In response to last week’s post, “Rainer on Ars Technica: Live, VPN!” some readers have requested the full article here on VPN Haus, so here it is. (reprinted with the permission of Ars Technica)
By Rainer Enders
The recent Ars Technica article “Die VPN! We’re all ‘telecommuters’ now—and IT must adjust” declares that we’re all “telecommuters” now, perennially connected to our corporate data via smartphones, laptops and tablets. This is certainly true, but this reality actually flies in the face of the article’s main point that VPNs should die. One of the commenters on the piece posted: “VPN isn’t going anywhere.” And the commenter is right—VPN is indeed here to stay, especially now that we’re all telecommuters. Here are some reasons why:
The year of the data breach
From Sony to Gucci, high-profile companies became victims of hacking with incredible frequency in 2011. Corporate heists of this scale are typically complicated, but there are a few common lessons learned that we can glean from these breaches. For one, hackers are relentless and sophisticated, and will take advantage of every opportunity to sabotage a corporate network. This is the stark reality of today’s world, where stolen data is a billion-dollar business—not the climate in which businesses want to slack off on their VPN protection.
In fact, breaches have become so prevalent that the US Securities and Exchange Commission recently introduced guidelines that urge companies to disclose security breaches in order to protect investors. But this isn’t just about corporate IT policies. This is also about protecting the privacy of individuals. The Sony breach exposed the personal information of millions of users, while a Stanford hospital breach this past fall exposed thousands of ER records.
It’s simply irresponsible and absurd to say secure remote access is unnecessary when companies are crumbling and individuals are being violated, in part because of data breaches that a secure VPN could prevent.
It’s a hybrid world
The Die VPN! article is right to say that we are now using cloud-based email and calendaring more than ever before. But this isn’t the only way we access corporate information. Most people—and companies—still have a hybrid approach to their data storage. While some information is shared via Google Docs or on Salesforce.com, most companies continue to store the majority of their corporate information on private servers, hardware or virtual. This is a hybrid world: one in which the corporate firewall is alive and well. Any company that allows employees to access and transmit the information on its servers without encrypting it first is recklessly (not to mention unnecessarily) exposing itself to a data breach.
Why passwords aren’t enough
With the number of smartphone users set to increase 49.6 percent from 2010 to 2012, and the ubiquity of WiFi, it’s often a simple VPN that stands between a company’s network and the slew of opportunistic hackers. Otherwise, employees would be sending private data over the Internet with no protection—unthinkable for enterprises all over the world that rely on VPN encryption. If companies want to improve their security profile, their best bet is to keep critical servers and services off the Internet entirely and instead provide access through a transparent VPN connection such as IPsec, avoiding the various SSL vulnerabilities and flaws. Unfortunately, many of the risks of exposing services directly to the Internet are simply overlooked.
Without a VPN, some organizations rely on password protection as the only safeguard for their devices. Yes, a password is a basic first line of defense should the device be stolen. But it provides no security for information in transit—for example, employees accessing corporate information from a WiFi hotspot, which increasingly means anywhere from a hotel lobby to a fast-food drive-through. Even a “safer” wired connection, such as Internet from a hotel room or a café, is notably less secure than the office network. Only the end-to-end encryption provided by a VPN can truly offset this.
Case in point: the outrage over the lack of VPN support in Windows Phone 7.5 “Mango” is further testimony to just how critical VPNs are for an overwhelming number of smartphone users. Not only that, but a VPN is necessary for smartphones to live up to their full potential as productivity enhancers. After all, a major benefit of smartphones is maintaining the user connection any time, any place. This benefit, however, is meaningless to most workers if the connection isn’t secure—or if they have to do a cumbersome webmail log-in every time they want to check e-mail. And for workers who travel internationally, a smartphone with VPN support is the only option, since a VPN is needed to check Gmail and freely surf the Internet in censored countries like China.
The Die VPN! article says the biggest issue companies and IT have is “the lost laptop” problem, with the solution being full disk encryption. But if you take a look back at a high-profile breach of 2011, you’ll see that the biggest security issue is often a disgruntled former employee looking for opportunities to game the company’s network.
In April, a former Gucci IT employee, Sam Chihlung Yun, was charged with remotely taking over the haute-couture company’s computers, shutting down servers and deleting emails. To hack into Gucci’s network, Yun created a VPN token in the name of a fictional employee while still at Gucci, then once he was fired, he used his USB-based token to gain remote access. In the aftermath of Yun’s attack, Gucci staff were not able to access any documents, files or materials saved anywhere on its network. The breach caused Gucci to lose more than $200,000 in diminished productivity and repairs.
How could the Gucci breach have been prevented? With the implementation of a holistic security model. Full disk encryption isn’t enough. A security model must consist of several components, which together make a secure system. Disk encryption can protect data if a device is lost or stolen, as can a remote wipe tool. However, such incremental technology may only be necessary if a certain risk profile applies, meaning sensitive data is actually stored on the mobile device. Otherwise, why encrypt trivial data content?
Disk encryption also has major drawbacks in its implementation. Initially encrypting an entire laptop disk drive can take hours, not including the time needed to ensure backup of the laptop disk drive before beginning encryption. The long process of full disk encryption makes it useless for large-scale enterprise remote access projects. Additionally, some full disk encryption authentication methods interfere with other programs companies use to manage laptops, such as sign-in processes and asset tracking. Furthermore, the hard drive has a risk of being corrupted or damaged, which is extremely detrimental to data recovery.
On the other hand, with a VPN, you can protect your data with—in many cases—one click. This is especially ideal for enterprise remote access projects because it’s fully automatic, and a console monitors compliance to security policies as well as rollout and operation of the tele-workstations. The Die VPN! piece paints VPNs as a nuisance, but in reality, today’s technology is pretty simple to use for admins and end-users. A case must be made for more sophisticated, managed VPNs that tie in with Identity Management components to facilitate user/employee provisioning (which could have prevented the Gucci breach). A VPN can streamline the work involved with complex, high-volume, tiered provisioning, which is when not all employees get full access to the network, depending on job responsibilities. For example, in a healthcare organization, a lab tech might receive access to only a portion of a patient’s file, while the doctor would have more extensive access. If Gucci had used a holistic security approach consisting of risk assessment, planning and implementing the right set of technologies and tools, and a VPN for tiered provisioning, perhaps the breach never would have happened since the fictional employee would have most likely been highly restricted, and the former employee would have had his access immediately removed.
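The identity-management tie-in argued for above boils down to two checks: every VPN credential must map to a real, current employee, and no VPN login may succeed after that employee’s termination date. The following is an added example, not code from the article or from any VPN vendor; the HR roster, token inventory and gateway log format are all constructed and hypothetical.

```python
from datetime import date, datetime

# Constructed HR roster (hypothetical): login -> termination date (None = still employed).
HR_ROSTER = {
    "alice": None,
    "bob": date(2011, 3, 31),   # terminated at end of March
}

# Constructed VPN token inventory (hypothetical): token serial -> owner login.
VPN_TOKENS = {
    "TOK-0001": "alice",
    "TOK-0002": "bob",
    "TOK-0003": "ghost_user",   # issued to a name HR has never heard of
}

# Constructed VPN gateway log (hypothetical format): "timestamp user token result".
VPN_LOG = """\
2011-03-15T09:02:11 alice TOK-0001 AUTH_OK
2011-04-02T23:41:07 bob TOK-0002 AUTH_OK
2011-04-02T23:45:30 ghost_user TOK-0003 AUTH_OK
2011-04-03T08:10:00 alice TOK-0001 AUTH_OK
"""

def orphaned_tokens(tokens, roster):
    """Tokens to revoke: owner missing from HR, or owner already terminated.
    Returns {serial: reason}."""
    result = {}
    for serial, owner in tokens.items():
        if owner not in roster:
            result[serial] = "no HR record"
        elif roster[owner] is not None:
            result[serial] = "owner terminated %s" % roster[owner]
    return result

def suspicious_logins(log_text, roster):
    """Successful logins by unknown users or by users past their termination date."""
    flagged = []
    for line in log_text.splitlines():
        ts, user, serial, result = line.split()
        if result != "AUTH_OK":
            continue
        when = datetime.fromisoformat(ts).date()
        if user not in roster:
            flagged.append((ts, user, serial, "no HR record"))
        elif roster[user] is not None and when > roster[user]:
            flagged.append((ts, user, serial, "after termination"))
    return flagged

if __name__ == "__main__":
    for serial, why in orphaned_tokens(VPN_TOKENS, HR_ROSTER).items():
        print("revoke", serial, ":", why)
    for row in suspicious_logins(VPN_LOG, HR_ROSTER):
        print("investigate", *row)
```

Run daily against the real token inventory and gateway logs, the first check alone would have surfaced a token with no matching employee before it was ever used remotely.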
Here to stay
We in the tech sector are notorious for making grand statements about technology—whether it’s the death of one technology or the forecast of another that is so disruptive that it will destroy all that came before. But the reality is far more complicated, and while VPNs might not be a perfect solution to every problem, they serve a critical purpose in today’s world where, indeed, we’re all telecommuters. Abandoning VPNs because you heard they are inconvenient is, frankly, a reckless and potentially devastating mistake.