Introduction
Virtual Private Networks have traditionally been used to protect all system, network, and application traffic originating from a remote device and terminating on a corporate VPN gateway. Whether or not the device is under the control of the business, VPNs, when properly configured, ensure the traffic is protected end-to-end, and therefore meet several regulatory requirements. Of course, they also add peace of mind!
Per NIST SP 800-46, VPNs are used for “remote access”, and should be employed with the common principles of all security programs: Confidentiality, Integrity, Availability. With regard to VPN and remote access, these principles have nuanced, important definitions:
- Confidentiality—ensure that remote access communications and stored user data cannot be read by unauthorized parties;
- Integrity—detect any intentional or unintentional changes to remote access communications that occur in transit; and
- Availability—ensure that users can access resources through remote access whenever needed.
Context
The term “VPN” in the age of our Cloud-first Customers takes on a different meaning than traditional thinking. Unfortunately, Regulatory Compliance is very traditional! So, if your aim is to achieve Compliance, you’ll likely need to consider deploying and managing VPN solutions. We can certainly help with those considerations, as they imply their own set of challenges, and we also believe in a proper balance between budget and the “right amount” of security Controls. Regardless, VPN fundamentally implies two Use Cases:
- Access to internal corporate assets for administration
- Access to other corporate intra/internet resources needed for job duties
“VPN” also implies tunneled traffic, meaning all traffic along the path from the device to the destination is encapsulated and encrypted (“tunneled”) and therefore hidden within the normal LAN-->WAN traffic flow.
Assumptions
With these principles in mind, let’s explore some key assumptions:
- Unencrypted/poorly encrypted WiFi traffic (“Free WiFi”) is visible to anyone on/near the network
- Remote devices will use “dirty” WiFi networks
- Usage of SaaS HR, Payroll, and other systems
- HTTPS for most communications (including ‘Cloud administration’)
- Before a secure session is established, the traffic is unencrypted
- All other traffic from the device routes through the local WiFi and open Internet
Risks of not using VPN
With these principles and assumptions in mind, let’s now explore the Risks:
- Full control of Device traffic is not possible
- Device is open and susceptible to all LAN traffic/hosts
- All device traffic, including encrypted traffic, is visible on the network and can be captured and stored
- ISPs and other entities can see/store the traffic
Guidance
As with every Cybersecurity decision, it boils down to making risk-informed decisions. We recognize that most communication with “the Cloud”, whether that’s your environment or external SaaS tools, uses HTTPS. Further, Digital Certificates verify the authenticity of the SaaS/Cloud solution, and consequently a fully trusted HTTPS session (certificate validated by the device) provides CIA for that session.
However, the device must still have other key components to mitigate general and WiFi Risk:
- Firewalls with default deny
- No local administrative privileges
- Advanced endpoint security
- Proper vulnerability, patch, and configuration management
VPNs serve as critical ‘chokepoints’ to quickly contain a compromised host, and a centralized audit trail for remote access into corporate assets, such as databases or servers. We love these features, and as Security professionals, our guidance is to always use VPNs for remote employees.
But practical wisdom is also part of our toolkit! So, if you’re going for Compliance, you need VPN for remote users. If you can tolerate the Risks outlined, and you have secured the ‘remote administration’ front door like Ft. Knox, then you don’t need a VPN!