Why VPNs are a compliance nightmare

December 03, 2019 // Tony Howlett

Last Updated: November 19, 2020

Companies of all sizes often turn to virtual private networks, or VPNs, for a critical layer of data security. These solutions are used to protect user information transferred over internet connections from unauthorized access. VPNs can successfully shield businesses from outside entities or hackers, but what happens when you allow a vendor or third party to access your core network with one? Can a VPN protect your company from someone already on the inside?

The answer is no. This is where they can create security and compliance nightmares.

VPNs act like locks on a door. The lock is strong, but once you start to give away keys the room becomes vulnerable. Companies are relying more and more on outside technology providers to execute essential operations on their network. If VPNs are used to facilitate this access, there are a number of security and regulatory concerns that must be resolved.

Just two weeks ago, the Department of Homeland Security released two alerts concerning direct attacks against VPNs. The alerts outline how hackers are now targeting weaknesses in VPN features such as password resets, information sharing, and account recovery.

These weaknesses sit at the core of the VPN platform's functionality, which could allow a bad actor to get access to your network using compromised credentials. Once inside the account, the attacker could change security settings, escalate their privileges, or even attempt to commandeer other devices within your company. Shared passwords are a major weakness in VPN deployments and, unfortunately, a common practice among vendors. This is why network managers need tools specifically designed to mitigate the unique risks associated with external users.

How VPNs Break Down in Corporate Settings

Where VPNs really break down is in multi-user settings, remote access, and desktop sharing. VPNs cause corporate infrastructure to become a free-for-all, open to anyone who has login information. It affects your network on numerous levels. For example:

Auditing

Organizations in healthcare, gaming, finance, legal and other regulated sectors must adhere to a variety of federal, state and local laws aimed at protecting personal and private data. Routine auditing and analysis of your networks, software, and hardware is critical when trying to comply with regulations that require identifying vulnerabilities or breaches.

VPNs offer limited auditing capabilities. While they can assist in tracking network connections, they rarely track what employees and vendors actually do once connected. If VPNs alone are used for vendor access, detailed tracking and auditing become much harder to accomplish.

Access Control

VPNs cause more chaos than control when it comes to authorized access. VPNs do not make it easy for admins to define access permissions at a granular level. This opens the door not only to bad actors, but to unintentional errors that put sensitive data in harm's way. A support technician with privileged access could manipulate settings on the VPN itself: for example, IP address assignments and split-tunneling settings, which can allow internet threats to cross over onto your VPN and from there into your internal networks and systems.

Every user on the network should only be granted access to the networks, servers, and protocols that they need to do their specific job. Anything more puts the entire network at risk.

Authentication

Although it is easy to deprovision employee access to VPNs upon termination, it is more challenging to cut off that same access for vendors or third parties. Employees of other companies routinely share passwords and login information. There is often a long lag between a vendor employee's termination and their removal from your VPN user list. VPNs must integrate with other solutions to effectively discern authorized users from unauthorized users in near real time. Anything less leaves a window of vulnerability open to disgruntled or nefarious former vendor reps.
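The deprovisioning lag described above is measurable. The following added example (not the author's code, and not any VPN product's API) reconciles a constructed VPN account list against a constructed vendor roster with contract end dates, and reports every still-enabled vendor account that is past its end date, how many days it has been exposed, and whether it was used after that date. The record fields and the `today` parameter are assumptions for illustration.

```python
from datetime import date

# Constructed sample data: the VPN appliance's local account list.
VPN_ACCOUNTS = [
    {"user": "acme-support", "org": "ACME", "enabled": True, "last_login": date(2020, 11, 18)},
    {"user": "acme-dba", "org": "ACME", "enabled": False, "last_login": date(2020, 9, 30)},
    {"user": "globex-noc", "org": "Globex", "enabled": True, "last_login": date(2020, 11, 10)},
    {"user": "initech-old", "org": "Initech", "enabled": True, "last_login": date(2020, 6, 2)},
]

# Constructed sample data: what procurement / vendor management says about each login.
VENDOR_ROSTER = [
    {"user": "acme-support", "org": "ACME", "end_date": date(2020, 10, 1)},
    {"user": "acme-dba", "org": "ACME", "end_date": date(2020, 10, 1)},
    {"user": "globex-noc", "org": "Globex", "end_date": date(2021, 3, 31)},
    # "initech-old" has no roster entry at all: nobody currently vouches for it.
]


def stale_vendor_accounts(accounts, roster, today):
    """Return enabled VPN accounts that should already have been removed.

    Each finding carries the reason, the exposure window in days since the
    vendor's end date (None when the account is simply unknown to the roster),
    and whether the account was used after that end date.
    """
    by_user = {r["user"]: r for r in roster}
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already deprovisioned; nothing to report
        entry = by_user.get(acct["user"])
        if entry is None:
            findings.append({"user": acct["user"], "reason": "not on vendor roster",
                             "days_exposed": None, "used_after_end": None})
            continue
        if entry["end_date"] < today:
            findings.append({"user": acct["user"], "reason": "past vendor end date",
                             "days_exposed": (today - entry["end_date"]).days,
                             "used_after_end": acct["last_login"] > entry["end_date"]})
    return findings


if __name__ == "__main__":
    for f in stale_vendor_accounts(VPN_ACCOUNTS, VENDOR_ROSTER, date(2020, 11, 19)):
        print(f)
```

Run against real data, the same reconciliation can be scheduled daily so the window between a vendor's termination and the account's removal is reported rather than discovered.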

Find a Secure and Compliant Alternative to VPNs

While VPNs can handle things like remote employees or connecting offices, their abilities fall apart quickly when you use them to provide access to partners, vendors, and other third-party users.

What your company needs is a more structured approach to third-party authorization, access control, and auditing. To find out more about the top VPN alternatives, check out our brochure, which highlights the importance of having a separate software platform specifically to manage vendors' privileged access to systems, networks, and applications.
