The expansion of BYOD (Bring Your Own Device) across the business landscape has meant that all enterprises have had to re-evaluate their security systems.
And with WYOD (Wear Your Own Device) also making itself felt, ensuring the security of data that moves to and from these devices is vitally important. Research by Cryptzone concluded that:
- 91% of respondents said that VPNs are still the main form of security for controlling network access, despite the fact that VPN technology was created almost 20 years ago
- A majority (51%) noted that their access control technology was greater than three years old, and 11% said it was more than 10 years old
- Only 21% of companies rely on attribute-based controls to secure access – most rely on authentication (93%) and session authorisation (46%)
"It's remarkable that many organisations are still utilising network security technologies developed in the nineties – a time when the internet was still in its infancy," said Kurt Mueffelmann, president and CEO for Cryptzone.
He continued: "Organisations need to accept that outdated access control technologies are not working against today's sophisticated adversaries. The default position should be to make your infrastructure invisible, and then grant access on a case-by-case basis, only after user identity, posture and context have been validated.
"Organisations must stop giving out the keys to the kingdom when it comes to privileged user, third-party and employee access."
Information is often the most precious commodity for any business. Think about how your company currently manages its data. A mixture of desktop PCs and a plethora of different mobile devices are likely to be common across your enterprise. How secure are the connections between these devices and the servers they exchange data with?
A VPN, or Virtual Private Network, is a secure method of connecting a remote computer or other device to a server. When a geographically dispersed workforce needs to access what could be highly sensitive personal or commercial information, an ordinary internet connection – usually a public Wi-Fi hotspot – is simply not secure enough for business use.
VPNs all operate in the same basic way: a secure bridge is created between a tablet or smartphone, for instance, and your business's servers, which can be on your premises or in the cloud. The level of sophistication you will need from a VPN will depend on how many remote devices you want to connect.
From a simple browser-based VPN that uses SSL, to more complex systems, there is a VPN for every need. Use this checklist to help guide your decision-making:
1. Perform a data audit to assess the VPN features that are needed
It is important to understand who will connect to whom over the VPN, and what kind of data they will exchange. This will guide your business to the right VPN protocol to use.
2. What kind of internet connection does your business have at the moment?
VPNs can easily use large quantities of bandwidth, so ensure your business connection can cope with this additional traffic. And don't forget you'll need static IP addresses to avoid the need to set up a new VPN each time a connection is required.
3. The maintenance of a VPN is vital to ensure it stays secure
It is essential to focus on the security aspects of the VPN connection. As a VPN could be in front of or behind a firewall, its security is of paramount importance. Antivirus software should be in place and up-to-date.
4. How to use public Wi-Fi and VPNs
5. Ensure that any VPN client is secure
A VPN will use its own client to make the connection to another device or server. The user ID and password will be stored on these devices, which of course could be stolen. Use a personal firewall, or a password on the computer's BIOS, to prevent unauthorised personnel from using the VPN client if the device is stolen.
Steve Roberts, service development manager at business communications provider Vtesse Networks, advises: "When setting up a VPN, organisations must ensure that their provider meets basic security standards such as ISO 27001, which may be required for governance purposes and data protection obligations.
"This is certainly true for PCI certifications too. If the organisation is handling credit card information, it can't afford to fall short when it comes to meeting these regulations."