Why VPNs alone won’t secure your remote employees

As organizations were forced to let their employees work from home during the pandemic, many turned to VPN services as a means to allow them to connect to their corporate networks remotely. Cybercriminals were well aware of this and they began exploiting VPNs to gain access to corporate networks. Outdated software and poor security practices were used to gain access to organizations’ VPNs, but attackers have also begun to use voice phishing, or vishing, to steal VPN credentials from remote workers.

In order to learn more about how businesses can ensure secure access while working remotely, TechRadar Pro spoke with SecureLink’s CISO Tony Howlett.

Where do VPN services fall short when it comes to giving employees access to corporate networks?

VPNs are designed to secure data in transit, not necessarily to secure the endpoints. VPNs also only provide the connection; they do not provide credentials to the servers or hosts, so those must be relayed and managed separately. Finally, given that VPNs connect you to a remote network, without proper segmentation, it often leaves the target network vulnerable to scanning or leapfrogging onto other systems or networks that the user is not authorized for.

How can cybercriminals use a VPN as a pathway for lateral attacks?

As most networks are not properly segmented, hackers who gain VPN access to a less sensitive network can often jump onto more critical networks where things like payment, accounting, development, or other more sensitive systems reside. Additionally, users who are working from home can often have malware that infects other machines on their home network (i.e. kids’ and/or spouses’ machines) to attack their VPN endpoint and then travel over that connection to the corporate network.

Can you tell us more about Vendor Privileged Access Management (VPAM) and the benefits these solutions provide that VPNs don’t?

VPAM provides transport and system access in one solution. It proxies the connection so that there is no native network connection, preventing the aforementioned lateral movement. Additional least privilege controls can be applied, tying the use case to specific application ports and even time periods. The system integrates with Privileged Access Management (PAM) systems so that the actual login credentials are stored in an encrypted vault and the vendor user never sees them. Finally, it provides a high-definition audit where actual keystroke and mouse movements are recorded for monitoring and audit purposes. 

What factors does your platform use to decide when to revoke a user’s privileges?

The beauty of our VPAM system is that it can be tied directly into a vendor’s directory service so that the minute a vendor employee is terminated, they no longer have access to the customer’s systems. This automates the offboarding of users when they are no longer authorized and makes rights termination happen in near real-time. 

What is least privileged access (LPA) and how does it prevent users from being granted more privileges than they require?

Least privileged access ensures that the levels of access and rights are based on a user’s title and need to do their job. In other words, it gives just the right amount of access — no more and no less. When a vendor user is set up in SecureLink, they are provided with a symbolic connection profile that only gives them access to specific networks, servers, and application ports that they need to do their job. Unlike VPNs or desktop sharing tools, they simply do not have direct access to the underlying network to explore or exploit it further. 

What led your organization to create the SecureLink platform in the first place?

The ever-increasing number of services that companies are outsourcing to third parties and the risk that those connections bring to a company's systems and data. Also, the fact that many vendors require some form of privileged access which increases the risk and the damage that a hacker can do with those types of connections. 

Have you had to change your platform to support remote workers in addition to remote vendors and contractors? What lessons has your organization learned from the pandemic?

We haven’t had to change the platform in order to support internal workers since our core and primary use cases focus specifically on the access granted to networks to third parties (contractors, vendors, etc.). However, many of our customers were able to quickly and easily transition to using SecureLink for remote access for their remote employees. While internal access needs are often different, we were able to use the SecureLink platform to support this use case to get them through the crisis. Through this pandemic, we’ve learned a lot about the importance of our product and platform. Even though there’s a pandemic going on for all of us, hackers or bad actors aren’t going to stop trying to infiltrate networks because of COVID-19.

Are you currently working on any new products or services to make remote access easier for businesses?

We just released a cloud option so that customers do not have to host their own SecureLink server. We’re very excited about this because it provides a turnkey solution that can be quickly turned up. Since SecureLink is hosting the appliance, organizations don’t have to worry about ongoing upgrades, monitoring, or patching. SecureLink handles all of those components to free up time and bandwidth for IT teams.   
