Do VPNs provide effective security for businesses?
A virtual private network (VPN) is an Internet security service that allows users to access the Internet as though they were connected to a private network. VPNs use encryption to create a secure connection over unsecured Internet infrastructure.
VPNs are one way to protect corporate data and manage user access to that data. VPNs protect data as users interact with apps and web properties over the Internet, and they can keep certain resources hidden. They are commonly used for access control — however, other identity and access management (IAM) solutions can also help with managing user access.
How do VPNs help secure data?
Encryption is a way of scrambling data so that only authorized parties can understand the information. It takes readable data and alters it so that it appears random to attackers or anyone else who intercepts it. In this way, encryption is like a "secret code."
A VPN works by establishing encrypted connections between devices. (VPNs often use the IPsec or SSL/TLS encryption protocols.) All devices that connect to the VPN set up encryption keys, and these keys are used to encode and decode all information sent between them. This process may add a small amount of latency to network connections, which will slow network traffic (learn more about VPN performance).
The effect of this encryption is that VPN connections remain private even if they stretch across public Internet infrastructure. Imagine Alice is working from home, and she connects to her company's VPN so that she can access a company database that is stored in a server 100 miles away. Suppose all of her requests to the database, as well as the database's responses, travel through an intermediate Internet exchange point (IXP). Now suppose that a criminal has secretly infiltrated this IXP and is monitoring all data passing through (sort of like tapping a telephone line). Alice's data is still secure because of the VPN. All the criminal can see is the encrypted version of the data.
How do VPNs help with access control?
Imagine there are two servers in Acme Co.'s office building: Server A and Server B. Acme Co. does not use WiFi, so all devices have to use Ethernet cables for network access. Server A is physically connected via cables and routers to a network of devices that includes desktop computers and the office printer.
Anyone not physically connected to Server A's network cannot connect with Server A, and the same applies to Server B. If Bob wants to print a document stored on Server A via the office printer, he must plug his desktop computer into the correct network before he can access Server A and the printer. If he wants to retrieve a document from Server B, he must plug into that network as well.
VPNs work in a similar way, except the network is virtual instead of physical. Just as Bob cannot connect to Server A unless he is plugged into the network, a computer cannot connect to a resource gated behind a VPN unless it connects to that VPN. If Acme Co. used WiFi and VPNs instead of physical cables and routers, Bob would have to log in to VPN A in order to connect to Server A. Likewise, he would need to connect to VPN B to access Server B.
Because VPNs work like this, many companies use them for access control — in other words, to control which users have access to which resources. The company sets up several different VPNs, and each VPN connects to different internal resources. By assigning users to these VPNs, different users can have different levels of access to data.
Access control and management is crucial for protecting and securing corporate data. Without access control, unauthorized users could view or alter confidential data, resulting in a data breach.
What are the drawbacks of using VPNs for access control?
1. Single point of failure.
Attackers cannot monitor VPN-encrypted traffic from outside the VPN. But if they are able to connect to the VPN, they gain access to any resources connected to that network. It only takes one compromised account or device for an attacker to gain access to VPN-gated data.
Such a situation is often known as the "castle-and-moat" model. Think of a castle that is protected by a moat. Any attacking forces going after the castle will be kept out by the moat, but once they cross the moat, the entire castle is in danger. With a VPN approach to security, the "moat" consists of internal user VPN accounts. If an attacker steals a user's login credentials, then they are able to breach the VPN — they can "cross the moat" and gain access to all connected data.
Zero trust security is a framework for access control that aims to replace the castle-and-moat approach with a more secure strategy in which no user is trusted by default. Learn more about zero trust security.
2. VPNs are unwieldy to manage.
Using multiple VPNs is difficult to manage at a large scale. In big organizations, so many different users need so many different types of access that IT teams are forced to either 1) set up and maintain many VPNs, or 2) require users to log in to multiple VPNs at once, which is inconvenient and can negatively impact device and network performance.
3. VPNs are not granular.
VPNs work well for opening up access to a large group of users all at once. However, in practice, IT teams often need to tailor permissions to individual users: one employee needs to access the codebase, one needs to access the codebase and the content management system (CMS), one needs to access both of those plus the marketing automation platform, one only needs the CMS, and so on.
Setting up a VPN for every individual employee is impractical: cost-prohibitive, slow-performing, and labor-intensive. To manage access at the individual user level requires a different, more granular approach.
Are there alternatives to VPNs for allowing employees to work remotely?
Because VPNs are virtual, they are often used to give remote workers access to needed company resources. However, this approach often finds companies running into one or more of the problems described above.
Many identity and access management (IAM) solutions offer more granular control that is easier to implement. Cloudflare Access, for instance, is easy to set up and is built to increase security without impacting performance. Cloudflare Access offers secure access to internal applications without a VPN. Instead of a VPN, the Cloudflare global network protects internal resources and data.
Secure web gateways can also help keep remote employees secure by filtering out risky content and preventing data from leaving company-controlled networks. And finally, implementing a software-defined perimeter (SDP) can keep internal infrastructure and data invisible to all unauthorized users