Why user VPNs are putting your data at risk.

Protecting data on tablets and mobile devices

Employers and businesses wanting to enable simple mobile access have a limited number of options: either change the current software to a solution compatible with all devices, or bridge the compatibility gap and find a way to force the device to adapt to the existing software. Next, they must tackle the connectivity problem between the various devices and the corporate network, and try to give access to legacy software that is likely to be stored securely within the corporate environment.

As seen in our previous post “Why mobile devices are changing the game for remote connectivity”, companies cannot ignore the need to integrate mobile devices into their remote access policies.

Providing secure access to files and data is the key to delivering the right experience to these users. Most organisations turn to the traditional VPN to enable remote access, usually because “we’ve always done it that way”. Unfortunately, VPNs no longer fit the bill for businesses. Worse, they place data at risk.

Here’s why:


  • VPNs were designed for a world that no longer exists.

    VPNs started blossoming in the mid-1990s, when the Internet was still in its infancy, with a very simple objective: to connect devices securely, usually devices of the same type, for example PPTP to connect a Microsoft PC to a Microsoft environment, or IPsec to connect a network to a network. The idea was quite revolutionary and enabled remote connectivity for millions of users for years. This worked well while users carried their corporate laptop around and were happy working on one device. With IT controlling both ends of the VPN tunnel and few devices per user, the connection was simple to set up and simple to trust: just connect your corporate Windows laptop to the corporate Windows environment, and all your links and applications work just as if you were in the office.
    With users now switching between devices, connecting no longer operates so smoothly. Employees often use devices that IT has no knowledge of, and is unlikely to gain control of, such as a home PC or a personal mobile device. As a result, these devices integrate poorly into the environment, and the functions accessible from an uncontrolled mobile device are limited, restraining users in their activities.
    The world has moved on but sadly VPNs have not, and the problem is only going to get worse as new devices are created and released.


  • Not all devices support all VPNs.

    With iOS 10, Apple dropped support for PPTP VPN*¹, leaving thousands (and probably millions) of Windows users unable to connect back to the office using their VPN. With the war between operating systems raging, support for each other’s protocols is likely to become a weapon in this battle. Even when mobile devices do support VPNs, the configuration is far from simple and often requires solid technical knowledge.
    This does not necessarily apply to consumer-grade VPNs, used simply to work around geographical restrictions: there is little security involved in these VPNs, which share only the name with corporate VPN solutions.
    Mobility means there is a need for a device-agnostic solution, allowing users to access the same resources in the same simple manner regardless of the device they choose to use. This is what cloud-based solutions provide; however, cloud is not always the desirable answer to remote access.


  • “Trust the user, not the device!”

    Inherently, VPNs are designed to connect devices to devices. For user VPNs, this means trusting the user’s entire device on the network, purely because the user has been authenticated.
    This is fine when the device is controlled by IT and is managed with up-to-date anti-virus and the right security policies, but it quickly becomes a problem when connecting from an unknown device, such as a personal PC or a mobile device.
    How do we verify that the device is not riddled with viruses or trojans that will infect the entire network?
    How do we confirm that the device will not scan our network and steal data it was never meant to see?
    How do we know we are not letting a wolf in with the flock?
    Worse still, when connected to a VPN, the device is accessing both the internet and the corporate network at the same time. While the connection can be restricted and all of these questions considered, nothing changes the simple fact that an infected device can easily become a gateway into the corporate network, rendering the firewalls and security measures in place useless.
    VPNs are no longer a guarantee of security: they secure the connection between endpoints, but cannot control what happens once the device is accessing data within the network.


  • “I am connected. What do I do now?”

    Users connecting from a corporate PC will usually be able to work straight away, finding their shortcuts in working order. When using a non-corporate device, however, all users face the same question: what next? The answer is usually to run a remote desktop session to server A, or to connect to a specific file server B, and so on. Most non-IT-savvy users are incapable of setting up these connections and waste valuable time trying.
    This problem becomes worse when using a non-Windows PC: how do you connect to a file server, or to an application?
    Most users struggle once connected to a VPN with their mobile device, not because they can’t progress beyond this point, but because they don’t know how to.
    Here again, we see a sizeable limitation of VPNs in the new world: differences between devices bring differences in what remote workers can achieve.


  • VPNs leave a large footprint.

    A typical VPN connection from a new device involves:
    • Creating the VPN connection, entering credentials, etc.
    • Connecting to a file server, then opening a file and saving it locally for modification; even if the user does not save it locally on purpose, chances are the office application will keep an automatic backup copy anyway.
    • Possibly connecting to a remote desktop server, or an internal web server.
    • Disconnecting.

    All of the above are sure to leave a footprint on the device, leaving valuable information for anyone who uses it afterwards. At best, the next user will only gain the internal IP address of the file server. At worst, the user will have saved their credentials in the VPN configuration, allowing anyone using the same device to connect. Quite likely, the user will also have left a copy of their files in a local folder. Saving credentials in a VPN configuration is more frequent than we think, and very hard to police. This is where device loss or theft becomes a major corporate issue. VPNs do not protect the data, they make it available, even when that is not desirable.


  • “Don’t touch my device”

    Users are becoming more assertive regarding device privacy. As outlined above, traditional VPN solutions leave a footprint, which many users react strongly to. Privacy concerns quickly escalate when corporate IT teams begin to implement MDM solutions to own and control these devices.
    The reality is that users are now in control of their devices, and will try to get around any limitation placed in their way. It is often far better to work with employees to find a middle ground than to enforce a new policy on their devices.
    There is a need for a solution that leaves no footprint on end-user devices and separates work and private information.


In summary: VPNs are not fit for purpose in the new world.

VPNs were a great solution when they were first invented. They remain a great solution for site-to-site connectivity, where IT can control both ends of the tunnel. They provide a solid use case for consumers to access geographically restricted material. They have, however, become a thing of the past when it comes to user connectivity:
  • Compatibility and technical complexities prevent their use on most mobile devices.
  • They represent a growing security risk by allowing entire devices onto the network when only the user should be trusted.
  • They leave a hefty footprint on devices.
  • Users do not know how to use them on most mobile devices, and do not know what to do once they have accessed the network.

The direct result of the above is the underutilisation of mobile devices for remote work. Beyond email and calendar, a company needs to migrate to a mobile-friendly set of software to enable remote workers. This can be a long, complex and risky process, and often not a desirable one.

The good news is, there is a solution: NetConnect, the 21st century VPN.
Much like an incubator in a hospital, NetConnect lets users interact with the data without allowing them to touch it directly, keeping it safe from viruses and malicious attacks.

Want to hear more? Contact our team using the links below, or experience it directly through our free demo site.

*¹ Apple Support, July 2016, “Prepare for removal of PPTP VPN”, https://support.apple.com/en-us/HT206844

Xavier
General Manager

Across all industry trends and changing ways of working, Xavier has his finger on the pulse when it comes to new technology and mobility. With a personal mission to break down the boundaries of the workplace, Xavier consistently integrates new solutions and features into the NetConnect roadmap, ensuring the product delivers what customers need.
