With the SARS-CoV-2 pandemic continuing to hit countries all around the world, many businesses and organizations have turned to remote work as a way of keeping things going. Many employees who now work at home use a virtual private network (VPN) to connect to their company’s internal network. Using a VPN provides you with online privacy and anonymity by creating a private network over your public Internet connection. Often these same employees do their job using virtual desktops, operating system images that run remotely in a datacenter or the cloud, and which deliver the user’s desktop environment remotely over the Internet. What isn’t always clear to the employer is whether the user accessing a virtual desktop over a VPN is a legitimate employee of the company. To shed some clarity on this issue, I asked Nick Roquefort-Villeneuve to delve into the details of this problem. Nick is a technology marketing and communication executive with more than 22 years of experience working with Fortune 100 companies, including Mattel and E*Trade, plus several startups. He recently became director of marketing for 1Kosmos and holds an M.Sc. in econometrics and an MBA in corporate finance. Let’s listen closely to what Nick has to say on this subject.
Challenges facing companies that embrace remote work
A second wave of COVID-19 has started to wash across Europe and the United States. So, who knows when there is going to be a return to normality? For the past several months, many organizations have had to adapt to this “new normal” by allowing employees to work remotely. Surprisingly, productivity has increased by 13 percent, according to the BBC. However, working remotely requires that employees remain diligent when accessing an employer’s systems and internal applications securely. But is even the most conscientious employee enough to avoid risking identity compromises and ultimately data breaches?
The reality about VPN access and virtual desktop authentication
Fact: The chances of being hacked without a VPN are significantly higher than being hacked with one. Having said that, with the new normal and employees working from home and, consequently, accessing company data from offsite locations, serious security concerns have been raised. So, how can an employer actually know whether his or her employee is taking all known and necessary precautions to log into the company’s systems? Is he or she using a VPN? In actuality, it doesn’t really matter because if the employee needs to enter a username and a password for VPN and/or virtual desktop authentication, the company is at risk of a cyberattack. If user data is stored in a centralized repository, then the cybercriminal truly feels like a kid in a candy store.
Passwords expose systems to cyberattacks.
To be frank, passwords are obsolete because hackers have access to inexpensive technology that cracks them in no time. Anyone can buy the needed tools on the Dark Web for a fraction of a bitcoin. Two-factor authentication (2FA) and multifactor authentication (MFA) solutions are far less secure than their vendors want to admit. With only 2FA, an individual’s passwords, which is the first authentication factor, can be stolen. And you can guess what happens with the second authentication factor if an employee clicks on a phishing link. There are 2FA solutions that involve basic biometrics as a second factor of authentication, but Touch ID and Face ID do not identify the person using the phone (you can have multiple fingers/faces registered). Hackers are seasoned criminals, and they can set up or reconfigure two-factor authentication to keep the real account holder out of his or her own accounts. Employing “real” biometrics such as face or iris scanners is cumbersome and expensive — thus why they are almost never in use for remote workers. Until now.
Does bulletproof authentication even exist?
Spoiler alert: Yes, it does, and it is passwordless, but not only. There cannot be bulletproof authentication without an indisputable ID proofing process beforehand that ultimately leaves no room for uncertainties concerning the employee’s identity. Indisputable ID proofing must involve the triangulation of a user claim (photo ID, physical address, for example) with government-issued documents (driver’s license, passport) and multiple sources of truth (bank account, email, and physical addresses, passport RFID chip, credit cards, loyalty programs, etc.), including advanced biometrics, like a liveness test. Government-issued documents, sources of truth, and advanced biometrics operate a series of data checks and verifications to prove an individual’s identity and leverage this process each time the same individual needs authentication to access a system or a service online. This degree of identification reaches the highest level of identity assurance per the NIST 800-63-3 guidelines, or IAL3. 1Kosmos BlockID is the only passwordless solution on the market that focuses on indisputable ID-proofing to reach IAL3.
What more is required to eliminate identity compromises?
The communication between a user and a VPN access or virtual desktop solution is encrypted. But what about the identity information used to authenticate? It is most likely stored unencrypted in a centralized database, which is supported by legacy software, and that operates with numerous single points of failure, making the whole infrastructure a high target for hackers. The only alternative to a centralized system is a decentralized system, with the user data stored encrypted on a private blockchain, which among other benefits, is impervious to cyberattacks. With a blockchain network, most domestic and international guidelines on transparency, privacy rights, and data security are being respected and followed. 1Kosmos stores user data, including their biometrics, encrypted on a private blockchain to ensure their integrity at all times. Of course, like with any blockchain, the key for user data is kept with the user, which means only they can authorize its access.
Lower your risk
No employee, customer, or citizen wants to have his personal and financial information for sale on the Dark Web and endure the consequences of identity theft. No business should risk being the target of a cyberattack because the consequences can be disastrous: loss of credibility, market share, and plunging stock price, among others. BlockID by 1Kosmos eliminates identity compromises. Feel free to contact me to continue the discussion.
Featured image: Shutterstock