Light Dark
June 18, 2018 By Mark Stone 3 min read
Identity & Access
Network

The use of virtual private networks (VPNs) in the enterprise has come a long way. What was once a simple way to ensure a secure connection between an external network and a company’s internal network has become increasingly difficult to manage.

The current line between internal and external is blurry, and enterprises must deal with a growing number of contractors and third-party vendors that need remote access to corporate networks. Administering these various network privileges can be daunting — and as the threat landscape continues to shift, VPN security may not be enough.

VPNs 101

Before exploring whether or not VPNs are falling out of favor, it’s important to define a corporate VPN and how it differs from a personal VPN. Personal VPNs — such as Private Internet Access, VyprVPN and ExpressVPN — can encrypt any data going in or out of a device or laptop from a public or home network. At home, you may use these services to bypass georestricted sites or to keep your activity private. At a coffee shop or airport, for example, you may use them for privacy and security.

Corporate VPNs, according to Comparitech privacy advocate Paul Bischoff, are essentially portals that allow staff members to access internal company resources from anywhere in the world. (Just as if they were in the office.) In this scenario, access control happens in much the same way that it does on a local machine, as each employee is given an account with a certain level of access.

“Guest, user and administrator access are typical, but a corporation might have more,” Bischoff said. “A password and possibly two-factor authentication are required to log into these accounts via the VPN.”

The Larger the Perimeter, the Greater the Risk

While VPNs are cryptographically secure, connections are not immune to compromise. A breached VPN connection is usually the result of either human error or unfavorable encryption methods.

“Different VPNs use different tactics and levels of security, so some are more secure than others,” Bischoff said. “For example, VPNs that employ perfect forward secrecy are much more secure than those that don’t.”

Karl Lankford, senior solutions engineer at Bomgar, explained that while it’s a common practice, using a VPN to facilitate secure remote access to critical systems is no longer a suitable solution.

“The most obvious challenge is ensuring that the user and the machine they are connecting with are not compromised,” Lankford said. “After all, you have provided a direct, trusted connection right past all perimeter defenses.”

While hacking a VPN may not be easy, it’s prevalent for users to be exploited by threat actors using sophisticated, automated tools. With so many employees and third parties requiring access, it becomes an administrative nightmare to manage. Your risk increases dramatically by essentially extending the perimeter of your network.

As the security landscape has developed, Lankford stressed, it has become apparent that VPN technology is too vulnerable to facilitate connections like these because they are not designed to provide granular control.

Overcoming VPN Security Challenges

So, what can today’s enterprises do to keep things under control? Generally speaking, it’s best to combine VPN access policies with network segmentation policies. However, third-party access to your network can introduce significant challenges.

“If the vendor happens to be breached, cybercriminals can abuse this VPN access to get onto the vendor’s network and begin recon and exfiltration work,” Lankford said. “However, by implementing a modern, secure remote access solution, organizations can monitor who has privileged access to the company’s network and how they’re using it. Recording this activity through session monitoring will allow organizations to identify who these privileged users are and assess their IT permission levels.”

To minimize the security risk surrounding this access, third parties should only be granted access to the systems they need to perform their jobs successfully.

“This level of granular control cannot be done effectively through VPN, and organizations should look instead at more modern privileged access solutions,” Lankford said. “Those solutions include privileged access management [PAM], which ensures that third parties do not have the physical foothold in the network that they do with a VPN. PAM allows you to give vendors access to your network without a VPN connection and enables security professionals to control, monitor and manage access to critical systems by privileged users, including third-party vendors.”

In addition to PAM, Bischoff suggested that instead of hosting resources on an internal server and requiring those outside of the office to access it via a VPN, many companies have chosen to put those resources on the cloud. Thanks to an abundance of third-party applications and tools, companies can gain much more granular control.

Finally, it’s critical to clarify how you shouldn’t use a VPN.

“It should not be used to provide remote access for IT administrators, privileged users or third parties to access sensitive, confidential or critical infrastructure,” Lankford said. The role of corporate VPN should be to provide secure, remote access to private company resources, and to secure connections from remote employees when connected to open Wi-Fi networks.

So, is VPN technology dead? No, but let’s just say that the corporate VPN of the future will continue to play an important role — albeit a limited one that represents a piece of a well-defined and managed network access strategy.

Discover, manage, protect and audit privileged account access with IBM Security Secret Server

 |  |  |  |  |  |  |  | 
Mark Stone

More from Identity & Access
October 23, 2023

Taking the complexity out of identity solutions for hybrid environments

4 min read - For the past two decades, businesses have been making significant investments to consolidate their identity and access management (IAM) platforms and directories to manage user identities in one place. However, the hybrid nature of the cloud has led many to realize that this ultimate goal is a fantasy. Instead, businesses must learn how to consistently and effectively manage user identities across multiple IAM platforms and directories. As cloud migration and digital transformation accelerate at a dizzying pace, enterprises are left…

September 13, 2023

“Authorized” to break in: Adversaries use valid credentials to compromise cloud environments

4 min read - Overprivileged plaintext credentials left on display in 33% of X-Force adversary simulations Adversaries are constantly seeking to improve their productivity margins, but new data from IBM X-Force suggests they aren’t exclusively leaning on sophistication to do so. Simple yet reliable tactics that offer ease of use and often direct access to privileged environments are still heavily relied upon. Today X-Force released the 2023 Cloud Threat Landscape Report, detailing common trends and top threats observed against cloud environments over the past…

August 1, 2023

Artificial intelligence threats in identity management

4 min read - The 2023 Identity Security Threat Landscape Report from CyberArk identified some valuable insights. 2,300 security professionals surveyed responded with some sobering figures: 68% are concerned about insider threats from employee layoffs and churn 99% expect some type of identity compromise driven by financial cutbacks, geopolitical factors, cloud applications and hybrid work environments 74% are concerned about confidential data loss through employees, ex-employees and third-party vendors. Additionally, many feel digital identity proliferation is on the rise and the attack surface is…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature