There’s no simple solution that will allow access, from outside the company premises, to applications that reside inside the corporate network. Yet the need to access such applications (corporate email, or data hosted on a corporate PC) is undeniable. In this post we give an overview of existing solutions and, at the end, we present the Beame Gatekeeper as a tool for making corporate applications accessible while keeping them protected.
There are quite a few aspects to be addressed when protecting a software application.
Among other complementary measures, common practice for protecting business (web) applications on a corporate network is to limit network access: only computers in the office network are allowed to reach corporate applications. In theory, this blocks potential attackers, as only authenticated employees have access.
How can these applications be used by an employee when he/she is at home? The employee can’t be inside the corporate network when at home, right? There is a work-around for that. It’s called VPN.
A VPN is software that secures traffic between two communicating sides. Each side can be a single computer or a computer network. A typical VPN bridges the corporate office network and an employee’s laptop. When connected over the VPN, the employee can access applications that reside on the corporate network because the employee appears as if he/she were on the corporate network.
The distinction of “on corporate network” vs “outside of corporate network” should not be a factor for any security decision.
Some years back the network security perimeter was clearly defined and aligned with physical limits of corporate campuses.
Today, due to distributed workforces, mobile workforces and cloud usage, the network perimeter is not only outside the premises, it’s also less controllable.
Employees often work remotely and also access corporate resources via mobile phones. This does not fit the network-segmentation security model. VPN is a workaround so that remote users appear as if they were on the corporate network.
The right thing to do is to review and replace the security model, as it no longer meets the requirements. Enterprises should follow Google’s lead on security: get rid of the network-segmentation-based model.
VPN can be OK as a temporary measure while the underlying system is replaced.
VPN requires complicated software to be installed on the connecting device. This software must interfere with networking, because that is exactly the purpose of a VPN: mangle network traffic so that the device appears to be on the corporate network (in our case).
“Better performance, more reliable connections, and improved ease of use topped the list of most-wanted improvements.” — networkcomputing.com
Spear phishing, viruses and malware designed to penetrate the network perimeter are getting better. So are the defences. That’s a race, and as in any race the attackers lead from time to time, even if only for a short period. So the corporate network is very likely to be penetrated at some point.
If access decisions are based on the fact that the requesting entity is “inside the corporate network”, then an attacker who knows how these decisions are made knows exactly what to do next: once inside, every location-based check is already passed.
For those eager to read more about why the VPN approach is bad, some links follow. Skip to the last chapter if you are more interested in the solution than in the problems.
There’s an open source framework, called Beame Gatekeeper, by Beame.io, that allows easy management of credentials. Based entirely on cryptography, the Gatekeeper uses mobile-phone-based identity and turns access control from centralized into distributed.
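To make the contrast concrete, here is an added example (not code from Beame Gatekeeper or from this post) that runs the same requests through two access policies side by side: the perimeter policy, which grants access solely because the source address is in the corporate range, and a per-request credential policy in the spirit of what the post describes, where every request must carry a fresh, verifiable credential from an enrolled device and the source address plays no part. The corporate address range, the device names, the per-device keys and the HMAC-based credential are all constructed stand-ins; the Gatekeeper’s real credentials are certificate-based, which this example does not reproduce.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample data: the corporate address range and two enrolled devices.
# The keys are stand-ins for the per-device cryptographic credentials the post
# describes; they are not Beame's format.
CORPORATE_NETWORK = ipaddress.ip_network("10.0.0.0/8")
DEVICE_KEYS = {
    "alice-phone": b"constructed-secret-for-alice-phone",
    "bob-laptop": b"constructed-secret-for-bob-laptop",
}
MAX_CREDENTIAL_AGE = 60  # seconds a signed request stays valid


def network_location_policy(request):
    """Perimeter model: allow because the source address is inside the
    corporate range. Anything that reaches the LAN (VPN client or malware
    on an office PC) passes this check."""
    return ipaddress.ip_address(request["src_ip"]) in CORPORATE_NETWORK


def sign_request(device_id, key, path, timestamp):
    """Client side: bind device identity, resource path and a timestamp into
    one MAC so the credential cannot be reused for another path or replayed later."""
    message = f"{device_id}|{path}|{timestamp}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def identity_policy(request, now):
    """Credential model: every request must carry a fresh, verifiable credential
    from an enrolled device. The source address is never consulted."""
    key = DEVICE_KEYS.get(request.get("device_id"))
    if key is None:
        return False  # unknown or missing device identity
    timestamp = request.get("timestamp")
    if timestamp is None or not (0 <= now - timestamp <= MAX_CREDENTIAL_AGE):
        return False  # missing or stale credential (replay defence)
    expected = sign_request(request["device_id"], key, request["path"], timestamp)
    return hmac.compare_digest(expected, request.get("signature", ""))


def evaluate(request, now):
    """Run both policies on one request so the difference is visible."""
    return {
        "perimeter": network_location_policy(request),
        "identity": identity_policy(request, now),
    }


def sample_requests(now):
    """Three constructed requests for /mail, evaluated at time `now`."""
    fresh_ts = now - 5
    stale_ts = now - 3600
    return {
        # Employee at home: outside the perimeter, but holding a valid credential.
        "remote_employee": {
            "src_ip": "203.0.113.7", "device_id": "alice-phone", "path": "/mail",
            "timestamp": fresh_ts,
            "signature": sign_request("alice-phone", DEVICE_KEYS["alice-phone"],
                                      "/mail", fresh_ts),
        },
        # Malware on a compromised office PC: inside the perimeter, no credential.
        "insider_malware": {"src_ip": "10.1.2.3", "path": "/mail"},
        # A captured credential replayed an hour later: signature valid, but stale.
        "replayed": {
            "src_ip": "203.0.113.7", "device_id": "alice-phone", "path": "/mail",
            "timestamp": stale_ts,
            "signature": sign_request("alice-phone", DEVICE_KEYS["alice-phone"],
                                      "/mail", stale_ts),
        },
    }


if __name__ == "__main__":
    now = 1_700_000_000
    for name, request in sample_requests(now).items():
        print(f"{name:16s} {evaluate(request, now)}")
```

The perimeter policy admits the insider malware and rejects the legitimate remote employee, which is exactly the inversion the post argues against; the credential policy reaches the right decision in both cases and also rejects the replayed credential because of the freshness window.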
Let’s summarize all the above and define the criteria for building a secure VPN-like network: