Many businesses use virtual private networks (VPNs) to provide secure remote access to their systems, but this has increasingly become a liability as more people switch to remote work. The greater demands placed on VPNs to offer safe access can expose organizations and employees to security vulnerabilities.
In order to better protect their data and systems, organizations may need to seek alternatives to VPNs. This article will examine why corporate VPNs are vulnerable to data leaks and offer alternate solutions to help you safeguard your infrastructure.
What is a VPN?
A VPN provides an encrypted internet connection from a device to a network. The encrypted connection (which is owned by the VPN provider) is meant to ensure secure transmission of data and to prevent unauthorized users from traffic eavesdropping.
Why do organizations use VPNs?
VPNs were first developed by Microsoft in 1996 so that remote workers could get secure access to the company’s network. They also helped prevent hacking threats. When using them doubled the company’s productivity, the rest of the company started to adopt VPNs as well.
What are the shortcomings of VPNs?
When the COVID-19 pandemic began, many workplaces switched to remote access while the basic structure of VPNs stayed the same. Using a basic VPN connection for third parties can expose a business network to attackers, who can exploit third-party connections or shared passwords.
Unless you use strict network segmentation with firewalls and switches for third-party vendors, those vendors have full access to your network. There is no way to limit access to only required resources. The more access your vendors have to your servers, software, and network equipment, the more vulnerable you are. This is why least privileged access or a zero-trust model is necessary.
Recent cyberattacks have been a wake-up call to those using VPN connections. In October 2021, security researcher Bob Diachenko discovered an exposed database he attributed to ActMobile, which operates Dash VPN and FreeVPN. ActMobile denied being the source of the data.
In November 2021, the FBI announced that advanced persistent threat groups (APTs) had been exploiting a zero-day flaw in FatPipe’s VPN for six months.
Following are some of the challenges of VPNs.
If your VPN isn’t secure, a hacker can gain access to your files, including passwords and financial data, and track your online behavior. Attacks typically happen when attackers find a leaked password and access systems through an old, inactive VPN account, since many VPN providers don’t update and upgrade their technologies.
A competitor with access to your data might be a dangerous or even fatal threat to your company.
No malware protection
VPNs encrypt your data and traffic, but they don’t protect against computer infections or ransomware. Malware can infect your devices, enabling the attacker to gain your user authentication or password when those devices connect to a VPN. The malware can spread to other network devices.
Easy to compromise
While a VPN can shield your internet connection from being spied on and hijacked, you can still be attacked if you pass malware into the VPN connection as well or allow someone to discover your username and password.
One of the most common types of corporate and personal data breaches is the password attack, in which a hacker attempts to steal your password. Many passwords are badly crafted, making them an enticing target. Additionally, a malicious user can find a leaked password and access your system through an old, inactive VPN account, because many VPN companies don’t update their technologies. Compromised credentials were responsible for sixty-one percent of all data breaches in 2020.
Not always trustworthy
VPN IPs are often not unique and are shared with many people. This raises the risk of security issues such as IP address blacklisting and IP spoofing.
Although some VPNs are simple, others are so complex to set up that organizations may not take the time to do so. This effectively means they have no VPN, which leaves their data more vulnerable.
Why should you use VPN alternatives?
Remote access solutions, particularly cloud-based, scalable remote access platforms, can provide outstanding performance and security without the downsides of traditional VPNs.
Instead of implementing point-to-point connectivity, these alternatives provide optimal routing of encrypted traffic between network devices while also integrating a full security stack. Security services can be deployed near cloud-based resources or geographically distributed to remote workers, minimizing the performance issues of routing traffic through different networks.
Following are several types of networks that can provide alternatives to corporate VPNs.
1. Zero trust network access (ZTNA)
The zero-trust model operates on a few core tenets:
- Users should never gain network access when using private applications. Risk needs to be decoupled from the network.
- If an attacker infects a system, the damage is limited to whatever the system can access.
- All private apps and infrastructure must be invisible to the internet. Cybercriminals can’t attack what they can’t see.
- The focus on securing user and device connections de-emphasizes the network, making the internet the new secure corporate network.
ZTNA technology is used by notable companies including Cisco Duo Security, Prisma Access by Palo Alto Networks, Netskope, Zscaler, and Akamai. Gartner predicts that ZTNA will replace sixty percent of VPNs by 2023.
2. Mobile device management
Mobile device management (MDM) is a method of centrally controlling the setup of computers, tablets, and smartphones. Apple strongly encourages IT administrators to utilize MDM, and the technology is constantly improving. MDM systems offer some key capabilities:
- MDM saves organizations from the risk and inconvenience of separately configuring multiple devices.
- MDM allows users to separate personal and professional accounts and data.
- MDM is also easier for users since they don’t need to set up passwords for multiple accounts.
3. Identity and access management/privileged access management
Identity and access management (IAM) makes sure your employees have access to the tools they need to execute their tasks. IAM systems allow your company to manage staff apps without having to log in as an administrator to each one. The systems can also manage software and hardware, such as robotics and IoT devices.
IAM offers several benefits:
- The password is often the single point of failure in traditional security. IAM services reduce that risk and provide tools to spot problems as they happen.
- Once employees have logged into the primary IAM portal, they can access the tools for their tasks without needing further passwords. Their access can also be handled by group or position rather than individually, minimizing the load on your IT staff.
Privileged access management (PAM) protects your company against misuse of privileged access. This is especially important if your company is expanding, because a greater number of employees, contractors, remote users, and even automated users could gain privileged access to your expanded IT system. These admin users could potentially make unauthorized system changes, access restricted data, and cover their actions. Outside attackers could also gain access using admin credentials.
PAM systems prevent these issues by collecting privileged account credentials and storing them in a secure repository or vault, isolating the use of privileged accounts and reducing the risk of those credentials being stolen. System administrators can access their credentials through the PAM system, where they will be authenticated and their access will be logged. When a credential is checked back in, it is reset for the next use.
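The check-out/check-in cycle described above, as an added Python illustration (not code from Teleport or any PAM vendor). The operator table, the privileged account name and its seed secret are constructed for the demo; a real vault would store hashed operator passwords, keep secrets in an HSM-backed store, and write the audit log to a tamper-evident sink. The point it shows is the control flow: no secret leaves the vault without authentication, only one holder at a time, every attempt is logged, and the secret is rotated the moment it is checked back in.

```python
"""Illustrative PAM credential vault: authenticate, log, hand out, rotate on return."""
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Vault:
    """Holds privileged credentials; every access is authenticated and logged."""
    operators: dict                                  # constructed operator -> password table
    secrets_store: dict                              # privileged account -> current secret
    checked_out: dict = field(default_factory=dict)  # account -> operator currently holding it
    audit_log: list = field(default_factory=list)

    def _log(self, event: str, operator: str, account: str, ok: bool) -> None:
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "event": event, "operator": operator, "account": account, "ok": ok,
        })

    def _authenticate(self, operator: str, password: str) -> bool:
        expected = self.operators.get(operator)
        # constant-time comparison so a failed login leaks nothing via timing
        return expected is not None and hmac.compare_digest(expected, password)

    def checkout(self, operator: str, password: str, account: str) -> Optional[str]:
        """Release the secret only to an authenticated operator, one holder at a time."""
        if not self._authenticate(operator, password):
            self._log("checkout", operator, account, False)
            return None
        if account not in self.secrets_store or account in self.checked_out:
            self._log("checkout", operator, account, False)
            return None
        self.checked_out[account] = operator
        self._log("checkout", operator, account, True)
        return self.secrets_store[account]

    def checkin(self, operator: str, account: str) -> bool:
        """Return the account and rotate its secret so the handed-out value is now useless."""
        if self.checked_out.get(account) != operator:
            self._log("checkin", operator, account, False)
            return False
        del self.checked_out[account]
        self.secrets_store[account] = secrets.token_urlsafe(24)
        self._log("checkin", operator, account, True)
        return True


def demo_cycle() -> dict:
    """One full cycle with constructed data; returns the facts worth inspecting."""
    vault = Vault(
        operators={"alice": "alice-pw-constructed"},
        secrets_store={"root@db-01": "initial-root-secret-constructed"},
    )
    bad_auth = vault.checkout("mallory", "guess", "root@db-01")              # denied: wrong password
    first = vault.checkout("alice", "alice-pw-constructed", "root@db-01")    # granted
    second = vault.checkout("alice", "alice-pw-constructed", "root@db-01")   # denied: already held
    returned = vault.checkin("alice", "root@db-01")                          # rotates the secret
    return {
        "denied_bad_auth": bad_auth is None,
        "first": first,
        "denied_double_checkout": second is None,
        "checkin_ok": returned,
        "secret_rotated": vault.secrets_store["root@db-01"] != first,
        "audit_events": len(vault.audit_log),
    }


if __name__ == "__main__":
    for key, value in demo_cycle().items():
        print(f"{key}: {value}")
```

Running the block prints the outcome of each step; the four audit entries (one per attempt, successful or not) are what an incident responder would later correlate against the target system's own logs.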
4. Thin client
Thin client refers to a client-computer that completely depends on the central server for resources and data processing — in other words, a computer system with no hard disk of its own. Instead, it uses the hard disk, memory and stored resources of the central server.
A thin client computer connects to the server through a local area network (LAN) and doesn’t process any data itself, but simply provides the user interface (UI). There are several benefits to this method:
- A thin client is cheaper to buy and maintain than a regular desktop.
- It’s easier to set up and manage.
- It doesn’t require upgrades, since that’s handled at the server end.
- It’s safe from viruses.
- A new thin client can be connected to the server within minutes.
- A user can log in from anywhere in the network.
- It helps protect the network from unauthorized access.
5. Cloud-only environment
As of August 2021, GitHub’s technical team has moved to Codespaces, its cloud development platform. GitHub programmers now write code entirely in the browser.
Cloud development gives developers the tools they need to do large-scale remote work while separated from the underlying infrastructure. It brings the advantages of cloud computing to development environments.
In addition to Codespaces, Gitpod, Replit, CodeSandbox, CodePen, Autocode and Pipedream also allow developers to write, test and release code in a cloud environment.
6. Access proxy
Access proxy services require the digital identities of the user and the requesting device in order to allow the request. Identity-aware proxy (IAP) centralizes user access and handles authentication and authorization for you.
For instance, Teleport is an open source, multi-protocol IAP that supports SSH, RDP, HTTPS, Kubernetes, MySQL and PostgreSQL, among others. The DevOps tool works with “clusters” of servers, distant devices, databases, Kubernetes clusters and internal web apps. Teleport provides registered clients with a certificate that’s valid for all resources in a cluster. Its built-in user database can be combined with business SSO using Okta, GitHub, Google Apps, Active Directory and other identity providers.
Other benefits include:
- On the proxy server, SSH access is available using a web UI.
- You can use it with an existing OpenSSH infrastructure.
- Teleport employs SSH certificate-based access that’s set to expire automatically.
- SSH is used to manage IoT devices.
- It can be used to access Kubernetes clusters on edge or IoT systems, web apps on private networks, or databases in remote settings.
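As an added illustration of the access-proxy pattern above (and of the zero-trust tenet that users get access to specific private applications, never to the network), here is Python code, not Teleport's implementation, that models a proxy issuing a signed, short-lived credential valid for every resource in one cluster and then enforcing it on each request. The signing key, cluster names and resource inventory are constructed; the SSO step that authenticates the user before issuance is omitted, and a real proxy would use asymmetric certificates (such as SSH certificates) rather than an HMAC.

```python
"""Illustrative access-proxy credential: signed, cluster-scoped, expires on its own."""
import base64
import hashlib
import hmac
import json
import time

PROXY_KEY = b"constructed-proxy-signing-key"   # constructed; a real proxy keeps this in its CA/HSM

# Constructed inventory: which resources belong to which cluster.
CLUSTER_RESOURCES = {
    "prod": {"ssh:web-01", "ssh:web-02", "db:postgres-main", "k8s:prod-api"},
    "staging": {"ssh:stg-01", "db:postgres-stg"},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: bytes) -> bytes:
    return hmac.new(PROXY_KEY, body, hashlib.sha256).digest()


def issue(user: str, cluster: str, ttl_seconds: int, now: float = None) -> str:
    """Issue a credential after the user has authenticated (SSO step omitted here)."""
    now = time.time() if now is None else now
    claims = {"sub": user, "cluster": cluster, "iat": int(now), "exp": int(now) + ttl_seconds}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return _b64(body) + "." + _b64(_sign(body))


def authorize(token: str, resource: str, now: float = None) -> tuple:
    """Proxy-side check: signature first, then expiry, then cluster membership of the resource."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except ValueError:                       # binascii.Error is a ValueError subclass
        return False, "malformed"
    if not hmac.compare_digest(_sign(body), sig):
        return False, "bad signature"
    claims = json.loads(body)
    if now >= claims["exp"]:
        return False, "expired"
    if resource not in CLUSTER_RESOURCES.get(claims["cluster"], set()):
        return False, "resource not in cluster"
    return True, f"{claims['sub']} may reach {resource}"


def demo() -> dict:
    """Exercise the happy path and the three ways a request is refused, on a fixed clock."""
    t0 = 1_700_000_000.0                       # constructed fixed clock for reproducibility
    token = issue("alice", "prod", ttl_seconds=3600, now=t0)
    # An attacker who edits the claims (here: a one-year expiry) breaks the signature.
    forged_claims = {"sub": "alice", "cluster": "prod", "iat": int(t0), "exp": int(t0) + 365 * 86400}
    forged_body = json.dumps(forged_claims, sort_keys=True, separators=(",", ":")).encode()
    tampered = _b64(forged_body) + "." + token.split(".")[1]
    return {
        "in_cluster": authorize(token, "db:postgres-main", now=t0 + 60)[0],
        "other_cluster": authorize(token, "db:postgres-stg", now=t0 + 60)[1],
        "after_expiry": authorize(token, "db:postgres-main", now=t0 + 3601)[1],
        "tampered": authorize(tampered, "db:postgres-main", now=t0 + 60)[1],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design choices carry the security point: the expiry lives inside the signed claims, so a holder cannot extend it, and the proxy decides per resource rather than per network, so a credential for the staging cluster says nothing about production even though both sit behind the same proxy.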
Traditional VPNs carry security risks as well as benefits. To better protect your organization’s infrastructure as well as your remote employees, you may be better served by an alternative to a corporate VPN. Consider one of the above networks to keep your data and users safe.
Teleport offers a single-platform approach to authentication and authorization, reducing vulnerability to attack while also providing an easily maintainable access solution for companies. Its high usability means that you and your employees can focus on completing projects while your infrastructure stays protected. To learn more about Teleport, check its documentation.