PC Pro

Does your business need a VPN?

You might assume that a company VPN is overkill for small businesses; Davey Winder asks whether it’s actually a necessity


PC Pro’s resident security guru examines whether a VPN is overkill for smaller firms.

In the past 12 months there have been 480 million downloads of mobile VPN apps – an increase of 50% on the previous year. That’s according to the 2019 Global Mobile VPN report (pcpro.link/306vpn) and it shows that consumers around the world are starting to understand the benefits of connecting to the internet via a virtual private network when out and about.

But what about businesses? Have you ever stopped to think whether your business ought to be providing a VPN service to remote workers, or taking advantage of one to protect your sensitive data? We talked to industry experts to find out whether your business needs a VPN.

What is a VPN anyway?

Before we can address the question of whether your business needs its own VPN, you need to understand exactly what a VPN can do for you – and what it can’t.

“The network encryption provided by a VPN provides a business with confidentiality – your data can’t be read in transit – and integrity – your data, messages and transactions can’t be tampered with,” explained Charl van der Walt, chief security strategy officer at security services provider SecureData. VPN services achieve this by creating a virtual tunnel between a remote device and your corporate network, requiring strict user authentication and allowing you to enforce access control.

The benefits of this should be obvious. “When employees need to provide additional credentials remotely,” said Chris Hykin, technical services director at Stone Group, “it reduces the chance of the system being accessed by third parties, and prevents flexible working becoming a compromise to security.”

That’s not necessarily all your VPN will do: “As most VPN products require the installation of a low-level agent on the endpoint, many products also extend into the broader domain of endpoint and internet protection, providing features like content filtering and blocking malicious sites,” added van der Walt.

Your company VPN can, therefore, be more than simply a network service: you can think of it as the foundation of secure communication between systems, people and sites. With remote working becoming an increasingly important aspect of the business environment, the value of that is clear.

What doesn’t a VPN do?

This all sounds super, smashing and lovely, but there are certain misconceptions about VPNs to clear up. SecureData’s van der Walt told us that, as VPNs have gradually become a commodity, some people have lost sight of their actual capabilities.

“VPNs are often seen by the enterprise as a catch-all system that offers everything from confidentiality to access control,” he said. “Products are frequently over-simplified when they’re sold and deployed; subtle points are overlooked, sometimes resulting in more harm than good.”

One important thing to realise is that all of the features offered by a VPN work differently in different phases of the data journey – from the endpoint itself onto the internet, through the VPN gateway and onto the LAN. As an example, let’s think about cloud-based VPN products, where the gateway is hosted by a provider somewhere in the cloud.

“The confidential data passing through the tunnel terminates at a single point, managed by a third party, which makes it a highly attractive target for attack, compromise or lawful (or unlawful) interception,” van der Walt pointed out. “These third parties often store logs and authentication data in ways which are vulnerable to compromise, as we saw recently with the breach of NordVPN.”

It’s also important to recognise that a VPN product can provide complex functionality on both the endpoint and the gateway, which increases the potential exposure to attacks.

“Enterprise VPN products that integrate with a directory (like Microsoft Active Directory) are susceptible to phishing, credential reuse, credential stuffing and other forms of credential theft – exposing critical internal systems directly to an attacker over the internet,” warned van der Walt. Indeed, he mentioned that he’d seen precisely this type of attack being used successfully, both by “red teamers” – security experts who carry out simulated attacks to expose holes in a company’s defences – and by genuine bad guys. It’s safest to assume that all VPN gateway technologies – even from the biggest names – will be aggressively targeted in the wild, and any vulnerabilities will be exploited mercilessly.

“A VPN product can expose complex functionality on both the endpoint and the gateway, increasing the potential attack surface”

Another vital point is that, while VPN services may be integrated into broader security solutions, the secure tunnel itself doesn’t do anything to detect, block or remove malware – or other unwanted content.

“If the data payload travelling over the VPN is infected,” said Ryan Orsi, director of product management at WatchGuard, “the VPN will securely deliver it to the endpoint – where it could run wild if the endpoint doesn’t have proper malware protection.”

Lastly, we need to talk about the encryption misconception. That may sound like an episode of The Big Bang Theory, but it’s actually even less funny – indeed, the consequences to your business of getting this concept wrong could be pretty darn serious.

“A VPN does not encrypt any data at rest, only in transit,” explained Paul Bischoff, a privacy advocate at Comparitech.com. “If the VPN server is acting as a middleman between the user and the internet, that user’s traffic is only encrypted up to the VPN server. The traffic between the VPN server and the final destination – a website, for example – is not encrypted by the VPN.” In other words, the VPN doesn’t provide true end-to-end encryption, and if you’re relying on a third-party provider they could theoretically be monitoring your traffic, or storing it in a form that could later be released under the weight of legal pressure.

Indeed, the possibility of data logging is more than just a theoretical threat: in certain countries, such as China, it’s required. In other words, in some territories, private networks are fundamentally compromised by design. You will find a reasonably comprehensive list of where VPNs are, and aren’t, legally allowed to be truly private at pcpro.link/306vpn2.

So, does your business need its own VPN?

Now we’ve got a grip on those issues, we can start to address the actual question: does your business really need its own VPN, or not?

If you’re looking for a simple answer, it’s yes. As David Emm, principal security researcher at Kaspersky, told PC Pro: “A VPN is a necessary part of a business’ cybersecurity strategy, as it helps ensure that the credentials used to access corporate systems and websites that require input from a login and password can’t be intercepted.” In a cybersecurity landscape that’s dynamically evolving with new threats and vulnerabilities at every turn, it makes sense to embrace all the protection you can get.

At this point you might be wondering whether that really applies to all businesses. What if you don’t have any remote workers, and all your office computers are connected to a wired LAN that’s managed by a competent IT services provider? In such a scenario, VPN services are admittedly less critical. “The added layer of encryption is good,” noted Paul Rosenthal, CEO and co-founder of Appstractor. “But for many companies, I would consider putting a VPN on each workstation as icing on the cake rather than essential.”

Even then, though, a VPN has benefits, as it ensures that your activities can’t be snooped on, and cuts down the possible avenues for a data leak.

And things change as soon as you introduce Wi-Fi into the equation, as this greatly increases your exposure to possible attacks. “It’s very easy for hackers to either intercept your traffic or trick you to connect to a fake access point, where all kinds of attacks can be launched, potentially exposing confidential and sensitive data,” Rosenthal reminded us. In his view it’s pretty much essential that every non-wired device used by every employee should use a VPN.

Choosing a VPN service

For home users, choosing a VPN provider largely boils down to simple metrics such as speed and price. As Rosenthal put it, “arguably there isn’t a huge amount of difference between the main consumer VPN brands, in terms of the technical level of security they provide.”

In a professional context, however, there are other issues to think about. “Businesses face a fundamentally different challenge,” Rosenthal said, “making sure that every device used by every employee has the VPN not only installed, but also switched on and used properly.”

This is a key reason why you shouldn’t rely on a consumer VPN service for business security: the client software doesn’t support central management. “Look for a VPN that’s designed for deployment in a business,” advised Rosenthal, “where installation and administration are simplified, and compliance can be enforced. Otherwise you’re leaving huge gaps in your cybersecurity defences.”

The other option is to operate your own VPN, which you might do either by installing or enabling services on your internal servers, or investing in a dedicated gateway appliance.

Either way, the self-hosted approach has the advantage of putting you fully in control of your own security – and the use case really kicks in when your business has multiple locations requiring access to a central network. Indeed, the value of this sort of system is understood even in environments that are broadly unfriendly to VPN usage.

“In many cases, even countries that block VPN usage will allow corporate entities access to one by requiring either a fee or the collection of data relating to how the VPN is used,” explained Larry Trowell, principal security consultant at Synopsys.

That said, there are scenarios where running your own VPN is an unnecessary investment. Trowell points out that if your workers aren’t actively collaborating on documents, and you just need to periodically exchange and synchronise data, a secure FTP or email server may be all that’s needed.

Configuration matters

If you have decided to set up your own VPN, you will need to confront the question of how it’s configured. The simplest approach is to route all your traffic through the VPN tunnel, but this can have an impact on performance. “If you’re forcing all your network traffic through the VPN tunnel, your latency will increase, and the connection will be slower,” warned Ron Winward, a security evangelist at Radware.

The solution could be split tunnelling, which routes only certain types of traffic over the VPN.

“Perhaps you have a resource inside of the network that needs remote access, but don’t want all your internet traffic to go through the VPN server,” Winward said. “Split tunnelling allows this. But if you do use split tunnelling, make sure your users understand that not all traffic traverses the VPN tunnel. Don’t create a false sense of security for them.”
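The point Winward makes about split tunnelling – that only destinations inside the tunnel’s route list are protected, and everything else goes straight out to the internet – is easy to check mechanically. The script below is an added example, not code from the article or from any of the interviewees: it models how a split-tunnel client decides which traffic enters the tunnel by matching each destination against a prefix list (the kind of “allowed IPs” list WireGuard-style clients use), and flags internal hosts that a given route list would leave outside the VPN. The address ranges, host lists and configuration names are constructed for illustration, not taken from any real deployment.

```python
"""Added example, not code from the PC Pro article or its interviewees.

Models how a split-tunnel VPN client decides which traffic enters the tunnel:
a list of tunnel routes (the 'AllowedIPs'-style prefix list that WireGuard
and similar clients use) is matched against each destination address.
Anything outside those prefixes bypasses the VPN, which is the situation
users of a split tunnel need to understand. All route lists, hosts and
addresses below are constructed sample values, not a real deployment.
"""
import ipaddress
from typing import Dict, Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample client configurations (hypothetical address ranges).
FULL_TUNNEL_ROUTES = ["0.0.0.0/0", "::/0"]               # everything goes via the VPN
SPLIT_TUNNEL_ROUTES = ["10.0.0.0/8", "192.168.50.0/24"]  # only the corporate LAN does


def parse_routes(routes: Iterable[str]) -> List[Network]:
    """Turn prefix strings into network objects; strict=False tolerates host bits."""
    return [ipaddress.ip_network(r, strict=False) for r in routes]


def via_tunnel(dest: str, routes: List[Network]) -> bool:
    """True if the destination falls inside any tunnel route of the same IP version."""
    addr = ipaddress.ip_address(dest)
    return any(addr.version == net.version and addr in net for net in routes)


def classify(dests: Iterable[str], routes: List[Network]) -> Dict[str, List[str]]:
    """Split destinations into those the VPN carries and those sent direct."""
    result: Dict[str, List[str]] = {"tunnelled": [], "direct": []}
    for d in dests:
        result["tunnelled" if via_tunnel(d, routes) else "direct"].append(d)
    return result


def unprotected_internal_hosts(internal_hosts: Iterable[str],
                               routes: List[Network]) -> List[str]:
    """Configuration check: internal services that this route list would NOT
    carry through the VPN. A non-empty result means the tunnel prefixes are
    too narrow, and those hosts are reached outside the VPN's protection."""
    return [h for h in internal_hosts if not via_tunnel(h, routes)]


if __name__ == "__main__":
    # Constructed sample traffic: two internal servers, one public website,
    # and one internal server that sits outside the split-tunnel prefixes.
    sample = ["10.20.30.40", "192.168.50.7", "203.0.113.5", "172.16.9.9"]
    for name, cfg in (("full tunnel", FULL_TUNNEL_ROUTES),
                      ("split tunnel", SPLIT_TUNNEL_ROUTES)):
        print(name, classify(sample, parse_routes(cfg)))
    # Under the split tunnel, 203.0.113.5 (public) and 172.16.9.9 (internal
    # but missing from the prefix list) both bypass the VPN.
    gaps = unprotected_internal_hosts(["10.20.30.40", "172.16.9.9"],
                                      parse_routes(SPLIT_TUNNEL_ROUTES))
    print("internal hosts bypassing the tunnel:", gaps)
```

Running it prints the classification for both configurations; the useful part for an administrator is `unprotected_internal_hosts`, which can be fed the list of internal services users are expected to reach and will name any that the chosen prefixes leave outside the tunnel. A full-tunnel list never produces gaps, at the latency cost Winward describes; a split-tunnel list trades that cost for exactly the kind of gap the check surfaces.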

The right tool for the job

Clearly there are multiple reasons and ways to use a VPN, and many people actually use several VPNs for different purposes. “As a global business traveller,” Winward said, “I run my own VPN servers at trusted locations where I control the network devices on the remote end.” Doing so gives him the confidence that his traffic is kept secure as it traverses networks outside of his control. But that’s not the whole story: “I also connect to other VPNs for different needs, including work, lab access, and basic security hygiene.”

The upshot is that it’s essential to properly consider exactly what you want to achieve by using a VPN. Your needs could be best met by a third-party provider, or by running your own VPN – or a combination of the two approaches.

“Each option has its own considerations,” Winward concludes. “A service requires that you trust the vendor with your data and your privacy. Buying your own device requires knowledge and support of the device, as well as the cost of purchasing and maintaining it. Open source might reduce your capex spend, but at the cost of not having support from a vendor when you might need it most.”

“The simplest approach is to route all your traffic through the VPN tunnel, but this can have an impact on performance and latency”

BELOW Open-source software lets you host your own VPN service

ABOVE A VPN is ideal for bringing scattered workers together in a secure way
