December 09, 2020 // Tony Howlett // Last Updated: August 09, 2021
Companies of all sizes often turn to virtual private networks, or VPNs, for a critical layer of data security. These solutions are used to protect user information that is transferred over internet connections from unauthorized access. VPNs can successfully shield businesses from outside entities or hackers, but what happens when you allow a vendor or third party to access your core network with one?
Can a VPN protect your company from someone already on the inside? The answer is no. And, this is where they can create security and compliance nightmares.
Although we are all probably very familiar with what a VPN is and what it does, let’s relate it to something we all know and understand: locks on a door. Nearly every door that gets you into somewhere has a lock of some sort on it, whether it’s your house, your business, or even a place where you go to shop or eat. Locks are strong (in theory), but once you start to give away keys to external people (like your neighbor or your coworker) that place is already less secure. Still, you give your neighbor your house key to watch over your place and get your mail while you’re out of town because it’s easy (and feels safer than leaving your mail out on your porch to alert everyone you aren’t home)! Similarly, companies are relying more and more on outside technology providers to execute essential operations on their network. Companies are giving out keys to their network to external entities (like vendors), and more often than not, it’s in the form of a VPN connection. When VPNs are used to facilitate this access, there are a number of security and regulatory concerns that must be resolved.
In 2019, the Department of Homeland Security released two alerts concerning direct attacks against VPNs. The alerts outlined how hackers are targeting VPN vulnerabilities, such as password resets, information sharing, and account recovery features. These vulnerabilities sit at the core of the VPN platform’s functionality, which could allow a bad actor to get access to your network using compromised credentials. Once inside the account, the attacker could change security settings, escalate their privileges, or even attack and try to commandeer other devices within your company. Shared passwords are a major weakness in VPN infrastructure implementations and, unfortunately, a common practice among vendors. This is why network managers need tools specifically designed to mitigate the unique risks associated with external users.
Where VPNs really break down is in multi-user settings, remote access, and desktop sharing. VPNs turn corporate infrastructure into a free-for-all, open to anyone who has login information. Going back to the key analogy, handing out keys opens up your whole house to chaos, and more often than not, VPN access for vendors leaves your whole network open in the same way. Let’s look at a couple of different ways that it affects your network:
Organizations in healthcare, gaming, finance, legal, and other regulated sectors must adhere to a variety of federal, state and local laws aimed at protecting personal and private data. Routine auditing and analysis of your networks, software, and hardware is critical when trying to comply with regulations that require identifying vulnerabilities or breaches.
VPNs offer limited auditing capabilities. While they can assist in tracking network connections, they rarely track employee and vendor behavior. If you’re using only VPNs for vendor access, detailed tracking and auditing become more challenging (if not impossible!) to accomplish.
Things get even worse: VPNs cause more chaos than control when it comes to authorized access. VPNs don’t make it easy for admins to define access permissions at a granular level. This opens the door not only to bad actors, but to unintentional errors that put sensitive data in harm’s way. Although you hope that it never happens, hypothetically, a support technician could easily manipulate settings on the VPN if they have privileged access. They can control IP addresses and split-tunneling settings, which allow internet threats to cross over onto your VPNs and then onto your internal networks and systems. In other words, your company could be making headlines for a data breach if you’re using a VPN for vendor access!
Every user on the network should only be granted access to the networks, servers, and protocols that they need to do their specific job. Anything more puts the entire network and your reputation at risk.
Although it is possible to easily deprovision employee access to VPNs upon termination, it is more challenging to cut off that same access for vendors or third parties. And, if you didn’t know already, employees in other companies routinely share passwords and login information. There is often a long lag between a vendor employee’s termination and their removal from your VPN user list. VPNs must integrate with other solutions to effectively discern authorized users from unauthorized users in near real time. Anything less is a window of vulnerability to disgruntled or nefarious former vendor reps.
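The connection records a VPN does produce can at least be mined for two of the gaps discussed above: one vendor account in use from several places at once (the shared-credential habit) and accounts still logging in after the vendor engagement ended (the deprovisioning lag). The script below is an added example, not code from the original post; the log lines, account names, and vendor roster are constructed, and the roster is assumed to live outside the VPN, for instance in a vendor register.

```python
# Added example (not from the original post): audit constructed VPN session
# logs for shared vendor credentials (overlapping sessions from different
# source IPs) and for logins after the vendor's recorded end date.
from datetime import datetime, date

# Constructed sample log lines: timestamp, account, source IP, event.
VPN_LOG = """\
2021-08-02T09:00:12 vendor-acme 203.0.113.10 CONNECT
2021-08-02T09:03:45 vendor-acme 198.51.100.7 CONNECT
2021-08-02T09:40:00 vendor-acme 203.0.113.10 DISCONNECT
2021-08-02T10:15:30 vendor-globex 192.0.2.44 CONNECT
2021-08-02T11:00:00 vendor-acme 198.51.100.7 DISCONNECT
2021-08-02T11:30:00 vendor-globex 192.0.2.44 DISCONNECT
"""

# Constructed vendor roster: account -> engagement end date.
# Assumption: maintained outside the VPN (e.g. a vendor register).
VENDOR_END = {"vendor-acme": date(2021, 12, 31), "vendor-globex": date(2021, 7, 15)}

def parse_log(text):
    """Return (timestamp, account, ip, event) tuples in log order."""
    rows = []
    for line in text.splitlines():
        ts, acct, ip, event = line.split()
        rows.append((datetime.fromisoformat(ts), acct, ip, event))
    return rows

def shared_credential_accounts(rows):
    """Accounts with overlapping sessions from more than one source IP."""
    active, flagged = {}, set()   # account -> IPs currently connected
    for _, acct, ip, event in rows:
        ips = active.setdefault(acct, set())
        if event == "CONNECT":
            ips.add(ip)
            if len(ips) > 1:
                flagged.add(acct)
        else:
            ips.discard(ip)
    return flagged

def stale_vendor_logins(rows, roster):
    """Accounts that connected after their vendor end date (deprovisioning lag)."""
    return {acct for ts, acct, _, event in rows
            if event == "CONNECT" and acct in roster and ts.date() > roster[acct]}

if __name__ == "__main__":
    rows = parse_log(VPN_LOG)
    print("shared credentials:", shared_credential_accounts(rows))
    print("stale vendor logins:", stale_vendor_logins(rows, VENDOR_END))
```

Both checks run over ordinary connect/disconnect records, so they work even where the VPN itself offers no per-vendor behavior auditing.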
While VPNs can handle things like remote employees or connecting offices, their abilities fall apart quickly when you use them to provide access to partners, vendors, and other third-party users.
What your company needs is a more structured approach to third-party authorization, access control, and audit. To find out more about how VPNs play a role in data breaches when thinking about third-party remote access and vendor access management, check out our helpful and in-depth eBook that talks about the top attack methods.