Digital Craftsmen share best practice on how to secure VPN access across your business organisation.
Working from home is fast becoming a business norm, with more employees now enjoying the flexibility it offers them, and businesses, in turn, realising cost savings and increased employee satisfaction. According to figures from the Office for National Statistics, the number of employees telecommuting has increased to 4.2 million, with 34% of these working for a large organisation.
This has added another level of access and security responsibility to the already busy IT team workload, as employees need to access company information when working remotely.
Virtual Private Network (VPN) connections give remote users or regional offices access to a company’s private, internal network. The VPN tunnels data between the remote user and the company network inside an encrypted session, so that the data and files sent over it are protected in transit.
Although VPNs are designed to protect your company’s private network using encryption and other security measures, there are some important details and best practices involved in securing the VPN itself.
Do I need to secure connections with a VPN?
Operating in the cloud comes with its own challenges around access and security. Some of these challenges are dictated by company policy and others are externally mandated; typical examples are PCI compliance and sensitive data storage.
Most large deployments in the cloud are within ‘Virtual Private Clouds’ that use private IP address ranges and this immediately restricts the types of access your team can have to the system. The solutions are generally a fixed/private line into your cloud systems or a VPN to ‘tunnel’ traffic through an encrypted session between two points.
If you’re working with teams who need to connect into an environment or system and you have specific security requirements, then the answer to the question of whether to secure connections into the business with a VPN is invariably: YES.
Why Secure with VPNs?
The traditional method for accessing such a remote site would be a bastion host or jump box which administrators connect to, and from which they make onward connections to your servers. The modern weapon of choice for system administrators is VPN connectivity, and for good reasons:
- Ease for VPN users to connect to cloud instances
- Enhanced and consistent security
- Site to site and individual user connectivity
- Firewall and timed access restrictions
Using VPNs to connect into your cloud environment allows developers and users of those systems to transparently connect over encrypted tunnels to the systems to which they have been granted access. Access can also be logged and audited regularly if required, which is typically essential when processing financial information.
Types of VPN available
- IPsec – For site-to-site VPNs the de facto method is an IPsec tunnel keyed with IKEv2, which allows multiple networks at each site to be connected. IKEv2 has several advantages and security improvements over the older IKEv1 and should be preferred where possible. IPsec tunnels can be authenticated with certificates or with a pre-shared ‘secret’ key; certificates are preferable, and if a pre-shared key is used it must be long and randomly generated. Access for VPN users can be restricted on a schedule using firewall rules, and IPsec VPN connections offer a robust alternative to a fixed line.
- OpenVPN – Built on OpenSSL and public/private key pairs, OpenVPN uses the same TLS machinery that protects HTTPS websites, and can connect both sites and individual users to a network. Client connections require an OpenVPN client to be installed on the user’s computer; once it is installed and the certificates imported, the user has reliable connectivity into the network, which can optionally be secured further with Active Directory authentication or two-factor authentication. The TLS control channel can also be protected with a shared HMAC key (tls-auth or tls-crypt), so that packets from hosts without that key are dropped before any TLS handshake takes place.
- Point-to-Point Tunnelling Protocol (PPTP) VPNs – Deserve a posthumous mention, having been made popular by Windows Routing and Remote Access Server (RRAS). In the modern security landscape PPTP is considered insecure: its MS-CHAPv2 password exchange can be broken offline and the MPPE session encryption is derived from that exchange, so PPTP should now be phased out of use.
Improving VPN Security
Operating your own VPN infrastructure can be a complicated undertaking, and there may be improvements you can make to enhance its reliability, security and availability. Speak with your administrators and check what is possible with your systems:
- Check you are running current cryptographic ciphers and algorithms – Encryption technologies chosen 3-5+ years ago (for example Blowfish, DES/3DES or RC4 for data, MD5 or SHA-1 for integrity, and TLS 1.0 for the handshake) may now be considered vulnerable or ‘weak’.
- HA Failover – remove single points of failure from your access system by ensuring more than one device provides your VPN connectivity.
- Two-Factor Authentication (2FA) – Users connecting over OpenVPN can be secured with two-factor authentication; PCI DSS requires multi-factor authentication for remote network access into the cardholder data environment, and it is a common ‘add-on’. It requires the user both to know a password and to possess something (a hardware token or an authenticator app) that generates a one-time code.
- Central Logging – Tamper-resistant logging to a central location for firewall and VPN devices makes your audit trail reliable and satisfies additional PCI DSS logging requirements; a log kept only on the VPN device itself can be altered or lost by the same attacker who compromises that device.
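As an added example (not code from the original article or from OpenVPN itself), the following Python script audits an OpenVPN server configuration against the points in the list above: weak ciphers and digests, a missing TLS version floor, a missing control-channel key, disabled client-certificate checks and compression. The directive names are OpenVPN’s own documented options; the two embedded configurations are constructed for illustration, and the plugin path and key file names in them are assumptions.

```python
"""Audit an OpenVPN server configuration for weak or missing security settings.

Added example, not code from the original article. Directive names follow
OpenVPN's documented options; the sample configurations below are constructed.
"""
from __future__ import annotations

import shlex

# Ciphers that old OpenVPN builds still accept but that should no longer carry traffic.
WEAK_CIPHERS = {"none", "bf-cbc", "des-cbc", "des-ede-cbc", "des-ede3-cbc",
                "rc2-cbc", "rc2-40-cbc", "rc2-64-cbc", "cast5-cbc"}
WEAK_DIGESTS = {"none", "md4", "md5", "sha1"}


def parse_config(text: str) -> dict[str, list[list[str]]]:
    """Map each directive to every argument list it appears with.

    Skips comments and inline <ca>...</ca>-style blocks, whose PEM lines are not directives.
    """
    directives: dict[str, list[list[str]]] = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("<"):
            in_block = not line.startswith("</")
            continue
        if in_block or not line or line[0] in "#;":
            continue
        parts = shlex.split(line.split("#", 1)[0])
        if parts:
            directives.setdefault(parts[0].lower(), []).append(parts[1:])
    return directives


def audit_openvpn_config(text: str) -> list[tuple[str, str]]:
    """Return (severity, finding) pairs; an empty list means nothing was flagged."""
    cfg = parse_config(text)
    findings: list[tuple[str, str]] = []

    # Data-channel cipher: the fixed 'cipher' plus the 2.4+/2.5+ negotiation lists.
    cipher_set = False
    for directive in ("cipher", "ncp-ciphers", "data-ciphers"):
        for args in cfg.get(directive, []):
            cipher_set = True
            for name in ":".join(args).split(":"):
                if name.lower() in WEAK_CIPHERS:
                    findings.append(("HIGH", f"{directive} {name}: weak cipher, use AES-256-GCM or AES-128-GCM"))
    if not cipher_set:
        findings.append(("MEDIUM", "no cipher/data-ciphers directive: OpenVPN releases before 2.4 default to BF-CBC"))

    # HMAC digest used for CBC modes and for tls-auth packets.
    for args in cfg.get("auth", []):
        if args and args[0].lower() in WEAK_DIGESTS:
            findings.append(("MEDIUM", f"auth {args[0]}: weak digest, use SHA256 or stronger"))

    # Minimum TLS version accepted on the control channel.
    tls_min = cfg.get("tls-version-min")
    if not tls_min or not tls_min[0]:
        findings.append(("MEDIUM", "tls-version-min missing: TLS 1.0 handshakes may be accepted"))
    else:
        try:
            version = float(tls_min[0][0])
        except ValueError:
            version = 0.0
        if version < 1.2:
            findings.append(("MEDIUM", f"tls-version-min {tls_min[0][0]}: require at least 1.2"))

    # A pre-shared HMAC key on the control channel drops packets from hosts that lack it.
    if not any(k in cfg for k in ("tls-auth", "tls-crypt", "tls-crypt-v2")):
        findings.append(("MEDIUM", "no tls-auth/tls-crypt: control channel is open to anyone who can reach the port"))

    # Certificate checks: never fall back to password-only, and insist the peer holds a client certificate.
    if "client-cert-not-required" in cfg or any(
            a and a[0].lower() == "none" for a in cfg.get("verify-client-cert", [])):
        findings.append(("HIGH", "client certificate verification disabled: users authenticate by password alone"))
    if "remote-cert-tls" not in cfg:
        findings.append(("MEDIUM", "remote-cert-tls client missing: a leaked server certificate could be used as a client"))

    # Compression of tunnelled traffic is deprecated upstream; leave it off.
    if any(a[:1] != ["no"] for a in cfg.get("comp-lzo", [])) or any(
            a and a[0].lower() in {"lzo", "lz4", "lz4-v2"} for a in cfg.get("compress", [])):
        findings.append(("MEDIUM", "compression enabled: disable comp-lzo/compress on both server and clients"))

    return findings


# Constructed sample: a server.conf a deployment from several years ago might still carry.
WEAK_SERVER_CONF = """
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem            # 1024-bit DH is also too small; not checked, the file name is not authoritative
server 10.8.0.0 255.255.255.0
cipher BF-CBC
auth SHA1
comp-lzo
client-cert-not-required
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login   # plugin path is an assumption
keepalive 10 120
"""

# Constructed sample: the same server with the weak settings corrected.
HARDENED_SERVER_CONF = """
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
tls-version-min 1.2
tls-crypt ta.key                      # shared HMAC key, file name assumed
data-ciphers AES-256-GCM:AES-128-GCM
cipher AES-256-GCM
auth SHA256
remote-cert-tls client
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn   # password + one-time code via PAM, assumed
keepalive 10 120
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SERVER_CONF), ("hardened", HARDENED_SERVER_CONF)):
        print(f"== {label} ==")
        for severity, message in audit_openvpn_config(conf) or [("OK", "nothing flagged")]:
            print(f"[{severity}] {message}")
```

Run it against a real server.conf by reading the file into `audit_openvpn_config`; the checks are deliberately conservative (a 1024-bit DH file, for instance, is only detectable by inspecting the file, not its name), so an empty result means the directives listed above are sane, not that the whole deployment has been reviewed.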
Who to Trust with VPN security?
Choosing a provider to manage these services for you is a sensible option, as transferring such risks to a third party removes this overhead from your already busy IT team. You should opt for a company with ISO 27001 certification, which shows that it manages risk in a consistent and auditable way.
ISO 27001 provides internationally recognised confirmation that security best practice is being followed and organisations have taken appropriate steps to secure personal information in line with the requirements of EU data protection laws, including the forthcoming EU General Data Protection Regulation (GDPR), which will supersede the EU Data Protection Directive.
Digital Craftsmen offers specialist cloud managed services, so if you’re looking to migrate a legacy IT system or application to the cloud, we can support you.
Contact Digital Craftsmen now to see how we can help with keeping your business secure in the cloud.