The use of virtual private networks (VPNs) in the enterprise has come a long way. What was once a simple way to ensure a secure connection between an external network and a company’s internal network has become increasingly difficult to manage.

The current line between internal and external is blurry, and enterprises must deal with a growing number of contractors and third-party vendors that need remote access to corporate networks. Administering these various network privileges can be daunting — and as the threat landscape continues to shift, VPN security may not be enough.

VPNs 101

Before exploring whether or not VPNs are falling out of favor, it’s important to define a corporate VPN and how it differs from a personal VPN. Personal VPNs — such as Private Internet Access, VyprVPN and ExpressVPN — can encrypt any data going in or out of a device or laptop from a public or home network. At home, you may use these services to bypass georestricted sites or to keep your activity private. At a coffee shop or airport, for example, you may use them for privacy and security.

Corporate VPNs, according to Comparitech privacy advocate Paul Bischoff, are essentially portals that allow staff members to access internal company resources from anywhere in the world. (Just as if they were in the office.) In this scenario, access control happens in much the same way that it does on a local machine, as each employee is given an account with a certain level of access.

“Guest, user and administrator access are typical, but a corporation might have more,” Bischoff said. “A password and possibly two-factor authentication are required to log into these accounts via the VPN.”

The Larger the Perimeter, the Greater the Risk

While VPNs are cryptographically secure, connections are not immune to compromise. A breached VPN connection is usually the result of either human error or unfavorable encryption methods.

“Different VPNs use different tactics and levels of security, so some are more secure than others,” Bischoff said. “For example, VPNs that employ perfect forward secrecy are much more secure than those that don’t.”

Karl Lankford, senior solutions engineer at Bomgar, explained that while it’s a common practice, using a VPN to facilitate secure remote access to critical systems is no longer a suitable solution.

“The most obvious challenge is ensuring that the user and the machine they are connecting with are not compromised,” Lankford said. “After all, you have provided a direct, trusted connection right past all perimeter defenses.”

While hacking a VPN may not be easy, it’s prevalent for users to be exploited by threat actors using sophisticated, automated tools. With so many employees and third parties requiring access, it becomes an administrative nightmare to manage. Your risk increases dramatically by essentially extending the perimeter of your network.

As the security landscape has developed, Lankford stressed, it has become apparent that VPN technology is too vulnerable to facilitate connections like these because they are not designed to provide granular control.

Overcoming VPN Security Challenges

So, what can today’s enterprises do to keep things under control? Generally speaking, it’s best to combine VPN access policies with network segmentation policies. However, third-party access to your network can introduce significant challenges.

“If the vendor happens to be breached, cybercriminals can abuse this VPN access to get onto the vendor’s network and begin recon and exfiltration work,” Lankford said. “However, by implementing a modern, secure remote access solution, organizations can monitor who has privileged access to the company’s network and how they’re using it. Recording this activity through session monitoring will allow organizations to identify who these privileged users are and assess their IT permission levels.”

To minimize the security risk surrounding this access, third parties should only be granted access to the systems they need to perform their jobs successfully.

“This level of granular control cannot be done effectively through VPN, and organizations should look instead at more modern privileged access solutions,” Lankford said. “Those solutions include privileged access management [PAM], which ensures that third parties do not have the physical foothold in the network that they do with a VPN. PAM allows you to give vendors access to your network without a VPN connection and enables security professionals to control, monitor and manage access to critical systems by privileged users, including third-party vendors.”

In addition to PAM, Bischoff suggested that instead of hosting resources on an internal server and requiring those outside of the office to access it via a VPN, many companies have chosen to put those resources on the cloud. Thanks to an abundance of third-party applications and tools, companies can gain much more granular control.

Finally, it’s critical to clarify how you shouldn’t use a VPN.

“It should not be used to provide remote access for IT administrators, privileged users or third parties to access sensitive, confidential or critical infrastructure,” Lankford said. The role of corporate VPN should be to provide secure, remote access to private company resources, and to secure connections from remote employees when connected to open Wi-Fi networks.

So, is VPN technology dead? No, but let’s just say that the corporate VPN of the future will continue to play an important role — albeit a limited one that represents a piece of a well-defined and managed network access strategy.

Discover, manage, protect and audit privileged account access with IBM Security Secret Server

More from Identity & Access

How to Keep Your Secrets Safe: A Password Primer

There are two kinds of companies in the world: those that have been breached by criminals, and those that have been breached and don't know it yet. Criminals are relentless. Today’s cyberattacks have evolved into high-level espionage perpetrated by robust criminal organizations or nation-states. In the era of software as a service (SaaS), enterprise data is more likely to be stored on the cloud rather than on prem. Using sophisticated cloud scanning software, criminals can breach an enterprise system within…

Making the Leap: The Risks and Benefits of Passwordless Authentication

The password isn't going anywhere. Passwordless authentication is gaining momentum, though. It appears to be winning the battle of how companies are choosing to log in. Like it or not, the security industry must contend with both in the future.  But for some businesses and agencies, going passwordless is the clear strategy. Microsoft, for instance, has recently stopped forcing users to use a password to access their account, which allows access to a wide range of Microsoft business and personal…

Old Habits Die Hard: New Report Finds Businesses Still Introducing Security Risk into Cloud Environments

While cloud computing and its many forms (private, public, hybrid cloud or multi-cloud environments) have become ubiquitous with innovation and growth over the past decade, cybercriminals have closely watched the migration and introduced innovations of their own to exploit the platforms. Most of these exploits are based on poor configurations and human error. New IBM Security X-Force data reveals that many cloud-adopting businesses are falling behind on basic security best practices, introducing more risk to their organizations. Shedding light on…

Why Your Success Depends on Your IAM Capability

It’s truly universal: if you require your workforce, customers, patients, citizens, constituents, students, teachers… anyone, to register before digitally accessing information or buying goods or services, you are enabling that interaction with identity and access management (IAM). Many IAM vendors talk about how IAM solutions can be an enabler for productivity, about the return on investment (ROI) that can be achieved after successfully rolling out an identity strategy. They all talk about reduction in friction, improving users' perception of the…