July 22, 2019 // Tony Howlett // Last Updated: December 15, 2020
Many organizations face the need to give one or more third-party vendors, as well as employees, remote access to their internal resources. When addressing the need to provide internal (employee) and external (third-party vendor) remote access, an enterprise should compare the primary tools and approaches available for remote support and consider their pros and cons – especially related to maintaining the security of their network. One of the first challenges organizations come across when providing secure remote access is choosing among the available options. To provide some clarity, this post will present a few of the main remote access approaches, with an emphasis on how secure each option is.
To help in this task, let’s compare two widely used options (Virtual Private Networks and desktop sharing), then discuss a third approach (vendor privileged access management) that, in many cases, offers a superior solution.
Despite what the name may suggest, Virtual Private Networks (VPNs) are not always as safe and private as they sound. VPNs may be a viable solution for remote employees and for connecting offices, but in many cases, VPNs are not ideal for third-party remote access. The main issue is the level of security provided by VPNs.
When providing remote access to third-party vendors, login and password credentials are often shared. This practice, while always discouraged, is unfortunately all too common, and creates undue risk for both vendors and their customers.
Vendors have unique needs, requiring more or less access to resources depending on their role. However, with VPNs, roles defined in an access control system typically follow standard settings, with access to email, a CRM, or a reporting system.
Also, vendor technicians become nodes on the network via the VPN, which opens the door to potential snooping and IP address split-tunneling conflicts.
In addition, VPN software platforms often contain bugs that a bad actor can exploit. Microsoft’s PPTP VPN is one example where there are many documented exploits. Cisco, Fortinet, SonicWall, Palo Alto, and most VPN vendors have had these issues, too. In such a scenario, a VPN connection could be allowed even though the remote access policy settings should have denied a connection.
Given the above issues, you might expect that VPNs could leave a company vulnerable to cyber-attack – and you’d be right. In fact, hackers have taken advantage of VPNs to cause data breaches at major companies. In the Home Depot and Target data breaches, bad actors apparently stole VPN credentials, gained network access, and obtained an administrative credential on the server running the vendor’s software. This dangerous combination enabled hackers to move through the network and locate valuable information.
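One way to spot the shared vendor logins described above is to look for a single VPN account with overlapping sessions from different source addresses. The following Python is an added example, not part of the original post or of any SecureLink product; the session record format, account names, and addresses are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records: account,source_ip,login,logout.
# The format is an assumption; adapt parse() to your VPN concentrator's logs.
SESSIONS = """\
vendor-hvac,198.51.100.7,2019-07-01T08:00,2019-07-01T09:30
vendor-hvac,203.0.113.44,2019-07-01T09:00,2019-07-01T10:15
vendor-hvac,198.51.100.7,2019-07-02T08:00,2019-07-02T08:45
jsmith,192.0.2.10,2019-07-01T08:30,2019-07-01T17:00
jsmith,192.0.2.10,2019-07-01T16:00,2019-07-01T18:00
vendor-pos,203.0.113.90,2019-07-01T11:00,2019-07-01T12:00
vendor-pos,198.51.100.23,2019-07-01T12:00,2019-07-01T13:00
"""


def parse(text):
    """Group sessions by account as (login, logout, source_ip) tuples."""
    by_account = defaultdict(list)
    for line in text.strip().splitlines():
        account, ip, start, end = line.split(",")
        by_account[account].append(
            (datetime.fromisoformat(start), datetime.fromisoformat(end), ip)
        )
    return by_account


def shared_credential_findings(text):
    """Return (account, ip_a, ip_b, overlap_start, overlap_end) for every
    pair of sessions on one account that overlap in time but come from
    different source addresses."""
    findings = []
    for account, sessions in sorted(parse(text).items()):
        sessions.sort()  # by login time
        for i, (s1, e1, ip1) in enumerate(sessions):
            for s2, e2, ip2 in sessions[i + 1:]:
                if s2 >= e1:
                    break  # sorted by login: nothing later can overlap
                if ip1 != ip2:
                    findings.append((account, ip1, ip2, s2, min(e1, e2)))
    return findings


if __name__ == "__main__":
    for account, ip_a, ip_b, start, end in shared_credential_findings(SESSIONS):
        print(f"{account}: {ip_a} and {ip_b} both connected {start} to {end}")
```

Different source addresses can also come from NAT or a roaming client, so treat each finding as a prompt to confirm who was using the account.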
Desktop sharing tools (such as Webex and GoToMyPC) were designed to enable remote support of end-user desktops, and while they do provide remote access, they come with their own risks and concerns.
Anyone, in any location, can log into a desktop sharing tool. A remote support session often starts with an employee clicking on a link and surrendering control of a desktop – but if a bad actor has compromised that machine, your company’s sensitive files could potentially become readable to outside eyes, or even locked and used in a ransomware scheme. Or, once a desktop sharing session has been activated, a hacker might try to use that connection to carry out malicious activities on your network.
Desktop sharing can be useful for end-user support. However, when supporting servers, databases, and other enterprise applications, this approach often falls short of the control necessary to keep an enterprise network secure. Also, desktop sharing assumes someone is there to share their desktop to give the technician access. For mission-critical services, unattended access after hours may be required.
While remote support may be achieved by using desktop sharing tools, they lack the strict security controls required by enterprise organizations in highly regulated industries. The level of logging and audit simply isn’t there in most desktop sharing tools, and attribution can be difficult, as it is often hard to determine who took an action: the desktop sharer or the tech who took over.
The degree of security vulnerability inherent in VPNs means that they are not an optimal solution for all use cases and for organizations with both internal and external remote access needs. VPNs may be suitable for providing remote access to employees, but not third-party vendors and certainly not for privileged third-party access. Desktop sharing is another option to consider, and while it can be useful for simple end-user support, education, and other specific cases, this method has a number of security shortcomings when it comes to authentication and access control.
In contrast to VPNs and desktop sharing, SecureLink has created a solution built around the principle of least privilege remote access and protection of privileged accounts with strong auditability. In this approach, vendors are given only limited permissions to move about the network, and can only access the resources they need. Hence, SecureLink’s solution has enterprise security at its core, made specifically for the purpose of providing secure third-party remote access for organizations of any size and industry.
While SecureLink’s solution keeps the advantages of the other two approaches – providing secure remote access for both employees and third parties – advanced features are included to address the security faults of VPNs and desktop sharing. For example, SecureLink provides proactive customer monitoring and password management, whereas VPNs and desktop sharing do not.
Giving third parties access to your network is often a necessary component of doing business. However, providing this access comes with inherent risks. Ignoring these risks, or not properly preparing for them (by using sub-optimal remote access tools), can be dangerous – and should a data breach occur, it can mean a devastating loss of both reputation and money.
The bottom line is, you don’t want to take risks with your company’s bottom line.
So the decision comes down to this: do you want to manage your third-party remote access in the most secure way possible? If the answer is yes, then SecureLink’s platform is the only way to go. Get more details about how SecureLink beats VPNs and desktop sharing for secure remote support and you’ll see why there’s just no comparison.
This post, “Remote access solutions: Which is the most secure?” originally ran on Security Boulevard.