances from multiple vendors and running around for troubleshooting issues," he says.
Some organizations are taking short-term steps to improve security for the remote workforce.
"Segregate and identify those people who do not have access to sensitive information," says Jagdeep Singh, CISO at NIUM, a fintech company based out of Singapore. "For a short period of time, their access can be removed and given to those who handle sensitive information."
A CISO from an insurance company headquartered in Mumbai, who asked not to be named, says he is taking a "workforce stagger" approach to ensure that people accessing critical and sensitive information are able to do so without facing network issues. "I have divided their time. So 'Business A' can access information from 9 a.m. until noon, while 'Business B' can access information from 1 p.m. until 4 p.m."
Tom Kellermann of VMware Carbon Black suggests deploying endpoint protection platforms and conducting weekly threat hunting exercises. Plus, he recommends leveraging "just-in-time administration" to ensure that system administrative privileges are not too widespread.
Sam Curry, CSO at Cybereason, says it's important for security practitioners to prioritize risks. "There will usually be a long list of risks. But it is important to look at the things that are at the center, the biggest risks of them all," he recommends.