The use of virtual private networks (VPNs) in the enterprise has come a long way. What was once a simple way to ensure a secure connection between an external network and a company’s internal network has become increasingly difficult to manage.

The current line between internal and external is blurry, and enterprises must deal with a growing number of contractors and third-party vendors that need remote access to corporate networks. Administering these various network privileges can be daunting — and as the threat landscape continues to shift, VPN security may not be enough.

VPNs 101

Before exploring whether or not VPNs are falling out of favor, it’s important to define a corporate VPN and how it differs from a personal VPN. Personal VPNs, such as Private Internet Access, VyprVPN and ExpressVPN, tunnel all of a device’s traffic through an encrypted connection to the provider’s server, so that the local network (a home router, a coffee shop or airport hotspot) sees only encrypted traffic to that server. At home, you may use these services to bypass geo-restricted sites or to keep your activity private from your ISP; on public Wi-Fi, you may use them to keep your traffic out of reach of anyone else on the same network.

Corporate VPNs, according to Comparitech privacy advocate Paul Bischoff, are essentially portals that allow staff members to access internal company resources from anywhere in the world, just as if they were in the office. In this scenario, access control happens in much the same way that it does on a local machine: each employee is given an account with a certain level of access.

“Guest, user and administrator access are typical, but a corporation might have more,” Bischoff said. “A password and possibly two-factor authentication are required to log into these accounts via the VPN.”

The Larger the Perimeter, the Greater the Risk

While the cryptography behind a properly configured VPN is sound, individual connections are not immune to compromise. A breached VPN connection is usually the result of either human error, such as a stolen or phished credential or a misconfigured endpoint, or weak and outdated encryption settings.

“Different VPNs use different tactics and levels of security, so some are more secure than others,” Bischoff said. “For example, VPNs that employ perfect forward secrecy are much more secure than those that don’t.”

Karl Lankford, senior solutions engineer at Bomgar, explained that while it remains common practice, using a VPN to provide remote access to critical systems is no longer a suitable solution.

“The most obvious challenge is ensuring that the user and the machine they are connecting with are not compromised,” Lankford said. “After all, you have provided a direct, trusted connection right past all perimeter defenses.”

While breaking the VPN itself may not be easy, it is common for the users behind it to be targeted by threat actors using sophisticated, automated tools; a compromised account or device then arrives on the internal network with the VPN’s full trust. With so many employees and third parties requiring access, the accounts and their privileges become an administrative nightmare to manage, and because every VPN account effectively extends the network perimeter to a remote device you do not control, risk grows with each one.

As the security landscape has developed, Lankford stressed, it has become apparent that VPN technology is too coarse-grained for connections like these: once a user is connected, they are on the network, and a VPN is not designed to provide granular, per-system control over what that user can reach.

Overcoming VPN Security Challenges

So, what can today’s enterprises do to keep things under control? Generally speaking, it’s best to combine VPN access policies with network segmentation policies, so that a VPN session lands a user in a segment scoped to their role rather than on the flat internal network. However, third-party access to your network introduces additional challenges.

“If the vendor happens to be breached, cybercriminals can abuse this VPN access to get onto the vendor’s network and begin recon and exfiltration work,” Lankford said. “However, by implementing a modern, secure remote access solution, organizations can monitor who has privileged access to the company’s network and how they’re using it. Recording this activity through session monitoring will allow organizations to identify who these privileged users are and assess their IT permission levels.”

To minimize the security risk surrounding this access, third parties should only be granted access to the systems they need to perform their jobs successfully.
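As an added illustration (not from the original article or from either of the experts quoted in it) of what combining VPN access policies with network segmentation and granting third parties access only to the systems they need looks like in practice, the Python below models two policies: a flat VPN, where any client holding an address from the VPN pool is treated as inside and unrestricted, and a segmented VPN, where each role is assigned its own address pool and a default-deny allowlist of destination hosts and ports. The roles, address pools, internal hosts and connection attempts are all constructed for this example; the `to_nftables` function renders the same allowlist as an nftables ruleset a Linux gateway could enforce, and is shown for review only, not applied.

```python
"""Flat vs. segmented VPN access: a constructed example, not the article's code."""
import ipaddress
from dataclasses import dataclass

# Hypothetical per-role VPN address pools, handed out by the VPN concentrator
# at login based on group membership. Each role gets its own pool so the
# network can tell roles apart by source address.
POOLS = {
    "employee":    ipaddress.ip_network("10.8.0.0/24"),
    "vendor-hvac": ipaddress.ip_network("10.8.10.0/24"),
    "vendor-erp":  ipaddress.ip_network("10.8.20.0/24"),
}

# Hypothetical internal systems.
INTRANET          = ipaddress.ip_network("10.20.0.0/16")
HVAC_CONTROLLER   = ipaddress.ip_network("10.20.5.10/32")
ERP_APP           = ipaddress.ip_network("10.20.7.20/32")
DOMAIN_CONTROLLER = ipaddress.ip_network("10.20.1.5/32")


@dataclass(frozen=True)
class Rule:
    role: str
    dst: ipaddress.IPv4Network
    ports: frozenset  # allowed TCP destination ports


# Segmented policy: each role reaches only what its job needs. Anything not
# matched falls through to a default deny.
SEGMENTED_RULES = [
    Rule("employee",    INTRANET,        frozenset({80, 443})),
    Rule("vendor-hvac", HVAC_CONTROLLER, frozenset({443})),
    Rule("vendor-erp",  ERP_APP,         frozenset({443, 8443})),
]


def role_for(src):
    """Map a source address back to the role whose pool it came from."""
    ip = ipaddress.ip_address(src)
    for role, pool in POOLS.items():
        if ip in pool:
            return role
    return None


def flat_vpn_allows(src, dst, port):
    """Flat VPN: holding any VPN address is enough to reach any internal host."""
    return role_for(src) is not None


def segmented_vpn_allows(src, dst, port):
    """Segmented VPN: allow only explicit (role, destination, port) tuples."""
    role = role_for(src)
    if role is None:
        return False
    dst_ip = ipaddress.ip_address(dst)
    return any(r.role == role and dst_ip in r.dst and port in r.ports
               for r in SEGMENTED_RULES)


def to_nftables(rules):
    """Render the allowlist as an nftables forward chain with a drop policy."""
    lines = ["table inet vpn_segmentation {",
             "  chain forward {",
             "    type filter hook forward priority 0; policy drop;"]
    for r in rules:
        ports = ", ".join(str(p) for p in sorted(r.ports))
        lines.append(f"    ip saddr {POOLS[r.role]} ip daddr {r.dst} "
                     f"tcp dport {{ {ports} }} accept  # {r.role}")
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed connection attempts, including a compromised HVAC vendor account
# probing the domain controller and the ERP application.
ATTEMPTS = [
    ("10.8.10.7", "10.20.5.10", 443),  # vendor-hvac -> its own controller
    ("10.8.10.7", "10.20.1.5",  445),  # vendor-hvac -> domain controller (SMB)
    ("10.8.10.7", "10.20.7.20", 443),  # vendor-hvac -> ERP app (lateral move)
    ("10.8.0.23", "10.20.3.40", 443),  # employee -> intranet web server
    ("192.0.2.9", "10.20.1.5",  443),  # not a VPN address at all
]


def evaluate(policy):
    """Run every constructed attempt through a policy; True means allowed."""
    return {(s, d, p): policy(s, d, p) for s, d, p in ATTEMPTS}


if __name__ == "__main__":
    for name, policy in (("flat", flat_vpn_allows), ("segmented", segmented_vpn_allows)):
        print(f"--- {name} VPN ---")
        for (s, d, p), ok in evaluate(policy).items():
            print(f"{s:>12} -> {d}:{p:<5} {'ALLOW' if ok else 'DENY'}")
    print(to_nftables(SEGMENTED_RULES))
```

Running it shows the point made above: under the flat policy the compromised HVAC vendor address reaches the domain controller over port 445 as readily as its own controller, while under the segmented policy that attempt and the lateral move to the ERP application are dropped and only the vendor’s legitimate access survives. The same per-role allowlist is what a brokered or privileged-access product enforces at the application layer instead of with address-based rules.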

“This level of granular control cannot be done effectively through VPN, and organizations should look instead at more modern privileged access solutions,” Lankford said. “Those solutions include privileged access management [PAM], which ensures that third parties do not have the physical foothold in the network that they do with a VPN. PAM allows you to give vendors access to your network without a VPN connection and enables security professionals to control, monitor and manage access to critical systems by privileged users, including third-party vendors.”

In addition to PAM, Bischoff suggested that instead of hosting resources on an internal server and requiring those outside the office to reach them over a VPN, many companies have chosen to move those resources to the cloud. Thanks to an abundance of third-party applications and tools, access can then be controlled at the application level, giving companies much more granular control than a network tunnel does.

Finally, it’s critical to clarify how you shouldn’t use a VPN.

“It should not be used to provide remote access for IT administrators, privileged users or third parties to access sensitive, confidential or critical infrastructure,” Lankford said. The role of a corporate VPN should be to provide secure remote access to ordinary private company resources and to protect the traffic of remote employees when they are connected to open Wi-Fi networks.

So, is VPN technology dead? No. The corporate VPN of the future will continue to play an important role, albeit a limited one: one piece of a well-defined and managed network access strategy, rather than the whole of it.

