The Covid-19 crisis and its corollary, the sudden lockdown of companies, led many CIOs to urgently deploy security solutions so that employees could work from their own computers at home. Faced with the need to secure company data, IT managers have generally relied on virtual private networks, or VPNs. But in a world where telecommuting is becoming the norm and the IT environment is undergoing a revolution, the security model based on network protection, and its Internet corollary the VPN, the Alpha and Omega of the traditional corporate data security model, is now blamed for every ill. In conclusion, we outline a number of possible solutions, depending on the company's needs.

What is a VPN?
Let's go back to the Wikipedia definition: "A virtual private network, abbreviated VPN, is a system for creating a direct link between remote computers, isolating their exchanges from the rest of the traffic taking place on public telecoms networks. The term is used for remote working and cloud computing."

VPN at cross-purposes
First of all, it's important to clear up the initial confusion surrounding VPNs. One use of a VPN is to surf the Internet from an internal network using someone else's IP address, a way of shifting responsibility for your employees' online activity elsewhere. Taking out such a subscription with a VPN provider in no way protects internal company data, which remains just as exposed to the Internet. With the exception of hotels, railway stations and public services, this use of a VPN is rarely professional.

VPN: the drawbridge of a moated castle
An SME, on the other hand, wants to reconnect employees who access its protected internal network from the Internet, and to give them access to all the company's services as if they were on its premises. The analogy of a fortress surrounded by a moat and entered over a drawbridge is apt. The traditional security model remains unchanged: those outside the protected network are the enemy, and those inside belong to the trusted perimeter. The internal network is the castle, the bastion and firewalls are the moat, and the VPN is the drawbridge. In a nutshell, an "on-site" VPN is a function of the company's router that bridges the gap between the company's private network, the LAN (Local Area Network), and the outside world, the WAN (Wide Area Network). It enables access from the Internet to machines that exist only on the LAN.

The VPN perimeter security model is reaching its limits
The press regularly reports cases of companies whose important data has been breached because an employee or service provider was tricked by phishing, because an eavesdropper managed to plug a listening device into the company's internal network, or because a hacker managed to take remote control of sensitive data servers. With the rise of mobile devices, and telecommuting taking employees outside the company's physical walls, it is becoming impossible to ask employees to connect through a limited number of central VPN servers. In such a centralized organization, the VPN, as the only gateway to corporate data, becomes a bottleneck for the employee, because in this telecommuting situation, where more and more autonomy is required, employees are encouraged to use their own computers, even when traveling on business. The resulting latency and very slow, even unstable, VPN connections generate a great deal of frustration and complaints to IT departments. Users who can no longer cope with these constraints inevitably set up their own workarounds: unsecured drawbridges over the moat, providing hidden access to the castle. Not the least of the paradoxes is that excessive security becomes the main vector of the dreaded risk: the insecurity of sensitive corporate data. Last but not least, the online VPN channel generally passes within reach of governments and their extraterritorial laws, such as the American CLOUD Act, exposing companies to legal insecurity and potential regulatory problems.

The teleworking environment is undergoing a revolution
Physical distance is changing work organization for good:
- Telecommuting is becoming the norm; open-plan offices and office buildings the exception.
- The personal workstation ("Bring Your Own Device" or BYOD) becomes the default tool for accessing corporate IT, and the old business desktop joins the typewriter in the museum of tools of the past.
- Internet access is becoming the norm, while intranets and private networks are becoming handicaps to mobility.
- "Low cost" public cloud and SaaS applications, thanks to their agility and scalability, are becoming the norm, provided that the security of the data exchanged can be controlled, as mobile working situations are less and less predictable. They enable us to adapt very quickly to change. On-premise or dedicated infrastructures will become the exception.
- The new secure collaboration ecosystem needs to do better for less while providing ergonomics and ease of use: security must not come at the price of increased complexity, or it will be immediately rejected by the average user.
"Zero Trust Security", or trusting only yourself
Since VPNs are no longer the Alpha and Omega of data security for SMBs, since the security model is no longer based on the perimeter protection of a fortified network, and since the threat is present both inside and outside the network, on the public cloud and at outsourcers, what alternatives are available to SMBs for sharing sensitive data from any terminal with Internet access? The concept has a name: "Zero Confidence Security", or Zero-Trust Security. From now on, it is all about minimizing exposure to trusted players such as public clouds, administrators and networks, while still using their services for what they provide in terms of efficiency and cost-effectiveness.

The triple trust paradigm
First and foremost, and whatever the choice of security architecture, it is important to understand that data security requires triple trust:
1) Trust in security, which guarantees that the person accessing a service is indeed the person he or she claims to be. There are several answers to this problem, well resolved both technically and functionally:
- Identity federation, coupled with a two-factor authentication mechanism, meets this need; it must itself be based on a secure directory, generally coupled with a key management infrastructure adapted to the company's security requirements. This type of service is ideal for organizations wishing to centralize their IT and have complete control over their data. It is not suited to a "multi-organization" architecture, where people are not expected to know each other.
- Key auto-generation on the work terminal, coupled with a trusted enrolment mechanism, responds to a much more fragmented, "resistance network" type of organization. It does not require a central directory. This is the concept of CCYOK, or Create and Control Your Own Key.
- VPNs only partly meet this need because, as we have seen, governments have the ability to intercept data.
- HTTPS is used universally on the Internet: it is the most efficient and least expensive way of securing transport.
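The CCYOK pattern described above (a key pair created on the terminal, a trusted enrolment step, no central directory) as an added illustration in Go; this is not code from the original article. The device keeps its private key, a person confirms the key's fingerprint out of band, and the service grants access only to enrolled keys that sign a fresh challenge. The Service, Enrol, Challenge and Verify names and the 8-byte fingerprint are assumptions made for this example.

```go
// Added illustration of the CCYOK pattern; names here are assumptions, not a real product's API.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// NewTerminalKey runs on the work device (CCYOK): the key pair is created there
// and the private key never leaves it. Only the public key is ever shared.
func NewTerminalKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Fingerprint is the short digest a person confirms out of band (in person, by phone)
// before the service will trust the key; this step replaces the central directory.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// Service stores only enrolled public keys: there is no user directory and no
// server-side secret whose theft would let an attacker impersonate a device.
type Service struct{ enrolled map[string]bool }

func NewService() *Service { return &Service{enrolled: map[string]bool{}} }

// Enrol admits a key only when the fingerprint confirmed out of band matches it.
func (s *Service) Enrol(pub ed25519.PublicKey, confirmedFP string) error {
	if Fingerprint(pub) != confirmedFP {
		return errors.New("fingerprint mismatch: enrolment refused")
	}
	s.enrolled[string(pub)] = true
	return nil
}

// Challenge is a fresh random nonce, so a signature captured in transit cannot be replayed.
func (s *Service) Challenge() ([]byte, error) {
	n := make([]byte, 32)
	_, err := rand.Read(n)
	return n, err
}

// Verify grants access only if the key is enrolled and signed this exact challenge.
// The device answers with ed25519.Sign(priv, challenge); the service never sees priv.
func (s *Service) Verify(pub ed25519.PublicKey, challenge, sig []byte) bool {
	return s.enrolled[string(pub)] && ed25519.Verify(pub, challenge, sig)
}
```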