VPN security: Where are the vulnerabilities?
SOX compliance mandates have pushed organizations to deliver end-to-end VPN security. This means that the VPN itself is no longer enough. Robbie Harrell explains how organizations can apply security policies to the VPN in this tip.
Everyone is focusing on security. As a matter of fact, an entire sub-industry has developed that focuses on providing products, services, audits and risk and risk-mitigation assessments for Sarbanes-Oxley (SOX) compliance. I have discussed SOX before, but it bears repeating.
SOX compliance has changed the way organizations approach security. It used to be all about asset protection and securing sensitive data through authentication, encryption and intrusion detection. This still holds true; however, the advent of SOX has created the need to push security measures far out into the end-user environment and to focus on a holistic security approach. By holistic, I mean that organizations must monitor, lock down and continually evaluate the security policies, security architecture, security management and incident-response capabilities of the entire enterprise environment.
So how does this affect the VPN world?
VPNs have always been considered a secure mechanism for transmitting sensitive data between client and server applications for remote workers. VPN technology is well known and is widely deployed across the world. How have SOX compliance mandates impacted VPN solutions? In a nutshell, the SOX mandates have pushed organizations to deliver end-to-end VPN security. This means that the VPN itself is not enough.
There need to be specific, granular security policies that can be assigned and enforced on an individual or group level. This is directly related to SOX, as SOX requires organizations to articulate the security policies for different organizational entities such as executives, sales or end users of the infrastructure. If you have different security policies (which you should) for different groups or individuals, the differences should be reflected in your security deployment as well.
In addition to VPN policy granularity, organizations will need the ability to validate or verify that end-client systems are "clean" before they are granted VPN access. This is a major shift in VPN services: the client used to be considered a host that used the system, not an integral part of the VPN system's security. This has changed significantly with the advent of SOX and end-to-end VPN security. VPN systems that cannot verify or validate security configurations on the end client may present challenges to SOX compliance. "Clean" access can be verified by several different vendor technologies (Cisco Clean Access being one); however, VPN vendors are moving their products toward integrating this into the overall VPN service delivery.
Finally, many VPN systems do not provide the ability to easily manage and maintain the security of the clients using the VPN solution. This includes visibility into client-loaded software to ensure the clients are up to date, as well as the ability to "push" updates out to the clients. There are mechanisms such as SMS for doing this; however, SMS is not necessarily considered a security policy enforcement technique. It can be, but the VPN industry is moving toward integrating this into the VPN systems themselves.
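To make the three requirements above concrete (per-group policies, a "clean" posture check before access, and a remediation path for out-of-date clients), here is an added example of a minimal VPN access-policy engine. It is not code from the original tip or from any VPN vendor; the group names, posture attributes and threshold values are constructed for illustration.

```python
"""Added example (not from the original article): a minimal VPN access policy
engine combining per-group security policies with an endpoint posture check.
Group names, posture attributes and thresholds are constructed values."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class GroupPolicy:
    """Per-group requirements (constructed; an organization defines its own)."""
    min_patch_level: int                 # lowest OS patch level the client may report
    require_disk_encryption: bool
    max_av_signature_age_days: int
    allowed_networks: tuple = field(default_factory=tuple)  # reachable after connect


# Granular policies per organizational group, as the tip describes (constructed).
POLICIES = {
    "executives": GroupPolicy(12, True, 2, ("finance", "corp")),
    "sales": GroupPolicy(10, True, 7, ("crm",)),
    "end_users": GroupPolicy(10, False, 14, ("intranet",)),
}


def evaluate_posture(group: str, posture: dict) -> tuple:
    """Return (decision, details): 'grant' with the allowed networks,
    'quarantine' with the list of failed checks, or 'deny'.
    posture is the client's self-reported state, e.g.
    {"patch_level": 11, "disk_encrypted": True, "av_signature_age_days": 3}.
    Unknown groups are denied (default-deny); a missing attribute fails its
    check (fail-closed), since an unreported value cannot be treated as clean."""
    policy = POLICIES.get(group)
    if policy is None:
        return "deny", [f"no policy defined for group {group!r}"]
    failures = []
    if posture.get("patch_level", -1) < policy.min_patch_level:
        failures.append(f"patch level below required {policy.min_patch_level}")
    if policy.require_disk_encryption and not posture.get("disk_encrypted", False):
        failures.append("disk encryption required but not reported")
    if posture.get("av_signature_age_days", float("inf")) > policy.max_av_signature_age_days:
        failures.append(f"AV signatures older than {policy.max_av_signature_age_days} days")
    if not failures:
        return "grant", list(policy.allowed_networks)
    # Known but non-compliant clients land on a remediation-only network where
    # updates can be pushed to them, matching the "push out updates" requirement.
    return "quarantine", failures
```

A real deployment would take the posture attributes from the VPN client's posture agent rather than a trusted self-report, but the decision logic is the same.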
So, as can be seen from these examples, the regulatory security eye (SOX) is beaming brightly on the VPN world and is driving significant developments in VPN technology. Remote access is the window into the corporate environment, and security (up front and ongoing) takes on a whole new meaning with SOX. Be very cognizant of these factors when evaluating the security of a VPN solution.