To secure access to the company’s applications, IT departments often distinguish by how critical an employee’s job is. Staff whose work is strategic for the company, typically those still accessing file servers, get enhanced protection with two-factor authentication. In general the VPN option is chosen, even though it consumes data-centre resources (preferably dedicated servers) and carries licensing costs.
For desktop-oriented users and consumers of SaaS cloud applications (CRM such as Salesforce, HR tools, etc.), many have chosen alternatives such as hardened proxies and, above all, solutions designed for web and multi-cloud applications, in particular single sign-on (SSO), as advocated by Google.
The most delicate case is having to support terminals that do not belong to the company: the BYOD (bring your own device) approach, which is less and less accepted, because locking down a remote workstation that the whole family shares at home is difficult, unless you have anticipated it with a VDI (virtual desktop infrastructure) such as Citrix’s HDX (formerly ICA).
This explains why the majority of companies have chosen to reinvest in the endpoint, most often a laptop configured by the IT department.
The limits of “proxy” solutions
For small organisations with non-sensitive data and modest bandwidth needs, a proxy combined with a good antivirus may suffice. The proxy hides the client’s IP address by substituting its own. Smart DNS services add the ability to mask location data.
Ideally, traffic between the workstation and the proxy should be encrypted, and credentials should be erasable after use (some antivirus suites offer this).
Proxies are often free. It is worth verifying the integrity of the platform that offers them before routing company traffic through it.
Providers such as TeamViewer offer equivalent all-in-one solutions for remote access to a Windows or Mac workstation at a third of the cost of a VPN. They allow users to share important files and reach the company’s servers remotely; the machine can also be switched on or off remotely, and a “black screen” function hides the session on the remote computer’s display.
Leased lines, MPLS or other private networks
By contrast, some large organisations (defence, aeronautics, space) still have the means to bear the cost of a private network built on leased lines (LS) rented at a high price from operators. This is the case with MPLS (Multiprotocol Label Switching) offers. There are also fully private infrastructures on dark fibre, typically closed metropolitan area networks (MAN) or PPNs (physically private networks).
The reassuring commoditization of VPNs
“The VPN solution remains the right one, provided that the number of simultaneous connections is sufficient and that the IT infrastructure has been sized accordingly,” sums up Antoine Buhl, CTO of D-Edge, an IT services company specialising in hotel and marketing technologies (Accor group).
The VPN (virtual private network) remains the most common solution and has been widely used by companies to generalise telecommuting. Its advantage is to create a secure connection regardless of the underlying network or networks: PSTN (RTC), ISDN (RNIS), ADSL, cable, radio link, leased line, etc.
Dedicated IP addresses are assigned, and traffic is routed and encrypted by specialised, private, dedicated servers, sized for performance according to the volume of data transferred and the number of simultaneously connected users. The farther away these VPN servers are, the lower the connection performance.
The security of a VPN depends in large part on the cipher suite negotiated: key length (256-bit keys, for example), symmetric versus asymmetric algorithms, and so on. The cryptography involved covers both encryption algorithms and authentication (integrity) algorithms, and a tunnel is only as strong as the weakest proposal the gateway is willing to accept.
Key management is usually provided by a public key infrastructure (PKI), which issues certificates (see VeriSign, Thawte, etc., or certified IT service companies such as Atos and Thales). Many suppliers offer to run this service for you. You just have to trust them…
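The previous two paragraphs say that a VPN is only as strong as its algorithms. The following checker is an added example, not code from the article or from any vendor: it rates IKE/ESP proposals written in strongSwan’s notation (algorithms joined by `-`, proposals by `,`, an optional trailing `!` for strict mode), flagging the choices a reviewer would reject (DES/3DES, MD5/SHA-1, DH groups below 2048 bits, a non-AEAD cipher without an integrity algorithm, and an ESP proposal without a DH group, i.e. without perfect forward secrecy). The weakness table and the regular expressions are this example’s own assumptions, not a strongSwan API.

```python
"""Rate IKE/ESP proposals in strongSwan-style notation, e.g. 'aes256gcm16-sha384-ecp384'.

Added example: the notation is strongSwan's, but the weakness table and the
classification rules below are this example's own assumptions.
"""
import re

# Tokens that should not appear in a new deployment (this example's own table).
WEAK = {
    "des":      "single DES (56-bit key)",
    "3des":     "3DES (64-bit block size, Sweet32)",
    "null":     "NULL encryption (no confidentiality)",
    "md5":      "MD5 integrity",
    "sha1":     "SHA-1 integrity",
    "modp768":  "768-bit DH group",
    "modp1024": "1024-bit DH group (Logjam-class)",
    "modp1536": "1536-bit DH group (below the 2048-bit minimum)",
}

ENC_RE = re.compile(r"^(aes\d{3}(gcm|ccm)?\d*|chacha20poly1305|3des|des|null)$")
AEAD_RE = re.compile(r"^(aes\d{3}(gcm|ccm)\d+|chacha20poly1305)$")
INTEG_RE = re.compile(r"^(md5|sha1|sha256|sha384|sha512|aesxcbc)$")
DH_RE = re.compile(r"^(modp\d+|ecp\d+|curve25519|curve448)$")


def assess_proposal(proposal, phase="ike"):
    """Return a list of findings for one proposal; an empty list means it passes.

    phase is "ike" (IKE SA) or "esp" (child SA); a missing DH group is fatal for
    IKE and means no perfect forward secrecy for ESP.
    """
    findings = []
    tokens = proposal.strip().lower().split("-")
    enc = [t for t in tokens if ENC_RE.match(t)]
    integ = [t for t in tokens if INTEG_RE.match(t)]
    dh = [t for t in tokens if DH_RE.match(t)]
    unknown = [t for t in tokens if t not in enc + integ + dh]

    for t in tokens:
        if t in WEAK:
            findings.append(f"{t}: {WEAK[t]}")
    if unknown:
        findings.append("unrecognised token(s): " + ", ".join(unknown))
    if not enc:
        findings.append("no encryption algorithm")
    # An AEAD cipher carries its own integrity; anything else needs an explicit one.
    if enc and not any(AEAD_RE.match(e) for e in enc) and not integ:
        findings.append("non-AEAD cipher without an integrity algorithm")
    if not dh:
        findings.append("no DH group: " + ("IKE requires one" if phase == "ike"
                                            else "no PFS for this child SA"))
    return findings


def assess_config(proposal_list, phase="ike"):
    """Assess a comma-separated list such as an ipsec.conf ike= or esp= value.

    Returns {proposal: findings}. Because the peer may select any listed
    proposal, a single weak entry weakens the whole list.
    """
    result = {}
    for p in proposal_list.rstrip("!").split(","):
        p = p.strip()
        if p:
            result[p] = assess_proposal(p, phase)
    return result


if __name__ == "__main__":
    # Weak legacy entry listed next to a strong one: the legacy one can still be negotiated.
    for prop, found in assess_config("aes256gcm16-sha384-ecp384,3des-sha1-modp1024!").items():
        print(prop, "->", found or "OK")
    print(assess_proposal("aes128-sha256", phase="esp"))
```

Run it against the `ike=` and `esp=` lines of a gateway configuration: the point a practitioner should take from the second proposal in the demo is that leaving a legacy proposal in the list for “compatibility” lets a peer (or an attacker in the path who can influence negotiation) choose it.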
VPN tunnels: IPsec or SSL/TLS?
Licensed vendors such as Fortinet offer the choice between IPsec and SSL VPN tunnels. As with proxies, be wary of free VPNs, many of which are a source of data theft.
IPsec (IP Security, developed by the IETF) secures IP traffic by authenticating and encrypting IP packets inside a virtual tunnel, with keys negotiated through IKE (Internet Key Exchange). It therefore operates at the network layer (layer 3), below TCP and UDP, which is why any IP-based application can be carried over it without modification.
SSL (Secure Sockets Layer), succeeded in 1999 by TLS (Transport Layer Security), remains the most common universal security protocol for web browsing. As a reminder, HTTPS is HTTP over SSL/TLS, and FTPS is an extension of FTP (File Transfer Protocol) using SSL/TLS. SSL itself is now deprecated and only TLS should be enabled. However, TLS-based VPNs are not compatible with all applications.
Unlike IPsec tunnels, SSL VPNs can be “clientless”: access is made from a web browser over TCP port 443, so the traffic passes through firewalls that already allow HTTPS. Full network access through an SSL VPN still requires a client agent, and the same property means the firewall sees only an HTTPS session and cannot inspect what the tunnel carries.
Zero trust as a complement
Creating a secure perimeter with firewalls and VPN tunnels remains a good solution. But what about applications that have moved to a remote cloud, outside the company, and endpoints the IT department does not control?
Security officials invoke the “zero trust” principle. In other words, you must also plan for the case where an attacker has managed to get inside the VPN. It must then be possible to detect and block abnormal, intrusive behaviour, such as the systematic copying of files.
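The “detect systematic file copies” part of the previous paragraph is concrete enough to show in code. The detector below is an added example, not from the article or any product: it reads file-server audit lines in a hypothetical `timestamp user= src= action= path=` format (the sample lines are constructed for the example), keeps a sliding window per user and raises one alert when a user touches more distinct files within five minutes than a threshold allows. The log format, field names, window and threshold are all assumptions; what to do with the alert (for instance tearing down that user’s VPN session at the concentrator) depends on the environment and is left out.

```python
"""Flag bulk file reads by a remote user: an added zero-trust detection example.

The audit-line format below is hypothetical and the sample lines are constructed;
a real deployment would feed the file server's own audit log and tune the
window and threshold to its baseline.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample: alice behaves normally; mallory, on a VPN address,
# reads 30 payroll files in 30 seconds.
SAMPLE_LOG = [
    "2024-03-12T09:01:12Z user=alice src=10.8.0.5 action=read path=/finance/q1.xlsx",
    "2024-03-12T09:14:40Z user=alice src=10.8.0.5 action=write path=/finance/q1.xlsx",
    "2024-03-12T09:52:03Z user=alice src=10.8.0.5 action=read path=/finance/budget.docx",
] + [
    f"2024-03-12T14:07:{i:02d}Z user=mallory src=10.8.0.23 action=read path=/hr/payroll_{i:02d}.xlsx"
    for i in range(30)
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) path=(?P<path>\S+)$"
)


def parse_line(line):
    """Return a dict for one audit line, or None if the line does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def detect_bulk_reads(lines, window_seconds=300, threshold=25):
    """Alert once per user when they read more than `threshold` distinct files
    within any `window_seconds` sliding window. Returns a list of alert dicts.
    """
    recent = defaultdict(deque)   # user -> (timestamp, path) events inside the window
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["action"] not in ("read", "copy"):
            continue
        q = recent[ev["user"]]
        q.append((ev["ts"], ev["path"]))
        # Drop events that have fallen out of the window.
        cutoff = ev["ts"].timestamp() - window_seconds
        while q and q[0][0].timestamp() < cutoff:
            q.popleft()
        distinct = {path for _, path in q}
        if len(distinct) > threshold and ev["user"] not in flagged:
            flagged.add(ev["user"])
            alerts.append({
                "user": ev["user"],
                "src": ev["src"],          # the VPN address to cut off
                "distinct_files": len(distinct),
                "at": ev["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_reads(SAMPLE_LOG):
        print(f"ALERT {alert['at']}: {alert['user']} from {alert['src']} "
              f"read {alert['distinct_files']} distinct files in 5 min")
```

The threshold is deliberately a count of distinct files rather than bytes: a user who re-saves one large document many times is not the pattern this is looking for, whereas a script walking a share touches many paths quickly. Thirty reads spread over thirty minutes stay under the threshold, because the window drops old events.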
With the spread of cloud access, the hyperscalers (AWS, Google, Microsoft Azure) also offer their own alternative or VPN-inspired services.
For example, Google’s Cloud VPN connects a VPC (Virtual Private Cloud) network to an on-premises network through IPsec VPN gateways at each end (“Classic VPN” or, for high availability within a region, “HA VPN”), with a throughput of up to 3 Gbps per tunnel.
Some recommended VPN providers such as Perimeter 81 also offer a cloud VPN with unified SSO authentication for G Suite (Google Cloud Identity), Okta Identity Cloud, Microsoft Azure AD and Active Directory/LDAP.
Citrix: a cloud alternative without VPN
Finally, there are VPN-free cloud alternatives. This is the case with the Citrix Access Control offer, which provides secure access at the application layer rather than to the network. It is defined as a “fully managed and globally available cloud service.”