July 05, 2019 // Tony Howlett // Last Updated: July 08, 2019
A Virtual Private Network (VPN) is perfect for internal employees who need to access the server (or section of the server) from anywhere besides the office. In fact, at SecureLink we use them on our laptops to do just that; if you need to work remotely and need to update something that’s on the server, just use your VPN and you can easily get it done. In addition to allowing employees to work from home or on the road, VPNs can also give vendors access to internal resources they need in order to support company operations.
However, there are a number of problems, concerns, and vulnerabilities when it comes to deploying VPNs, which are crucial to know about. For the sake of this article, we’ve categorized them as the not-so-good, the bad, and the ugly to help you make an informed decision for when it makes sense for you and your organization to implement a VPN.
Third-party vendors may sometimes follow a number of practices that are not optimal, yet are beyond your control – practices that create opportunities for hackers to enter your network.
Example: Sharing credentials with co-workers, or reusing weak passwords from personal accounts that are easily exploited. According to a Verizon report, 76% of network intrusions involved compromised user credentials.
While using VPNs increases security over an unencrypted connection, connection speeds and application performance can decrease due to several factors – such as the time needed to provision and test the VPN, which usually involves other departments such as IT support.
And this must happen before any application or server access can be tested. This two-step process slows things down and often involves personnel who aren’t familiar with the application or the vendor’s use case for getting access in the first place.
The result: Long lag times in getting vendor support technicians on the job, which also impacts your workforce’s productivity and customer service quality.
With VPNs, there’s no centralized remote management. Without the ability to deploy, monitor, and manage all of your connections from a single place, your support personnel must spend a great deal of time supporting the VPN and the connected applications.
Plus, third-party vendors may not have in-house technical support to help with initial setup or everyday issues, and you may require more resources at your helpdesks to assist users, thus increasing your costs of doing business.
When a business uses VPNs to provide third-party vendors access to its network, those vendors either have full access to that network (for example, at the start of a job) or they don’t (when access is revoked after the job ends) – unless the company implements strict network segmentation with firewalls and switches, which adds complexity.
There are no shades of gray, no ability to give partial access only to required resources. The more servers, applications, and network equipment your vendors can access, the more you have at risk.
With a VPN, a vendor can typically access everything. Even if you segment your networks with VLANs, access can still be too broad, or even too narrow, which requires additional troubleshooting and technician time.
VPNs typically provide little or no granular audit records, so you can’t monitor and record the actions of every third-party vendor using the VPN. Usually, all that is logged is connection times, and even then that data is in yet another log to monitor and watch.
Without easy, centralized access to all the historical information on a connection (user, applications accessed, the reason for access, etc.), it is impossible to prove who or what created an issue, should a breach or mistake occur due to a vendor.
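As an added example (not from the original article or from SecureLink), here is one check that can still be run when connection times are all the VPN records: flagging a vendor account with overlapping sessions from different source addresses, a sign of the credential sharing mentioned earlier. The log layout, account names and addresses are constructed for illustration and do not match any particular VPN product.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample: account, source IP, connect time, disconnect time.
# The CSV layout is an assumption, not any VPN product's real log format.
SAMPLE_LOG = """\
vendor_acme,203.0.113.10,2019-07-01T09:00:00,2019-07-01T11:30:00
vendor_acme,198.51.100.7,2019-07-01T10:15:00,2019-07-01T10:45:00
vendor_hvac,192.0.2.44,2019-07-01T08:00:00,2019-07-01T08:20:00
vendor_hvac,192.0.2.44,2019-07-01T08:10:00,2019-07-01T08:40:00
vendor_acme,203.0.113.10,2019-07-02T09:00:00,2019-07-02T09:30:00
"""

def parse_sessions(text):
    """Parse connection records into (account, ip, start, end) tuples."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        account, ip, start, end = [f.strip() for f in line.split(",")]
        sessions.append((account, ip,
                         datetime.fromisoformat(start),
                         datetime.fromisoformat(end)))
    return sessions

def find_concurrent_logins(sessions):
    """Return (account, ip_a, ip_b, overlap_start) for sessions of one account
    that overlap in time but come from different source addresses."""
    by_account = defaultdict(list)
    for account, ip, start, end in sessions:
        by_account[account].append((start, end, ip))
    findings = []
    for account, items in sorted(by_account.items()):
        items.sort()  # order by connect time
        for i, (s1, e1, ip1) in enumerate(items):
            for s2, e2, ip2 in items[i + 1:]:
                if s2 >= e1:  # sorted by start, so no later session overlaps
                    break
                if ip1 != ip2:
                    findings.append((account, ip1, ip2, s2))
    return findings

if __name__ == "__main__":
    for account, ip_a, ip_b, when in find_concurrent_logins(parse_sessions(SAMPLE_LOG)):
        print(f"{account}: concurrent sessions from {ip_a} and {ip_b} at {when}")
```

A hit only shows that one account was in use from two places at once; with nothing but connection times in the log, it cannot say which person was behind either session or what they accessed.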
If your third-party vendors use a VPN to access your network, you may believe that your company data and network are safe; after all, the “P” in VPN does stand for “private”.
Hackers often use VPNs to gain access to networks. If your business has many third-party vendors, and each vendor has full access to your network, a hacker now has multiple potential paths to break into and exploit your network.
Let’s face the facts: One of the easiest ways a hacker enters a network is through a third-party connection – and 59% of companies reported that they have experienced a data breach caused by one of their third parties or vendors.
Given all of the above, do you really want to expose your company to these kinds of risks? Not just risks to your data, but to your company’s reputation, too, should a data breach occur? The answer is clearly no – especially since a better, smarter alternative exists: SecureLink.
With SecureLink, third-party vendor access is given not to your entire network, but only specific areas, based on the (much safer) principle of Least Privilege: vendors can access only the resources they require to get their job done.
Thanks to SecureLink’s Vendor Privileged Access Management (VPAM) solution, you get the advantages of VPNs (allowing third-party access to your network) with none of the negatives. And that’s a very good thing. To learn more about the SecureLink VPAM solution, check out our infographic to better understand how to easily identify, audit, and control vendor access.