VPNs, or virtual private networks, have long been a cornerstone of enterprise networks, helping to secure remote connections between employees and the company’s network.
But while VPNs have worked in the past, they aren’t without their issues, and as a result, many enterprises have been turning away from them. This is because increasingly, VPNs are failing to evolve to reflect the ever-changing nature of the enterprise world.
The borders of the workplace have spread to all corners of the globe, and remote working arrangements have become the norm for contractors, freelancers, full-time employees, and even vendors and third parties. All of these individuals need to be able to access the corporate network on the fly in a manner that doesn’t put their enterprise’s security at risk.
An ever-changing technology landscape has continually changed the needs of each user and the level of access required. Network managers, while capable, are increasingly scrambling to maintain a secure network, while also enforcing strict controls on who can and cannot access it.
While VPNs remain popular among enterprises for establishing any kind of remote connection, many enterprises have started to break users down into categories, granting each a different type of access and applying new security measures in each instance. For many of these, the VPN just isn’t enough.
But before we dive into what solutions are strong alternatives to traditional VPNs, it’s important to understand exactly what it is a VPN does, and why it is (and isn’t) well suited for an enterprise.
The main goal of a VPN is to ensure that data traffic is secure while it is moving to and from the corporate network. This can be effective for many users, but not for all, and can be an especially poor catch-all for third parties and vendors.
However, there are other options. In this article, I’ll explore the 3 ways that enterprises can vastly improve their security beyond just using a VPN. While there are even more good alternatives to VPNs, such as an SSL Proxy or SOCKS, I’ve restricted this list to the most widely used alternatives.
1) IAM - Identity & Access Management
When working alongside a VPN, Identity & Access Management (IAM) systems can provide an additional level of security. Instead of relying only on the typical but vulnerable username and password combo, IAM technology includes a more thorough process of verification.
A birthday, inconveniently placed post-it-note, or misplaced notepad is not the only way to get into a network system. An IAM allows you to implement two-or-more factor authentication over and above your existing VPN connection. This means if the VPN is compromised, or the password is cracked, there is still an additional (and extremely secure) level of protection. This can also be implemented on the vendor/third party side.
By using an IAM, user activity is connected solely to the user themselves, meaning managers can rest easy knowing the user has authorised access. Additionally, as this specific solution ties access to the user instead of a connection, the activity can be tracked. This is especially helpful when users are accessing sensitive software or information through a SaaS model over the cloud.
But while this technology allows for more strict activity monitoring, it doesn’t provide any additional layers of protection for server or domain administrators. For that, another solution is required.
2) VPAM - Vendor privileged access management
When enterprises increase in size and revenue, they invariably increase the number of partners, vendors, and IT consultants. When this happens, the enterprise needs reliable remote access to its network that can provide these third-party users with unique privileged access, albeit different from that of their internal accounts.
These external access privileged accounts require a far greater level of security - far more than IAM or PAM can manage. To mitigate the risks of third-party access, a vendor privileged access management, or VPAM solution, provides a more precisely controlled level of onboarding and termination of external users.
Additionally, various regulations require specific features for remote access to remain compliant. VPAM solutions cover all of these regulations, on top of a robust, enhanced level of security, access controls, and authentication.
3) PAM - Privileged access management
Technology has a strange way of revealing what works and what doesn’t. As soon as a tool has proved its worth, people tend to take notice. Especially in the case of security. Small are increasingly prioritised spend in 2019, seeking out the best VPN services, most secure web hosting, and safest cloud storage solutions that they could afford. In each of these, a strong service always emerges. Such has been the case with PAM.
Where IAM focuses on security around individual users and their authentication, privileged access management (PAM) focuses on privileged users who can access core applications and systems. Because of how important these functions are, a greater level of scrutiny, care, and security is required.
Accounts with privileged access require more monitoring than any other. As they have such high-level access, they often find themselves in the crosshairs of bad actors who want to inflict terrible damage or steal valuable information. With this in mind, these accounts are the highest security risk.
PAM achieves its security goals in a variety of ways, chiefly: password obfuscation and frequent rotation, enforced password complexity, precise user monitoring, and control over system and data access.
According to Gary Stevens, CISO at web research group Hosting Canada, “This combination of advanced security measures helps to greatly reduce the overall threat posed by bad agents and makes it significantly easier for data breaches to be spotted earlier on.”
By using a PAM solution, network managers gain far greater control than simply relying on a VPN. While VPNs do a fine job at maintaining a secure connection (although you need to be wary about where those VPNs are actually coming from), they fall short when it comes to controlling who can and can’t access certain things. However, some users, such as third parties or vendors, have specific needs that PAM alone cannot address.
What is the best alternative to a VPN?
The best alternative to a VPN will depend greatly on your needs. If you require a secure connection and little more, a solid, reliable VPN from a good provider will suffice. If you need more strict controls on who accesses your corporate network, then an IAM or PAM will be necessary, depending on the level of access required.
Finally, if you’re working with lots of third-party vendors who need specific access to your network, then this level of vulnerability will require the VPAM solution.
Whatever your needs, however, there are plenty of options available, and with the right solution, you can get your business network secure in no time.
Sam Bocetta, security writer