04 October 2021

VPNs are very popular with consumers wanting to unlock a world of streaming content, but why do enterprises need them? Robert Shepherd investigates

If you stopped the average person in the street and asked them what a VPN (virtual private network) is, you’d either get a short, shrift “no idea” or a “yes”, followed by a comment on how amazing they are. I know, because I’ve asked. I also know because I have one.

However, the people in the latter group (except me) are most likely to use one for their viewing pleasure. That’s because nowadays VPNs are synonymous with unblocking geo-restricted content by succesfuly navigating local licensing laws. You could say it’s often used to stream content illegally (definitely not by me).

However, we’re not here to talk about how some people access their favourite TV shows, nor to learn about their viewing habits, but to ask how businesses use VPNs.

Think back to that dreadful first quarter of 2020 and the arrival of the novel coronavirus. For the first time ever, almost every single industry was forced to re-think operations. How would we all work if we couldn’t make it to the workplace?

We all headed to our respective remote offices (bedrooms, living rooms and kitchens in many cases) and it was VPNs that made it possible for us to work as usual. Granted, not every enterprise had a VPN in place, but those that did provided their staff members with a secure way to connect to the company network to access systems, data and files.

Now, some 20 months later, remote working is a permanent solution for many businesses - and that means a secure remote workforce.

It’s also important to remember that VPNs are nothing new. To the consumer, maybe they are, but VPNs were actually designed and introduced almost 20-yearsago for connecting devices with onpremises networks. To this day they are a highly mature technology – but with today’s cloud-based infrastructure (public, private and hybrid), they are attempting to protect an environment they weren’t really built for, which, according to some, can be a boon for attackers. Instead of protecting a flat network with linear access, some VPNs are now used to protect the perimeter network.

Mark Hardy, Citrix

“End-user trust is strictly based on the notion of access to the corporate network”

So, what does that actually mean? Are VPNs still an integral part of a business with lots of staff working remotely, or have they had their time?

William Sword, cybersecurity writer and researcher at Atlas VPN, argues that enterprises should use a VPN as it encrypts data on all of the devices in the company’s network. “That way, hackers or internet service providers would not be able to see your data,” he says. “Employees would always access the internet through a secure and private connection.”

Nathan Wenzler, chief security strategist at Tenable agrees and presents a slightly more technical explanation.

“VPNs create a connection between two endpoints that is, as the name describes, private,” he says. “Whether this connection is across public networks - like the internet, or internally to a corporate network, VPNs facilitate an encrypted tunnel that secures the communication in transit between the two systems. This is an incredibly important security tool which enables remote workforces to connect to corporate data and assets from outside the corporate network without exposing the data or other information to anyone else in the public space.”

It goes without saying; any tool that encrypts company data is always welcome. However, VPNs are not without their detractors – often because they slow down the whole internet experience. Just ask anyone trying to stream a TV show or movie.

There can be for a number of reasons behind it, such as the wrong choice of server location. The further the server is from your true location, the slower the speed. The data packet must travel a greater distance and the speed of the VPN connection may slow down significantly and ping may reach critical levels.

Of course, speed and latency are not helped by the fact that so many workers are increasingly taking advantage of the flexibility of working from home. Throw Zoom meetings into the equation and you potentially have a perfect storm. After all, fibre-to-the-home can have bandwidth issues at the best of times.

It’s hardly good for businesses, is it?

“When using a VPN, it is absolutely normal for the internet to be a bit slower, but it should never make your browsing frustrating,” adds Sword. “In fact, I can assure you that having a bit of a slower internet is much better than losing your or even your customer’s sensitive information due to security vulnerability.”

Wenzler concurs and says for most countries across the world, speed and latency isn’t really an issue for VPN use any longer – and here’s why. “In the early days of broadband, where download and upload speeds were very limited, the overhead generated by VPNs could impact performance noticeably,” he continues. “But, as the vast majority of offices and homes have fast Internet connectivity (at least in relation to the early days) coupled with the overall improvements VPN providers have made over the years, speed and latency shouldn’t be an issue for most every use case.”

Now that you know – if you didn’t already – why your business could do with a VPN, you’re likely to ask how you start looking for the right provider.

Just a few years ago, a quick internet search would reveal a handful of VPN companies. Google the term now and you’ll find yards of text, news and reviews telling you which companies are good, which ones to avoid and the ones offering the best value for money when it comes to enterprises.

So, how do you choose between them?

Sword is a good person to ask because he works for a provider.

“When choosing a VPN, enterprises should choose a service that comes with a no-logs policy,” he says. “In addition, I would highly recommend a VPN that has a centralised management panel. IT admins can add or remove accounts from the console and check what devices are connected to the VPN. Lastly, I would mention to check the features the VPN service is offering, Killswitch, different protocol options, wide server variety are all good signs of a quality VPN. “Some VPNs offer features like a data breach monitor, which scans the web and checks whether your personal information is leaked online. With such a feature, employees can make sure their data is safe.”

