The evolution of the corporate VPN: How COVID-19 has redefined VPN security

March 16, 2021

The COVID-19 pandemic has forced network administrators back to the drawing board in 2020-21. Pre-pandemic, corporate VPN was a luxury provided to remote workers, travelling employees and C-suite management, which only formed a small percentage of the workforce.

Now, it has become the essential service upon which a whole organization relies. There are different ways that organizations are scaling their VPN capabilities. From integrating native user VPN solutions to deploying application VPN solutions, companies are looking to deploy physical device or cloud devices. Some organizations have utilized a hybrid approach, where cloud devices are added on top of existing infrastructure. This model works well with the option of scaling down virtual devices after more users start coming back to the office.

Corporate VPN solutions can be broadly divided into user VPN solutions or application VPN solutions. Both solutions have distinctive advantage. User VPN solutions focus on delivering secured remote access to users which require access to multiple resources. User VPN solutions are limited by the specifications of the firewalls. However, firewalls have a great control over the data that passes through them. Security policies and different threat protection policies ensure that devices connecting to the corporate VPN are regulated and meet the defined requirements. To reduce non-corporate traffic, split-tunneling can be enabled, which send only corporate traffic over the VPN tunnel. Exposure of different users and groups can be minimized by creating policies that allow them access to select resources.

Application VPN solution in contrast allows access to only an application or a resource. Application VPN solutions are deployed in the internal network, where they act as the gateway for users’ connections. Remote users authenticate themselves to the VPN’s cloud platform which redirects requests to the VPN gateway. Application VPN gateway communicates with internal resources and creates sessions for remote users. Hence, a single application can be made available for many users without compromising any other resource on the network. The solution is perfect for organizations with many users requesting access to fewer applications.

Regardless of the solution, the challenges for any Chief Information Security Officer (CISO) for building a secure and robust architecture for VPN service are greater then ever. User VPN solutions provide administrators control over more aspects of the remote device then application VPN solutions. Administrators can build security policies which can scan and identify different threats that remote devices can possess.

When firewalls are subscribed to threat updates, it ensures organizations are protected against newer threats. Though subscriptions come at a very steep price in some cases, to reduce operating cost of firewalls while providing same security capabilities, organizations tend to deploy the desired vendor’s firewalls on a cloud platform. Organizations can deploy virtual firewalls in different locations and utilize cloud platform’s network to deliver traffic back to the corporate network.

Organizations can scale up or down the virtual firewalls as needed, with greater ROIs compared with physical firewalls. In some cases, user VPN solutions have successfully identified an infected system. With the help of automation tools and features, firewalls can quarantine such systems until a complete analysis of the device isn’t completed. Such features along with regular security updates can strengthen any organization’s infrastructure.

Enterprise security teams deploy application VPN solutions when the costs of virtual or physical firewall seem too high. Application VPN solutions do not offer the same security capabilities as a traditional firewall. Such solutions have visibility into only the browsers, system OS and a few other systems. Hence, administrators must also rely on the firewall to inspect the traffic from the solution’s cloud platform to VPN gateway.

Organizations do not have to scale virtual infrastructure as they can utilize their solution provider’s global presence to deliver services to different geographical users. Application VPN solutions are independent of the native system and only rely on a browser. A vulnerability in a browser can cause a security concern in some cases. Application VPN solutions are drastically different from destination NAT policies or port forwarding, which may be less secure remote access solutions.

Keeping many different considerations in mind, enterprise security leaders must build their security infrastructure around users and applications. With many larger organizations opting for letting most of their users work remotely indefinitely, VPN services have risen in priority for any CISO. As health experts have pointed out that COVID-19 may stay longer then expected, the same can be said about the VPN.

Ankit Badani is CEO of SK Networks. He owns a small Managed Service Provider business which specializes in IT Security and Networking. When he is not working, he likes to watch movies, read and travel with family. His favorite sports organizations include F.C. Barcelona, Mumbai Indians and Cloud9.

With the advent of Internet of Things (IoT) technology and Industrial Internet of Things (IIoT), the cyber security practices are increasingly getting integrated with the physical security practices.

We will provide insight on NDAA Section 889 and how the act has evolved and impacted business, so that organizations can better mitigate risk and stay compliant.