As the pandemic makes remote and virtual work the norm, organizations have had to find ways to provide better and more secure access to critical apps and data to support work at home. Given the need to change virtually overnight, many organizations moved quickly to implement virtual private network (VPN) solutions for their employees. This was a start, but VPNs alone just can’t offer the level of protection organizations and workers require. The limitations of VPNs are causing many firms to opt for a digital workspace solution to replace basic remote access via a VPN. There are five key reasons why a VPN isn’t the right solution.
- Attackers can have full network access from any compromised device. Once attackers breach a device and have access to the network, the VPN will give them the ability to move among many different apps or databases. This kind of attack may also have substantial dwell time within corporate infrastructure, as attackers go undiscovered on the network for a long time. And attackers can use such breaches to bring down the entire network if they choose to do so. Once a VPN is breached, it essentially gives attackers carte blanche.
- VPNs were never designed for this kind of use. VPNs were designed to support a small remote workforce that had reasonable skills for using remote access VPN tools. This is not the current scenario. In broad use, VPNs can often act as a bottleneck for remote access and substantially restrict performance, particularly if the application demands greater bandwidth. In addition, the user experience with a VPN is suboptimal for most workers. It is likely that the number of support tickets will increase, and, with the huge variety of home infrastructure that workers use to connect, remediating issues may demand multipronged solutions and more support resources.
- Unmanaged and undocumented devices will use VPNs. Many employee devices are unmanaged, so IT has no visibility into the status of the device, how it may or may not be secured, or whether any malware is already resident on it. IT is left in the position of having to trust that the worker is using good security hygiene and that the device is not compromised. Using a digital workspace solution that is designed to protect application sessions at a higher level and to mitigate the threats from keyloggers or other malware that try to harvest credentials is essential to protecting the organization. A good example of the protection a digital workspace provides is the scrambling of keystrokes recorded by keyloggers so that attackers only get text strings of nonsense, not usernames and passwords.
- VPNs have no monitoring or breach detection capabilities. If a user’s VPN credentials are compromised, there is no efficient and fast way to know it. Worse, there is no monitoring by the VPN, so if sensitive data is being exfiltrated, VPNs can’t detect it or take action to remediate the problem. Putting the problem of monitoring and analysis for this huge amount of traffic back on SecOps and IT can overwhelm those teams. Modern digital workspaces, such as Citrix Workspace, have analytics for security that can quickly and effectively detect risky behaviors and take automated actions to protect the organization in real time.
- VPNs backhaul personal data to the data center. VPNs are not selective. All data, both personal and business, is sent to the data center. The result is that personal employee data becomes the responsibility of the organization. This is not what most firms want. It’s a lose-lose proposition. A recent HR Metrics & Analytics Summit survey found that 52% of employees don’t trust their organization to protect their data. This scenario also creates an unacceptable level of corporate risk for data that has no value or use for the business. Using a digital workspace that separates personal and business traffic is essential. There are enough security issues with the increase of working from home without adding more potential risk by storing employees’ personal data.
VPNs were designed for a different time and use case than what has arisen during the pandemic. Organizations need to understand that while VPNs may offer some protection, they create more threat potential and new risks for the business. Using a purpose-built digital workspace that offers the protection, scalability, management/monitoring tools, and worker protection necessary is the only sensible choice in the current environment.