VPN not great for everything?
I don’t know whether you have heard about a high-profile case from several years ago concerning an ongoing investigation of unauthorized code found in Juniper software. The code acted as a gateway for launching cyberattacks on the devices running it. The report concluded that the vulnerability had most likely been placed there deliberately, and that it was designed to be very difficult to detect. Bloomberg has recently been informed of new facts in the Juniper case.
Does a VPN make sense?
Why am I writing about this, and how does it relate to the strong authentication we deal with at Secfense on a daily basis? We observe that in many cases, especially with remote work now so widespread, companies adapting to the new reality use VPNs to let external employees into their network. This can be dangerous. VPNs have a wide range of uses, and letting outsiders into applications is only one of them, but the Juniper case showed how harmful that use can be. If a company instead placed the application outside the network and protected it with strong authentication alone, the attack surface would be much smaller.
When to use VPN?
First, using a VPN for everything possible is not only inefficient but also dangerous. Second, “stretching” it to secure web applications is a complete contradiction of the principles of designing effective cybersecurity, which, precisely because of various vulnerabilities and backdoors, should be built in layers, like an onion, and in a way that diversifies the security methods used.