What is a VPN, and why do businesses use them?
A virtual private network (VPN) is an Internet security service that creates an encrypted connection between user devices and one or more servers. VPNs can securely connect a user to a company's internal network or to the public Internet.
Businesses typically use a VPN to give remote employees access to internal applications and data, or to create a single shared network between multiple office locations. In both cases, the ultimate goal is to prevent web traffic — particularly traffic containing proprietary data — from being exposed on the open Internet.
Why are VPNs necessary to accomplish this? Take remote employees as an example. When employees work on-premises, they can connect their computer and mobile device directly to the business’s internal network. However, if an employee works remotely, their connection to that internal network must take place over the public Internet, potentially exposing their traffic to on-path attacks and other methods of snooping on sensitive data. Encrypting that traffic with a business VPN or another security service keeps it safer from prying eyes.
What are the different types of business VPNs?
There are two categories of business VPN: remote access VPNs and site-to-site VPNs.
Remote Access VPNs
A remote access VPN creates a connection between individual users and a remote network — typically the business’s internal network. Remote access VPNs use two key components:
- Network Access Server (NAS): a dedicated server, or a software application on a shared server, which is connected to the business’s internal network
- VPN client: software installed on a user’s computer or mobile device
When the user wishes to access the business’s network, they activate their VPN client, which establishes an encrypted ‘tunnel’ to the NAS. This encrypted tunnel allows the user to access the internal network without their traffic being exposed — a significant security advantage for remote workers.
Site-to-site VPNs create a single virtual network that is shared across multiple office locations, each of which can have multiple individual users. In this model, the VPN client is hosted on each office's local network, rather than on individual users’ devices. In this way, users in each office location are able to access the shared network without using a VPN client individually. But if they leave the office, they lose this access.
How are business VPNs different from consumer VPNs?
Business VPNs and consumer-oriented VPNs work similarly, in that both create an encrypted connection with a remote network. The primary difference lies in why they are used.
A business VPN lets users and teams connect their company’s internal network. By contrast, a commercial VPN connects the user to a remote server, or set of servers, which interact with the public Internet on the user’s behalf.
What are the limitations of using a business VPN to secure remote employees’ access?
When a VPN is used as intended — and uses up-to-date cryptographic protocols — it can effectively encrypt traffic between remote employees or teams and their company’s internal network. In addition, VPNs are cheaper and easier to manage than legacy solutions like buying a secure ‘leased line’ from an ISP or manually ‘allowlisting’ individual IP addresses that belong to remote workers.
- Security risks: If an attacker gains access to a remote employee’s VPN credentials, that attacker will be able to access all applications and data on the corresponding network.
- Latency penalties: If a company uses a cloud-based VPN, their NAS exists in a data center in a different physical location from the company’s internal network. This extra step adds latency to every single request between employees and the network.
- Cloud and hybrid cloud complexities: Many business applications are hosted in the cloud instead of on a business’s internal network, making them incompatible with VPNs. Those applications typically use their own security tools to ensure secure access. But IT teams cannot fully control those tools, and might struggle to understand who exactly is accessing these applications — both critical security factors.
- Mounting costs: If a company uses an on-premises NAS to connect with its employees’ VPN clients, the company must regularly replace that hardware to ensure it is able to withstand the latest cyber threats. A similar situation arises if employee VPN usage outstrips the NAS’s capacity to handle traffic. The company must replace that NAS, or it could become overloaded and crash.
- Management time: VPNs require a lot of effort to maintain, especially if a business uses more than one VPN to provide different varieties of access to different types of employees. For example, IT teams must install the right VPN client on every remote employee’s computer, and ensure employees are keeping that software up-to-date.
How does Cloudflare protect remote employees’ network connections?
Cloudflare Access, part of the Cloudflare for Teams offering, is an identity and access management (IAM) product that can help speed up and secure remote teams by replacing a VPN with Cloudflare’s global network. Instead of placing internal tools on a private network, teams can:
- Deploy them in any environment, including hybrid or multicloud models
- Place them behind Cloudflare’s global Anycast network, speeding delivery to remote employees in any location
- Log every request to applications to applications protected by Access