Remote Workers Demand VPNs

Posted: 23rd April 2014 by VPN Haus in Industry Commentary, IT policy, VPN
Tags: , , ,

With more companies going global, and more employees spread across multiple geographic locations, the demand for remote access technologies has never been greater. The good news is that telecommuting has the potential to be mutually beneficial to the increasingly mobile workforce and their companies. Remote employees believe they are more productive with a flexible schedule that allows them to work both in the office and at home, whenever they need to, and their employers obviously stand to benefit from this increased productivity. As Jeffrey Burt of eWeek explains, “Greater worker mobility is one of the key trends…changing the way corporate IT works.”

The current situation

BYOD is here to stay, that much has been known for several years now. However, thanks to research recently conducted by Pertino, we have a better understanding of exactly what it is that employees are looking for in terms of working remotely. One interesting revelation from the study is, though people want their jobs to fit their more flexible lifestyles, there are still some lingering frustrations with remote access to corporate networks that are falling behind the times, and are unable to deliver an optimized telecommuting experience.

In fact, a shocking 77 percent of survey respondents are not completely satisfied with the remote access capabilities they’re given, and 30 percent said they don’t have any remote access at all. That’s a major problem, as 99 percent said “they need to be able to access business files and applications via their computer or mobile device if they’re to get their jobs done.” Reading between the lines, it’s clear that there is substantial room for improvement with regards to the way enterprises are handling their remote access. So what can be done?

Give the people what they want

The fact of the matter is that VPNs enable worker collaboration that could not otherwise be accomplished. And interestingly enough, more than half (57 percent) said they prefer using a VPN over alternative data sharing technologies such as Dropbox. Unfortunately for remote employees far too many enterprises are not implementing the right VPNs that give employees the network access they need.

Truthfully, employees have a right to be disgruntled. With all of the remote access technology available today, there’s really no excuse for connectivity (identified as one of the top issues with VPNs currently) to be a problem at all. That includes when people change their connection from the Wi-Fi at a local coffee shop to a 4G network. This type of seamless roaming is currently a luxury service, delivering optimized connectivity and performance to employees constantly on the go.

As the research indicates, however, moving forward it will be imperative for VPNs to have this functionality and support all types of user devices and operating systems if enterprises hope to keep remote employees happy and efficient. It’s really just that simple.

By now, you’ve likely heard about the recently discovered Heartbleed bug. At its simplest, this bug allows cyber criminals to exploit a flaw in technology that encrypts sensitive information, making all types of communications sent over an “HTTPS” connection, including emails and online credit card payments, as easy for them to read as this sentence. But that’s not all – once that sensitive personal and/or company data is obtained, cyber criminals can then use the stolen online personas to gain access to other password-protected areas, such as online banking accounts, social media channels and corporate networks. Security expert Bruce Schneier said that “on the scale of 1 to 10, this is an 11.” Understandably, there’s a lot of media attention being given to this topic. But before hitting the panic button, read on to see how exactly your enterprise, or even you personally, might be affected.

What’s the Heartbleed bug again?

Secure sockets layer (SSL) and transport layer security (TLS) are widely used protocols that secure a wide range of communications across the Internet, from IMs to remote access, and Heartbleed is a vulnerability specific to an open-source implementation of these protocols aptly called OpenSSL. The bug gets its name from the nature of its attack, which involves piggybacking on an OpenSSL feature known as heartbeat. By exploiting this susceptibility, cyber criminals can compromise users’ cryptographic SSL keys, making what should be encrypted communications appear in plain text.

Why it’s a problem

According to Neil Rubenking of PC Mag’s SecurityWatch, the website “that was created to report on Heartbleed states the combined market share of the two biggest open source Web servers using OpenSSL is more than 66 percent.” And, as Douglas Crawford of Best VPN notes, “[Heartbleed] particularly affects websites that are powered by the Apache web server, but as this is over 50 percent of all websites on the Internet, this is of little comfort.” The threat to the average end user is apparent – cyber criminals exploiting this encryption flaw can easily intercept credit card information and other types of sensitive personal data. But enterprises are at risk, too, especially given the large number of organizations that have coped with BYOD by implementing SSL VPNs.

