Virtual private networks (VPNs) are presenting some agencies with added challenges as they increase remote work during the COVID-19 pandemic.
Some agencies had to make emergency acquisitions for more VPN licenses and are now looking to segment their data because the technology provides more internet exposure than advocates of models like zero-trust security are comfortable with. Infrastructure, not cloud, remains the focus as agencies attempt to remotely connect employees to network assets that may still be on-premise, and zero-trust security architectures are preferable, said Dan Jacobs, director of cloud adoption and cybersecurity within the General Services Administration Centers of Excellence.
“I know several organizations went through some crippling issues when COVID first happened,” Jacobs said during an AFCEA Bethesda event Tuesday. “They simply didn’t have enough licenses, and the ones that did have enough licenses didn’t necessarily have the throughput. And their VPN failed them.”
The Nuclear Regulatory Commission is considering segmenting its data as part of its VPN approach and changing the way it handles authentication and provides permissions due to security concerns, said Jonathan Feibus, the agency’s chief information security officer.
According to a Zscaler risk report released this month, among 357 IT and cybersecurity professionals — 25 of them in government — 93% said their organization had deployed VPN services despite 94% acknowledging cybercriminals exploit their vulnerabilities to access network assets. Social engineering, ransomware and malware are the most common ways to compromise VPNs.
“Right now VPN just throws open the fire hose and gives me access to everything I had when I was in the building,” Feibus said. “Do I necessarily need that when I’m remote?”
Of the professionals Zscaler surveyed, 67% were considering remote access alternatives to traditional VPNs and 72% were prioritizing zero-trust security. And 59% were accelerating those efforts because of increased remote work.
“It’s encouraging to see that enterprises understand that zero-trust architectures present one of the most effective ways of providing secure access to business resources,” Chris Hines, director of zero-trust solutions at Zscaler, said in a statement. “As organizations continue on their journey to cloud and look to support a new hybrid workforce, they should rethink their security strategy and evaluate the rising cybersecurity threats that are actively exploiting legacy remote access solutions, like VPN.”
A cloud-delivered, zero-trust service that brokers all user-to-app connections is the best approach, Hines said.
But agencies aren’t so sure. Maintaining ownership of infrastructure is often easier than using cloud services, where the agency has to work with the provider to adjust for efficiencies, Feibus said.
The Air Force is taking another approach with its software factories using DevSecOps to embed security into service mesh architectures from the outset. But that isn’t a “panacea” for VPN woes either, said Ron Ross, a fellow at the National Institute of Standards and Technology.
NIST wrote the Federal Information Processing Standard 199 back in 2004 to ensure all data in federal systems was categorized as high, moderate or low impact.
“We understood then that complexity was going to overwhelm us at some point and that making sure we could identify the things that were most important; we can separate those, isolate those resources and give them better protection,” Ross said. “That concept is still very much in play today.”
But even DevSecOps developers are reliant on code libraries imported from a variety of sources without much transparency or trust. Broad-based policies and strategies are needed to address that “systemic” problem, Ross said.
“How much trust do we have in those code libraries? Who manages those libraries?” he asked. “What’s in the libraries?”