
The Pipeline Ransomware Came Via The VPN


In May 2021 the criminal group DarkSide brought a major fuel pipeline in the United States to a halt. How did the criminals get in? The ransomware came via the VPN. A VPN (Virtual Private Network) is conceptually a really long network cable from your house to the company. People often believe it is part of their security posture, but in practice it is a risk. In hindsight, an unacceptable risk.

In this case, the VPN existed so that the team could work remotely and reach the various internal services (email, wiki, reporting, HR, …) they need to do their jobs. No one questions the need for remote access. But a VPN is a blunt tool, and not fit for this purpose: once a user is on it, they are on the network, and whatever their machine sends, ransomware included, travels over the VPN too.

I’m sure the company in question is currently addressing the symptoms: the shared, leaked passwords. They are probably investing in multi-factor authentication, and perhaps even in some segmentation of the internal network. Some will suggest “blow it up and outsource it”: move to managed SaaS, and so on. That is not a panacea. Stitching together a single identity and multi-factor authentication across applications is not easy, whether they are SaaS, self-hosted or managed.

The real answer is to move to a Zero Trust architecture and lower the blast radius. Authenticate the user. Authorise the action. Grant access to a single resource. A user can then reach what they need, and nothing more.

Zero Trust is part of a defence-in-depth strategy. Imagine each component being breached, and have a plan for what happens next. An application is breached? It cannot reach the rest of the network. A user is compromised? The attacker can only do that user’s normal activities on that user’s normal applications. No more ransomware spreading via the VPN.

How do you get there quickly? An identity-aware, authenticating web application firewall deployed as a reverse proxy is a good part of the solution. It lets you quickly put a single, strong identity with multi-factor authentication in front of every legacy application without reworking them, and then remove the VPN. The caveat: the proxy only lowers the blast radius if it is the only path to each application, and if the application trusts identity only from the proxy. The VPN is not worth the risk.
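As an added illustration (not the original post’s code, and not any particular product’s), here is a minimal identity-aware reverse proxy in Go of the kind described above. It assumes that an SSO plus MFA login flow, not shown, has already issued an HMAC-signed session cookie; the hostnames, cookie and header names, policy table and signing key are all illustrative assumptions. The proxy verifies the cookie, authorises the request against a deny-by-default per-application allowlist, overwrites any identity headers the client supplied, strips its own session cookie, and only then forwards to exactly one backend.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Stand-in signing key (assumption: a real one comes from a secret store).
// The SSO + MFA login that mints the session cookie is assumed, not shown.
var sessionKey = []byte("example-only-session-key")
const sessionCookie = "gw_session"

// Per-application allowlist (illustrative names); anything unlisted is denied.
var policy = map[string][]string{"wiki": {"staff"}, "hr": {"hr"}}

// mintSession builds "user|group1,group2|hexsig"; normally the login service's job.
func mintSession(user string, groups []string) string {
	payload := user + "|" + strings.Join(groups, ",")
	mac := hmac.New(sha256.New, sessionKey)
	mac.Write([]byte(payload))
	return payload + "|" + hex.EncodeToString(mac.Sum(nil))
}

// verifySession trusts nothing in the cookie until the HMAC checks out.
func verifySession(token string) (user string, groups []string, ok bool) {
	parts := strings.Split(token, "|")
	if len(parts) != 3 {
		return "", nil, false
	}
	mac := hmac.New(sha256.New, sessionKey)
	mac.Write([]byte(parts[0] + "|" + parts[1]))
	sig, err := hex.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return "", nil, false
	}
	if parts[1] == "" {
		return parts[0], nil, true
	}
	return parts[0], strings.Split(parts[1], ","), true
}

// authorize is deny-by-default: one resource, one decision.
func authorize(app string, groups []string) bool {
	for _, g := range groups {
		for _, allowed := range policy[app] {
			if g == allowed {
				return true
			}
		}
	}
	return false
}

// newGateway authenticates, authorises, then proxies to exactly one backend.
func newGateway(backends map[string]*url.URL) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// "wiki.corp.example:443" -> "wiki" (assumed naming scheme).
		app := strings.SplitN(strings.SplitN(r.Host, ":", 2)[0], ".", 2)[0]
		c, err := r.Cookie(sessionCookie)
		if err != nil {
			http.Error(w, "authentication required", http.StatusUnauthorized)
			return
		}
		user, groups, ok := verifySession(c.Value)
		if !ok {
			http.Error(w, "invalid session", http.StatusUnauthorized)
			return
		}
		target, known := backends[app]
		if !known || !authorize(app, groups) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		// The legacy app trusts these headers, so overwrite whatever the client
		// sent, and forward the app's own cookies but never the gateway session.
		r.Header.Set("X-Forwarded-User", user)
		r.Header.Set("X-Forwarded-Groups", strings.Join(groups, ","))
		cookies := r.Cookies()
		r.Header.Del("Cookie")
		for _, ck := range cookies {
			if ck.Name != sessionCookie {
				r.AddCookie(ck)
			}
		}
		httputil.NewSingleHostReverseProxy(target).ServeHTTP(w, r)
	})
}

func main() {
	wiki, _ := url.Parse("http://127.0.0.1:8081") // assumed legacy wiki address
	panic(http.ListenAndServe(":8443", newGateway(map[string]*url.URL{"wiki": wiki})))
}
```

Run it with a legacy application listening on 127.0.0.1:8081 and send requests with a Host header of wiki.corp.example and a gw_session cookie minted by mintSession. Two things make this a real reduction of blast radius rather than a relabelled VPN: the backend must be reachable only from the proxy (otherwise anyone who can reach it directly can forge X-Forwarded-User), and the allowlist is per application, so a compromised staff account reaches the wiki and nothing else.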

Would you like to discuss? Or perhaps you would like to just try.