Organizations transitioning to a remote workforce need a secure remote access solution. However, the significant security issues associated with virtual private networks (VPNs) have inspired many organizations to seek a VPN alternative.
Patch Management is Challenging (and Unsustainable)
Ideally, every vulnerability in software would be found and fixed before the code reaches production. In practice, this is far from the case: each year, over 23,000 new vulnerabilities are discovered and publicly reported in released code.
For vulnerabilities in released software, patching is the most common and most effective way to manage them. By applying an update that closes the security hole, an organization removes that path for an attacker, provided the patch is complete and is actually deployed to every affected system.
However, keeping up with patch management is difficult for most organizations. Some of the main challenges associated with managing vulnerabilities through patching include:
- Vulnerability Identification: Before an organization can apply a required patch, it needs to know that it needs it. This requires an accurate inventory of which products are deployed and at which versions, and then matching that inventory against vendor advisories and vulnerability databases (which lag behind disclosure and are often incomplete). As corporate networks become more complex, this process scales poorly.
- Patch Availability: A zero-day vulnerability is one that the vendor has had "zero days" to fix, because it was discovered being exploited (or was publicly disclosed) before the vendor knew about it. Until the vendor releases a fix, there is a window in which patching cannot help and only mitigations or isolation can reduce the risk.
- Testing and Deployment: Even once a patch is available, applying it takes time. A patch must be tested to ensure that it doesn't break the system, rolled out across the enterprise, and verified afterwards to confirm that it actually closes the vulnerability. This process must be repeated for every patch, which adds up quickly.
- Patch Volumes: While an organization may not be affected by all of the 23,000+ vulnerabilities discovered each year, even a small percentage comes out to a huge number of patches. With lean security teams, organizations can easily be overwhelmed and fall behind.
- Other Responsibilities: Patch management is an important job, but it’s one of many for a security team. In many cases, personnel are focused on combating active threats or dealing with support tickets rather than vulnerability management.
All of these factors contribute to the fact that most organizations are behind on patching with little hope of catching up. As a result, their digital attack surfaces are full of potentially-exploitable security gaps.
VPN Vulnerabilities are a Serious Problem
Many kinds of systems have exploitable vulnerabilities. However, internet-facing VPN gateways are among the most attractive targets, especially in the wake of the surge in remote work caused by the COVID-19 pandemic.
On April 15, 2021, the National Security Agency (NSA), together with CISA and the FBI, published an advisory on five vulnerabilities that required immediate attention because they were being actively exploited by the Russian Foreign Intelligence Service (SVR), an advanced persistent threat (APT). Three of the five were in widely deployed VPN and remote-access gateways: Fortinet FortiGate SSL VPN (CVE-2018-13379), Pulse Connect Secure (CVE-2019-11510), and Citrix ADC/Gateway (CVE-2019-19781). The other two, in Zimbra Collaboration Suite (CVE-2019-9670) and VMware Workspace ONE Access (CVE-2020-4006), were in other internet-facing products rather than VPN software as such.
A notable fact about these vulnerabilities is that most were roughly two years old at the time of the advisory, and patches had been available for about as long. That threat actors were still exploiting them shows that the unpatched population was large enough to be worth targeting, which means many organizations must still have had vulnerable VPN software exposed on their networks.
When prioritizing patches, high-impact targets like VPN infrastructure should be at the top of most organizations' lists. However, that only helps if the organization knows its VPNs need patching and is actively working to apply the fixes, something that a two-year delay calls into question. A VPN gateway typically places an authenticated client directly on the internal network, so a compromised gateway or a stolen credential yields broad network access. Combined with poor patching practices, this puts an organization at serious risk.
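Both the vulnerability-identification step above and the VPN prioritization point come down to the same practical check: match what is deployed against what is known to be vulnerable, then rank by exposure. The following script is an added example, not code from the original article or from any vendor. The asset inventory, the vulnerability feed, and the identifiers (VULN-0001 and so on) are constructed for illustration; in a real deployment the feed would come from NVD or the CISA Known Exploited Vulnerabilities catalog and the inventory from a CMDB or scanner. The scoring weights are also an assumption, chosen to push internet-facing remote-access appliances with in-the-wild exploitation to the top.

```python
"""Match an asset inventory against a vulnerability feed and rank what to fix first.

Added example for this article. All assets, vulnerabilities and scoring
weights below are constructed, not real advisory data.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    version: str
    internet_facing: bool
    role: str  # e.g. "vpn", "mail", "ci"


@dataclass(frozen=True)
class Vuln:
    vuln_id: str
    product: str
    introduced: str            # first affected version
    fixed_in: Optional[str]    # first fixed version; None means no patch exists yet (zero-day)
    published: date
    exploited_in_wild: bool


def parse_version(v: str) -> tuple:
    """Turn '8.2.1' into a comparable tuple. Numeric parts sort numerically and
    always before non-numeric parts (e.g. 'rc1'), avoiding int/str comparison errors."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in v.split("."))


def is_affected(asset: Asset, vuln: Vuln) -> bool:
    """True if the asset runs the vulnerable product at a version in the affected range."""
    if asset.product != vuln.product:
        return False
    v = parse_version(asset.version)
    if v < parse_version(vuln.introduced):
        return False
    # No fix published yet: every version from 'introduced' onward is affected.
    return vuln.fixed_in is None or v < parse_version(vuln.fixed_in)


def priority(asset: Asset, vuln: Vuln, today: date) -> int:
    """Constructed scoring: exploited-in-the-wild and internet exposure dominate,
    remote-access role adds weight, and each unpatched quarter adds urgency (capped)."""
    score = 0
    if vuln.exploited_in_wild:
        score += 40
    if asset.internet_facing:
        score += 30
    if asset.role in ("vpn", "remote-access"):
        score += 20
    age_days = (today - vuln.published).days
    score += min(age_days // 90, 10)
    return score


def find_exposures(assets: List[Asset], vulns: List[Vuln], today: date) -> List[dict]:
    """Return one row per (asset, vuln) match, highest priority first."""
    rows = []
    for a in assets:
        for v in vulns:
            if is_affected(a, v):
                rows.append({
                    "asset": a.name,
                    "vuln": v.vuln_id,
                    "score": priority(a, v, today),
                    "action": "patch" if v.fixed_in else "mitigate/isolate (no patch yet)",
                })
    rows.sort(key=lambda r: (-r["score"], r["asset"]))
    return rows


# Constructed sample inventory and feed (not real products or advisories).
ASSETS = [
    Asset("vpn-gw-1", "ExampleVPN", "8.2.1", internet_facing=True, role="vpn"),
    Asset("vpn-gw-2", "ExampleVPN", "8.3.0", internet_facing=True, role="vpn"),   # already on the fixed version
    Asset("mail-1", "ExampleMail", "3.4.0", internet_facing=True, role="mail"),
    Asset("build-1", "ExampleCI", "2.0.5", internet_facing=False, role="ci"),
]
VULNS = [
    Vuln("VULN-0001", "ExampleVPN", "8.0.0", "8.3.0", date(2019, 4, 1), exploited_in_wild=True),
    Vuln("VULN-0002", "ExampleMail", "3.0.0", "3.5.0", date(2021, 1, 10), exploited_in_wild=False),
    Vuln("VULN-0003", "ExampleCI", "2.0.0", None, date(2021, 3, 20), exploited_in_wild=True),  # zero-day
]
TODAY = date(2021, 4, 15)

if __name__ == "__main__":
    for row in find_exposures(ASSETS, VULNS, TODAY):
        print(f"{row['score']:3d}  {row['asset']:10s} {row['vuln']}  -> {row['action']}")
```

Run stand-alone, the script lists the two-year-old, actively exploited VPN gateway hole first, the internal zero-day second (flagged for mitigation because no fix exists), and the internet-facing mail server last; the already-patched gateway does not appear at all. The version comparison is the part most often done wrong in home-grown tooling, which is why it is a separate function here.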
A Better Approach to Secure Remote Access
As remote work becomes part of "business as usual", secure remote access solutions like VPNs are a critical resource for an organization. However, the exposure of VPN software to exploitation, along with its other issues, means that an organization accepts significant risk with a VPN deployment.
The issues associated with VPNs mean that organizations should consider alternatives for secure remote access. One option is secure access service edge (SASE), a cloud-delivered solution that integrates software-defined WAN (SD-WAN) with a full security stack. One of the security capabilities built into SASE is zero-trust network access (ZTNA), a secure remote access technology.
ZTNA offers a number of advantages over VPNs, and some are directly relevant to the VPN patching problem. As part of a SASE solution, ZTNA is delivered as a managed service, so patching of the access enforcement points becomes the provider's responsibility (and providers are better placed to keep them current). The organization still owns the parts it controls, such as client agents, any on-premises connectors, its identity provider, and the access policy itself, so patching is reduced rather than eliminated. ZTNA also applies a zero-trust model: access is granted per application, based on the user's identity, the device's posture, and policy, rather than by placing the client on the network. A compromised account therefore reaches only the applications that identity is entitled to, and only from a device that passes the posture checks, whereas a compromised VPN credential typically exposes the whole internal network.
Secure remote access is a critical solution for the modern enterprise. And for most organizations, VPNs are not the right choice.