A new alternative to the traditional VPN solution and authentication

Traditional VPN and authentication solutions have their shortcomings in usability and security. How can we tackle these today? Enhance security and usability now with Direct Access and eID authentication.

  • Sebastiaan Tempels
  • October 1, 2014

When it comes to investing in infrastructure, most people think of hardware, virtualization, storage or networking. Investing in these products often involves proving ROI, CAPEX, OPEX or TCO, and these can all be measured. But one of the most forgotten investments, and one that is not so easy to measure, is security. A security breach often means a disaster for the company, and yet not much effort is invested in prevention.

Security can be broken down into numerous parts, like network access security (keeping unwanted guests off your wired and wireless network), intrusion detection (keeping hackers out of your network) and secure access. This last part is all about identifying the user: is this person really who he claims to be? Companies that do invest in security have a security officer in place; administrators know him as the paranoid person who wants to lock down all systems. He makes accessing them a struggle by demanding a complex password that has to be long enough, that you have to change frequently and that can’t be reused. If you are working remotely, you have to start a VPN client and you have to log in with a second token. Although these measures may seem annoying, they actually have a purpose: securing the environment. But make them too difficult and users start writing down their passwords, making the effort useless.

Don’t be mistaken: if a hacker really wants to hack your system, he probably will in due time. Even the most secure environments have leaks because of human error, whether in the program code or in the way access to a system is granted. Someone once told me that the most secure system is one that is not connected to a network and that no user can log on to. Maybe so, but what could be the use of such an isolated system? The point being, security is always a balance between implementing security and usability. The goal is to keep hackers out long enough so that they lose interest. If you make it easy, they will strike just for fun, because they can. Make it harder to get in and they’ll start losing interest because it is taking them too long.

Two solutions that keep the balance between security and usability are Direct Access and two-factor authentication. Direct Access is a new solution that replaces the classic VPN solution. It was first released in Windows Server 2008 R2, but the requirements back then were so complicated that it was barely used. Since the release of Windows Server 2012 the requirements are not that complicated anymore, so it is used more frequently. Unlike many traditional VPN connections, which must be initiated and terminated by explicit user action, Direct Access connections are designed to connect automatically as soon as the computer connects to the Internet. Devices can reach corporate resources and be managed as if they were in the network. It is a more flexible and user-friendly way for your employees to work from anywhere. If you are wondering whether that is secure: like every solution it can be hacked, but you need a corporate computer that is part of your domain and user credentials to log in on that computer. Should this not be sufficient for your security officer, you can add a second authentication on top of that (in fact that’s a third factor) in the form of a token, but this requires extra user input. In short, Direct Access is the ultimate replacement technology for VPN to connect your mobile computers to the corporate network securely and without user action.

The second solution that I would want to talk about is eID authentication. What if you could authenticate your users on their computer in a secure way? Instead of users entering their username and password, input that you just have to know, you can use two-factor authentication: something you know combined with something you have. A few options are possible for the “something you have” part: a hardware token that generates unique numbers, or a software token that texts you a unique number. But there is something else that can serve as a hardware token, and every Belgian citizen has it. I’m talking about the Belgian eID, which contains a unique personal certificate and serves as the something you have, while its PIN code serves as the something you know. This two-factor alternative can be used to log the user in on the corporate computers and is more secure than a username/password. In short, it is a nice alternative and a secure way to log in to your computer.

Ordina has the expertise to implement these and other security solutions that your organization may need. Contact us to discuss your IT security concerns.