August 20, 2019 // Tony Howlett // Last Updated: November 19, 2020
When an organization needs to provide employees or third parties remote access to its network, there are a number of solutions available. In this post, we’ll discuss the most popular types of remote access – VPNs, desktop sharing, PAM, and VPAM.
When employees need to remotely access their company files, a virtual private network (VPN) is often the tool of choice. VPNs are designed to give employees the online privacy and anonymity they (and their company) require, by turning a public internet connection into a private network. VPN software creates a “data tunnel” between the corporate network and an exit node in another location (such as your workplace), which may be anywhere in the world. In other words, VPNs provide a kind of telepresence: they can make it seem as if you are at the office on your company machine with all of your applications and files at your disposal.
To fully achieve its goals, a VPN must accomplish two important tasks:
VPNs achieve this second step by encrypting data; these encryption and masking features help protect your online activities and keep them anonymous.
Since VPN services establish secure and encrypted connections, an organization’s employees can get the remote access they need with greater privacy than the public internet offers. But, let’s face it: using an unsecured WiFi network is simply not an option for company users, because your private information would be totally exposed to anyone snooping on that network.
For all these reasons, VPNs have become a popular option for companies who need to give their employees remote access, but want to provide online security and privacy.
VPNs are certainly an improvement over using unprotected methods to remotely access an organization’s network, and in certain business environments, they can provide a useful service. However, VPNs carry a number of drawbacks and inherent risks. Let’s examine a few of the major issues.
While VPNs may be good for giving remote access to internal employees, they are not the optimal solution for three crucial tasks: identifying, controlling, and auditing third-party vendors. VPNs simply don’t have the degree of granular control needed to properly monitor or restrict where a vendor can go and what they can do on a company’s network.
A note of caution for those thinking of using VPNs: their reputation has suffered a major blow due to their implication in a number of serious data breaches. National news stories have reported on how hackers exploited VPNs to cause data breaches at several major companies.
For example, in the case of the data breaches suffered by Home Depot and Target, malicious actors apparently stole VPN credentials that gave them access to company networks, and the hackers also obtained an administrative credential. This combination let them infiltrate and move through company networks. (And yes, when Target becomes a target, that is indeed ironic).
Hackers have also exploited VPNs in prolonged multi-stage cyberattacks. As detailed in a 2018 US government alert, Russian cyber activity targeted “trusted third-party suppliers with less secure networks”, “leveraging remote access services … such as VPN, RDP, and Outlook Web Access (OWA)” to exploit the insecure infrastructure of those third-party suppliers and gain access to other, final targets. VPNs are specifically mentioned by name in the alert as a major initial access point for hackers.
Another drawback to using VPNs for remote access: they may expose organizations to compliance or regulatory risk. As cyberattacks have become more costly, sophisticated, and frequent, some policy-making groups have imposed tougher standards on their auditing processes, and regulators are asking tougher questions about third-party access methods. Many remote access tools such as VPNs may not be able to provide the level of audit detail required, and so fail to meet these higher standards.
Desktop sharing is another way organizations can provide remote access to users. These software tools can provide real-time sharing of files, presentations, or applications with coworkers, vendors, or other clients. Desktop sharing makes many applications possible, including remote support, webinars, online conferences with audio and visual content (presentation sharing), and real-time global collaboration on projects.
Another application of desktop sharing is remote login for workers who need access to their work computers from any Web-connected device (desktop, laptop, phone, or tablet).
Like VPNs, desktop sharing software tools come with a number of drawbacks.
First, there are authentication risks. Anyone, anywhere, can log into a desktop sharing tool if they have the credentials, meaning they have access to the whole network as if they were in the building. During a remote support session, if an employee surrenders control of their machine to a remote rep whose account has been compromised, your company’s internal sensitive files could become visible to bad actors and used for nefarious purposes.
Second, desktop sharing tools are not the best solution for supporting enterprise environments. While these tools can be utilized to provide desktop support and handle helpdesk tasks, they typically don’t have the security and functionality required for complex enterprise remote support such as server or application maintenance. They often lack the strict security controls (logging and audit) that enterprises in highly-regulated industries need. Also, while desktop sharing can be useful for end-user support, there are additional tools and protocols needed when supporting servers, databases, and other enterprise applications.
To go beyond VPNs and desktop sharing, you need an alternative that can manage identities more closely than general-purpose IAM technologies such as Active Directory can. This is especially true of the privileged or admin accounts used for many enterprise-level support tasks. In order to securely manage credentials for privileged accounts, a better solution was developed: Privileged Access Management, or PAM.
PAM is a set of tools and technologies that can be used to secure, control, and monitor access via privileged accounts to an organization’s resources. The most effective PAM solutions address several areas of information security defense, such as advanced credential security, systems and data access control, credential obfuscation, and user activity monitoring. Ensuring continuous oversight of these target areas helps lower the threat of unauthorized network access, and makes it easier for IT managers to uncover suspicious activity on the network.
Best practices in PAM indicate that least privilege protocols should be enforced, where users only have access to the specific limited resources they need, rather than free rein to roam the entire network. In addition, network managers should be able to restrict or expand user access as needed, in real time.
Many organizations need to provide privileged accounts to two types of users: internal users (employees) and external users (technology vendors and contractors). However, organizations that use vendors or contractors must protect themselves against potential threats from these sources. External users pose a unique threat because network managers cannot control the security best practices of their vendor partners; they can only protect against risky user behavior.
Vendor privileged access management (VPAM) refers to solutions that address the risks posed by these external vendors and contractors, which are unique to third-party remote access users. As the name implies, VPAM is related to PAM – but there are key differences. Traditional PAM solutions are designed to manage internal privileged accounts, based on the reasonable assumption that admins know the identity and employment status of each person accessing the network. However, this is not the case with third-party users, and so VPAM solutions use multi-factor authentication to provide an extra layer of protection.
In general, network managers and admins must be able to identify and authenticate external users via more advanced VPAM methods that can confirm these users are connected to active vendor employee accounts. A strong, effective VPAM solution will be able to continuously monitor vendor user activity, using detailed tracking to provide optimal protection against unauthorized use.
Both PAM and VPAM have the same overall goal: maintaining network security for all users who have advanced permissions, whether they be internal or external.
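To make the least-privilege, real-time revocation and vendor-identity points above concrete, here is a small constructed Python model of a VPAM-style access broker. It is an added example, not SecureLink’s product or code: the `Grant`, `VendorAccessBroker`, vendor user names, resource names and timestamps are all assumptions made up for illustration. Each request is checked against the vendor’s attested employee list, MFA, a per-resource time-bound grant and the grant’s allowed actions, and every decision (allow or deny) is written to an audit log.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Grant:               # one narrow, time-bound permission for an external user
    vendor_user: str       # identity as known in the vendor's own directory
    resource: str          # a single host or app, never "the whole network"
    actions: frozenset     # least privilege: only the operations the task needs
    expires: datetime      # stale after this time, and revocable before it

@dataclass
class VendorAccessBroker:  # constructed stand-in for a VPAM gateway (hypothetical)
    active_vendor_users: set   # users the vendor attests are still employed
    grants: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)
    def revoke(self, vendor_user, resource):  # admin pulls access in real time
        self.grants = [g for g in self.grants
                       if (g.vendor_user, g.resource) != (vendor_user, resource)]

    def authorize(self, vendor_user, mfa_verified, resource, action, now):
        # Every decision, allow or deny, becomes an audit record.
        decision = self._decide(vendor_user, mfa_verified, resource, action, now)
        self.audit_log.append({"time": now.isoformat(), "user": vendor_user,
                               "resource": resource, "action": action, "decision": decision})
        return decision

    def _decide(self, vendor_user, mfa_verified, resource, action, now):
        if vendor_user not in self.active_vendor_users:
            return "deny:not-an-active-vendor-employee"
        if not mfa_verified:
            return "deny:mfa-required"
        live = [g for g in self.grants if g.vendor_user == vendor_user
                and g.resource == resource and g.expires > now]
        if not live:
            return "deny:no-live-grant-for-resource"
        if not any(action in g.actions for g in live):
            return "deny:action-outside-grant"
        return "allow"

NOW = datetime(2020, 11, 19, 12, 0, tzinfo=timezone.utc)  # constructed timestamp
def build_demo_broker(now=NOW):
    # Constructed sample: one vendor engineer with a two-hour grant on one host only.
    broker = VendorAccessBroker(active_vendor_users={"alice@vendor.example"})
    broker.grants.append(Grant("alice@vendor.example", "db-prod-01",
                               frozenset({"read-logs", "restart-service"}), now + timedelta(hours=2)))
    return broker

if __name__ == "__main__":
    b = build_demo_roker() if False else build_demo_broker()
    print(b.authorize("alice@vendor.example", True, "db-prod-01", "drop-table", NOW), b.audit_log[-1])
```

Contrast this with a VPN login, which grants the whole network once the credential is accepted; here an out-of-scope action, an unknown vendor user, a missing second factor, an expired grant and a revoked grant all fail individually and each failure is recorded.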
We have seen that there are several options available to organizations when it comes to providing users with remote access, but these often come with limitations or drawbacks. VPNs may be good for internal employees, but are not optimal for third-party vendors. Desktop sharing tools may be useful for desktop support and helpdesk, but are not good for complex enterprise remote support. PAM provides improvements over VPN and desktop sharing, but there is only one solution that combines the best of all these types of remote access technologies into one, is purpose-built for vendors, and avoids their drawbacks: VPAM.
Vendor privileged access management provides the most secure third-party remote access. VPAM follows the least privilege protocol (with users only having access to the specific resources they need, and nothing more), making third-party remote access a safe, secure, and efficient process. Plus, it comes with built-in enterprise-grade security and auditing features.
We at SecureLink enable organizations to properly identify, control, and audit third-party vendors. For vendors, SecureLink offers the perfect solution in its remote access support platform, thanks to the three E’s: it’s easy, efficient, and ensures compliance (and reduces liability when supporting customers).
To learn more about how VPAM platforms compare with VPNs and desktop sharing tools, check out this detailed comparison guide, which will help you determine the best path to take for securely managing third-party remote access.