Trends in Technology
Security professionals have the privilege of making many decisions about security architecture, implementation, technology, and policy. Over the past three decades the world of cybersecurity has transformed completely, yet even the cutting-edge, well-intentioned decisions made by IT and security professionals can turn out to be laden with risk.
One of the biggest IT security blunders organizations continue to make is allowing the organization's virtual private network (VPN) client to be installed on an employee's personal home computer for remote access. Some security professionals consider it an acceptable practice, but that doesn't change the fact that it is a high-risk policy with undesirable outcomes for the organization.
Think about it: organizations today are willfully ignorant of the threats posed by employees reaching their environment from unmanaged personal machines. The policy carries substantial risk for the following reasons:
1. Multiple Users
Personal home computers are generally shared among family members, and even when each person has a separate profile, nothing prevents one individual's poor judgment from letting malware onto the machine and, through the active tunnel, into the organization's network. Fast user switching compounds the problem: the other profiles stay loaded in memory, so the profile holding the VPN session is exposed to whatever the other users' activity brings onto the host.
A person with no relationship to the organization could compromise its entire network through the VPN session left active on that computer.
2. Inability to Secure Host
Most corporate VPN solutions embed a certificate in the user profile or in the connection configuration to validate the client. That is separate from the authentication the user provides with credentials and a second factor to establish the connection.
Neither the certificate nor the credentials offer much protection on their own, because they are only as secure as the host that stores them, and the organization does not maintain that host. They become a prime target for cybercriminals, who can use them to initiate their own connections or hijack the sessions of remote employees.
If you can't secure the host, you can't secure the connection software running on it either.
3. Lack of Authority
Organizations have no authority to manage their employees' home computers. Network access control (NAC) solutions can validate antivirus signature versions and basic hardware characteristics, but they can't inventory a home computer or ensure it is maintained and hardened like a corporate asset.
These gaps allow data leakage through screen-capturing malware and keystroke loggers, which put the data and the organization at risk.
4. Lower Malware Defense
Remote workers on home computers are generally local administrators of those computers, because they don't use a separate standard account for daily work. That makes them more vulnerable to malware, since much malware needs administrative rights to take full control of a system.
Most home users don't restrict their own access, for convenience, and the older the operating system, the weaker its defenses against malware that requests administrative rights to exploit the system.
5. No Protective Resources
Most home users don't even have decent antivirus software installed. Endpoint detection and response (EDR) or endpoint privilege management (EPM) is out of the question, and they have no vulnerability or patch management solution keeping their assets properly secured and free of known weaknesses.
Home computers operate as independent, unmonitored workstations: no security professional is watching them, and nobody can respond if something goes woefully wrong.
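As an added illustration (not code from the original article or from Percento), the following Python script turns the five gaps above into a posture check that a remote-access gateway could apply before granting a tunnel. The `Posture` record, its field names, the 30-day patch threshold, the access tiers and the four sample hosts are all constructed for this example; a real deployment would take these values from a managed agent or MDM inventory rather than from the VPN client itself.

```python
"""Posture gate for a remote-access gateway (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy threshold: a host patched more than 30 days ago counts as stale.
MAX_PATCH_AGE = timedelta(days=30)

# Failures that end the conversation; the rest can be downgraded to brokered access.
HARD_FAILURES = {"multiple-users", "no-endpoint-protection", "unpatched-os"}


@dataclass(frozen=True)
class Posture:
    """What the client reports about itself at connect time (field names assumed)."""
    hostname: str
    corporate_managed: bool    # enrolled in the org's MDM or domain-joined
    report_attested: bool      # report signed by a managed agent, not self-asserted
    interactive_sessions: int  # logged-on users, including fast-user-switched ones
    user_is_local_admin: bool
    av_running: bool
    edr_running: bool
    os_supported: bool         # vendor still ships security updates for this release
    last_patch: date


def posture_failures(p: Posture, today: date) -> list[str]:
    """Return one tag per gap in the list above that the host exhibits."""
    failures = []
    if p.interactive_sessions > 1:                 # 1. multiple users
        failures.append("multiple-users")
    if not p.corporate_managed:                    # 2./3. cannot secure or inventory host
        failures.append("unmanaged-host")
    if p.user_is_local_admin:                      # 4. lower malware defense
        failures.append("local-admin")
    if not p.os_supported or today - p.last_patch > MAX_PATCH_AGE:
        failures.append("unpatched-os")            # 5. no patch management
    if not (p.av_running and p.edr_running):       # 5. no AV/EDR
        failures.append("no-endpoint-protection")
    return failures


def access_decision(p: Posture, today: date) -> tuple[str, list[str]]:
    """Map failures to a tier: 'allow' (direct tunnel), 'vdi-only' (brokered) or 'deny'.

    A self-asserted report never earns a direct tunnel: an unmanaged host controls
    what its own VPN client says about it.
    """
    failures = posture_failures(p, today)
    if HARD_FAILURES & set(failures):
        return "deny", failures
    if failures or not p.report_attested:
        return "vdi-only", failures
    return "allow", failures


# Constructed sample hosts; the dates are relative to a fixed reference day.
TODAY = date(2024, 6, 1)
MANAGED_LAPTOP = Posture("corp-lt-0417", True, True, 1, False, True, True, True, date(2024, 5, 20))
MANAGED_NO_AGENT = Posture("corp-lt-0418", True, False, 1, False, True, True, True, date(2024, 5, 20))
HOME_PC = Posture("family-desktop", False, False, 2, True, False, False, False, date(2023, 11, 3))
WELL_KEPT_HOME_PC = Posture("home-pc", False, False, 1, True, True, True, True, date(2024, 5, 28))


if __name__ == "__main__":
    for host in (MANAGED_LAPTOP, MANAGED_NO_AGENT, HOME_PC, WELL_KEPT_HOME_PC):
        tier, why = access_decision(host, TODAY)
        print(f"{host.hostname:16} {tier:9} {', '.join(why) or '-'}")
```

The `report_attested` flag captures the caveat points 2 and 3 make: a posture report from an unmanaged host is produced by software the host's owner controls, so the most it can earn is brokered (VDI-only) access, never a direct tunnel. Even the well-kept home PC in the sample, with AV, EDR and current patches, lands in the brokered tier because it is unmanaged and its user is a local administrator. Run the file to print a decision for each sample host.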
Even with all these threat elements, most organizations have accepted the risk of VPN software on resources they don't maintain. In response, they have built hardened virtual desktop infrastructure (VDI) environments and bastion hosts to proxy the connection and shield sensitive data and applications.
They have built isolated networks and resources in the cloud to manage these connections and, in many cases, spend tens of thousands of dollars in licensing to mitigate the risk. These controls are mostly effective, but the organization's VPN software is still running on untrusted assets maintained by home users.
The best solution is to revisit the decision to allow VPN software on home assets. Organizations should consider the following ways to permit remote access with less risk:
· Don’t allow employees to work remotely
This isn't as difficult as it sounds. More organizations are letting employees work from home, but there's no need to jump on the bandwagon. Corporations such as Yahoo required all employees to come into the office during their restructuring, and some governments even prohibit by law after-hours work from home to prevent labor abuse.
Even though this option may be the most controversial, it can result in less employee fatigue, a healthier work-life balance, and better overall security for the organization.
· Give employees corporate-owned and managed laptops with docking stations
If you don't want to stop employees from working remotely, you can at least ensure they aren't reaching the organization's VPN from personal desktop computers. Give them a corporate-owned laptop that, with a docking station, works like a regular desktop and is a managed asset, which minimizes the risk.
There are many factors to consider in deciding whether to allow home users VPN access from their personal computers. It is puzzling to IT security professionals how many environments let this practice continue when a company-managed laptop or tablet would offer a more secure experience at a lower cost than running a bastion host and VDI environment.
Percento is a Professional IT Consulting, Implementation and Management firm.