December 22, 2020//Tony HowlettLast Updated: March 11, 2021
If you work within the cybersecurity field, or if you’ve ever worked from home, you’re probably pretty familiar with a virtual private network, or as we all know them, a VPN. VPNs are a staple of enterprise networks and offer a method of secure remote connection between users and the private corporate network. In other words, it gives you the access you need to files (or anything else) that are found locally on a server, but from the comfort of your home (or airport, coffee shop, or anywhere in between).
Now, don’t get us wrong– VPNs are great for what they’re meant for, but the problem is that VPN technology hasn’t really evolved with the changing nature of enterprise business. The perimeter has expanded and fractured with work from home arrangements becoming a norm and many new parties, including vendors and other third parties, needing access to corporate resources. A good example of this is thinking about the COVID-19 pandemic. At the beginning of the pandemic, most people went to work from home– but VPNs continued to stay stagnant.
Pandemic or not, new partnerships and technologies changed the access needs of the user, and network managers were left to maintain a secure environment while also controlling both internal and third-party access.
While many enterprises still use VPNs for all remote access, it’s imperative that all organizations separate the types of users and access needed and now seek alternatives to the limited capabilities of VPNs. In other words, you don’t give all internal employees the same level of access, do you? You need to ensure that the levels of access given to external entities, like vendors or contractors, is tailored specifically to what they need, and nothing more.
In order to discuss solutions that are good VPN alternatives, it’s important to understand exactly what features it delivers for an enterprise and where it is and isn’t a good fit.
A VPN’s main objective is to secure the data traffic while it is in “motion” to and from the host network. A VPN is not a good catch-all technology for all remote access use cases, especially for third parties and vendors.
The following platforms are some additional solutions to consider as VPN alternatives.
An Identity & Access Management, or IAM, platform can provide additional protections for a VPN. Instead of only needing a username and password, identity management technology can incorporate a comprehensive (and necessary!) verification process.
A post-it note, spreadsheet, or email is not the only key needed to access network systems. This solution enables you to implement multi-factor authentication on top of the VPN connection. You can also integrate it with your vendor’s IAM solution to delegate the authority to them.
Now, session activity is connected to the individual user, and network managers can be sure they have authorized access.
In addition, this solution allows for access privileges to be tied to the user, not just a connection so other functions can be tracked.
Often, IAM solutions provide additional levels of access so that users can only access the resources they are authorized to use.
However, while this VPN alternative (or a solution to pair with your VPN) manages identity protocols allowing for more granular activity monitoring, it does not provide any additional protections for privileged credentials such as server or domain administrators. In order to securely manage the credentials for privileged accounts, a different solution is needed.
If identity management establishes the identity of individual users and authorizes them, privileged access management (PAM) tools focus on managing privileged credentials that access critical systems and applications with a higher level of care and scrutiny.
These high-level accounts must be managed and monitored closely, as they present the largest risk to security. These high-level accounts are targets for bad actors because of the administrative capabilities they allow.
The key areas of a PAM solution include advanced credential security like the frequent rotation of complex passwords, obfuscation of passwords, systems, and data access control, and user activity monitoring. These features reduce the threat of unauthorized privileged credential use and make it easier for IT managers to spot suspicious or risky operations.
Another critical element that VPNs lack is the ability to enforce least privilege policies. PAM tools allow network managers to ensure that users only gain access to the applications and systems that they need at the time they need them.
As an enterprise business expands, they will have a growing number of technology partners that require some level of privileged access to networks and systems. These third-party privileged accounts introduce a unique challenge that a PAM solution alone cannot address.
When an enterprise has vendors, partners, or IT consultants, remote network access is often required to support their technology and applications. With that, privileged access is often necessary. These elevated permissions require more advanced security than internal access accounts, which often have more limited oversight. Additionally, vendors can have many support representatives that join and leave the organization. You hired the company, not the reps! Because of this, it becomes challenging for an internal IAM or PAM solution to manage all of the moving parts when thinking about external entities accessing your network and confidential information.
To mitigate these risks, a vendor privileged access management, or VPAM, solution allows for controlled onboarding, elevation, and termination of access privileges for external users.
In addition, new proposed regulations concerning remote access require specific features to stay in compliance. VPAM solutions incorporate those guidelines to offer robust authentication protocols, access controls, and auditing tools while ensuring compliance at all times.
It’s important to note that you shouldn’t go and “throw out” your VPN after reading this blog. VPNs are helpful and necessary, just not for third-party remote access. Today, we’re regularly inundated with options for everything in our lives, whether it’s software or a new pen. It’s important to understand your needs no matter what you’re researching to purchase so that you’re able to choose the best option for you.
If you’re looking for a solution that was built for third-party vendor remote access, check out our brochure that helps you better understand your options and can help you choose the best tool for your company’s vendor access management program.