I don't like VPNs. I take that back. I like them a lot, I just don't trust them. Ever had a friend like that? They're fun to be around, are really helpful, always there when you need them, etc. For the most part you're great friends, but…they can't keep their mouth shut. You always have to watch what you say around them because you know it will be repeated. Probably multiple times to multiple parties. That's the view I have of VPNs.
I've been using some sort of VPN for probably a little more than a decade now. Not just remote access but truly secured communication channels. The goal of a VPN was to make location irrelevant in the computing equation. We've done that. You can login to an application or system remotely from just about any device with a processor and operating system, including mobile phones and PDAs.
We've gotten more secure in how we transport the data but for the most part continue to ignore the endpoint. This is my concern.
I've worked with several organizations which have implemented VPNs either in IPSec or SSL form. They go to great lengths to secure the communication channel but completely ignore the endpoint on the remote end. They rely on things like internet history scrubbers to "erase" the sensitive data from the remote machine. Who are they kidding?
There all sorts of rudimentary ways to defeat this. The easiest is to mirror a read only copy of an OS to a removable drive. Presto…scrubber defeated. Another is an application that places a hook into your video driver and captures screen prints every 10, 15 or 20 seconds then stores it to a file. Combine this with a keystroke logger and you have a pretty easy yet effective way to defeat a history scrubber.
The point is, when you lose control of any part of your communication system, you lose control of your data. I routinely recommend organizations restrict access to their VPN from only devices which they control. This ensures there are other protections, such as malware detection and firewalls, in place which help limit exposure on these devices.
The biggest complaint I hear when I recommend this solution is the cost of providing laptops or mobile devices to employees who will work remotely. I think this argument is very short sighted and usually the entire risk environment is not being evaluated. My suggestion in these cases is to consider the risk of data leakage or security and privacy attacks from VPN usage and then recalculate the ROI. Typically this changes the discussion points. Sometimes even re-evaluating who actually needs remote access can reduce the risk and costs simultaneously.
If nothing else, organizations must understand that once data leaves a system which is completely within their control, they lose control of that data. If this risk has been evaluated and either accepted or mitigated then by all means forge ahead. My concern is with the organizations which haven't considered this risk and therefore have a false sense of security. Anytime risk is unknown, hidden or ignored, catastrophe will be lurking in the shadows.