Securing Remote Workers and Vendor Access: The Perils of VPNs
The coronavirus pandemic has forced thousands of companies to make leaps in their digital transformation journey. Businesses and public sector agencies were already challenged by remote access, BYOD, and cloud adoption. Now, the coronavirus has raised the stakes.
Teleworking, or remote working, is putting great strain on remote access systems. Most likely, you’ve experienced slow connections, crashing websites, or sketchy videoconferences. What’s not so obvious to everyone are the risks of continuing to use Virtual Private Networks (VPNs) for privileged remote administration, especially by vendors.
Even before the pandemic, risks posed by third-party access had increasingly become a core cybersecurity challenge. Many organizations may rely heavily on IT service providers to help them adapt to the new normal. Additionally, many service providers had to adapt their operations, potentially making the vendor systems less secure.
Amid the crisis, some companies have provided employees with company-provisioned computers that are closely managed and locked down. But for many businesses, the ability to have employees take their work computers home was limited. Some enterprises and public sector organizations simply can’t afford the cost of additional computers for every employee outside the office. This leads to employees using their personal computers from home, which poses a huge security risk on top of the remote access risk. It certainly doesn’t help matters that many organizations use a mix of unsecured and outdated remote access tools to connect to their network.
Third-Party Risk & VPNs
The vendor or third-party attack vector has been well-understood since at least the time of Target’s 2013 credit card data breach. That breach was infamously perpetrated by an attacker who gained initial access to the network via a third-party vendor’s VPN account used for monitoring HVAC equipment in stores. Vendor access security risk has exploded since that time.
The 2019 Privileged Access Threat Report disclosed that, on average, organizations have 182 vendors logging into their systems every week! A Ponemon Institute survey revealed that 59 percent of companies experienced a breach due to third parties in 2018. Now is the time for organizations to improve their ability to manage third-party risk.
One of the most common tools for remote access — the VPN — is unfit for managing privileged vendor remote administration of business systems, whether as part of a staff augmentation use case or just for troubleshooting. Among its security deficiencies, the VPN:
- Creates a full tunnel, potentially leaving core systems with no inherent resistance to a compromised edge device or account.
- Punches big holes in the network segmentation model.
- Lacks privileged access management (PAM) features.
What’s the solution?
With the increase of cyber-attacks against remote workers, organizations must secure end-users’ machines and prevent malware and ransomware from being introduced into the corporate environment.
But service desk teams are stretched thin, having to do more with less, and yet they must address the risks created by remote users, who are more likely to self-provision tools and applications and may inadvertently introduce malware or ransomware into the network.
And this problem often comes back to a common security headache — admin rights.
Users either have no admin rights and can’t get their work done, or have full admin rights and far more control than they need.
Your employees need to connect to systems and applications necessary to perform their work. Your IT service desk needs to support employees in their homes around the world. Your third-party vendors and contractors need to continue performing critical tasks on your network. And this all needs to be done securely without maxing out your infrastructure and VPN. It certainly seems too hard to achieve, but it’s not.
The solution is to combine secure remote access with least privilege. This way, you can enable your remote employees, support staff, and third-party vendors to securely connect to the endpoints and systems they need without requiring a VPN, allowing your workforce to be productive without introducing security risks or straining your network.
Using this combination, employees working from home should be able to connect back to their desktop or workstations at the office from any modern browser, and support staff can see and control remote computers and devices.
Some solutions also allow you to access a remote employee’s mobile device’s camera to assist in setting up hardware and peripheral devices. Every connection should be centrally managed, permission-based, and recorded for security compliance.
In addition to maximizing the use of a complete secure remote access tool, enforcing least privilege will help you secure endpoints by elevating privileges only for specific applications rather than the whole user session, and by whitelisting applications to protect against malware.
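The following is an added illustration, not code from the original post or from any product it describes, of what application-level elevation with an allowlist looks like in practice: the user's session stays unprivileged, a single vetted binary is approved by its content hash, and every elevation request is logged. File names, user names, the policy class and the file contents are all constructed for the example; a real endpoint privilege-management agent would perform the actual elevation after the same kind of check.

```python
"""Added example: hash-based application allowlisting before elevation.
Constructed for illustration; not the original post's or any vendor's code."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


def sha256_of(path: str) -> str:
    """Hash the binary's content; a patched or replaced file yields a new digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class ElevationPolicy:
    """Allowlist keyed by content hash, not by file name or path (constructed policy model)."""
    allowed_hashes: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def approve(self, path: str, display_name: str) -> None:
        """Admin-side step: record the digest of a vetted binary."""
        self.allowed_hashes[sha256_of(path)] = display_name

    def request_elevation(self, user: str, path: str) -> Decision:
        """Agent-side step: elevate only this binary, and only if its content is approved."""
        real = os.path.realpath(path)  # resolve symlinks before hashing
        if not os.path.isfile(real):
            decision = Decision(False, f"{real} is not a regular file")
        else:
            name = self.allowed_hashes.get(sha256_of(real))
            if name is None:
                decision = Decision(False, "binary content is not on the allowlist")
            else:
                decision = Decision(True, f"elevating '{name}' only; user session stays unprivileged")
        # Every decision is recorded so the session is auditable for compliance.
        self.audit_log.append({"user": user, "path": real,
                               "allowed": decision.allowed, "reason": decision.reason})
        return decision


def demo() -> dict:
    """Constructed scenario: an approved vendor installer, then the same name with altered content."""
    with tempfile.TemporaryDirectory() as workdir:
        installer = os.path.join(workdir, "vendor_setup.exe")
        with open(installer, "wb") as f:
            f.write(b"APPROVED-INSTALLER-CONTENT")  # constructed stand-in for a vetted binary
        policy = ElevationPolicy()
        policy.approve(installer, "Vendor Setup 4.2")

        approved = policy.request_elevation("contractor-jdoe", installer)

        # Same path and file name, but the bytes changed: a name- or path-based rule would pass this.
        with open(installer, "wb") as f:
            f.write(b"APPROVED-INSTALLER-CONTENT-PLUS-EXTRA")
        tampered = policy.request_elevation("contractor-jdoe", installer)

        # A binary nobody vetted is simply unknown to the policy.
        unknown = policy.request_elevation("contractor-jdoe", os.path.join(workdir, "unlisted_tool.exe"))

        return {
            "approved": approved.allowed,
            "tampered": tampered.allowed,
            "unknown": unknown.allowed,
            "audit_entries": len(policy.audit_log),
        }


if __name__ == "__main__":
    print(demo())
```

The point of keying the allowlist on content rather than on file name is visible in the second request: the file sits at the approved path under the approved name, yet its digest no longer matches, so elevation is refused and the refusal is logged alongside the earlier grant.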
Times of unplanned change can create increased risk. There are ways you can support your remote workforce and third-party vendors without compromising security.
Learn more about how to protect remote endpoints from attacks & malware. Download this quick guide: Enable & Secure Your Remote Workforce.