Not sure what I have done in the course of my work as editor for FutureCIO but I have been, and continue to be, inundated with promotions selling me VPNs or virtual private networks. At one point I was tempted to get a VPN license since I am almost always outside my “secure” home connection. But a friend told me that for my purposes, a VPN doesn’t help.
So, I enlisted the advice of experts on the matter:
Brian Washburn, Practice Leader, Network Transformation & Cloud, Omdia
Larry Trowell, Principal Security Consultant, Synopsys Software Integrity Group

What do enterprises use VPNs for?
Brian Washburn: VPNs can be divided into several categories – whether they operate over a private network, or they operate over the public internet on a dedicated appliance (router) from a permanent fixed location, or they operate over the public internet from individual compute devices (PC, laptop, mobile).
These different approaches have much different levels of security and performance, but they all do two basic things: (1) set up connections backed by private IP addresses: Traffic in the VPN can only route to other addresses inside the VPN, so traffic in the VPN cannot be intercepted by an outside party; (2) Traffic in the VPN is often encrypted as an extra safety measure, so even if an outside party does intercept traffic, it cannot be read. These features are why they’re often described as “VPN tunnels”. You can only send VPN traffic wherever the tunnel is set up to go. It’s a way to send private traffic in a protected way, so it is hard for someone to intercept on a network.
Larry Trowell: Enterprises use VPNs to connect employees in different locations, sometimes from different offices, sometimes so that they can work from home. An enterprise is usually more concerned with ensuring the people who have access to the site are those who should have access, as opposed to protecting the privacy of the user. Encryption is still valued and needed, but the primary focus is on protecting the network.
Can VPN replace other security solutions as used by companies and their employees?
Brian Washburn: VPNs are a basic building block of security, which protects traffic across a network. It does not protect ICT infrastructure. There is much more to security to protect entire systems…
Larry Trowell: VPNs should be used alongside other security solutions. They are not a catch-all for all types of security problems. For instance, two-factor authentication should be used to access the VPN and network security measures should be used to protect the internal networks. The VPN is only meant for access to the network. Its design is to keep the connection secure, not the network or anything else. An employee who clicks on a phishing link will have the same outcome on the VPN or inside the office. Thus, it is important that the VPN uses the proper encryption ciphers and is maintained following best practices.
What is the biggest misconception about VPN that is perpetrated by solutions providers?
Brian Washburn: VPNs are such a well-established technology, I wouldn’t say there are major misconceptions. The big question on the table for enterprise CIOs is weighing the value of VPN on a private network (each costing thousands of dollars per connection per month), against VPN on the internet (more like hundreds of dollars per connection per month), against individual device VPNs on the internet (more like ten, or tens of dollars per device per month).
There will be questions about why to pay so much for option X, whilst option Y seems so much cheaper. There is now a trend called hybrid networking, which lets enterprises mix high-end expensive VPN and lower-cost VPNs, to custom-build a network for the best mix of cost, performance, and security. Some service providers will insist that high-cost VPN on private network is the only truly safe option, while other service providers will claim VPN on private network is completely obsolete. The truth is, which is best and/or how to mix them is very circumstantial to the individual enterprise.
Larry Trowell: The biggest misconception about VPNs is what sort of data is seen or logged by the provider. Typically, you would expect none, but since they control the incoming traffic there is the possibility. Also, users should be wary of any VPN that would require the installation of their certificate because that can allow the provider the ability to see into the network traffic. Only pick a VPN provider you trust and one that has it in their best interest to protect your data.
How do you correct for this?
Brian Washburn: Our research shows that an impressive 96%-98% of large enterprises use some level of outside help when they deploy new, transformative network services such as hybrid networking and SD-WAN. Whether it’s to advise and validate purchase decisions, assess and design, install and maintain hardware, or help manage parts of the network actively – very few enterprises decide they know everything there is to know about a new technology, and implement it in a vacuum. The solution is just to find and engage with expert partners to help make the right decisions, and to supplement any gaps of in-house skills.
Larry Trowell: Using an outside VPN provider requires a lot of trust. I usually find that, when possible, it is more secure for a company to run its own VPN connection using OpenVPN, Cisco AnyConnect, Pulse Secure or similar systems. Implementation is normally not that difficult and ensures that the organisation knows exactly how secure their data is.
What should CIOs consider when determining use of VPN tech by the company?
Brian Washburn: Any sizable enterprise already uses VPNs, so it’s a matter of choosing what flavours of VPN services to buy, and what network services to pair with them. Today’s networks are flexible enough that enterprises can mix and match network services. That means CIOs need to evaluate the right formula for their company to meet cost, performance, security level, and service flexibility.
Larry Trowell: A few important considerations include what kind of ciphers and connections they use. Equally important is how well you can trust the organization providing the VPN. The connections to a firm’s network are the first line of attack for a system. It is also worth considering what sort of data the VPN user stores about the firm and its users.
Trending in 2020
With COVID-19 running amok, it is likely that VPN use will rise sharply in 2020 as enterprises enforce work-from-home policies. Statista puts the global VPN market at US$23.6 billion, rising to US$27.1 billion in 2020, up 12.9%.
Evolving protocols
OpenVPN is the most widely adopted protocol, and this will likely remain the case in 2020. However, the new WireGuard protocol, with its 4,000 lines of code, is lightweight (potentially faster) and easier to audit (aka more secure?) than OpenVPN with its 500,000. Both are open source.