How to address the issue

We often discuss how the mobile security industry as a whole tends to be more reactive than proactive when it comes to identifying and mitigating threats. However, in a strange twist of irony, older versions of SSL are immune to Heartbleed. But that doesn’t mean that you shouldn’t take action. Rather, it’s a good idea to leverage ephemeral keys (a cryptographic key that is generated for each execution of a key establishment process) to further solidify an enterprises defense against the bug. If you are operating with a VPN that uses the compromised OpenSSL, ZDNet’s Steven J. Vaughn-Nichols hits the nail on the head – you need to revoke your old SSL digital certificate from your certificate authority (CA) and get a new one. If you don’t, “It would be like you replaced your old lock with a brand new one… that takes the same old key.”

Once the certificate has been renewed, the next step is to contact your VPN provider to find out how they’re handling the situation. If your VPN has central management capabilities, compromised certificates can be automatically revoked and replaced with new ones for all users by network administrators. A centrally managed VPN that can interoperate with other network and security technologies is a crucial component of a broader defense in depth strategy. If a user is compromised, technologies such as dynamic personal firewalls, a robust anti-virus solution, anti-malware software, etc. can work together to mitigate further risk and keep other users and the network safe. Despite its effectiveness, unfortunately it often takes a major revelation such as the Heartbleed bug to help enterprises recognize the importance of shoring up their network security.

If your provider is not hurrying to patch the hole in their OpenSSL implementation and/or taking steps to better implement a defense in depth framework, you may be justified in hitting the panic button. In these instances, it’s imperative to make your customers aware of the threat and what you’ve done to address it, in addition to outlining the proactive steps they can take to protect themselves. For more information, please reach out to NCP engineering via emailing or LinkedIn.

Virtual Private Networks as a Service (VPNaaS), Managed Security Service Providers (MSSP) and Cloud Remote Access are different solutions addressing the same market requirement – the ability for remote employees to securely access corporate networks via the Internet with a managed solution.  Many enterprises have realized the benefits of using cloud services in other areas of their IT infrastructure. As a result, they no longer want to absorb the costs and management effort involved in hosting their own VPN gateways, especially ones with large numbers of remote endpoints.

Striking a balance between giving remote employees the flexibility they desire while ensuring sensitive company data remains secure is admittedly a fine line to walk. Enterprises have faced that challenge for several years now as they’ve wrestled with the bring-your-own-device (BYOD) movement. Factoring the cloud into the equation only compounds the complexity of the situation. That’s why many companies today are outsourcing the operation of the VPN to a cloud solutions provider such as HOSTING. However, not all VPNs are created equal, and enterprises need to carefully examine what a provider is offering.

What to look for

Be sure the provider offers simple, yet efficient management of your cloud-based VPN. For example, centrally managed VPNs give administrators the ability to easily set up, add or dele
te users as needed. With this approach, all configuration parameters are centrally stored. This approach makes it substantially easier for end users to establish connections while making it nearly impossible for employees to bypass or manipulate them.

Will end users need to reestablish a secure network connection each time their connection channel changes? If the answer is yes, that remote access solution is probably not going to deliver the flexibility that you need. For example, your cloud VPN should make it easy for employees to change from Wi-Fi to 4G connections without stopping to reconfigure their settings each time the medium changes. If the solution is able to support the wide array of operating systems being used by your employees, that’s a major plus. So, too, are integrated personal firewalls that are capable of dynamically adapting to the type of connection the end user is leveraging.

And let’s not forget about the biggest allure to the cloud – cost-savings. Enterprises can save a lot of money by reducing their investments in hardware and software, as well as their specialist headcounts.  A cloud VPN enables them to do exactly that. Generally speaking, enterprises pay their cloud VPN providers a low per-user monthly fee. When that is combined with the cloud provider’s in-house staff, the resource savings can be substantial.

