Why VPN security is still a thorny topic for IT

It often seems like you can’t go more than a few days without hearing about another organisation which has been compromised, and it’s not small companies with lax security who are suffering; in the last 12 months alone the US Postal Service along with retailers Target and Home Depot, have all suffered from significant compromises.

It’s not just a system breach which these high profile organisations have in common. In each case the attackers gained access through their virtual private network (VPN) and once within the network, they’ve moved laterally, attempting to gain access to sensitive information or destroy critical data.

> See also: Netflix changes terms to terminate accounts that use a VPN

The VPN has been a staple of corporate productivity since the 1990s, providing employees with wide access to protected resources when outside of the organisation’s physical walls.

But business has changed since 1990, the volume of sensitive data organisations now hold within their networks is growing at an exponential rate and new architectures are causing IT organisations to spread their attention across many vulnerabilities.

Unfortunately, this temptation has made the VPN a prime target as an organisation access point for criminals and a thorn in the side of any IT department.

For a long time the username and password have been the cornerstone of IT access security and the reliance businesses still have on this aging combination for access security is astounding. In a recent survey we found that one third (33%) of UK respondents were relying solely on username and password for secure access control, a worrying thought for anyone when you consider the number of data breaches over the last 12 months which resulted from compromised user credentials.

As the modern attacker continues to dig for a way into the corporate network there’s no doubt that a username and password just won’t keep the VPN safe enough. Many organisations have already wised up to this fact and security teams know they need to do more than this to protect what is arguably one of the most critical resources a business owns.

In recent years we’ve seen new authentication methods emerge such as biometrics, risk based analysis and even behaviour analysis. However, access gateways and VPNs have not fully modernised with respect to natively supported authentication methods.

To address this gap, many VPN vendors are now enabling external sources to authenticate users and pass them to the VPN, opening up a new set of options for strong authentication and better protection of your infrastructure.

Emerging best practices call for layering several of these emerging ‘adaptive’ factors as part of strong authentication strategy that enables organisations to get a step ahead of attackers by intelligently building risk profiles of those attempting to gain access to resources, both legitimately and maliciously.

> See also: How Home Depot and JP Morgan could’ve avoided the worst

With attacker capabilities continually advancing it’s these innovative authentication techniques which are transforming how security teams protect our most prized business resources. By examining the context of the identity and leveraging live threat intelligence, organisations are able to better identify who the user is and who the user is not, without simply relying on credentials which can easily be stolen or replicated.

Through this better understanding of who is accessing their systems and from where, IT departments may finally be able to stop seeing the VPN as a thorn in their side and instead rest in the knowledge that their gold mine of data is safely protected from the slew of bad actors trying to take corporate information.

Sourced from Tim Arvanites, Vice President, Technical Services, SecureAuth

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...