The use of virtual private networks (VPNs) in the enterprise has come a long way. What was once a simple way to ensure a secure connection between an external network and a company’s internal network has become increasingly difficult to manage.
The current line between internal and external is blurry, and enterprises must deal with a growing number of contractors and third-party vendors that need remote access to corporate networks. Administering these various network privileges can be daunting — and as the threat landscape continues to shift, VPN security may not be enough.
VPNs 101
Before exploring whether or not VPNs are falling out of favor, it’s important to define a corporate VPN and how it differs from a personal VPN. Personal VPNs — such as Private Internet Access, VyprVPN and ExpressVPN — can encrypt any data going in or out of a device or laptop from a public or home network. At home, you may use these services to bypass georestricted sites or to keep your activity private. At a coffee shop or airport, for example, you may use them for privacy and security.
Corporate VPNs, according to Comparitech privacy advocate Paul Bischoff, are essentially portals that allow staff members to access internal company resources from anywhere in the world, just as if they were in the office. In this scenario, access control happens in much the same way that it does on a local machine: each employee is given an account with a certain level of access.
“Guest, user and administrator access are typical, but a corporation might have more,” Bischoff said. “A password and possibly two-factor authentication are required to log into these accounts via the VPN.”
The Larger the Perimeter, the Greater the Risk
While VPN protocols themselves are cryptographically sound, individual connections are not immune to compromise. A breached VPN connection is usually the result of either human error or weak encryption choices.
“Different VPNs use different tactics and levels of security, so some are more secure than others,” Bischoff said. “For example, VPNs that employ perfect forward secrecy are much more secure than those that don’t.”
Karl Lankford, senior solutions engineer at Bomgar, explained that while it’s a common practice, using a VPN to facilitate secure remote access to critical systems is no longer a suitable solution.
“The most obvious challenge is ensuring that the user and the machine they are connecting with are not compromised,” Lankford said. “After all, you have provided a direct, trusted connection right past all perimeter defenses.”
While breaking the VPN itself may not be easy, its users are routinely compromised by threat actors using sophisticated, automated tools. With so many employees and third parties requiring access, managing that access becomes an administrative nightmare. By extending the perimeter of your network to every remote endpoint, your risk increases dramatically.
As the security landscape has developed, Lankford stressed, it has become apparent that VPN technology is too exposed to facilitate connections like these, because it was not designed to provide granular control.
Overcoming VPN Security Challenges
So, what can today’s enterprises do to keep things under control? Generally speaking, it’s best to combine VPN access policies with network segmentation policies. However, third-party access to your network can introduce significant challenges.
“If the vendor happens to be breached, cybercriminals can abuse this VPN access to get onto the vendor’s network and begin recon and exfiltration work,” Lankford said. “However, by implementing a modern, secure remote access solution, organizations can monitor who has privileged access to the company’s network and how they’re using it. Recording this activity through session monitoring will allow organizations to identify who these privileged users are and assess their IT permission levels.”
To minimize the security risk surrounding this access, third parties should only be granted access to the systems they need to perform their jobs successfully.
“This level of granular control cannot be done effectively through VPN, and organizations should look instead at more modern privileged access solutions,” Lankford said. “Those solutions include privileged access management [PAM], which ensures that third parties do not have the physical foothold in the network that they do with a VPN. PAM allows you to give vendors access to your network without a VPN connection and enables security professionals to control, monitor and manage access to critical systems by privileged users, including third-party vendors.”
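As an added illustration (not code from the article or from any product it mentions), the following Python models the combination of VPN access policy and network segmentation recommended above: each third party gets its own VPN address pool, may reach only the listed systems and ports, critical segments are off-limits regardless, and every attempt produces an audit line for session review. The vendor names, addresses and services are constructed sample values.

```python
import ipaddress

# Constructed sample data: a VPN address pool per third party, and the internal
# systems each vendor may reach. Anything not listed is denied (least privilege).
VENDOR_POOLS = {
    "hvac-vendor": ipaddress.ip_network("10.200.1.0/24"),
    "db-consultant": ipaddress.ip_network("10.200.2.0/24"),
}
# Each rule: (destination host or subnet, protocol, port)
VENDOR_ALLOW = {
    "hvac-vendor": [("10.10.50.0/28", "tcp", 443)],
    "db-consultant": [("10.10.20.5/32", "tcp", 5432), ("10.10.20.6/32", "tcp", 5432)],
}
# Segments no third-party VPN user may reach, whatever their vendor rules say
CRITICAL_SEGMENTS = [ipaddress.ip_network("10.10.0.0/24")]  # e.g. identity servers

def vendor_for(src):
    """Map a VPN-assigned source address back to the vendor account that owns it."""
    addr = ipaddress.ip_address(src)
    for name, pool in VENDOR_POOLS.items():
        if addr in pool:
            return name
    return None

def evaluate(src, dst, proto, port):
    """Return (decision, audit_line). Default deny; critical segments always denied."""
    vendor = vendor_for(src)
    dst_addr = ipaddress.ip_address(dst)
    if vendor is None:
        decision, reason = "DENY", "unknown VPN source"
    elif any(dst_addr in seg for seg in CRITICAL_SEGMENTS):
        decision, reason = "DENY", "critical segment"
    elif any(dst_addr in ipaddress.ip_network(net) and proto == p and port == prt
             for net, p, prt in VENDOR_ALLOW.get(vendor, [])):
        decision, reason = "ALLOW", "vendor rule"
    else:
        decision, reason = "DENY", "no matching rule"
    audit = f"vendor={vendor or '-'} src={src} dst={dst}:{port}/{proto} {decision} ({reason})"
    return decision, audit

def access_review(vendor):
    """List what a vendor can reach, for periodic reviews of its permission level."""
    return [f"{net} {proto}/{port}" for net, proto, port in VENDOR_ALLOW.get(vendor, [])]

if __name__ == "__main__":
    for req in [("10.200.1.7", "10.10.50.3", "tcp", 443),    # allowed: HVAC console
                ("10.200.1.7", "10.10.20.5", "tcp", 5432),   # denied: not this vendor's system
                ("10.200.2.9", "10.10.0.10", "tcp", 445)]:   # denied: critical segment
        print(evaluate(*req)[1])
```

In a real deployment the same decisions would be enforced by the VPN gateway or segmentation firewall, with the audit lines shipped to the monitoring system that records privileged sessions.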
In addition to PAM, Bischoff suggested that instead of hosting resources on an internal server and requiring those outside of the office to access them via a VPN, many companies have chosen to put those resources in the cloud. Thanks to an abundance of third-party applications and tools, companies can gain much more granular control there.
Finally, it’s critical to clarify how you shouldn’t use a VPN.
“It should not be used to provide remote access for IT administrators, privileged users or third parties to access sensitive, confidential or critical infrastructure,” Lankford said. The role of corporate VPN should be to provide secure, remote access to private company resources, and to secure connections from remote employees when connected to open Wi-Fi networks.
So, is VPN technology dead? No, but let’s just say that the corporate VPN of the future will continue to play an important role — albeit a limited one that represents a piece of a well-defined and managed network access strategy.