Today, more than ever before, organizations around the world are relying almost entirely on VPNs to ensure their workforce can securely connect to the corporate network.
While COVID-19 measures have sent the bulk of the U.S. workforce home to work, as SC Magazine points out, most businesses only have the resources for about 20-30% of their workforce to securely work from home but are being forced to support 100% of them.
For most organizations, work can't come to a grinding halt while we wait out the pandemic, so this means relying heavily on personal devices, in other words allowing a bring your own device (BYOD) policy.
The security concerns with BYOD are well known, and in this case are being outweighed by the need to simply continue operations.
As Dark Reading notes, “the most significant issue for companies is whether employees' devices have been secured before they connect to internal networks, as well as the security of the services themselves.”
SC Magazine reinforces this concern, pointing out that “using a VPN does not by itself make working from home more secure,” and goes on to discuss the very nature of remote work, explaining that “with people linking in from all over the world, possibly through an insecure router, a company’s attack surface is vastly increased.”
All sources agree on one major point: the prediction that COVID will bring a massive increase in the number of attacks coming through remote workers and their personal devices, along with a focus on attacking the methods those workers use to connect back to the organization's network.
In the same article referenced above, Dark Reading cites recent examples of VPN breaches, and notes that in terms of breaches, “a VPN breach is about as bad as you can get.”
Consequences of a VPN breach
The team at Dark Reading is certainly not wrong. All one has to do is look at examples of some of the most catastrophic breaches in history to see just how true this is.
Both the Target and Home Depot breaches, widely considered to be some of the largest and most financially damaging breaches in history, were achieved through a network perimeter breach with stolen third-party credentials, the very thing VPNs are designed to protect.
InfoSecurity Magazine’s coverage of the Home Depot breach showed that “53 million email addresses were stolen along with the previously disclosed 56 million credit and debit card details. And, the goods were lifted from its network due to stolen credentials from a third-party vendor. Criminals used a third-party vendor's user name and password to enter the perimeter of Home Depot's network.”
And their coverage of the Target breach showed that “110 million in-store customers [were] compromised” and Target themselves confirmed that the server “was compromised by a third party using stolen credentials,” with sources linking to their HVAC provider.
As the Dark Reading article notes, “the ability for someone to travel internally from VPN infrastructure into sensitive data is extremely easy.”
Breaches resulting from VPN compromise allow access to your organization’s most sensitive data, making the decision of which VPN you use, particularly if you have to trust personal employee devices, incredibly important.
Hardware VPN features that protect against breaches
VPNs are sold as both hardware and software. There are quite a few things to consider when comparing hardware and software VPNs, but here we will limit ourselves to focusing specifically on the features of hardware VPNs that help them provide greater protection against breaches.
Firewalling and isolation
The end user devices connected through a hardware VPN never actually touch the networks they connect to.
For instance, Attila's GoSilent Cube is built to act as a firewall between the device it is connected to and the outside world. No other devices on the same network as that end user device can even see that the device itself exists. This makes the end user device virtually impossible to target for attack.
No software is required for end user devices
This is one very clear benefit for both organizations and end users alike.
As long as you select the right hardware VPN, there is nothing to install, nothing that requires training, and nothing that requires maintaining updates on the end user device itself.
This makes it very simple to connect both organization-provided devices and personal devices alike.
No software compatibility concerns
Because no software is required on end user devices, there is no concern about which versions of applications or operating systems are running on those devices.
With a software-based solution, there is a long list of requirements to ensure the VPN can work correctly in the environment -- and that poses particular challenges, especially in cases where employees are using their own home computers or smartphones.
Smaller attack surface
Because the end user device is completely hidden from the network, the applications and operating system running on that device no longer offer an attack surface.
Typically, a general-purpose operating system -- Windows, for instance -- exposes a large number of potential entry points because it runs so many services and components. This means more opportunities for attack.
With a hardware VPN, you no longer offer up this attack surface at all.
Lower risk of “VPN hijacking”
Software-based VPNs make it much easier for VPN credentials to be stolen and used at a future date -- much like the stolen third-party credentials in the breach examples above.
Hardware VPNs help to protect against this problem because, again, the end user device is completely hidden from the network. This means attackers can't reach the device where credentials are being entered to try to intercept them.
Greater control over where traffic is sent
A hardware-based VPN can be configured to allow traffic to flow only to a single endpoint, meaning that once it is connected to an end user device, it can ensure that all traffic goes to the central network and nowhere else.
Software-based solutions don’t offer the same degree of control, and it is more difficult to be assured that traffic isn’t going somewhere it shouldn’t.
Reduced risk of misconfigurations and user error
Because there is nothing to configure on a GoSilent, there is nothing to misconfigure, which becomes especially important if you need your users to be able to set it up themselves on their own devices.
In the case of the GoSilent Cube, it is as simple as plugging the Cube into the end user device (or connecting the two over the GoSilent Cube's LAN).
ASSETT employees were able to self-provision GoSilent Cubes in minutes, on their own and without the need to install or configure any software, in the comfort of their homes.
With software, there are usually plenty of settings that can be set incorrectly, and users need far more training to make sure they are using everything correctly.
If a user misconfigures the software or does not know how to use it, the risk of unauthorized access to your data increases considerably.
Less user maintenance
Software-based VPNs require consistent updates, patches and maintenance.
One major benefit of using a hardware VPN is the fact that you don’t have to rely on your users to install updates anymore in BYOD deployments.
I don’t know about you, but when is the last time you actually trusted an employee to keep applications on their personal device up to date? If you are relying on this behavior to protect your organization from a breach, you aren’t going to find yourself in a good situation.
Using a hardware-based VPN can make BYOD a reality
By using a hardware-based VPN, along with a few simple configurations or settings on the device itself, you can quickly and easily secure personal devices for use with remote work.
There are many different solutions on the market for hardware-based VPNs, each with different features and functionality, so for the purposes of this discussion I’ll limit myself to Attila’s hardware-based VPN solution in order to speak about specific features rather than in general terms.
Using this example, here's how a hardware-based VPN can address the most pressing risks organizations face when allowing for BYOD:
- Malware on the Device: The end user devices connected through our GoSilent Cube never actually touch the networks they connect to. The GoSilent device acts as a firewall between the device it is connected to and the outside world. This means that no malware can cross from the device to the network. It also alleviates the risk of having VPN keys stolen, as the user must have the physical device as well as VPN keys in order for the VPN connection to work.
- Installation, Set-up and Configuration: Most hardware-based solutions are much easier for users to set up and use on a day to day basis. On a GoSilent specifically, there is nothing to configure at all. And when there's nothing to configure, there's nothing to misconfigure. It is as simple as plugging the GoSilent Cube into the end user device (or connecting the two over the GoSilent Cube's LAN). That’s it.
- Split Tunneling: Our hardware-based VPN by default allows traffic to flow only to a single endpoint, meaning that once it is connected to an end user device, all traffic can only go to the central network; nothing is split off to the local network or the Internet.
- Interoperability: Because no software is required on the end user devices when using a hardware VPN, there is no concern about compatibility with the applications or operating systems that are running on those devices. A hardware-based VPN is completely software agnostic, so you can use it to secure any IP-enabled personal device. This alleviates the need for a very complex and rigid policy for the devices themselves.
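The "single endpoint" property described above (in the section on controlling where traffic is sent and again in the Split Tunneling item) is something a defender can verify on a software client rather than take on faith. The following is an added example, not Attila or GoSilent code: it parses the output of `ip -4 route show` on a Linux client and reports every route that lets traffic bypass the tunnel interface. It tolerates the two routes a full-tunnel client legitimately needs outside the tunnel, the host route (pinhole) to the VPN server itself and the directly connected LAN route used to reach the local gateway, and it accepts the OpenVPN-style pair of `0.0.0.0/1` and `128.0.0.0/1` routes as an equivalent of a default route via the tunnel. The tunnel interface name, the VPN server address and both routing tables are constructed for the example.

```python
"""Audit a Linux client's routing table for split tunneling.

Added example, not GoSilent/Attila code. Input is the text produced by
`ip -4 route show`; the interface name, server address and sample tables
below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    dest: ipaddress.IPv4Network   # destination prefix ("default" becomes 0.0.0.0/0)
    dev: str                      # outgoing interface
    scope_link: bool              # directly connected network (no gateway)


def parse_routes(text):
    """Parse `ip -4 route show` output into Route records."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "default":
            dest = ipaddress.ip_network("0.0.0.0/0")
        else:
            # A bare host route such as "203.0.113.10" becomes a /32.
            dest = ipaddress.ip_network(fields[0], strict=False)
        dev = fields[fields.index("dev") + 1] if "dev" in fields else ""
        scope_link = "scope" in fields and fields[fields.index("scope") + 1] == "link"
        routes.append(Route(dest, dev, scope_link))
    return routes


def audit_full_tunnel(route_text, tunnel_dev, vpn_server):
    """Return a list of findings; an empty list means every non-local
    destination is routed through tunnel_dev."""
    routes = parse_routes(route_text)
    server = ipaddress.ip_address(vpn_server)
    whole = ipaddress.ip_network("0.0.0.0/0")
    halves = {ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")}
    tunnel_dests = {r.dest for r in routes if r.dev == tunnel_dev}

    # Either a default route via the tunnel, or the two /1 routes that
    # OpenVPN's redirect-gateway installs to shadow the original default.
    default_covered = whole in tunnel_dests or halves <= tunnel_dests
    findings = []
    if not default_covered:
        findings.append(
            f"no default route via {tunnel_dev}: Internet-bound traffic bypasses the tunnel")

    for r in routes:
        if r.dev == tunnel_dev:
            continue                      # inside the tunnel: fine
        if r.dest == whole:
            continue                      # reported above if not shadowed
        if r.dest.prefixlen == 32 and r.dest.network_address == server:
            continue                      # pinhole to the VPN server, needed to build the tunnel
        if r.scope_link:
            continue                      # on-link LAN route, needed to reach the local gateway
        findings.append(f"{r.dest} via {r.dev} bypasses the tunnel (split tunnel)")
    return findings


# Constructed sample: full tunnel with OpenVPN-style /1 routes over tun0.
FULL_TUNNEL_SAMPLE = """
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
"""

# Constructed sample: split tunnel, only 10.0.0.0/8 goes through tun0.
SPLIT_TUNNEL_SAMPLE = """
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
172.16.5.0/24 via 192.168.1.1 dev wlan0
"""

if __name__ == "__main__":
    for name, table in (("full", FULL_TUNNEL_SAMPLE), ("split", SPLIT_TUNNEL_SAMPLE)):
        result = audit_full_tunnel(table, "tun0", "203.0.113.10")
        print(name, "->", result or "OK: all traffic forced through tun0")
```

The on-link LAN route is tolerated because a software client cannot reach its gateway without it, which is exactly the residual exposure the article contrasts with a hardware gateway: behind a GoSilent Cube the only network the endpoint can see is the Cube itself, so there is no LAN route left to audit.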
Whether we want to accept it or not, COVID has forced us to re-evaluate the methods by which organizations allow remote access.
VPN usage has soared in the current environment, and the looming risks posed by BYOD aren’t going anywhere.
This doesn’t mean there is no solution, or that we have to accept breaches as a foregone conclusion.
What it does mean is that your organization should be diligent about the secure connectivity solutions it employs, and select one that is user friendly, can be quickly deployed and provides the highest levels of security.