Another security framework associated with remote working is what’s known zero trust.

It operates by assuming that the device or user is not authorised for access, and then authenticating each connectivity request. This approach limits the surface area and provides the necessary scalability. Zero trust also provides visibility into every user and device that VPNs lack, which allows a greater level of protection — more so for personal devices. In addition, security experts collect behaviour analytics to combine with artificial intelligence that can help proactively prevent future attacks. With working together being an increasing part of businesses, zero trust also allows companies to securely provide as-needed access to partners, vendors, customers and contractors.

Due to the boom in remote working, many companies have shifted and continue to shift to zero trust.

So, how does it compare to a VPN?

“When comparing VPN with zero trust security, I would say both of them are equally important,” says Sword. “VPN provides employees with secure remote access to company resources, while zero trust security fills the gaps in traditional network security architectures to prevent any inside or outside attacks.”

For Wenzler, it’s not even a debate because in his view, “comparing VPN technology to zero trust guidelines and principles is very much an apples-tooranges comparison”. He says “zero trust is more of a mindset or overall philosophy” that provides a guide toward how an organisation approaches its entire security program “while VPNs are technologies that provide a very specific form of security control. Looking at it from a People-Process-Tools spectrum, zero trust is a process while VPNs are tools. That said, VPNs can be a part of an organization’s zero trust initiative and would support some of the guidelines around securing communication or providing access on a per-session basis, but they should not be the sole security control used to address the various processes and requirements needed to properly implement a zero trust security program across an enterprise.”

While the zero trust and VPNs are quite different, one of the many ongoing security debates is how best to use them together.

On the face of it, it’s seen as most helpful in the short term while moving to a zero trust approach, which can be lengthy due to how complex the shift can be. While a VPN simply provides access to remote users and zero trust is a holistic authentication approach, VPN can be used as an access method as part of zero trust.

However, once the zero trust framework is rolled out, it’s much less time consuming to scale and grow the framework. However, Mark Hardy, director of cloud networking at Citrix, argues that IT security solutions are not made for hybrid work.

He says that’s because traditional VPNs are designed for the occasional remote worker, not for many or even all employees working from home. “This is why more and more businesses are looking for a security solution that actually fits the age of remote working,” he adds. “Zero-trust brings security controls from the network or VPN level to the application level, and from an initial all-access security check to granular rules and permanent monitoring. For a zero-trust security infrastructure, it doesn’t matter where, with what devices, or via what kind of network connection employees are accessing their business applications and internal data – all access is treated in a ‘never trust, always verify’ manner to ensure the highest standard of security while working remotely.”

Hardy explains how the VPN model has worked for use cases where end users get access to the corporate network, typically from approved corporate-managed devices only. “End-user trust is strictly based on the notion of access to the corporate network,” he continues. “Classic VPNs do not align with zero trust principles, since one-time access gives a user the metaphorical keys to the kingdom. Instead of this castle-and-moat approach, the zero trust model will use a dedicated VPNless proxy that sits between user devices and the full spectrum of applications they need, from enterprise SaaS to unsanctioned web apps. This proxy can enforce granular cybersecurity measures, such as disabling printing, copying and pasting on an endpoint if the contextual evidence supports doing so.”

Nathan Wenzler, Tenable

“VPNs create a connection between two endpoints that is, as the name describes, private”

Nevertheless, businesses need to look at the bigger picture: is the VPN secure and robust enough to protect against today’s increasingly sophisticated threats? Last year, cyber criminals launched vishing scams specifically designed to gain sensitive information through the VPN. With so many devices and locations involved, VPNs create a very large surface to protect. If an attack occurs, the potential damage is significant — because VPNs often give users access to the entire network.

Mike Campfield, head of EMEA operations for ExtraHop, says it’s important that companies should consider the pros and cons of VPNs. “When used properly, VPNs can strengthen an organisation’s security and can be highly scalable,” he adds. “A couple of advantages are that it secures the network by stopping hackers or software from accessing the organisation’s connection and hides private information through encryption. But this encryption process takes time and can sometimes significantly slow down internet speed. Also, VPNs can’t provide tailored access at the protocol or host level, potentially opening up users to services they shouldn’t be accessing, creating new risks for the organisation.”

Although VPNs have been viewed as the answer to supporting employees working outside of the office, Campfield says the biggest issues came about because of Covid. “They became overwhelmed throughout this shift, providing inbound security headaches alongside outbound challenges related to patching distributed endpoints,” he concludes.

Think of a VPN as a curtain, stopping opportunists and professional cybercriminals from viewing your browsing activity. A good VPN will also secure your internet connection, protect your privacy and conceal your identity, keeping you safe from hackers or anyone else who might be trying to keep tabs on your online activity. In reality, it does more than just protect the network.

Nevertheless, it’s important to remember that not all VPNs are created equal and each one comes with its own set of pros and cons.

Choose wisely.