Say ‘Goodbye’ to VPNs and Passwords

Okay…we will admit it. Emerging and evolving cybersecurity trends and related topics have received significant coverage in this blog lately. But when it comes to cybersecurity in general, there is another side of the coin that also merits attention: cybersecurity methods—and two in particular—that have lost their effectiveness and should be replaced.

Here’s a deeper dive into what those methods are, why they are inadequate, and the best replacement options.

VPNs Very Secure? Not Really

Earlier this year, technology research and consulting firm Gartner predicted that 60 percent of all enterprises will replace their remote access virtual private networks (VPNs) with zero trust network access by the end of 2023.

This should come as no surprise. VPNs are designed to serve as secure tunnels that link remote users with enterprise systems, including, of course, systems where sensitive data may reside. Their popularity soared during the pandemic as more and more entities used them to provide work-at-home employees with what they perceived as a secure remote access to enterprise resources.  However, contrary to what some payment industry players may believe, VPNs don’t entirely deliver on the cybersecurity promise because:

  • The “attack surface” is expanding. VPNs are adequate protection for devices and solutions that are used on-premise only rather than in remote fashion, and that have been approved for employee use. However, whether working from home or at an office, employees leverage other devices and solutions, such as unprotected smartphones and tablets. They also rely on cloud, software-as-a-service (SaaS), and web-based apps (including those whose use has not been sanctioned by their employer)—apps that can be accessed anywhere, on any network. VPNs just cannot protect such a wide attack surface. They cannot discern if a connecting device is infected or whether stolen credentials are being harnessed for illicit purposes.
  • Authentication is oversimplified. VPNs “assume” that internet traffic is safe. But once users have obtained entry to the network via VPN technology, they have total access to it—and can get their hands on any and all sensitive data. There is no role-based control or restriction, and no application layer security.
  • Ability to scale and secure the corporate network is limited. VPNs are limited to remote access. This means they do not scale and secure the corporate network when users are working on-premise, putting corporate data resources in a vulnerable position. Free VPNs with ad tracking and malware jeopardize data security to an even higher degree.

Gartner and other experts advocate swapping out VPNs for a Zero Trust IT security model that requires strict identity verification for every user, whether they are working within a network perimeter (for example, at the office) or outside it (such as at home, on a remote device). Key principles of Zero Trust include:

  • Continuous monitoring and validation. Zero Trust works under the assumption that attackers exist inside and outside a network and, consequently, that no users or machines should be automatically trusted. User identity and privileges—as well as device identity and security—are always verified. Logins and connections time out periodically after they have been established, and users and devices must be continuously re-verified.
  • Least-privilege access. Under this umbrella, users are given only as much access to networks and devices as they need.
  • Device access control. Zero Trust systems monitor the number of different devices that are trying to access their network and ensure that each device has been authorized to do so. They also assess all devices to ensure that they have not been compromised.
  • Micro-segmentation. Micro-segmentation is the division of network security parameters into small zones, so that separate access to different parts of the network is maintained.

Passing on Passwords

Passwords, too, should be eliminated “wherever possible,” in favor of passwordless authentication, according to global market intelligence firm IDC. Statistics from Verizon’s 2021 Data Breach Report underscore this assertion. The report indicates that 80 percent of data breaches are the result of poor or reused passwords.

Saying “goodbye” to passwords is a good idea because it:

  • Quashes nefarious activities. No passwords means reduced risk for a data breach because fraudsters’ ability to use them—and engage in the activities that expose them—is reduced. For example, credential-stuffing—using compromised credentials from one breach to gain access to another organization’s data—is a common act of fraud. But if an organization has eliminated passwords, it is impossible for perpetrators to further their fraudulent activities within that organization by leveraging credentials they have obtained elsewhere to access its systems and data.
  • Reduces the likelihood of succumbing to a phishing attack. When there are no passwords, employees cannot accidentally provide cybercriminals with information they can use to gain access to data by responding to a phishing email, or be tricked into doing so.

Passwordless authentication methods require users to input something they have  or prove that they are something. Both are more difficult to “fool” or circumvent than password authentication. Methods for verification on this front encompass:

  • Biometric authentication utilizes people’s unique physical traits to verify that they are who they claim to be, without requiring a password. Facial recognition and fingerprints fall into this category.
  • Magic links. With this form of passwordless authentication, users enter their email address into a login box. They then receive an email that contains a link they can click to log in to the system. Users must repeat this process each time they log in.
  • One-time passwords (OTPs) and one-time codes (OTCs). These are similar to magic links, but with both, users must input a code sent to them (via email or text) by the entity whose system they wish to access. As with magic links, the process is repeated at each login.
  • Push notifications. A dedicated authenticator app (such as Google Authenticator) is harnessed to send users a push notification on their mobile device. Users then open the app through the push notification to verify their identity.

E-Complish will continue to monitor cybersecurity trends and methods—those that are on the way in, and those that are on the way out. Meanwhile, learn more about our secure payment processing services and solutions here.