7 common VPN security risks: the not-so-good, the bad, and the ugly
A Virtual Private Network (VPN) is perfect for internal employees who need to access the server (or section of the server) from anywhere besides the office. In fact, at SecureLink we use VPN client software on our laptops to do just that; if you need to work remotely and need to update something that’s on the server, just use your VPN and you can easily get it done. Generally, this type of network offers high-speed connections that help companies operate efficiently. In addition to allowing employees to work from home or on the road, VPN connections can also give vendors access to internal resources they need in order to support company operations.
However, there are a number of problems, concerns, and vulnerabilities when it comes to deploying VPN services. Understanding these common VPN issues is crucial in protecting your company's network security. That's why we’ve categorized these common issues as the not-so-good, the bad, and the ugly to help you make an informed decision on whether your organization should implement a VPN.
Why VPN is Not Secure
VPNs are insecure because they expose entire networks to threats like malware, DDoS attacks, and spoofing attacks. Once an attacker has breached the network through a compromised device, the entire network can be brought down.
The not-so-good VPN security risks
Third-party VPNs can’t create or enforce policies that protect credentials
Third-party vendors may sometimes follow a number of VPN practices that are not optimal, yet are beyond your control – practices that create opportunities for hackers to enter your network.
Example: Sharing credentials with co-workers, or reusing weak passwords from personal accounts that are easily exploited. According to a Verizon report, 76% of network intrusions involved compromised user credentials.
More secure VPN = Less productive workforce
While using VPN software increases security over an unencrypted connection, connection speeds and application performance can decrease due to several factors – such as the time needed to provision and test the VPN, which usually involves other departments such as IT support.
And this must happen before any application or server access can be tested. This two-step process slows things down and often involves personnel who aren’t familiar with the application or the vendors' use case for getting access in the first place.
The result: Long lag times in getting vendor support technicians on the job, which also impacts your workforce’s productivity and customer service quality.
High VPN support costs = Higher cost of doing business
With VPNs, there’s no centralized remote management. Without the ability to deploy, monitor, and manage all of your connections from a single place, your support personnel must spend a great deal of time supporting the VPN client and the connected applications.
Plus, third-party vendors may not have in-house technical support to help with initial setup, troubleshooting VPN connection problems, and solving everyday issues. You may then require more resources at your helpdesks to assist users, which increases your costs of doing business.
The bad VPN security risks
All or nothing = VPNs create security risks
When a business uses VPNs to provide third-party vendors access to their network, those vendors either have full access to your network (for example, at the start of a job) or they don’t (when you revoke access after the job ends) – unless companies implement strict network segmentation with firewalls and switches, which adds additional complexity.
There are no shades of gray, no ability to give partial access only to required resources. The more servers, applications, and network equipment your vendors can access, the more you have at risk.
VPN servers and client software grant a vendor access to everything in your network unless least-privilege access is implemented. Even if you segment your networks with VLANs (Virtual Local Area Networks), access can still be too broad, or even too narrow, which requires additional VPN troubleshooting and technician time.
Lack of accountability creates third-party VPN risks
VPNs typically provide little or no granular audit records, so you can’t monitor and record the actions of every third-party vendor using the VPN. Usually, all that is logged is connection times, and even then that data sits in yet another log to monitor and watch.
Without easy, centralized access to all the historical information on a connection (user, applications accessed, the reason for access, etc.), it is impossible to prove who or what created an issue, should a breach or mistake occur due to a third-party vendor.
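The two gaps described above (all-or-nothing access and connection-time-only logging) can be narrowed by joining the VPN session log with internal firewall flow logs and checking each flow against a per-vendor allowlist. The sketch below is an added example, not part of the original article or any SecureLink product; the vendor names, IP addresses, log layouts and policy are constructed assumptions.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample data: VPN concentrator session log, which typically holds
# only the user, the assigned tunnel IP and connect/disconnect times.
SESSIONS = [
    ("vendor-hvac", "10.8.0.5", "2024-03-01T09:00", "2024-03-01T10:00"),
    ("vendor-pos",  "10.8.0.5", "2024-03-01T11:00", "2024-03-01T12:30"),  # IP reused
]
# Constructed internal firewall flow log: time, source, destination, port.
FLOWS = [
    ("2024-03-01T09:15", "10.8.0.5", "10.20.1.10", 443),
    ("2024-03-01T09:40", "10.8.0.5", "10.30.7.22", 1433),
    ("2024-03-01T11:20", "10.8.0.5", "10.30.7.22", 1433),
    ("2024-03-01T13:00", "10.8.0.5", "10.20.1.10", 22),
]
# Hypothetical least-privilege policy: the only destinations each vendor needs.
POLICY = {
    "vendor-hvac": [("10.20.1.0/24", 443)],
    "vendor-pos":  [("10.30.7.22/32", 1433)],
}

def _ts(s):
    return datetime.fromisoformat(s)

def session_owner(when, src, sessions):
    """Return the user holding tunnel IP `src` at time `when`, or None."""
    for user, ip, start, end in sessions:
        if ip == src and _ts(start) <= when <= _ts(end):
            return user
    return None

def permitted(user, dst, port, policy):
    """True if (dst, port) falls inside one of the user's allowed entries."""
    return any(ip_address(dst) in ip_network(net) and port == p
               for net, p in policy.get(user, []))

def audit(sessions, flows, policy):
    """Attribute each flow to a vendor; label it ok, out-of-scope or unattributed."""
    report = []
    for when, src, dst, port in flows:
        user = session_owner(_ts(when), src, sessions)
        if user is None:
            verdict = "unattributed"   # traffic from a tunnel IP with no live session
        elif permitted(user, dst, port, policy):
            verdict = "ok"
        else:
            verdict = "out-of-scope"   # reachable over the VPN, but not needed
        report.append((when, user, dst, port, verdict))
    return report
```

Because tunnel addresses are reused, attribution has to match on the session time window as well as the source IP; matching on IP alone would credit the 11:20 flow to the wrong vendor.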
The ugly VPN security risks
VPN provides a false sense of security
If your third-party vendors and VPN users have access to your network, you may believe that your company data and network are safe; after all, the “P” in VPN does stand for “private”.
However, history has proven otherwise. The reality is that malicious hackers have exploited weak VPN protocols and non-secure internet connections to cause data breaches at major companies such as Home Depot and Target.
A VPN doesn't protect you from hackers
Hackers often use VPNs to gain access to networks. If your business has many third-party vendors, and each vendor has full access to your network, a hacker now has multiple potential routes to break into and exploit your network using VPN traffic.
Let’s face the facts: One of the easiest ways a hacker enters a network is through a third-party connection. Using a checklist to assess third-party VPN risks and the vulnerability of your third parties' remote access points can help reduce the probability of an attack.
The upside: use a third-party management system
Given all the above, do you really want to expose your company to these kinds of risks and common problems? Not just risks to your data, but to your company’s reputation, too, should a data breach occur? The answer is clearly no – especially since a better, smarter enterprise VPN alternative exists: SecureLink.
With SecureLink, third-party remote access is given not to your entire network, but only specific areas, based on the (much safer) principle of least privilege: vendors can access only the resources they require to get their job done.
Thanks to SecureLink’s third-party remote access management solution, you get the advantages of VPNs (allowing third-party access to your network) with none of the negatives. And that’s a very good thing.