IT teams should look for services with automatic alerts about user behavior, logging, scalability, and central management.
As remote work becomes the new normal, IT teams have to take a second look at solutions that worked in March 2020 but may not be the right choice now. In addition to implementing multifactor authentication and considering a zero-trust approach, IT leaders should determine how a virtual private network (VPN) fits into the overall security plan.
A VPN provides two basic services: Encrypting data between two points and hiding a user's IP address, as David Gewirtz explains on ZDNet.
SEE: VPN: 5 reasons business pros should always use one (TechRepublic)
Sebastian Stranieri, CEO, VU Security, said that all users who work remotely for a company that has a corporate network should use a VPN. He said VPNs provide three central benefits:
- Guarantees a level of security of the information
- Avoids third parties from intercepting the communication
- Protects the user's identity
Stranieri said people should use a VPN for personal online activities as well and avoid free services.
Juta Gurinaviciute, chief technology officer at NordVPN Teams, said a company's needs and the technical characteristics of the service are the two main pillars of choosing a VPN.
"Some try to protect their corporate network perimeter, those working remotely focus on the end user's resilience, and others primarily need cloud protection," she said.
Gurinaviciute said IT leaders should also consider secondary technical parameters, such as connectivity, speed, supported devices, and the number of permitted connections.
IT teams should consider how a VPN could affect latency, according to Gurinaviciute, as sending encrypted traffic can slow the overall flow.
"However, this is the considerably low price enterprises have to pay for their resilience and data protection—especially with today's increasing bandwidth, optical networks and 5G connections," she said.
Gurinaviciute said that VPNs are one element of an overall cybersecurity strategy because this technology can't defend employers and staff from social engineering attacks or malware that is already inside the network perimeter.
"VPNs work best simultaneously with antimalware programs and the development of cybersecurity education within a company," she said. "To lower the risk, enterprises can take a step beyond VPN and implement zero-trust network access solutions, thus limiting employees' connection to sensitive corporate information."
Rob Smith, a senior research director at Gartner, agreed that many companies should be thinking about migrating to a zero-trust solution to manage access and security instead of picking a VPN. However, he said that VPNs are still important for some industries with significant investments in data center operations that are not moving into the cloud any time soon, such as city governments and financial firms.
"For many finance companies, they hope to be 80% in the cloud in the next five years," he said.
Another factor to consider is a remote worker's level of connectivity. Some employees working from home have fast connections that will support a desktop-as-a-service solution to security and access. Individuals with slower connections will not.
Considering the most important VPN features
Maxime Trottier, vice president of sales and marketing at Devolutions, said that IT teams should look for these features in an enterprise VPN:
- Central Management: Choose a VPN that gives you the necessary control you need over central functions like key management.
- Logging: Choose a VPN that meets your company's compliance and auditing obligations.
- Scalability: Choose a VPN that is going to adapt with your organization and seamlessly support future growth as you onboard new staff.
Trottier suggested considering a service with a kill switch.
"In the unlikely event that your VPN connection drops, you're at risk of using a regular unprotected connection managed by your ISP—and you might not even know if this happens," he said. "A kill switch prevents this by shutting down apps and preventing access to websites as soon as the connection is lost."
Trottier also said that configuring, managing, and optimizing enterprise-grade VPNs are much more complicated than personal VPNs. He recommends checking the levels of support a provider offers as part of the selection process.
IT teams also should calculate how many simultaneous connections a VPN can support to avoid hitting a user cap which prevents additional employees from logging on, Trottier said.
He also recommends finding a VPN that provides real-time push notifications so that employees who break the rules (even by accident) can be identified and stopped.
Trottier also recommends taking into account user experience when selecting a VPN.
"Choose a VPN that will not materially degrade user experience, or else some employees are going to try and circumvent it," he said.
Finally, it's important to find out if a VPN vendor is going to re-sell your data.
"If so, and if this is a problem (and it probably is), then find another vendor who confirms that they will wipe all logging data," he said.
- How to become a cybersecurity pro: A cheat sheet (TechRepublic)
- Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)
- Shadow IT policy (TechRepublic Premium)
- Online security 101: Tips for protecting your privacy from hackers and spies (ZDNet)
- Cybersecurity and cyberwar: More must-read coverage (TechRepublic on Flipboard)