With the work-from-home trend unlikely to slow down any time soon, IT leaders continue to look for ways to provide reliable, secure network access to enterprise resources. Despite the availability of newer and better, yet more expensive, choices such as SD-WAN and SASE, most organizations now regard virtual private network (VPN) technology as the go-to tool for giving at-home workers a direct pipeline to enterprise data with an acceptable, if not ideal, level of security.
The pandemic has made teleworking a norm, observed Olivier Huynh Van, CSO and co-founder of network automation software developer Gluware. "Almost every enterprise now has to accept that a VPN needs to be part of the services it offers to its employees," he noted.
Consumer versus commercial
Most consumer VPN providers focus on last-mile security—the connection between the user's system and the open Internet. "[These VPN services] are designed with privacy, unblocking region-locked streams, and bypassing censorship in mind," said Paul Bischoff, privacy advocate for Comparitech, a security and privacy information website. A commercial VPN, targeted at enterprise customers, focuses on securing the connection between the end-user device and an organization's private resources. "Those resources can include the Internet, but also files, apps, and documents exclusive to the organization," Bischoff explained. "Consumer VPN servers are operated by the VPN provider, but enterprise VPN servers can be operated by either the VPN provider or the organization itself."
Consumer and commercial VPNs also differ in scale: an enterprise VPN is designed to support users distributed across a large area, perhaps even globally, not just a single user or household. "The commercial VPN has one global account ... and employees are given credentials for the VPN connection," said Veronica Miller, cybersecurity expert at VPNOverview, a VPN reviews and news website. "In the consumer VPN, the user has full control of their account while in the commercial VPN the account manager has full control of the business account," she added.
For enterprise users, the VPN is essentially a hands-off technology. "Admins have all the power," noted Akram Assaf, CTO for job search website Bayt.com. A consumer VPN is more user friendly, leaving the primary user free to configure the service to their particular needs and preferences. "It prioritizes customer experience above everything else," he said.
Privacy, a major concern for consumer VPN users focused on evading regional viewing restrictions, is typically achieved through the provider's "no-logging" policy. Enterprises, meanwhile, place security above privacy. "Enterprise VPNs are designed to provide end-to-end security where every single connection is logged," Van said. "Ideally, applications are monitored, and only known applications can flow through the VPN." Extensive and detailed logging, a VPN practice most consumer VPN customers seek to avoid, offers enterprise administrators deep visibility into network users and their activities. Most commercial VPNs also include a kill switch that can be immediately activated if the administrator suspects that a malicious intruder may be at work.
Trust and control
It's important to find a commercial VPN provider with a strong service and reliability reputation. "Generally, businesses should be able to trust their VPN provider with their traffic even more than they trust their network," Miller observed. "Large VPN providers are invested in making sure that the businesses’ traffic is delivered safely and quickly."
It's also essential to partner with a VPN provider that's committed to strong security. "Make sure the VPN provider offers 2048-bit SSL or 256-bit encryption since they are harder to crack," Miller advised. "If anyone tries to hack the business, these protocols and encryptions are too strong [to defeat]."
An enterprise VPN service should also provide easy-to-use dashboards that administrators can use to manage user accounts and access privileges. "It should be simple to add and remove users and access rights as needed," Bischoff said. "VPNs that support single sign-on (SSO) make this process much simpler."
When managing at-home workers who may change access device, task, or location without notice, it's easy for human behavior to become a security risk. A VPN dashboard that can be easily read and managed cuts down on risk, Bischoff explained. "A good dashboard increases transparency ... for the administrator, so they know when and how to revoke access for leaving employees and lost devices, adjust access permissions for existing users, and group certain groups of employees together, among other tasks."
Whenever someone connects to the enterprise network, it's important to ensure that the access is legitimate. Strong authentication technologies, such as multifactor authentication, one-time passwords, and universal 2nd factor, are all key parts in today's standard network defense arsenal, Van said. "But once the access is granted, either posture assessment or advanced filtering through next-generation firewalls are important to guarantee that the resource connecting to the corporate network is not a Trojan horse."
IT leaders should always work with the assumption that they are fully responsible for the security of their data, whether it's in the cloud, in the data center, in transit, or anywhere else, noted Ken Presti, vice president of research and analytics at IT advisory firm AVANT Communications. "Even in situations where the security functionality is being delivered by an ISP or other partner, you need to establish management-level oversight, as opposed to assuming that it’s being successfully handled on your behalf."