VPNs in a Remote Workforce

COVID-19 is pushing many organizations to suddenly need to support a remote workforce as a way of ensuring business continuity. To date, most organizations use VPNs to authenticate and secure remote devices. VPNs were never intended to connect and maintain this many remote employees.  This tool was originally intended to be a larger server on each side to connect two large offices as a private trunk to extend the network. Over time this moved to a client/server relationship, where a large server or servers in a main office connect to a multitude of micro servers (services) on the client. Instead of maintaining one trunk, they now maintain thousands of simultaneous connections. Companies like Yahoo, Amazon, Google, and Twitter are testing their VPNs capacity now with mandatory work-from-home policies. These tests will tell us whether existing VPNs are capable of meeting the suddenly increased traffic demand. The security world is already seeing the impacts of adversaries targeting VPNs and remote employees.

What does a VPN do? How does a VPN work?

A VPN, or virtual private network, is a way of extending what would normally be a private network across a public network. This allows an organization to create a secure connection to another network via the Internet. VPNs ensure that traffic remains encrypted when it is outside the edge of your organization.


When you connect your device to a VPN, the computer acts as if it’s on the same local network as the VPN. All your network traffic is sent over a secure connection. Because your computer behaves as if it’s on the network it allows you to securely access local network resources even when you’re on the other side of the world. It also allows you to use the Internet as if you were present at the VPN’s location, which has some benefits if you’re using public Wi-Fi or want to access geo-blocked websites. VPNs are frequently used by business travelers and remote workforces to access the business’ network, including local network resources, while outside the organization’s walls. This keeps the local network and resources from being directly exposed to the Internet, which increases security.

VPN Stress Test

VPNs provide a strong, but limited way to authenticate a user and allow them access to your organization’s infrastructure. This carries its own set of advantages and disadvantages.

To start, VPNs allow remote and traveling employees to securely access the resources they need regardless of location. However, this comes at a cost. VPNs typically require a license fee to use similar to any appliance or software a company may have. They also incur a “friction fee” on users. End users on a VPN will typically need to log into the VPN themselves, have increased restrictions on internet sites, and slower speeds. VPNs were never originally created to support a completely remote workforce. Their original intent was to allow remote offices to connect to and access the resources of another office or network. This architecture would typically have a larger bandwidth server positioned between the two points. In today’s world, we have shifted to a client/server relationship where each endpoint has a piece of client software installed that communicates with a central server, or servers.

With COVID-19 putting VPNs feet to the flames, organizations may find that their solution for the occasional remote workforce may not be able to bear the burden of the entire workforce. If VPNs fail to provide enough bandwidth, organizations will quickly face a situation where employees are unable to connect, or worse, refuse to connect to a corporate VPN. This introduces a host of challenges securing and maintaining the organization’s infrastructure.

What are the VPN alternatives?

There are alternatives to a VPN using IAM/PAM tools. These tools fall under the umbrella of Zero Trust. Zero Trust is a new approach to identity and authentication that requires that every entity that might access business data establishes its trustworthiness and permission to do so, every single time it seeks access. Trust is never assumed, and all points of access — mobile devices, desktops, virtual machines, and so on — are monitored and fortified whether they’re internal or external to the company.

Zero Trust arose a few years ago as a response to today’s diverse cyber security threats and quickly changing IT architectures. IT leaders found themselves with a frustrating lack of visibility and control as mobile workforces and cloud services become the norm. The legacy approach to security began to fail. Much like today’s sudden shift in business and IT operations requirements, a new framework is needed.

Traditional VPN is a good example of how remote workforces are changing security and why something like Zero Trust has become so important.

If you’re like many businesses, you might currently be trading a VPN for cloud computing, often embracing BYOD. As a result, you’re left with many more points of trust-checking to worry about. Each endpoint’s security vulnerability might differ in type and severity.

Contrast that with a VPN breach. Once a VPN is compromised in a traditional security deployment, the scope can be massive, since the connection is a stand-in for trust with huge amounts of data, applications, etc. Your single point of trust has failed, so no trust can be assumed. You can already see the security challenge we’re left within a Zero Trust model: Many more points of trust that differ from each other. And while Zero Trust is better suited for modern, distributed workforces on a conceptual level, it doesn’t actually mitigate this increased quantity of vulnerabilities, it just helps us see it. in the face of a suddenly remote workforce, new approaches to patching and cyber hygiene need to be considered.

Why Automox Automated Patch Management?

Automox is a cloud-native cyber hygiene solution with support for Windows, Mac, and Linux from a single console. It enables continuous connectivity for local, cloud-hosted, and remote endpoint fleets with no need for on-premises infrastructure or tunneling back to the corporate network. In other words, it takes care of the software, hardware, configuration, remote endpoint, monitoring, analysis, and compliance issues (and more) that are such important parts of successful Zero Trust initiatives (and cybersecurity more generally). It does this automatically and affordably.

For organizations under modernization and digital transformation pressures, Automox can be a powerful and resource-saving ally. It can remove an important pain point before the organization gets there, preserving the Zero Trust initiative and creating a sustainable, systemic security posture.

For most companies, Zero Trust takes place a layer removed from patch and configuration management and the other elements of cyber hygiene. If your Zero Trust initiative is going to succeed, your cyber hygiene has to succeed first.

With Automox:

  • Patching and configuration management take place with automation and speed.
  • IT has a single-pane visibility into every endpoint, software, hardware, and operating system in use.
  • IT environments are free of obsolete architectures and systems.
  • Remediations take place inside of a week, not the still-typical 100+ days.