VPN and maintaining corporate privacy

VPNs have a vital role to play in corporate privacy. But care is needed in choosing the right VPN for the job, says Lee Painter of Hypersocket Software.

Virtual Private Networks (VPNs) can trace their roots back 20 years or so, pioneered by technology companies like Microsoft and Cisco to help big businesses securely share information across different locations. But it’s only with the increase in remote working and, more recently, the mobile workforce, the cloud and Bring Your Own Device (BYOD) that VPNs have become an essential tool for businesses to provide private and secure access to network resources.

The overriding benefit of any VPN is that it helps an organisation maintain privacy by encrypting the information sent and received via the network and so protecting it from prying eyes. This privacy can even extend to internet search histories provided the VPN is planned and configured in the right way and can ensure that searches cannot be linked to an organisation’s IP address and made public. In industries like oil and gas, for example, it is becoming important for exploration and field engineers to maintain anonymity whilst looking for new reserves of hydrocarbons. So by using a VPN in this way oil companies can maintain an edge of confidentiality that could help to produce added revenue in the future.

However, not all VPNs are the same. They might achieve the same general objective albeit through different technologies, but there are a number of distinct advantages in deploying what’s known as a Secure Socket Layer (SSL) VPN compared to the traditional IPsec or point to point VPN.

The fundamental difference is that IPSec VPN works on the network layer and so secures all data between two points without being associated with a specific application. Once connected, then a user will be connected to and be able to navigate the entire network. In contrast, SSL VPN works at the application layer and is a protocol used for secure web-based communication via the internet. SSL VPNs secure one application at a time.

And this leads to one of the key security and privacy benefits of SSL VPN; it enables organisations to control who accesses what within the network at a very granular level. SSL VPNs allow the principle of least privilege access to be implemented so that every user is granted access only to the parts of the network and the resources they need to do their job.

Integrating Active Directory, SQL and other directories with role-based access control gives organisations the freedom to ensure the right users have access to right resources, enabling them to build a remote access environment that’s in-tune with their organisation’s security policies.

Since SSL VPN was initially conceived to support remote access it is also arguably a more effective solution for today’s increasingly mobile workforce. As well as controlling access on the basis of identity and role, it is also possible to do so based on device and location. So an organisation can choose to give different privileges to a user connecting via a VPN from a mobile device overseas compared to one connecting through a VPN via desktop in the same country.

SSL VPN also lends itself well to BYOD scenarios because the client has no direct access to the network, while the ability to have connections to multiple sites at the same time enables secure access to a corporate LAN and other resources such as a private cloud without the need for a permanent bridge between them.

SSL VPN’s auditing and insight capabilities also give businesses the power to monitor every action of their remote workforce. Monitoring will highlight when users launch resources or fail authentication and can be used to define rules to automatically block unexpected access or email IT.

Finally, SSL VPN clients are considered easier and simpler to install and some claim to be ‘clientless’ as client software does not actually need to be installed by the end user. In practice this clientless option is fading fast as it requires the use of the now deprecated Java plugin installed in the user’s browser. The plugin technology also comes with limitations and restrictions on how users could use the VPN tunnels it provided and was never truly a replacement for the installed VPN client.

Once a client is installed, the administrator enables access by defining one or more resources and assigning them to the end user via their roles. SSL VPN clients tend to support further productivity benefits by providing links to each resource that the user can simply click to access. In the modern enterprise it’s also often required that users access private corporate resources as well as private cloud infrastructure so a multi-homed SSL VPN client is also preferable.

VPNs are a valuable tool for businesses of all shapes and sizes with clear security and privacy benefits. But despite the points raised above, SSL VPN is not the ideal solution in every case. If a permanent, always on connection is required then IPsec may well be a better option. That said, in an era of BYOD and mobile working the granular access and authentication that SSL VPN provides means that its dominance is likely to increase in future.