Going from “or” to “and”

By leveraging a VPN that offers a centrally managed, flexible and cost-efficient approach, enterprises can better cope with BYOD. The truth is, security and flexibility are not mutually exclusive. It’s not a matter of choosing between the security of a VPN or the flexibility and convenience of the cloud. Cloud VPNs provide enterprises with both the security and flexibility they need to tackle the complex challenges of today’s continuously evolving and increasingly mobile remote access space. Will your organization adapt, or will you be left behind?

**This post originally appeared on HOSTING. NCP engineering is part of the HOSTING Cloud Crew Partner Program.

Patrick Oliver GrafPatrick Oliver Graf has more than 18 years of technology sector experience in product and project management, marketing and international direct and channel sales. Since September 2011, Patrick has been general manager of secure remote access VPN solution provider
NCP engineering



At one point or another, we’ve all been blindsided by news that has literally changed our lives. Though we’re often left momentarily stunned, it’s imperative to figure out how to adjust and carry on. It’s not always easy, but you know the expression – where there’s a will, there’s a way.

However, the discontinuation of support for Windows XP is not news that should take anyone by surprise, as its April 8, 2014 retirement date was officially announced almost a full year ago. Cyber criminals surely have the date circled on their calendars, as the security risks posed to the numerous users and enterprises still using Windows XP beyond that date have been well documented. Recently, these risks have become both more prominent and dangerous. ZDNet reports that, using a form of malware called Backdoor.Ploutus, hackers are starting to remotely access a portion of the 95 percent of ATMs in the United States still using the soon-to-be deceased operating system (OS). “By simply sending a text message to the compromised system, hackers can control the ATM, walk up to it, and collect dispensed cash.” Clearly, this is a major cause for concern.

End of XPAnd it’s not exactly as if Microsoft has been trying to sweep the retirement of XP under the rug, either. In addition tosending pop-up dialog boxes encouraging users of the 488 million systems still using XP to upgrade to another Microsoft OS, the corporation even went so far as to recruit tech-savvy friends and family to help “old holdouts” make the transition. Unfortunately, the results have been lackluster. HelpNetSecurity reports that many users call these efforts a “poorly disguised sales pitch,” and, according to The Indian Express, as of February 25, 2014, 16 percent of large enterprises were still stuck on the old OS. What will it take to convince them to upgrade to newer, more secure operating systems?

Making the Migration from Windows XP

Tim Green of Network World put it bluntly, yet eloquently, “If you haven’t retired Windows XP and you haven’t been fired, get busy.” CIOs know that migration is far from a simple or quick process, and Green correctly observes that the larger the enterprise, the longer the migration to a newer OS will be. As Gregg Keiser of Computerworld explains, “If every PC sold in the next 12 months was one designed to replace an existing Windows XP system, it would take more than a year and a half – about 20 months – to eradicate XP.” Essentially, it boils down to this: getting end users and enterprises to make the OS switch will take some time, but it is a necessary evil.

The good news is there are some steps that can be taken to minimize the mobile security threats inherent to XP while that migration is taking place. For example, as Green observes, Network Access Control (NAC) will play an important role in “isolating XP machines on corporate networks and limiting what devices they can communicate with.” Securing these endpoints with a centrally managed remote access security solution is essential to safeguard against data breaches, especially for organizations with a BYOD policy in place. That’s because IT administrators can easily adjust network access settings for XP device users and revoke access in case of a breach. IT can also ensure that a device using the discontinued OS has the required antivirus and anti-malware programs or otherwise, place it within a quarantine zone until the OS or security software is updated. With the proper precautions, IT may even be able to remotely wipe the compromised devices.

Mobile Security in the post-XP World

In the end, though, it’s worth noting that best practices for secure remote access should not come to a screeching halt once the migration to a newer OS has been completed. Today’s increasingly skilled hackers will continue to exploit every potential security flaw they can identify, including devices using newer OSs, such as Windows 8, for example, to insecurely connect to a corporate network. Using a VPN is a tried and true way to ensure communications between corporate networks and end devices are protected via an encrypted tunnel, making it substantially more difficult for cyber criminals to intercept or manipulate the data being shared. The retirement of Windows XP marks the end of an era, but it also presents enterprises with a chance to fortify their mobile security strategies. Will your organization seize this opportunity?

