Does your business need its own VPN? – IT PRO

In the past 12 months there have been 480 million downloads of mobile VPN apps, an increase of 50% on the previous year. That's according to the 2019 Global Mobile VPN report, and it shows that consumers around the world are starting to understand the benefits of connecting to the internet via a virtual private network when out and about.

But what about businesses? Have you ever stopped to think whether your business ought to be providing a VPN service to remote workers, or taking advantage of one to protect your sensitive data? We talked to industry experts to find out whether your business needs a VPN.

Before we can address the question of whether your business needs its own VPN, you need to understand exactly what a VPN can do for you, and what it can't.

"The network encryption provided by a VPN provides a business with confidentiality – your data can't be read in transit – and integrity – your data, messages and transactions can't be tampered with," explains Charl van der Walt, chief security strategy officer at security services provider SecureData. VPN services achieve this by creating a virtual tunnel between a remote device and your corporate network, requiring strict user authentication and allowing you to enforce access control.

The benefits of this should be obvious. "When employees need to provide additional credentials remotely," said Chris Hykin, technical services director at Stone Group, "it reduces the chance of the system being accessed by third parties, and prevents flexible working becoming a compromise to security."

That's not necessarily all your VPN will do. "As most VPN products require the installation of a low-level agent on the endpoint, many products also extend into the broader domain of endpoint and internet protection, providing features like content filtering and blocking malicious sites," adds van der Walt.

Your company VPN can, therefore, be more than simply a network service: you can think of it as the foundation of secure communication between systems, people and sites. With remote working becoming an increasingly important aspect of the business environment, the value of that is clear.

This all sounds super, smashing and lovely, but there are certain misconceptions about VPNs to clear up. SecureData's van der Walt told us that, as VPNs have gradually become a commodity, some people have lost sight of their actual capabilities.

"VPNs are often seen by the enterprise as a catch-all system that offers everything from confidentiality to access control," he said. "Products are frequently over-simplified when they're sold and deployed; subtle points are overlooked, sometimes resulting in more harm than good."

One important thing to realise is that all of the features offered by a VPN work differently in different phases of the data journey: from the endpoint itself onto the internet, through the VPN gateway and onto the LAN. As an example, let's think about cloud-based VPN products, where the gateway is hosted by a provider somewhere in the cloud.

"The confidential data passing through the tunnel terminates at a single point, managed by a third party, which makes it a highly attractive target for attack, compromise or lawful (or unlawful) interception," van der Walt points out. "These third parties often store logs and authentication data in ways which are vulnerable to compromise, as we saw recently with the breach of NordVPN."

It's also important to recognise that a VPN product can provide complex functionality on both the endpoint and the gateway, which increases the potential exposure to attacks.

"Enterprise VPN products that integrate with a directory (like Microsoft Active Directory) are susceptible to phishing, credential reuse, credential stuffing and other forms of credential theft – exposing critical internal systems directly to an attacker over the internet," warns van der Walt. Indeed, he mentioned that he'd seen precisely this type of attack being used successfully, both by red teamers (security experts who carry out simulated attacks to expose holes in a company's defences) and by genuine bad guys. It's safest to assume that all VPN gateway technologies, even from the biggest names, will be aggressively targeted in the wild, and any vulnerabilities will be exploited mercilessly.

Another vital point is that, while VPN services may be integrated into broader security solutions, the secure tunnel itself doesn't do anything to detect, block or remove malware or other unwanted content.

"If the data payload travelling over the VPN is infected," says Ryan Orsi, director of product management at WatchGuard, "the VPN will securely deliver it to the endpoint – where it could run wild if the endpoint doesn't have proper malware protection."

Lastly, we need to talk about the encryption misconception. That may sound like an episode of The Big Bang Theory, but it's actually even less funny: indeed, the consequences to your business of getting this concept wrong could be pretty darn serious.

"A VPN does not encrypt any data at rest, only in transit," explained Paul Bischoff, a privacy advocate at Comparitech.com. "If the VPN server is acting as a middleman between the user and the internet, that user's traffic is only encrypted up to the VPN server. The traffic between the VPN server and the final destination – a website, for example – is not encrypted by the VPN." In other words, the VPN doesn't provide true end-to-end encryption, and if you're relying on a third-party provider they could theoretically be monitoring your traffic, or storing it in a form that could later be released under the weight of legal pressure.

Indeed, the possibility of data logging is more than just a theoretical threat: in certain countries, such as China, it's required. In other words, in some territories, private networks are fundamentally compromised by design.

Now we've got a grip on those issues, we can start to address the actual question: does your business really need its own VPN, or not?

If you're looking for a simple answer, it's yes. As David Emm, principal security researcher at Kaspersky, told PC Pro: "A VPN is a necessary part of a business cybersecurity strategy, as it helps ensure that the credentials used to access corporate systems and websites that require input from a login and password can't be intercepted." In a cybersecurity landscape that's dynamically evolving with new threats and vulnerabilities at every turn, it makes sense to embrace all the protection you can get.

At this point you might be wondering whether that really applies to all businesses. What if you don't have any remote workers, and all your office computers are connected to a wired LAN that's managed by a competent IT services provider? In such a scenario, VPN services are admittedly less critical. "The added layer of encryption is good," notes Paul Rosenthal, CEO and co-founder of Appstractor. "But for many companies, I would consider putting a VPN on each workstation as icing on the cake rather than essential."

Even then, though, a VPN has benefits, as it ensures that your activities can't be snooped on, and cuts down the possible avenues for a data leak.

And things change as soon as you introduce Wi-Fi into the equation, as this greatly increases your exposure to possible attacks. "It's very easy for hackers to either intercept your traffic or trick you to connect to a fake access point, where all kinds of attacks can be launched, potentially exposing confidential and sensitive data," Rosenthal reminds us. In his view it's pretty much essential that every non-wired device used by every employee should use a VPN.

For home users, choosing a VPN provider largely boils down to simple metrics such as speed and price. As Rosenthal puts it, "arguably there isn't a huge amount of difference between the main consumer VPN brands, in terms of the technical level of security they provide".

In a professional context, however, there are other issues to think about. "Businesses face a fundamentally different challenge," Rosenthal says, "making sure that every device used by every employee has the VPN not only installed, but also switched on and used properly."

This is a key reason why you shouldn't rely on a consumer VPN service for business security: the client software doesn't support central management. "Look for a VPN that's designed for deployment in a business," advises Rosenthal, "where installation and administration are simplified, and compliance can be enforced. Otherwise you're leaving huge gaps in your cybersecurity defences."

The other option is to operate your own VPN, which you might do either by installing or enabling services on your internal servers, or investing in a dedicated gateway appliance.

Either way, the self-hosted approach has the advantage of putting you fully in control of your own security, and the use case really kicks in when your business has multiple locations requiring access to a central network. Indeed, the value of this sort of system is understood even in environments that are broadly unfriendly to VPN usage.

"In many cases, even countries that block VPN usage will allow corporate entities access to one by requiring either a fee or the collection of data relating to how the VPN is used," explains Larry Trowell, principal security consultant at Synopsys.

That said, there are scenarios where running your own VPN is an unnecessary investment. Trowell points out that if your workers aren't actively collaborating on documents, and you just need to periodically exchange and synchronise data, a secure FTP or email server may be all that's needed.

If you have decided to set up your own VPN, you will need to confront the question of how it's configured. The simplest approach is to route all your traffic through the VPN tunnel, but this can have an impact on performance. "If you're forcing all your network traffic through the VPN tunnel, your latency will increase, and the connection will be slower," warns Ron Winward, a security evangelist at Radware.

The solution could be split tunnelling, which routes only certain types of traffic over the VPN.

"Perhaps you have a resource inside of the network that needs remote access, but don't want all your internet traffic to go through the VPN server," Winward says. "Split tunnelling allows this. But if you do use split tunnelling, make sure your users understand that not all traffic traverses the VPN tunnel. Don't create a false sense of security for them."
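To see what "not all traffic traverses the VPN tunnel" means in practice, the following added example (not from the article or any vendor) applies longest-prefix route matching to a full-tunnel and a split-tunnel route table and lists the destinations that would bypass the VPN. The interface names, the 10.20.0.0/16 corporate range and the sample destinations are constructed assumptions.

```python
import ipaddress

# Constructed route tables (assumptions, not from the article):
# "tun0" is the VPN interface, "wlan0" the local Wi-Fi interface,
# and 10.20.0.0/16 is the corporate range pushed by the VPN gateway.
FULL_TUNNEL = [("0.0.0.0/0", "tun0")]
SPLIT_TUNNEL = [("10.20.0.0/16", "tun0"), ("0.0.0.0/0", "wlan0")]

# Constructed sample destinations: one inside the corporate range, one
# internal-looking address outside it, and two public documentation addresses.
SAMPLE_DESTINATIONS = ["10.20.5.14", "10.21.0.9", "192.0.2.80", "198.51.100.7"]


def pick_interface(routes, destination):
    """Return the outgoing interface chosen by longest-prefix match."""
    dest = ipaddress.ip_address(destination)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise LookupError(f"no route to {destination}")
    return best[1]


def outside_tunnel(routes, destinations, vpn_iface="tun0"):
    """List the destinations whose traffic would not use the VPN interface."""
    return [d for d in destinations if pick_interface(routes, d) != vpn_iface]


if __name__ == "__main__":
    for name, routes in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        print(f"{name}: bypasses VPN -> {outside_tunnel(routes, SAMPLE_DESTINATIONS)}")
```

Note that 10.21.0.9 looks internal but falls outside the pushed range, so under split tunnelling it leaves over Wi-Fi along with the public destinations.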

Clearly there are multiple reasons and ways to use a VPN, and many people actually use several VPNs for different purposes. "As a global business traveller," Winward says, "I run my own VPN servers at trusted locations where I control the network devices on the remote end." Doing so gives him the confidence that his traffic is kept secure as it traverses networks outside of his control. But that's not the whole story: "I also connect to other VPNs for different needs, including work, lab access, and basic security hygiene."

The upshot is that it's essential to properly consider exactly what you want to achieve by using a VPN. Your needs could be best met by a third-party provider, or by running your own VPN, or a combination of the two approaches.

"Each option has its own considerations," Winward concludes. "A service requires that you trust the vendor with your data and your privacy. Buying your own device requires knowledge and support of the device, as well as the cost of purchasing and maintaining it. Open source might reduce your capex spend, but at the cost of not having support from a vendor when you might need it most."
