A fundamental cornerstone of security is layers. We use passwords to authenticate our users, run antivirus to keep malware off our endpoints, monitor our networks, and implement firewalls so we can have multiple defenses against attackers.
Then, our team members travel for business or work from home and sit outside of all of those layers of security. How do we layer security for remote workers working on unsecured networks? And what happens if an employee’s credentials are stolen—how vulnerable do we become?
These issues have become even more critical in an age of remote work.
Meanwhile, our corporate data still exists within the corporate data center, but some might also be migrating to the cloud or to SaaS applications that are out of our control. The many solutions available mirror the breadth of possible use cases, but we can achieve a high-level understanding by reviewing the four most common solutions: RDP, VPN, VDI, and DaaS. All these technologies can present security challenges, which makes zero trust principles important in any remote access solution.
RDP: A Pre-Cloud Solution
The most common way to access work computers from outside the network used to be Remote Desktop Protocol (RDP). While still widely used, RDP’s security vulnerabilities make it challenging to secure, and as such, RDP has faced a decline in popularity.
In its default configurations, older versions of RDP do not use encryption to pass through credentials and session keys. This makes the protocol vulnerable to man-in-the-middle attacks where an attacker can intercept and see all information packets. Administrators can enable transport layer encryption to mitigate this issue, but this is just the start of the problems.
A main weakness is credentials. RDP sessions often store credentials in memory, where they can be stolen by an attacker who gains access. However, even without access, attackers often succeed with credential stuffing, in which credentials stolen from one breach are tried against other sites where users may have reused passwords. Administrators do not typically manage RDP credentials, so users may pick their own.
Sadly, employees often simply reuse their login credentials for convenience. A LastPass survey found that while 92% of users know they shouldn’t, 65% reuse credentials or variations in many different ways. Even large security companies suffer credential stuffing breaches from old or reused passwords, so the average company can be assumed to be vulnerable.
Additionally, many of us don't keep our RDP software updated. A year and a half after Microsoft released patches for the BlueKeep RDP bug, researchers detected hundreds of thousands of RDP devices still unpatched and vulnerable. Attackers frequently target open firewall ports commonly used for RDP to take advantage of exposed vulnerabilities and gain access to both the endpoint and the network.
However, these security weaknesses can be countered. Admins can require multi-factor authentication (MFA) or single sign-on (SSO) so that a weak or reused RDP desktop password alone no longer grants access, and credentials can then be centrally managed to improve user authentication security.
To limit attacks on the firewall, the IP address ranges allowed to reach RDP can be restricted to approved locations. However, this approach is labor intensive: for every employee on the road, each hotel, airport, and coffee shop requires a new IP address to be whitelisted and then removed again when the employee moves on. It is simply easier to run RDP through a secure tunnel instead.
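As an added example (not from the article), the following PowerShell script applies the two RDP mitigations discussed above on a Windows host: it switches the listener from the weak legacy defaults to TLS with Network Level Authentication, and narrows the built-in "Remote Desktop" firewall rules to an approved source range. The `203.0.113.0/24` range is a constructed placeholder, and the `Get-RdpSecurityState` / `Set-RdpHardening` function names are my own.

```powershell
# Added example (not from the article): harden the built-in RDP listener and
# narrow the Windows Firewall "Remote Desktop" rules to an approved source range.
# Run as Administrator on the Windows host that accepts RDP connections.
# The allowed range below is a constructed placeholder (RFC 5737 documentation
# space); replace it with the organisation's real VPN or office egress range.
$ApprovedRanges = @('203.0.113.0/24')
$RdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpSecurityState {
    # Read the listener settings that decide whether credentials travel over TLS
    # and whether a user must authenticate before a full session is built.
    $p = Get-ItemProperty -Path $RdpTcp
    [pscustomobject]@{
        SecurityLayer              = $p.SecurityLayer               # 0=RDP, 1=Negotiate, 2=TLS only
        UserAuthenticationRequired = $p.UserAuthenticationRequired  # 1 = Network Level Authentication
        MinEncryptionLevel         = $p.MinEncryptionLevel          # 3 = High (128-bit)
        FirewallRemoteAddress      = (Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
                                       Get-NetFirewallAddressFilter |
                                       Select-Object -ExpandProperty RemoteAddress -Unique) -join ','
    }
}

function Set-RdpHardening {
    param([string[]]$AllowedRemoteAddress)
    # Weak settings seen on older builds: SecurityLayer=0 (legacy RDP security,
    # no TLS) and UserAuthenticationRequired=0 (session stood up before logon).
    Set-ItemProperty -Path $RdpTcp -Name SecurityLayer -Value 2 -Type DWord
    Set-ItemProperty -Path $RdpTcp -Name UserAuthenticationRequired -Value 1 -Type DWord
    Set-ItemProperty -Path $RdpTcp -Name MinEncryptionLevel -Value 3 -Type DWord
    # Replace the default "Any" remote address on the RDP rules with the approved
    # ranges. Every new travel location means editing this list and re-running the
    # script, which is the labor cost the article describes.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Set-NetFirewallRule -RemoteAddress $AllowedRemoteAddress
}

Write-Output 'Before:'; Get-RdpSecurityState
Set-RdpHardening -AllowedRemoteAddress $ApprovedRanges
Write-Output 'After:';  Get-RdpSecurityState
```

The "Before" output is also a quick audit on its own: a `SecurityLayer` of 0 or a `FirewallRemoteAddress` of `Any` on an internet-facing host is the exposed configuration the article warns about.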
VPNs: An Imperfect Solution
While there are many private RDP and Secure Tunnel applications, the most common category is the Virtual Private Network (VPN). VPNs address the issue of unsecured networks by creating encrypted point-to-point connections and avoid many of the data intercept issues of RDP.
Since VPNs encrypt communication, our corporate security effectively extends past our firewall and onto the remote-work endpoint. However, this does not really provide extra layers of security because the VPN servers typically lie behind the protection of the firewall.
VPNs remain vulnerable to stolen credentials, zero-day attacks, and sloppy updating. As with RDP, user security can be tightened through MFA or SSO access; however, in both cases a breach of the endpoint device places the attacker within the corporate network and behind other layers of defense.
Additionally, VPNs typically require dedicated virtual or physical hardware, which still can only manage a modest number of connections. This scalability issue is complicated by other costs in terms of licensing, hardware, corporate bandwidth, and the labor costs for IT management.
Lastly, dialing into the corporation with RDP or VPN only to reach back out through the firewall to access cloud applications doesn’t make operational sense. Nor do employees always do so. Sometimes they directly access cloud applications and forgo security protection. For many organizations, it makes more sense to consider cloud-ready solutions.
One new technology that’s been touted as a replacement for VPNs is zero trust, which assumes that no user should be trusted until verified, a promising approach that can wall off critical applications and data even from hackers who are already inside your network.
VDI: A Virtualized Solution
Virtual Desktop Interface (VDI) sessions offer the option of virtual computers within the corporate data center or on the cloud. Similar to VPN, these sessions create end-to-end encrypted access to a desktop that can be further secured with MFA or SSO—but virtualization adds additional benefits.
First, if attackers steal credentials and breach a virtual desktop, they have not thereby bypassed the corporate firewall and gained access to the network. Instead, attackers must navigate a virtual environment, which can be locked down with limited access (again, zero trust principles at work).
Also, VDIs can be launched as instances so there is no hardware sitting around waiting to be pinged by attackers. Instead, VDI managers can launch systems as needed and save resources for the organization.
Launching VDIs in the cloud eliminates the operational inefficiencies for access to cloud resources such as websites, cloud storage or cloud applications like Office365, GoogleDocs, and Salesforce. For smaller businesses with tighter budgets, many cloud providers also offer Desktop-as-a-Service (DaaS). DaaS offloads infrastructure management to the service provider and permits rapid scalability to meet large increases and decreases in demand.
Which Remote Access Solution is Best? It Depends
RDP, VPN, VDI, and DaaS all provide tradeoffs between security, cost, deployment resources, and accessibility. Each organization will need to consider their own resources, employees, and legacy investments to determine both what is the appropriate solution for today and the target solution for the future.
Regardless of which you choose, zero trust needs to be on everyone’s radar. Limiting access to critical apps and data is the very best last layer of defense.