When most people think of threats to their computer systems and networks, the usual suspects come to mind — malware and keystroke loggers that are meant to steal passwords to remotely access corporate networks and online accounts. Then, of course, there are the viruses designed simply for the sake of destruction, rendering one’s computer little more than an expensive, oversized paperweight.

But perhaps the most dangerous threat of all is one that, while it has been around for a long time, is only now coming into prominence. It’s called “ransomware,” and if it sounds scary, that’s because it is. CryptoLocker is a well-known example circulating today. Ransomware is an accurate moniker, as this breed of malware encrypts the contents of your computer and then its creator offers to provide the decryption key — for a nominal fee, of course.

Thinking of booting up in safe mode and deleting the ransomware from your computer? That’s all well and good, except your files are still encrypted and you still don’t have the key to unlock them.

Ransomware Threatens Enterprises on Multiple Levels

Encrypting your most important files isn’t the only method that cyber criminals employ, however. They can also place files on your computer that put you in an awkward position. Common practice includes downloading indecent materials on a computer that one uses for work. Employees fearful of losing their jobs for having illicit content found on their devices are that much more likely to pay the “ransom.”

And if it works against one employee, cyber criminals have good reason to suspect that others in the same organization will acquiesce, meaning the organization’s entire workforce has now become a target. Not to mention the fact that if machines used to access the corporate network are being infiltrated by the likes of CryptoLocker, the next logical step is for the cyber scoundrels to target the company directly, holding critical files on the network for ransom, and likely at a much higher ransom than the individual employees were “invited” to pay. Even more worrisome is that beyond individual files, the network itself could be held for ransom, if a hacker gained the necessary read and write privileges by infiltrating a network administrator’s device. Cybercrime goes where the money is, and eventually, all roads lead to the enterprise.

The Link Between Ransomware and BYOD

So why is ransomware gaining so much momentum among cyber criminals? Well, its rise to prominence has paralleled the explosion in popularity of the bring-your-own-device (BYOD) movement. The number of personally owned mobile devices connecting to corporate networks and being granted access to critical files is at an all-time high. It’s what you would call a “target-rich environment,” where hackers and their ilk have no shortage of potential victims to choose from.

What makes for an even scarier scenario — as if there wasn’t enough already — is that an individual looking to deploy CryptoLocker or similar machinations doesn’t even have to be an expert in encryption algorithms. As a recent CSO article points out, ransomware toolkits can be developed and sold to those willing to pay the price tag. This means that anyone with a few bucks and ill intent, regardless of their hacking know-how, could start targeting people and companies.

Defense in Depth vs. Ransomware

As the threat landscape continues to evolve, enterprises need to adjust their approach to security in kind. Remote access and BYOD have become too ingrained in the working world to disappear now. The top-level talent that every company wants to attract will only sign on the dotted line if they are afforded what were once considered luxuries, but are now simply expected.

The answer is for enterprises to implement a comprehensive, defense in depth information security framework that allows for BYOD and remote access without compromising the corporate network. Because IT staff can’t monitor everything employees do on their devices, enterprises should invest in interoperable solutions that can work together to prevent threats like CryptoLocker. The first line of defense would be to require best-of-breed anti-virus and anti-malware solutions on employee devices to protect them against a range of malicious software. Next, those solutions could work in tandem with other network and security solutions such as firewalls blocking access to known CryptoLocker servers, Intrusion Prevention Systems which can block the malware from interacting with the remote command-and-control server and a robust VPN solution that offers central management capabilities to monitor endpoint devices and ensure anti-virus tools are up-to-date. With a centrally managed VPN, users with old versions are sent into a digital quarantine zone until their software has been updated, ensuring that every device accessing the corporate network is properly secured. Central management also means that IT administrators can roll out security and remote access policy updates across the whole company than working their way manually through one device at a time.

With a defense-in-depth strategy that includes network and security components working together to prevent and mitigate threats, enterprises will be well on their way to defending against the rapidly expanding threat vector known as ransomware.