Why VPNs Fail for Hybrid Workforces and The Importance of Privileged Access Management (PAM) To Protect Against Third-Party Risks

Let’s start by being clear that what you need to do to support “hybrid work” versus a “hybrid workforce” isn’t the same. To support hybrid work, you need to secure and control access for an employee to the appropriate corporate resources as that employee roams between the office, home, or offsite. If your organization allows hybrid work, you inherently have a “hybrid workforce”, meaning a mixture of on-premises and remote users. For example:

  • Remote workers may be employees who are on a job site instead of on their corporate network.
  • They may be executives or sales representatives traveling to visit clients and prospects.
  • They may be work-from-home employees for organizations that continue to support WFH.

But you can also have a hybrid workforce even if all of your employees are in the office. How can that be? It’s because of a final type of remote worker, which includes third-party vendors, contractors, and consultants who need access to your corporate networks and resources, but who are not located on that network.

To support a hybrid workforce that includes outside vendors, businesses must provide secure remote access for these vendors in a manner that differs from how they support remote employees. Traditionally, companies have relied on VPNs (Virtual Private Networks) for remote access, but VPNs were never designed for the level of control, security, and visibility required for external users.

External users often need temporary or limited access to sensitive systems and must be isolated from the privileged credentials used to access those systems. For these users, a Vendor Privileged Access Management (VPAM) solution offers a more modern and secure approach. VPAM not only controls access more precisely but also helps organizations reduce the growing risks associated with third-party access.

Why VPNs No Longer Fit the Hybrid or Extended Workforce

VPNs create an encrypted tunnel between a user and the internal network. Once connected, users often gain broad network-level access, which might include applications, file servers, databases, and other sensitive infrastructure. While this might be acceptable for trusted employees in a secure environment, it becomes a serious security flaw when applied to external or temporary users.

Key VPN Weaknesses:

  1. Full Network Exposure

VPNs don’t differentiate between employees and third-party users. Once connected, both may have access to more than they need, violating the principle of least privilege.

  2. Lateral Movement Risk

If an external user’s credentials are stolen or their device is compromised, an attacker can move freely within the internal network.

  3. Lack of Granular Access Controls

VPNs often lack role-based policies. IT teams can’t easily restrict access to specific applications or servers without complex network segmentation.

  4. No Session Monitoring or Recording

VPNs provide little visibility into what users do once they connect. If a vendor mishandles data or makes unauthorized changes, there may be no audit trail.

  5. Credential Sharing

Contractors sometimes share login credentials across teams, which creates accountability and tracking problems, especially when using shared administrator accounts.

The Added Risk of Third-Party Access

Third-party vendors and contractors introduce unique security challenges:

  • Unmanaged Devices

Vendors may use personal or unmanaged devices that lack proper antivirus, endpoint detection, or patching, increasing the attack surface.

  • Short-Term Access Needs

External users often need access for only a few hours or days. VPNs aren’t built for granting and revoking time-limited access quickly or safely.

  • Untrusted Networks

Contractors might connect from insecure locations like hotels, cafés, or public Wi-Fi, raising the chances of session hijacking or data interception.

  • Lack of Accountability

Without proper monitoring or identity controls, companies can’t prove who did what, which is a compliance and forensic risk.

Why VPAM Is the Better Solution

Vendor Privileged Access Management (VPAM) tools are built specifically to handle sensitive access for external users. They combine strong authentication, fine-grained permission management, and session recording, making them ideal for securing third-party access.

How VPAM Addresses VPN Shortcomings:

| Security Feature                 | VPN     | VPAM                                              |
|----------------------------------|---------|---------------------------------------------------|
| Granular Access Control          | No      | Yes – per user, per system, per task              |
| Temporary / Just-in-Time Access  | No      | Yes – automated and auditable                     |
| Session Recording and Auditing   | Rare    | Built-in                                          |
| Credential Vaulting              | No      | Yes – stores privileged credentials               |
| No Shared Corporate Credentials  | No      | Yes – login is brokered                           |
| Role-Based Access                | Minimal | Strong, policy-based                              |
| Support for Third-Party Access   | Risky   | Purpose-built with time-limited, monitored access |
| In-Browser Access                | No      | Yes – secure, isolated sessions                   |

VPAM in Action: A Real-World Scenario

Let’s say a software vendor needs access to a company’s production server to apply a patch. With a VPN, the vendor might be given network access and possibly even credentials to log in manually. This opens the door to misconfigurations, unauthorized access, or credential theft.

With VPAM:

  • The vendor is verified through multi-factor authentication.
  • Access is granted only during an approved time window.
  • The vendor never sees actual passwords. Instead, the VPAM tool connects them through a session manager.
  • All actions are recorded, logged, and monitored in real time.

If something goes wrong, corporate IT has full visibility into what occurred and when.
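
The four controls in this scenario can be sketched as a single brokered decision. The following is an added example, not code from the article or from any VPAM product; the `Grant` and `SessionBroker` names, the vendor and host names, and the vaulted secret are all hypothetical, constructed values.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Grant:
    """Hypothetical approval record: one vendor, one system, one time window."""
    vendor: str
    target: str
    not_before: datetime
    not_after: datetime

class SessionBroker:
    """Hypothetical broker that owns the vaulted credentials and the audit log."""
    def __init__(self, vault, grants):
        self._vault = vault    # target -> privileged secret; never returned to callers
        self._grants = grants
        self.audit = []        # every decision is recorded, allow or deny

    def request(self, vendor, target, mfa_ok, now):
        grant = next((g for g in self._grants
                      if g.vendor == vendor and g.target == target), None)
        if not mfa_ok:
            reason = "mfa_failed"
        elif grant is None:
            reason = "no_grant_for_target"       # per user, per system
        elif not (grant.not_before <= now <= grant.not_after):
            reason = "outside_approved_window"   # access lapses without manual revocation
        else:
            reason = "ok"
        allowed = reason == "ok"
        self.audit.append({"ts": now.isoformat(), "vendor": vendor, "target": target,
                           "decision": "allow" if allowed else "deny", "reason": reason})
        if not allowed:
            return {"allowed": False, "reason": reason}
        # A real broker would open the session itself using self._vault[target];
        # the vendor receives only an opaque, random session handle.
        return {"allowed": True, "session": secrets.token_urlsafe(16),
                "expires": grant.not_after.isoformat()}

def demo():
    """Run four constructed requests; return (results, audit log)."""
    utc = timezone.utc
    window = (datetime(2025, 6, 1, 2, 0, tzinfo=utc), datetime(2025, 6, 1, 4, 0, tzinfo=utc))
    broker = SessionBroker({"prod-app-01": "constructed-vaulted-secret"},
                           [Grant("acme-patch-team", "prod-app-01", *window)])
    inside = datetime(2025, 6, 1, 3, 0, tzinfo=utc)
    late = datetime(2025, 6, 1, 5, 0, tzinfo=utc)
    results = [broker.request("acme-patch-team", "prod-app-01", True, inside),
               broker.request("acme-patch-team", "prod-db-01", True, inside),  # other system
               broker.request("acme-patch-team", "prod-app-01", True, late),   # window closed
               broker.request("acme-patch-team", "prod-app-01", False, inside)]  # MFA failed
    return results, broker.audit
```

Only the first request is allowed; the other three are denied and still appear in the audit log, which is the visibility a VPN connection does not provide.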

Conclusion

VPNs are outdated for managing secure access in a world of hybrid workforces and complex third-party relationships. They offer too much access, too little control, and almost no visibility. Vendor Privileged Access Management (VPAM) is a smarter, more secure approach. It reduces risk by providing temporary, controlled access to only the systems users need with full auditing, role-based policies, and session recording. VPAM helps businesses enforce least privilege, reduce attack surfaces, and ensure accountability. As hybrid workforces grow and more organizations depend on outside help, VPAM quickly becomes a necessity.

About the Author

Karen Gondoly is CEO of Leostream, a vendor-neutral platform providing a comprehensive and scalable solution for organizations to securely deliver and manage remote access to physical and virtual machines hosted on-premises and in cloud environments.

Karen can be reached online at [email protected], on X at https://x.com/Leostream/ and at
