How can I safely free myself from my VPN?


KEY FIGURES

The Covid-19 crisis and its corollary, the abrupt lockdown of businesses, forced many CIOs to deploy security solutions in a hurry so that employees could work from their own devices at home. Faced with the need to protect company data, IT managers have generally relied on virtual private networks (VPNs). But in a world where teleworking is becoming the norm and the IT environment is being turned upside down, the security model based on protecting the network, together with its Internet counterpart the VPN, long the alpha and omega of corporate data security, is now blamed for every ill. We conclude by outlining several possible solutions, depending on the company's needs.

What is a VPN?

Let's start from the Wikipedia definition: "A virtual private network, abbreviated VPN, is a system for creating a direct link between remote computers, isolating their exchanges from the rest of the traffic on public telecommunications networks. The term is used for remote working and cloud computing."

VPNs at cross purposes

First of all, a common confusion needs clearing up. One thing called a VPN is the consumer service that lets a user browse the Internet from an internal network behind someone else's IP address; for an employer, subscribing to one mostly amounts to handing responsibility for employees' online activity to a third party. Such a subscription does nothing to protect internal company data, and can even expose it, since all of the subscriber's traffic now transits the provider's servers. Apart from securing connections made from hotels, railway stations and other public networks, this kind of VPN rarely has a professional use.

VPN: the drawbridge of a moated castle

An SME, by contrast, wants to reconnect employees who reach its protected internal network from the Internet, and to give them access to all of the company's services as if they were on the premises. The image of a fortress surrounded by a moat and reached by a drawbridge fits well. The traditional security model is unchanged: those outside the protected network are the enemy, and those inside belong to the trusted perimeter. The internal network is the castle, the bastion hosts and firewalls are the moat, and the VPN is the drawbridge. In a nutshell, an "on-site" VPN is a function of the company's router or firewall that bridges the private network, the LAN (Local Area Network), and the outside world, the WAN (Wide Area Network). It lets machines that exist only on the LAN be reached from the Internet.

The VPN perimeter security model is reaching its limits

The press regularly reports cases of companies whose critical data has been breached because an employee or contractor was tricked by phishing, because an intruder managed to plug a listening device into the internal network, or because an attacker took remote control of sensitive data servers. In each case the perimeter model itself is the weakness: once past the drawbridge, an attacker is treated as trusted.

With the rise of mobile devices, and with teleworking taking employees outside the company's physical walls, it is no longer realistic to funnel everyone through a handful of central VPN servers. In such a centralized setup the VPN, as the only gateway to corporate data, becomes a bottleneck for the employee, all the more so because teleworking demands autonomy and pushes employees towards their own machines, including when travelling on business. Latency and very slow or unstable VPN connections generate frustration and a steady stream of complaints to IT departments. Users who can no longer cope with these constraints inevitably build their own workarounds: unsecured drawbridges over the moat, hidden ways into the castle. The paradox is that excessive security becomes the main vector of the very risk it was meant to avert, the exposure of sensitive corporate data.

Last but not least, when the VPN service is operated or hosted by a provider subject to extraterritorial laws such as the US CLOUD Act, the traffic passes within reach of foreign governments, exposing the company to legal uncertainty and potential regulatory problems.

The teleworking environment is undergoing a revolution

Physical distance is changing the organization of work for good:
  • Teleworking is becoming the norm; open-plan offices and office buildings the exception.
  • The employee's own device ("Bring Your Own Device", BYOD) becomes the default tool for accessing corporate IT, and the old corporate desktop joins the typewriter in the museum of bygone tools.
  • Internet access is becoming the norm, while intranets and private networks become a handicap to mobility.
  • Low-cost public cloud and SaaS applications, thanks to their agility and scalability, are becoming the norm, provided the security of the data exchanged can be controlled, since mobile working situations are less and less predictable. They make it possible to adapt to change very quickly. On-premises or dedicated infrastructures will become the exception.
  • The new secure collaboration ecosystem has to do better for less while remaining ergonomic and easy to use: security must not come at the price of added complexity, or the average user will reject it outright.
This new organization of human relations over the Internet widens the threat surface. Data security in this new ecosystem has to be built on the principle of "Zero Trust", with a micro-perimeter approach to protection. The GDPR further reinforces this requirement. Moreover, extraterritorial laws threaten the sovereignty of states and create legal uncertainty for executives. Sensitive exchanges must now take place under a Zero Trust paradigm, on potentially hostile networks and servers and in the public cloud. Finally, we do not know whom we will be working with tomorrow. Exchanges of sensitive data must be structured like a resistance network in wartime: centralized data management is out, and groups of people and organizations are compartmentalized. Taken to the extreme, there is no visible directory at all.

Zero Trust Security, or trusting only yourself

Since VPNs are no longer the alpha and omega of data security for SMBs, since the security model no longer rests on the perimeter protection of a fortified network, and since the threat is present both inside and outside the network, in the public cloud and at outsourcers, what alternatives do SMBs have for sharing sensitive data from any terminal with Internet access? The concept has a name: Zero Trust Security. From now on the goal is to minimize the trust placed in the parties one depends on, public clouds, administrators and networks, while still using their services for the efficiency and cost-effectiveness they bring.

The triple trust paradigm

First of all, whatever security architecture is chosen, data security rests on three kinds of trust.
1) Trust in authentication, which guarantees that the person accessing a service is indeed who they claim to be. This problem has several well-established answers, both technical and functional:
  • Identity federation coupled with two-factor authentication meets the need; it must itself rest on a secure directory, generally coupled with a key-management infrastructure suited to the company's security requirements. This kind of service is ideal for organizations that want to centralize their IT and keep complete control over their data. It is not suited to a "multi-organization" architecture in which people are not expected to know each other.
  • Keys generated on the work terminal itself, coupled with a trusted enrolment mechanism, answer a far more fragmented, "resistance network" style of organization. No central directory is required. This is the concept of CCYOK, Create and Control Your Own Key.
2) Trust in network and transport security, which guarantees that a third party cannot intercept the data flow. The main answers are VPNs, dedicated or proprietary networks, and HTTPS:
  • VPNs meet this need only partly since, as we have seen, the traffic remains within reach of governments and their extraterritorial laws.
  • HTTPS is used universally on the Internet: it is the most efficient and least expensive way of securing transport. Note that it protects data only in transit; what the server does with it afterwards is a separate question, and the subject of the third kind of trust.
3) Trust in the security of the data sharing itself, which guarantees that exchanges between several authenticated people stay honest and confidential with respect to IT service providers, administrators, hosting companies, clouds, networks and even foreign states.

Data security requires a delegation of trust

Security consists in reducing identified risks by relying on a trusted third party proportionate to the identified threat:
  • If I do not trust my machine and its operating system, I will confine my exchanges to a sealed network with no communication with the outside world.
  • If I do not trust Amazon Web Services, Microsoft Azure or Google because of the CLOUD Act, I will organize myself on an infrastructure holding the ANSSI's SecNumCloud qualification.
  • If I trust no one, but for practical or economic reasons need to reach my services from the Internet, I will have to encrypt all my exchanges end-to-end, while remaining exposed to my machine being compromised by a "zero-day" flaw.

A first candidate solution: The dedicated or delegated “Zero Trust” physical network

Some service providers that have applied for trusted-supplier status offer access to a company's internal infrastructure from anywhere in the world with an Internet connection, over their own proprietary physical network, independent of the Internet. The client company supplies its internally hosted applications and its identity federation system; the provider supplies its proprietary physical network, the Internet access points and the application security layer. This is undoubtedly a good "network zero-trust" answer for running a legacy application infrastructure securely, but it requires trusting a new player, one that may itself be subject to the CLOUD Act. It does not give a satisfactory answer to our security problem.

A second solution: “Zero Trust” and “Zero Knowledge” software security by design

In cryptology, zero-knowledge proofs are a basic building block for authentication and identification protocols. The term is used here in the broader sense common in the storage world: PARSEC is "Zero Knowledge" because everything that leaves the terminal is already encrypted and therefore totally unusable by a third party.

PARSEC: trust the cloud

PARSEC enables sensitive documents to be shared and compartmentalized securely in private or public clouds. It is a set of open-source software components, available as desktop software, for collaborative file management. "PARSEC offers an original concept of a "Zero Trust" and "Zero Knowledge" software solution by design that only requires you to trust your terminal, to the exclusion of any other trusted actor."

How does it work? Secure sharing is carried out through a mount point or a dedicated user interface. PARSEC secures sensitive data before it is stored in public clouds, guaranteeing:
  • confidentiality,
  • integrity,
  • version history,
  • access control,
  • non-repudiation,
  • authenticity, and
  • management of concurrent edits.
Documents are encrypted end-to-end with personal keys generated on the user's own terminal. PARSEC enables micro-perimeter control of data and multi-organization sharing, including with organizations outside our own trusted perimeter. PARSEC is an Open Source, AGPL-licensed high-security component, developed with the support of the French Ministry of Defence and in partnership with the research community.

Scille is a company specializing in the digital transformation of key accounts and the sharing of sensitive data in the cloud.
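To make the "triple trust" model of the earlier section and the end-to-end sharing just described concrete, here is an added example written for this article. It is not PARSEC's code and does not follow PARSEC's actual key hierarchy or file formats; it only demonstrates the principle. A Device generates its own Ed25519 signing key and X25519 key-agreement key on the terminal (the CCYOK idea), and the trusted enrolment step is reduced to handing a Public() identity to a peer out of band. A document is encrypted under a fresh AES-256-GCM key, that key is wrapped for each recipient under a pairwise X25519-derived key, and the author signs the whole envelope. The envelope is all the cloud ever stores. The names alice and bob, the sample document, the "demo-wrap-v1" label, the labelled-hash KDF and the must/seal/open helpers are assumptions of this illustration and belong to no real product.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// must keeps the demo short: these calls fail only on malformed keys or a broken CSPRNG.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Device models a user's terminal: both key pairs are generated on it and the private halves never leave it.
type Device struct {
	Name     string
	SignPub  ed25519.PublicKey
	EncPub   *ecdh.PublicKey    // X25519
	signPriv ed25519.PrivateKey // authenticity and non-repudiation
	encPriv  *ecdh.PrivateKey   // unwraps per-document keys addressed to us
}

// Envelope is the opaque blob handed to the cloud; without a recipient's private key none of it is usable.
type Envelope struct {
	Author     string
	Ciphertext []byte            // nonce||AES-256-GCM(document) under a fresh document key
	Keys       map[string][]byte // recipient -> nonce||AES-256-GCM(document key) under the pair key
	Signature  []byte            // author's Ed25519 signature over the three fields above
}

func NewDevice(name string) *Device {
	seed := make([]byte, ed25519.SeedSize)
	must(rand.Read(seed))
	sk, ek := ed25519.NewKeyFromSeed(seed), must(ecdh.X25519().GenerateKey(rand.Reader))
	return &Device{name, sk.Public().(ed25519.PublicKey), ek.PublicKey(), sk, ek}
}

// Public is the identity a device hands to peers out of band: private keys stripped.
func (d *Device) Public() Device { return Device{Name: d.Name, SignPub: d.SignPub, EncPub: d.EncPub} }

// seal returns nonce||AES-256-GCM(pt) under a 32-byte key; open is its inverse.
func seal(key, pt, aad []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, pt, aad)
}

func open(key, blob, aad []byte) ([]byte, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(blob) < g.NonceSize() {
		return nil, errors.New("malformed or missing blob")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// pairKey is identical on both ends of an X25519 exchange: a labelled hash of the
// shared secret, a minimal KDF that is enough for the illustration (assumed, not PARSEC's).
func (d *Device) pairKey(peer *ecdh.PublicKey) []byte {
	sum := sha256.Sum256(append([]byte("demo-wrap-v1:"), must(d.encPriv.ECDH(peer))...))
	return sum[:]
}

// signedBytes is what the author signs and every reader rebuilds; encoding/json
// sorts map keys, so the serialisation is canonical on both sides.
func (e *Envelope) signedBytes() []byte {
	return must(json.Marshal([]any{e.Author, e.Ciphertext, e.Keys}))
}

// Seal encrypts doc under a fresh key, wraps that key for each recipient and signs the envelope.
func (d *Device) Seal(doc []byte, recipients []Device) *Envelope {
	docKey := make([]byte, 32)
	must(rand.Read(docKey))
	env := &Envelope{Author: d.Name, Ciphertext: seal(docKey, doc, []byte(d.Name)), Keys: map[string][]byte{}}
	for _, r := range recipients {
		env.Keys[r.Name] = seal(d.pairKey(r.EncPub), docKey, []byte(r.Name))
	}
	env.Signature = ed25519.Sign(d.signPriv, env.signedBytes())
	return env
}

// Open verifies the author's signature, unwraps the document key and decrypts;
// a non-recipient, a tampered blob or a wrong claimed author all fail here.
func (d *Device) Open(env *Envelope, author Device) ([]byte, error) {
	if author.Name != env.Author || !ed25519.Verify(author.SignPub, env.signedBytes(), env.Signature) {
		return nil, errors.New("signature check failed: tampered envelope or wrong author")
	}
	docKey, err := open(d.pairKey(author.EncPub), env.Keys[d.Name], []byte(d.Name))
	if err != nil {
		return nil, errors.New(d.Name + " is not a recipient or the wrapped key is corrupt")
	}
	return open(docKey, env.Ciphertext, []byte(env.Author))
}

func main() {
	alice, bob := NewDevice("alice"), NewDevice("bob")
	env := alice.Seal([]byte("constructed sample: Q3 board minutes"), []Device{bob.Public()})
	blob := must(json.Marshal(env)) // this is all the cloud ever stores
	doc, err := bob.Open(env, alice.Public())
	fmt.Printf("cloud holds %d opaque bytes; bob reads %q (err=%v)\n", len(blob), doc, err)
}
```

What the cloud, its administrators and anyone with legal reach over them ever see is the envelope: ciphertext, wrapped keys and the recipient names (the names are metadata, and hiding them is a separate problem this illustration does not tackle). No private key and no document key leaves a terminal, a non-recipient cannot unwrap the document key, and because the signature covers the recipient map, an envelope whose access list has been edited on the server no longer verifies. For production use one would replace the labelled hash with HKDF and the JSON trick with a length-prefixed or schema-defined encoding of the signed fields.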