TL;DR - Has anyone else run into employees using low-cost VPN providers and how have you dealt with it?
We recently implemented a robust security platform and have since discovered that about 10 of our work-from-home users are using low-cost VPN providers to connect to our corporate resources (we do not have or require a corporate VPN in place for access, as all of the resources are publicly web-based). We found that a few of them are choosing to have endpoints in South America and Europe. Despite the increased latency from the VPN and the subsequent latency from the endpoint location they are picking (we are US based), 9 out of 10 of these people aren’t technical and have no idea why they are using a VPN apart from it making them “safer”.
Much like other employers, we now state that employees must have their own reliable internet connection at home, but that’s where it stops. Keep in mind that these low-cost VPN providers are not being installed on any corporate-owned devices; they are either being installed on the personal PC that the user then uses to access things like OWA or other web-based resources, or, for a few, installed and set up inside their home firewall so that all traffic from their internal network is funneled through the VPN. Please refrain from suggesting to just shut their access off. I am looking for how others have handled this situation and not suggestions on how to screw the users over.
The real-world impact of the users using these VPN providers is that it affects their performance, sometimes creating “impossible travel” alerts when they switch endpoints, and possible blind spots to security threats (as explained in the next sentence). I am hesitant to create policy exceptions in the security platform, as the threat hunters indicated that a lot of real-world bad actors use these VPN providers to help add an extra layer of obfuscation when attacking a target.
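The “impossible travel” alerts described above are worth triaging automatically rather than investigating each one by hand. The following is an added example (not code from the thread or from any particular security platform) that replays sign-in events per user, computes the ground speed implied by two consecutive sign-ins, and tags an alert when the newer source address falls inside a list of egress ranges the organisation has recorded for consumer VPN providers. All IP addresses, coordinates and the VPN range list are constructed; a real deployment would use a GeoIP database and the provider ranges it maintains.

```python
"""Impossible-travel triage over sign-in events (added example).

Consecutive sign-ins by one user whose implied ground speed exceeds airliner
speed are flagged. Each alert records whether the newer sign-in came from a
known consumer-VPN egress range, so an analyst can separate "probably a
personal VPN, follow up with the user" from "investigate now".
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt

# Constructed: egress ranges an org might record for consumer VPN providers.
KNOWN_VPN_RANGES = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]

# Constructed GeoIP table: IP -> (city, latitude, longitude).
GEOIP = {
    "192.0.2.10": ("Denver", 39.74, -104.99),
    "192.0.2.11": ("Denver", 39.74, -104.99),
    "192.0.2.200": ("Lagos", 6.52, 3.38),        # not a known VPN range
    "198.51.100.7": ("Sao Paulo", -23.55, -46.63),  # known VPN range
    "203.0.113.9": ("Frankfurt", 50.11, 8.68),      # known VPN range
}

MAX_PLAUSIBLE_KMH = 900.0  # roughly airliner cruising speed


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime
    ip: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * r * asin(sqrt(a))


def is_known_vpn(ip):
    """True when the address lies in one of the recorded VPN egress ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in KNOWN_VPN_RANGES)


def detect_impossible_travel(events):
    """Return one alert dict per user transition that is physically implausible.

    Events are processed in timestamp order; the previous sign-in per user is
    kept so each event is compared only with the one before it.
    """
    alerts = []
    last_by_user = {}
    for ev in sorted(events, key=lambda e: e.ts):
        prev = last_by_user.get(ev.user)
        if prev is not None:
            city1, lat1, lon1 = GEOIP[prev.ip]
            city2, lat2, lon2 = GEOIP[ev.ip]
            dist_km = haversine_km(lat1, lon1, lat2, lon2)
            hours = (ev.ts - prev.ts).total_seconds() / 3600.0
            if dist_km == 0:
                speed = 0.0
            elif hours <= 0:
                speed = float("inf")  # same instant, different place
            else:
                speed = dist_km / hours
            if speed > MAX_PLAUSIBLE_KMH:
                alerts.append({
                    "user": ev.user,
                    "from": city1,
                    "to": city2,
                    "speed_kmh": round(speed, 1),
                    "via_known_vpn": is_known_vpn(ev.ip),
                })
        last_by_user[ev.user] = ev
    return alerts


def _t(hh, mm):
    return datetime(2024, 1, 15, hh, mm, tzinfo=timezone.utc)


# Constructed sample sign-ins: alice and carol hop onto a consumer VPN,
# bob stays at home, dave appears somewhere with no VPN explanation.
SAMPLE_EVENTS = [
    SignIn("alice", _t(9, 0), "192.0.2.10"),
    SignIn("alice", _t(9, 30), "198.51.100.7"),
    SignIn("bob", _t(9, 0), "192.0.2.10"),
    SignIn("bob", _t(10, 0), "192.0.2.11"),
    SignIn("carol", _t(9, 0), "192.0.2.10"),
    SignIn("carol", _t(9, 20), "203.0.113.9"),
    SignIn("dave", _t(9, 0), "192.0.2.10"),
    SignIn("dave", _t(9, 15), "192.0.2.200"),
]

if __name__ == "__main__":
    for a in detect_impossible_travel(SAMPLE_EVENTS):
        bucket = "likely personal VPN, follow up with user" if a["via_known_vpn"] else "INVESTIGATE"
        print(f'{a["user"]}: {a["from"]} -> {a["to"]} at {a["speed_kmh"]} km/h [{bucket}]')
```

The point of the `via_known_vpn` flag is not to suppress the alert (the threat hunters’ concern about attackers using the same providers stands) but to route it: known-provider hits go to a user follow-up queue, everything else stays in the investigation queue.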
I mean you could probably go through the effort of blocking the IP ranges for each provider, but that almost doesn’t seem worth it. Either use split tunnel or don’t worry about it imo.
We ran into the same ‘impossible travel’ alerts and ended up running through countless security investigations that turned out to be harmless VPN use. We circumvent the issue by enforcing a GeoIP-based conditional access policy, and inform the user that obfuscating their traffic to corporate resources is against the acceptable use policy. We provide a corporate VPN to use in the event remote workers need protection, e.g. hotel networks.
Personal VPN may not be harmful, but it makes traffic patterns match malicious activity to the point that malicious activity is less recognizable. That’s why we don’t allow it.
I would push for a Zero Trust policy, which means you need at least 3 things to access your resources (which shouldn’t be publicly accessible, but accessible without a VPN as long as you comply with the requirements):
You need an identity provider (to verify that it is you)
You need a device posture verified by your endpoint protection/AV
And you need a certificate (provided by your MDM)
That will make it impossible for end users to access resources on personal devices unless they enroll in your MDM, and that will give you some visibility into their updates/security posture.
Most breaches come from personal devices because IT has no visibility into them, and it takes longer to detect an attack.
Are you providing the compute? Are you providing the transport? If you want to have agency over how the end-user PCs are set up, put some skin in the game or stay out of it.
You can’t treat folks as contractors and then exert the same control over their tools as you would a full employee with company provided tools. Pick a lane and stay in it, or fully commit to the change.
This is a problem both for performance/UX today, and for possible infosec implications in the longer term.
I’d begin by making sure to have robust logs that are stored for a longer term. At least one year. The last thing you need is for a user to retroactively raise a vague performance complaint for the previous year or more, and then you only having 30 or 60 days of logs about what network path was in use.
One possible procedure is to have a process where staff are queried about travel and planned travel. You can say this is for infosec purposes, and if you join forces with HR, then also for tax and legal reasons. With this plan, you play slightly dumb about the VPN angle, and raise concerns about how your logs are showing “travel”. If the users are also playing dumb about VPNs or are ignorant of them, this can potentially turn into a stalemate, however. There’s also the issue that IP address geoloc can never be relied upon absolutely, it’s just intel.
Given the recent combination of WFH, heavy marketing of consumer no-split-tunneling VPNs for “privacy”, and perhaps BYOD, it’s actually a bit surprising that we haven’t seen more about this angle.
Somebody with the authority to do so needs to TELL people not to use these VPN services when doing work. It needs to be clear that it’s an order not a request, and action will be taken against people who don’t comply.
So your users are connecting to your corporate resources with their personal computers that could be malware infested and full of keyloggers and your main concern is the VPN they use?
How robust is your platform?
From a change management point of view I would approach with a couple different things.
If your security platform has the ability to initiate policy acceptance at the time of sign-in, you can use this as a notice for any external connections. Typically you can put your own verbiage in here to say “We’re blocking connections from [Country] on XXXX. Reach out to IT.” This will allow your users access while providing just-in-time notice.
If your security platform can do group based conditional access you can create a blocking mechanism now with a carve out for these 10 people. This plugs the hole and provides time to bail the boat.
As a median point to full compliance, you can remove access to sensitive information providers (email, doc management, CRM, your choice) while granting access to some of the lower sensitivity items until the device comes under compliance.
From strictly a security point of view, you should be determining your risk profile associated with routing things through unexpected locations and then immediately lock it down. However, this doesn’t necessarily work with business operations. I find the highest buy-in comes when there is flexibility. Remember, you didn’t just start having this problem, you have only just become aware of this problem. The boat has been leaking for a while. It’s going to be ok if you take a little while to bail it out.
That all said, make sure you make a game plan, identify the risks and communicate it early. A little CYA never hurt anyone.
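The staged approach in the reply above (geo-block now with a carve-out for the affected users, tiered access by app sensitivity until devices are compliant) and the identity + device posture + certificate requirements from the Zero Trust reply earlier in the thread can be modelled as a single deny-by-default policy. The following is an added example, not any vendor’s conditional access engine: the group names, country codes, app list and expiry date are constructed, and the carve-out is deliberately time-limited so the exception closes on its own.

```python
"""Staged conditional-access evaluation (added example).

Rules, in order, deny by default:
  1. Country must be allowed, unless the user is in a time-limited carve-out
     group (the "plug the hole, bail the boat" phase). Carve-out users get
     access with a sign-in notice rather than silent access.
  2. MFA is always required (identity provider check).
  3. High-sensitivity apps additionally require a compliant device posture
     and an MDM-issued client certificate; low-sensitivity apps do not.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    country: str              # resolved from GeoIP at sign-in
    app: str
    mfa_passed: bool
    device_compliant: bool    # posture attested by endpoint protection / MDM
    device_cert_present: bool  # MDM-issued client certificate


# Constructed policy data.
APP_SENSITIVITY = {
    "mail": "high", "crm": "high", "docs": "high",
    "intranet-news": "low", "timesheet": "low",
}
ALLOWED_COUNTRIES = frozenset({"US"})
GEO_CARVE_OUT_GROUP = "vpn-remediation"          # the ~10 affected users
GEO_CARVE_OUT_EXPIRES = date(2024, 3, 31)        # exception closes itself


def evaluate(req, today):
    """Return (decision, reason) where decision is one of
    'allow', 'allow_with_notice' or 'deny'."""
    notice = False

    # Rule 1: geography, with a time-limited group carve-out.
    if req.country not in ALLOWED_COUNTRIES:
        in_carve_out = (GEO_CARVE_OUT_GROUP in req.groups
                        and today <= GEO_CARVE_OUT_EXPIRES)
        if not in_carve_out:
            return ("deny", f"geo-block: sign-in from {req.country} not allowed")
        notice = True  # allowed for now, but the user is told it is ending

    # Rule 2: identity must be strongly verified regardless of app.
    if not req.mfa_passed:
        return ("deny", "mfa required")

    # Rule 3: app tiering; unknown apps are denied rather than assumed low.
    sensitivity = APP_SENSITIVITY.get(req.app)
    if sensitivity is None:
        return ("deny", f"unknown app {req.app!r}")
    if sensitivity == "high" and not (req.device_compliant and req.device_cert_present):
        return ("deny", "sensitive app requires a compliant, MDM-enrolled device")

    if notice:
        return ("allow_with_notice",
                f"access from {req.country} ends {GEO_CARVE_OUT_EXPIRES.isoformat()}; contact IT")
    return ("allow", f"{sensitivity}-sensitivity app, requirements met")


# Constructed sample requests.
TODAY = date(2024, 2, 1)
SAMPLES = {
    "managed_us_mail": AccessRequest("ann", frozenset(), "US", "mail", True, True, True),
    "personal_us_mail": AccessRequest("ben", frozenset(), "US", "mail", True, False, False),
    "personal_us_timesheet": AccessRequest("ben", frozenset(), "US", "timesheet", True, False, False),
    "carveout_br_timesheet": AccessRequest("cat", frozenset({"vpn-remediation"}), "BR", "timesheet", True, False, False),
    "carveout_br_mail": AccessRequest("cat", frozenset({"vpn-remediation"}), "BR", "mail", True, False, False),
    "nogroup_de_timesheet": AccessRequest("dan", frozenset(), "DE", "timesheet", True, True, True),
    "no_mfa": AccessRequest("eve", frozenset(), "US", "timesheet", False, True, True),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        decision, reason = evaluate(req, TODAY)
        print(f"{name:24s} {decision:18s} {reason}")
```

Running it shows the intended middle ground: a personal device in the US can still reach low-sensitivity apps, a carve-out user abroad is let in with a notice but still cannot open mail from an unmanaged machine, and once the expiry date passes the same request is denied without anyone having to remember to revoke the exception.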
We enrolled all users’ machines in Intune and set up a policy under conditional access so that they can only log in to O365 cloud apps on a compliant device. If they use a personal device or mobile, it will not allow them to connect.
I don’t know, it sounds like a classic case of trying to use technology to hide a personnel and leadership issue.
I use my personal vehicle to drive to work every day. If I decided to bolt on aftermarket parts to it to make it “better” and it became unreliable and caused me to miss or be late to work, should my company try to find a mechanical solution so I can keep my bolt on parts and still get to work?
No. They should tell me to fix my car, find another reliable means of getting to work, or find a new job.
As an IT professional, if I tinker with my home network and cause it to be unstable should my colleagues have to troubleshoot it for me and find me a solution so I can continue working from home?
No. I should go into the office and work from there until I can figure out my personal stuff in my own time.
This isn’t about screwing over your users. This is about your users screwing over your company.
They were hired to and are paid to perform a role. They are doing something that is both unnecessary and directly interferes with that obligation.
I would document the source of their issues and lost productivity in their helpdesk requests and also that they were advised to stop using their VPN service, as the cause of those issues, while performing their work duties.
If they persist in behaviors that hamper their productivity that is an issue for their leadership chain to resolve.
What makes you so sure they use a VPN and are not actually in that country and working from there?
Who would choose to connect and use South America for privacy? I call bullshit, and I bet many of them actually are in that country, not using a VPN, and not in your country (USA?).
Because you aren’t supplying a company owned machine, and they are using their personal machine, you have absolutely NO say in how they connect to your resources.
Should you choose to restrict this in the future, you’ll have to provide your employees with their own company owned machine and then in turn restrict company resources to those machines only via policy.
I’d personally sue the piss off any employer who tried to insist I perform any task with any personal device I own. I choose what happens with my devices. If you would like to make these decisions, you will provide the device and the means to accomplish these tasks.