As part of my employees' training, one of the modules that was part of my KnowBe4 training was beating into my users how they should not use public Wifi etc.
One of the users challenged me last week and asked if the organization should supply a VPN for users to use whenever they feel like, and possibly forever when they are outside of the office.
Backstory here is that we are now in Azure AD, and adopting Zero Trust, so no ‘internal’ network needs to exist for proper DC-like communications. Nor do I want to build and set up VPNs for all my users back to our main office to drag down our network.
My thought here was that maybe it wasn't a bad idea, and maybe we could get a corporate rate on something like ExpressVPN etc. But that doesn't sit well with me either.
I wouldn’t use a commercial VPN service for business use… At least not like ExpressVPN and the like… We use Palo Alto Global Protect for our VPN service. I can’t speak to Pulse Secure, we’ve never used it, but I’ve dealt with vendors that have, and they seem to like it.
Publicly available or commercial VPN services don’t offer any inherent security benefit. Connections that matter should all be over encrypted protocols. In terms of privacy, browser fingerprinting and the like really diminish any benefits to a VPN service.
Also, even if they would help, where are the security certifications for the providers? Are they really trustworthy? What’s to stop a malicious competitor or nation state from running a VPN provider under the guise of it being more secure, when in reality it just makes their job easier?
If your users do need a VPN on public WiFi, you should be providing them a corporate VPN from a trusted vendor (AnyConnect, GlobalProtect, Zscaler, etc).
Edit: if you have internal applications that can’t be secured properly or if privacy is a big deal, there can be immense benefit to using corporate VPNs. My first paragraph has been updated to reflect that I was talking about public VPN services.
A single HTTP request (that is immediately redirected to HTTPS) is enough to leak an insecure cookie and provide someone sniffing access on your behalf to whatever service you are accessing. Sure, HSTS and secure cookies exist, but even today they are often not implemented, or not implemented correctly.
I think you vastly overestimate how security aware a lot of web developers are. I work at a web agency where we regularly take over management/maintenance of old websites from smaller agencies or solo developers. We always run a security scan / audit when taking control, and cookies missing the secure flag is by far the most common vulnerability we come by.
Be it because the developer just isn't aware of the threat, or developed on localhost without SSL, or just the application not being aware that it is hosted behind an SSL-terminating loadbalancer/reverse proxy (like in container environments), we've seen it all and we see it regularly. We have the luxury of having the scale to invest in SecOps/DevSecOps and educate our developers on these topics, but in many places that just isn't the case.
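The kind of take-over audit the post above describes, checking each Set-Cookie for the Secure/HttpOnly/SameSite flags and the response for a usable HSTS header, as an added example that is not code from either poster; the response headers are constructed, and the one-year HSTS max-age threshold is an assumed policy value.

```python
import re  # added example: audit constructed response headers for the cookie/HSTS gaps discussed above

def parse_set_cookie(header_value):
    """Split 'name=value; Attr; Attr=val' into (name, {attr_lower: val})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return parts[0].partition("=")[0].strip(), attrs

def audit_cookie(header_value):
    """Return (cookie name, list of missing hardening attributes)."""
    name, attrs = parse_set_cookie(header_value)
    missing = []
    if "secure" not in attrs:  # without Secure, one plain-HTTP request leaks the cookie
        missing.append("Secure")
    if "httponly" not in attrs:  # without HttpOnly, script in the page can read it
        missing.append("HttpOnly")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        missing.append("SameSite=Lax/Strict")
    return name, missing

def audit_hsts(headers):
    """headers: dict keyed by lower-cased header name. Returns a short verdict."""
    value = headers.get("strict-transport-security")
    if value is None:
        return "missing"
    match = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    if not match:
        return "no max-age"
    # 31536000 s = one year, an assumed minimum for a meaningful HSTS policy
    return "ok" if int(match.group(1)) >= 31536000 else "max-age below one year"

def audit_response(header_list):
    """header_list: (name, value) pairs, so repeated Set-Cookie lines are all kept."""
    plain = {n.lower(): v for n, v in header_list if n.lower() != "set-cookie"}
    cookies = dict(audit_cookie(v) for n, v in header_list if n.lower() == "set-cookie")
    return {"hsts": audit_hsts(plain), "cookies": cookies}

# Constructed sample: what an app unaware it sits behind a TLS-terminating proxy tends to emit.
SAMPLE_RESPONSE = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "PHPSESSID=s3ss10n; Path=/"),  # no flags at all
    ("Set-Cookie", "csrftoken=t0k3n; Path=/; Secure; SameSite=Lax"),  # HttpOnly missing
    ("Set-Cookie", "auth=t0k; Path=/; Secure; HttpOnly; SameSite=Strict"),
]

if __name__ == "__main__":  # stand-alone run prints the findings for the sample
    for cookie, gaps in audit_response(SAMPLE_RESPONSE)["cookies"].items():
        print(cookie, "missing:", ", ".join(gaps) or "nothing")
```

Feeding it the headers from a real `curl -sI` capture of a site being taken over is the intended use; the HSTS verdict will read "missing" for the sample above because no Strict-Transport-Security header is present.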