Aug 19, 2019
Report Number: IT-MA-19-001
Report Type: Audit Reports
Category: Technology

Management Advisory – Virtual Private Network Access

Objective

Our objective was to evaluate whether virtual private network (VPN) access to the Postal Service’s Information Technology (IT) network was granted only to those individuals who require access. eAccess is used for requesting and approving access for applications and other IT infrastructure. We reviewed eAccess data that showed authorizations for Postal Service contractors and employees who have been granted VPN access.

VPN provides users with a means to securely access information on a corporate network infrastructure or an untrusted public network (e.g., the Internet). On [redacted]. The Postal Service now uses VPN to provide users with a means to securely access information on its IT network from a remote location.

One of the primary IT security challenges with VPN is limiting unnecessary access to critical business applications and network resources. It is important to establish justifiable business rules and monitor VPN permissions to reduce the risk of IT security complexities associated with remote access to networks. As of March 15, 2019, [redacted] contractors and [redacted] Postal Service employees had authorized VPN access.

What the OIG Found

We identified contractors and bargaining employees whose VPN access to the Postal network was higher than permitted by Postal Service policy. We found that [redacted] of the [redacted] contractor personnel (about 28 percent) had a higher level of VPN access than Postal Service policy permits. Postal Service policy states that contractors should not have a higher level of VPN access unless they have been issued a Postal Service device. In addition, there were [redacted] bargaining employees with authorized VPN access to the Postal Service IT network. While this does not represent a significant number of employees, [redacted].

VPN access approvals are controlled by a user’s eAccess approving manager, who determines the level of access based on the business need. There are no controls within eAccess that flag for the approving manager those instances where VPN access may not be appropriate for the user. It is important to provide VPN access in a manner that reduces the risk of security complexities associated with remote access. However, the Postal Service plans to invest [redacted] million into an eAccess Technology Refresh and Privileged Access Management program. This investment into a modern access management system will address concerns related to managing authorizations to the IT network.

What the OIG Recommended

We recommended the Postal Service analyze its contractors and bargaining employees with VPN access and make appropriate changes. 

Report Recommendations

| # | Recommendation | Status | Value | Initial Management Response | USPS Proposed Resolution | OIG Response | Final Resolution |
|---|---|---|---|---|---|---|---|
| 1 | Periodically analyze Postal Service contractors with authorized VPN Access to USPS - 2FA access to ensure that they are issued a Postal Service device and make changes as appropriate. | Closed | $0 | Disagree | | | |
| 2 | Analyze Postal Service bargaining employees with authorized Virtual Private Network access and coordinate with their supervisors to make appropriate changes. | Closed | $0 | Agree | | | |