VPN & Compliance: Now You See Me, Now You… Still Do

Contrary to common belief – even among IT professionals – VPN technology is a poor choice to protect an organization’s data and ensure IT security when employees and contractors connect to the corporate network and the web.

In theory, VPN can make connecting with networks and resources more secure. It creates an encrypted data tunnel between the user’s computer (at home or a public WiFi hotspot, for example) and a secure server (on the corporate network) that can also serve as a springboard to the web.

In reality, incident reports of data breaches and privacy violations tell a darker story. VPN still passes web code to the locally installed web browser. Because of the inherent security weakness of traditional browsers, this often defeats VPN’s very purpose and facilitates malware and spyware infiltration, as well as data exfiltration and deanonymization by third parties.

From “Better Than Nothing” Fix…

The inherent flaws and limitations of VPN are well documented.¹ They have become apparent over the more than 20 years the technology has been around, yet even in regulated fields such as the financial sector or health care, VPN is still promoted as a “quick fix” to protect corporate digital assets and remote access for mainly three reasons:

1. Privacy, anonymity and location masking – The organization wants to ensure that the IP addresses and geolocations of employees remain concealed and their IP addresses aren’t disclosed to websites, for example to prevent targeted “watering hole” cyberattacks² or to avoid tipping off the target of web research by AML/BSA specialists or FIU investigators.³
2. Protection against malware and spyware – The company expects VPN to provide an insulation layer between the user and the web that prevents compromising the local IT environment, for instance when remote workers connect via public WiFi.
3. Manageability – IT or the compliance team hopes that VPN nodes help them eliminate the widening web use blindspot⁴ in their organization and to regain control over how users access the web and corporate network resources, often from BYOD devices.

Recently, more companies that deployed VPN based on one or more of these considerations are reconsidering that approach. What is causing them to have second thoughts?

Multiple factors seem to come into play here. Recent warnings by the Department of Homeland Security⁵ and security firms⁶ highlight VPN shortcomings. Such alerts prompt many IT, compliance and risk professionals to reassess the “better than nothing” approach to online security that VPN still represents in many organizations.

What they find is that VPN may not be what they need going forward.

… to Compliance and Security Risk

One key advantage of VPN services is that many encrypt much of the data transmitted from point to point within the VPN. Others – and this is the bad news – don’t. With some VPN services, not all data gets encrypted. Admins are shouldered with the burden to verify exactly what a given VPN service is encrypting – and what it’s not.

Another feature of VPN services that is frequently misunderstood is their capability to conceal the user’s true identity and location. In some cases, but not all, someone accessing the internet can appear to be somewhere entirely different than their actual physical location.

You’re Not as Masked as You Think

Serving up the information of the server at the VPN “tunnel exit” instead, VPN is supposed to hide such information about the originating user or network. For anti-money laundering (AML) specialists or fraud investigators, for example, the latter capability would be crucial – if it reliably worked.

The problem here is that it frequently doesn’t and also depends on basic factors such as connection quality.⁶

As a result, AML/BSA compliance specialists or FIU analysts who rely on VPN risk disclosing their IP address, corporate network information or location coordinates to a suspicious website, and information leaked from the local browser used with VPN lets adversaries identify the users and their intent via “browser fingerprinting.” This can put compliance and operational security at risk and also lead to incomplete or contaminated research results.

VPN: Tunneling Malware to Your IT

A common misconception about VPN still is that it protects against malware, such as keyloggers, ransomware or executable phishing attachments. It does not.

VPN merely protects data in transit, which includes malware encountered on an infected website or in an email. Once it gets downloaded and processed by the local browser, it can infect the user’s computer and spread from there. In a white paper titled “VPNs Are Not As Secure As You Think,” security researchers at content delivery network Akamai concluded: “VPNs are a weak security solution.”⁸

New Risks, Fragmented Policies

On the enterprise level, VPN is known to introduce new network vulnerabilities. One example is enterprise apps that are deployed in different locations, on-site or in the public cloud. They frequently require separate VPN gateways that need to be configured manually.

The current shortage of IT security professionals compounds the challenge. If policies are not applied consistently across all gateways, security suffers. In their white paper, the Akamai researchers point out the consequences: “VPNs result in fragmented security policies for distributed enterprises.”⁹

“We Love Our VPN”

…said no one ever. Instead, employees are complaining about slow connection speeds, which make VPN synonymous with “productivity loss.” In organizations that depend on fast and secure web access, consistent access policies and non-attribution when team members access external websites, VPN has failed to deliver on several levels.

Warnings about VPN, such as a bipartisan letter from two U.S. senators in February to the Department of Homeland Security¹⁰ or the DHS alert mentioned earlier, gave companies more reason to reassess VPN.

Fed Up With VPN?

Another major factor driving this change seems to be the availability and growing popularity of a solution that delivers where VPN falls short. Many organizations had initially turned to VPN for lack of a better alternative. They no longer have to.

Just like other point solutions (think anti-virus tools or web filters), VPN is usually added to an increasingly bloated security stack. Most of its components aim to protect the organization against the risks associated with the use of traditional, locally installed browsers.

In many banks and investment houses, leading law firms and more than 100 government agencies, that picture is rapidly changing since the arrival of the secure cloud browser. With remote browser isolation technology, all web content is processed remotely, isolated in a cloud container.

This enables organizations to maximize security and compliance while avoiding the problems associated with VPN. Remote browser isolation technology truly affords the benefits VPN only purports to provide:

• Privacy, anonymity and location masking – With a compliance-ready cloud browser, the user’s IP address and geolocation remain completely concealed. As an example, with Silo, the cloud browser made by Authentic8, which pioneered the technology, only Authentic8’s IP address is disclosed to websites.
• Protection against malware and spyware – The right cloud browser creates a perfect isolation layer between the user and the web while preventing web code from entering the local IT environment or reaching the end device. No code from the web can touch the endpoint. Only visual display information (pixels) gets transmitted back to the endpoint. This effectively disconnects the organization and its users from the web’s risk zone.
• Control, oversight and auditability – By embedding policies in the centrally managed remote browser – from access controls to data loss prevention to compliance auditing – IT regains control over employee activities on the web, regardless of device, network or location of the user.

Browser isolation outside the firm’s IT perimeter offers compliance-friendly protection instead of the weak assurances offered by VPN. In the financial services sector, it enables organizations to implement the recommendations of the OCIE.^[11] Last but not least, one year after the General Data Protection Regulation (GDPR) went into effect in the European Union, organizations with business interests in the EU have even more reason to consider a cloud browser.

GDPR compliance has been a sore point for many VPN services as much as for the traditional browsers they work with. By comparison, a centrally managed cloud browser for use in this space should have no problems to provide privacy controls that fulfill the requirements of the European Union’s Data Protection Directive (Directive 95/46/EC) and meet the requirements of GDPR.