What’s the difference between RDP and VPN for remote access?

Remote access has become a necessity in business environments. Whether it’s employees working from home or third-party vendors that need to access a customer network, remote access needs to provide secure and reliable connectivity—keyword here being secure. VPNs and remote desktop sharing (or RDP) are two of the more popular and common applications used for remote support. Although they differ in both theory and practice, they share the same weaknesses: limitations in usefulness, efficiency, and security. When determining which remote access method is best for your organization, it’s critical to first understand how each of these traditional methods works—along with where they fall short.

What is a VPN?

A VPN is a virtual private network that extends a private network across a public network, which allows users to access data as if their devices were connected directly to the private network. For example, if you were working remotely at a Starbucks (public network) but needed to access your company’s server on the private network, you would connect through your VPN to bridge into your company’s private network and reach the application you need. For the average remote corporate user, a VPN connection is all they need. Their connection replicates what they would have if they were sitting at their desk at work, but provides no additional functionality beyond access. For third-party vendors, VPNs provide even less functionality and security, which is especially critical given that third-party connections put organizations at major risk of a data breach.

Disadvantages of VPNs

All security capabilities are lost when it comes to granting third parties remote access via VPN. Here are a few examples of the security disadvantages of VPNs:

Minimal access controls

VPNs provide some access controls, but the more controls you put in place, the less efficient the VPN connection is. Instead of a smooth connection, VPN controls delay the connection process, which is costly for third-party reps who need a quick login to fix an immediate problem. These access controls also fall short of the security safeguards that should be in place, like zero trust methods. VPNs also don’t provide access notifications—which notify the organization when a vendor is accessing the network—or schedule-based access—which restricts user access to a set period of time.

No credential management

Credentials are the keys that unlock every door in a company’s digital framework. Third parties need credentials to access their customers’ networks and systems, but it’s up to their customer—the organization—to protect those credentials as best they can. Practicing good credential management mitigates the risk of passwords being exposed, shared, or compromised by a vendor rep or by hackers exploiting third-party connections. VPNs don’t manage, vault, or obfuscate credentials, so password protection depends on your third parties keeping them safe. That raises the question: how much do you trust your third parties?

No session monitoring

The lack of access monitoring is a huge disadvantage of VPNs. VPNs don’t record or audit third-party vendors while they’re in session. They don’t have the capabilities to monitor vendor rep behavior or keep reps accountable for their actions while on a company’s network. If there is an incident, there’s no way to trace its source and no recording to investigate how it happened. The result is too much access that leaves companies vulnerable to attack, without any way to provide evidence if something were to happen.

No employment status verification

While this isn’t a feature of every remote access method, VPNs aren’t able to keep tabs on which of your third-party reps are still employees and which aren’t. Employment verification mitigates the risk of a former employee getting their hands on old VPN credentials and accessing a network where they don’t belong.

What is RDP or remote desktop protocol?

Remote desktop protocol (RDP) is a technical standard for accessing a desktop computer remotely. Remote desktop software can use different protocols such as Independent Computing Architecture (ICA) or Virtual Network Computing (VNC), but RDP is the most common protocol. RDP provides an encrypted tunnel much like VPNs, usually using SSL or similar methods, and then enables a “take-over” of an existing user’s role, which eliminates the need for separate credentials. In short, it allows a user to remotely access another user’s computer and act as if they’re on the network locally. Let’s say your work laptop was acting up and needed IT attention; RDP provides the connection for an IT team member to access your desktop as if they were sitting at it themselves.

Disadvantages of RDP

For third parties, this kind of connection is valuable for support capabilities, but it exposes the customer to serious risk. Similar to VPNs, the lack of access controls, vendor management, and monitoring are disadvantages of RDP and make it a prime target for hackers.

No access control

Anyone, anywhere can log into a desktop sharing tool. A remote support session starts with an employee clicking on a link and surrendering control of a desktop. Without access controls in place, there’s nothing to restrict a vendor rep’s access; they have the same amount of access as the user they’re connected to. Also, similar to VPNs, there’s no way to establish access schedules or notifications. There are approval workflows, but once a vendor has approval, there aren’t any restrictions on what they can access inside a network, which opens the door to an entire organization’s network. This is a frequent tactic of hackers, who get low-level access on a single network node and then expand out from there by finding other vulnerable machines or services visible on the network.

No vendor identity management

Another disadvantage of RDP is that it allows anyone who has RDP capability to access another user’s desktop. Desktop sharing tools don’t register users and can’t track or log what permissions are given to each third-party rep, especially because permissions aren’t required when using RDP. Once connected to a machine, a rep has full access to that machine on the network, including local files as well as network resources, with the full permissions of that user.

Minimal session monitoring

Some (but not all) desktop sharing tools allow recording of sessions, but this setting is rarely enabled. These tools rarely provide the detailed audit reports needed to demonstrate compliance with regulations, internal security policies, or legal teams. Most monitoring is done at the whim of the employee granting access to their computer. And who’s to say the employee won’t walk away from their computer, leaving a rep (or hacker) unattended, unsupervised, and able to access critical assets and information?
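The sections above list the controls the author says VPNs and desktop sharing tools lack: schedule-based access, access notifications, employment status verification, and an audit trail of each session. The following added example (not code from the original post or from any product it mentions) shows how a gateway in front of third-party remote sessions could apply those controls; the vendor roster, the session events and their field names are constructed for illustration.

```python
from datetime import datetime, time

# Constructed roster of third-party reps: employment status and the
# local-time window during which each rep is approved to connect.
VENDOR_ROSTER = {
    "acme\\jdoe": {"active": True, "window": (time(8, 0), time(18, 0))},
    "acme\\rsmith": {"active": False, "window": (time(8, 0), time(18, 0))},
}

# Constructed remote-session events, in the shape a parsed RDP logon
# (Windows event 4624, logon type 10) would give a monitoring pipeline.
SESSION_EVENTS = [
    {"user": "acme\\jdoe", "host": "fileserver01", "at": "2024-03-04T10:15:00"},
    {"user": "acme\\jdoe", "host": "fileserver01", "at": "2024-03-06T23:40:00"},
    {"user": "acme\\rsmith", "host": "dc01", "at": "2024-03-05T09:05:00"},
    {"user": "acme\\ghost", "host": "dc01", "at": "2024-03-05T09:06:00"},
]


def evaluate_session(event, roster=VENDOR_ROSTER):
    """Apply roster, employment and schedule checks to one session
    and return an audit record with the decision and a notification."""
    rep = roster.get(event["user"])
    at = datetime.fromisoformat(event["at"])
    if rep is None:
        decision, reason = "deny", "unknown vendor account"
    elif not rep["active"]:
        decision, reason = "deny", "rep no longer employed by vendor"
    else:
        start, end = rep["window"]
        if start <= at.time() <= end:
            decision, reason = "allow", "within approved window"
        else:
            decision, reason = "deny", "outside approved window"
    notify = f"{event['user']} -> {event['host']} at {event['at']}: {decision} ({reason})"
    return {"user": event["user"], "host": event["host"], "at": event["at"],
            "decision": decision, "reason": reason, "notify": notify}


def review_sessions(events=SESSION_EVENTS, roster=VENDOR_ROSTER):
    """Evaluate every event; the returned list is the session audit trail."""
    return [evaluate_session(e, roster) for e in events]


if __name__ == "__main__":
    for record in review_sessions():
        print(record["notify"])
```

Each record doubles as the access notification the text says these tools never send, and the list as a whole is the audit evidence it says is missing after an incident.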

RDP vs VPN for remote access

While RDP and VPN serve similar functions for remote access, VPNs allow users to access secure networks, whereas RDP grants remote access to a specific computer. While useful for providing access to employees and third parties, this access is open-ended and insecure. Given the cyber landscape, remote workforces, and growing IoT, hackers are exploiting vulnerabilities in all these segments, taking any path of least resistance. Most often, these paths of least resistance run through third parties and their minimally controlled and tracked remote access methods.

RDP vs VPN security

The essential difference between VPN and RDP security is that RDP provides devices with additional functionality, unlike a VPN. Even though the same device is being used, an RDP changes its IP address to provide additional security. VPNs lack access controls and session monitoring, which are both effective means of security when it comes to network access. RDP provides the additional functionality previously mentioned, as well as session monitoring in the rare cases where it is enabled. While these functionalities are helpful, they’re minimal and not nearly enough to account for the sophisticated techniques hackers have acquired. Traditional methods of remote access like VPNs and RDP are coming up short and failing to fully secure remote access. These outdated means have been the culprit of cyber attacks (like Colonial Pipeline) and continue to be insufficient in protecting companies from data breaches. An organization shouldn’t settle for minimal security, especially when it comes to the new vector-of-choice for hackers—third-party remote access. The search for secure remote access doesn’t have to stop with VPNs and RDP. Check the security of your remote connections with this remote access security checklist, or seek out solutions designed to manage third-party access that act as superior alternatives to VPNs and RDP software.