Best Practices 05-09-2020

VPN + PKI = a Solution to Secure Remote Worker Access

Brian Trzupek

While working remotely, more employees may need to access the corporate private network to continue business as usual. You need to keep remote workers connected, but you also must secure and control that network access. And as your organization’s VPN usage increases, you need to account for the increased threat exposure: how to prevent attacks, and what policies govern monitoring of VPN usage. Public Key Infrastructure (PKI) is a great option for supporting mobile workforces and controlling virtual network access.

What is a VPN?

As a refresher, a Virtual Private Network (VPN) uses advanced encryption protocols and masks your Internet Protocol (IP) address to give you additional privacy and security. With a VPN you can securely connect to another network over the internet, so your device can send and receive data across a public network as if it were connected directly to a private network. Essentially, with a VPN your computer at home can behave as if it were connected in your office.

A VPN can protect your organization because it can prevent eavesdropping or man-in-the-middle attacks. As mentioned in DigiCert’s tips to securely work from home, you should use a VPN when connecting remotely to access company resources.

Remote access with VPN

You always want to make sure that only those who are authorized to access your network can log in, but this is especially important when people are logging in remotely. Up until a few years ago, the default for VPN access was a username and password, but this was too easy an attack vector for hackers. Nowadays, you are going to want some form of multifactor or strong authentication to keep your VPN access secure. Public Key Infrastructure (PKI), in addition to passwords, is a good option because it offers strong security and controlled management, and it is easy for users to work with.

My favorite example of why I find multifactor authentication with digital certificates advantageous is what I call “The Airplane Test.” When trying to access a corporate VPN from aboard an airliner, I was challenged with a response that was sent to my mobile device. My mobile device has no connectivity at 30,000 feet. So, I could not get into the network. This scenario also plays out in other ways, outside of airplanes, and is a real challenge to usability for multifactor access to networks. In contrast, in that same scenario, I have cryptographically strong two-factor authentication using a digital certificate, and it works from an airplane.

A PKI Solution

A PKI digital certificate is not like a password that anyone could guess; it is cryptographically secure, so you can authenticate it and ensure that it came from your company (or the trusted resource that issued it). Plus, PKI certificates offer you more control: you can revoke access at any time, and each certificate has an expiration date. That way, if an employee leaves the company, you can cut off their access. A PKI solution, coupled with a certificate distribution solution like MDM, can make it completely seamless for your end users to have strong security and retain ease of use.
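The trust decision described above, as an added example that is not from the original post or from DigiCert: a Go program using only the standard library, in which a constructed corporate CA ("Example Corp VPN CA", a made-up name) issues client certificates and a gateway function admits a connection only if the certificate chains to that CA, is inside its validity period, and its serial number has not been revoked. The user names, serial numbers, validity windows and the look-alike "rogue" CA are all constructed for the demonstration; a real gateway takes the certificate from the TLS or IKE handshake (which also proves the client holds the matching private key) and its revocation data from a CRL or OCSP rather than an in-memory map.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates a fresh P-256 key pair for template and signs the certificate
// with parentKey; parent == nil makes it self-signed (a root CA).
func issue(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// newCA builds a self-signed corporate root; "Example Corp VPN CA" is a made-up name.
func newCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	return issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corp VPN CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
}

// newClientCert issues an employee certificate usable only for client authentication.
// The employee's private key is dropped: only what the gateway sees matters here.
func newClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, user string, from, to time.Time) *x509.Certificate {
	cert, _ := issue(&x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    from,
		NotAfter:     to,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca, caKey)
	return cert
}

// authorize is the gateway's decision: the serial must not be revoked (what a CRL
// carries) and the chain must verify against the corporate root at time now, which
// also enforces NotBefore/NotAfter. Returns the authenticated user or the refusal reason.
func authorize(roots *x509.CertPool, revoked map[string]bool, c *x509.Certificate, now time.Time) (string, error) {
	if revoked[c.SerialNumber.String()] {
		return "", errors.New("certificate revoked")
	}
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := c.Verify(opts); err != nil {
		return "", fmt.Errorf("chain validation failed: %w", err)
	}
	return c.Subject.CommonName, nil
}

// Scenario is a constructed walk-through: four connection attempts against one gateway.
func Scenario() map[string]bool {
	now, month := time.Now(), 30*24*time.Hour
	ca, caKey := newCA(now)
	rogueCA, rogueKey := newCA(now) // a look-alike CA the company never trusted
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	attempts := map[string]*x509.Certificate{
		"valid":    newClientCert(ca, caKey, 1001, "alice", now.Add(-time.Hour), now.Add(month)),
		"expired":  newClientCert(ca, caKey, 1002, "bob", now.Add(-2*month), now.Add(-month)),
		"revoked":  newClientCert(ca, caKey, 1003, "carol", now.Add(-time.Hour), now.Add(month)),
		"rogue-ca": newClientCert(rogueCA, rogueKey, 1004, "alice", now.Add(-time.Hour), now.Add(month)),
	}
	// carol has left the company: revoking her serial cuts off only her certificate
	revoked := map[string]bool{attempts["revoked"].SerialNumber.String(): true}
	out := map[string]bool{}
	for name, c := range attempts {
		_, err := authorize(roots, revoked, c, now)
		out[name] = err == nil
	}
	return out
}

func main() {
	fmt.Println(Scenario()) // map[expired:false revoked:false rogue-ca:false valid:true]
}
```

Only the certificate issued by the trusted root, still inside its validity window and not on the revocation list, authenticates (as "alice"); the expired one, the leaver's revoked one and the one signed by the untrusted look-alike CA are each refused with a distinct reason, which is the property the paragraph is relying on when it says a certificate cannot be guessed and can be expired or revoked independently of any password.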

Best Practices Around VPN

In your organization, a VPN is a shared, limited resource, so you should not leave a VPN logged on all the time. While staying on a VPN does not cause security issues, if too many people are using it at once it slows down the network for everyone. A VPN is bandwidth-intensive: the more you use it, the less bandwidth there is for others, and the more infrastructure your company needs to deploy to scale with the increased usage. It is a vicious cycle of resource usage and capital expenditure to ensure scalability.

DigiCert’s team constantly monitors our VPN to keep it working efficiently. You might not have the manpower, or the need, to monitor it closely, but you should at least implement a corporate policy to protect its usage. For instance, you should encourage employees to only use the VPN for necessary work activities.

VPN Usage Etiquette

You should not use a corporate VPN for:

  • Streaming services (Netflix, Spotify, YouTube, Twitch, etc.).
  • Browsing the web for nonwork items.
  • Zoom meetings that don’t require access to applications through VPN.
  • Downloading/uploading large files.
  • Software updates.

You could list out your organization’s use cases for the VPN and ask employees to only use it for official uses. If you notice the bandwidth is still spread thin, then you can control what can be accessed on your network. For instance, if you’re seeing 90 percent of the bandwidth going to Netflix, you can block it.

At the end of the day, a VPN is a useful tool for your organization, but it needs to be protected and controlled because you don’t want to be vulnerable to attackers accessing your network. The best way to keep it secure is through multifactor authentication, like PKI certificates and passwords. You also need to protect its usage by educating employees and implementing policies to keep it running optimally.

