VPN – Why and when to use it?

Whenever we are out and about in our daily life, we sometimes connect to networks which cannot be trusted to keep all our data and secrets safe and secure.
As we bring our phones, laptop and other devices with us when we leave our home or office, we expose ourselves to security risks.

When do we have to use a VPN then? It is quite simple really; it all comes down to: Trust.

Do you trust the app developers to implement and follow good security practices or do you risk leaking information about yourself, your device or even cookies/passwords?

Do you trust the network you connect to, to have fully patched their network and service – and to be properly configured and be monitored?

Do you know which apps you use, that will automatically sign you into your accounts without any additional verification?

If the answer to any of the above is “no” or “maybe”, I urge you to read on.

Definitions

  • Encryption: The use of cryptography to make data unreadable by other parties than those with the cryptographic keys.

  • VPN: Virtual Private Network, a virtual network, where the traffic is protected from the public internet using encryption and other technologies.

  • Physical security: Protecting your physical assets with locks, barriers and cages to make it harder to steal your property and data.

  • IT security: Protecting your digital assets by using good security practices like passwords, encryption, block level backup, surveillance and monitoring.

  • Public WiFi: traditional WiFi network, which is open to the general public to use, password protected or not.

  • 3rd party: A company / partner which operate outside your control and is available to the general public or other companies on standardized terms and conditions.

  • Home network: Your network at home, where you have both physical access to and administer the network yourself to some extent.

  • Company network: The business network at your company. All responsibility of maintaining and securing it lies with your company. Often administered by IT partners or internal IT departments.

A layered approach

A good way to incorporate good security practices is using a layered approach to security. This is true for both physical and IT security.
Think of it as an onion where you might break through the hard shell, but then must peel back multiple layers to get to the core.

Therefore, storage rooms for documents, bank vaults and computer systems should be protected by multiple technologies – a layered approach.

It is hard to imagine a well designed bank vault that is only protected by a big massive front door to the bank – there are a multitude of doors and locks you have to get through to get to the vault – you should protect data (both electronic and physical) the same way.

You are most likely already familiar with SSL encryption on websites and some apps, where the connection between your device and the webserver is encrypted by TLS and the identity of the server is certified by a certificate authority, which ensures that the webserver is who you think it is. This is all fine and good, but this is only one security measure, i.e. one door.

So… What do we do to make our connection even more secure? We could connect to a VPN – thus adding another layer of security.

What a VPN does

The basic idea of a VPN is to encrypt the traffic end-to-end so it cannot be viewed or tampered with by anyone during transit of the data from your device to the trusted network.

There are many different protocols and ways this can be done; some are more secure than others.

To try and picture how it works, you can imagine that you put all your data into a thick metal pipe so no one can see what is inside or poke at your data.

This is important when you are connected to networks that you do not control or trust, to make sure that you are not leaking anything, or that your device becomes exposed to a variety of attacks.

Trust

VPN market shares for commercial VPN products has increased steadily over the past couple of years as privacy and anonymity has become something people think and care about, which is great.

A VPN is not a perfect solution though – here is why.

We talked about trust and this is exactly what it all comes down to. A VPN is never more secure than the company that offers it, the country of the VPN server or the encryption used – so the question then becomes:

Who do I trust the most?

  • The public network you connect to (hotel, café, airport etc. WiFi)?
  • Your 3rd party VPN provider?
  • Your home network (and ISP)?
  • Your company network (and ISP)?

All this should change the conversation a bit, and the choices we make.

Can you ever trust a public WiFi network?

It depends.

Some larger scale networks like at airports are definitely more likely to have been configured and monitored by professionals, compared to your mom and pop coffee shop’s public WiFi network.

Unless your mom and pop coffee shop’s owner or family member is a network engineer who knows his security as well, it is highly unlikely that they would have spent the money and continue spending money on their network when it is first set up.
With that in mind, the potential for someone to gain something from exploiting a network like this is somewhat limited (unless a specific person is targeted)

Airport public WiFi networks, are usually of such massive scale that external contractors would have been hired to install everything, configure and maintain the network – all this should (in theory), make the network more secure for you to use.
Being a much larger network with a lot more clients, the potential to gain something from an exploit of a network this size is a lot greater. In turn, this should also help harden the network even more as the company behind the network should be aware of the potential risks of their clients.

This all comes down to economy of scale – you can use this as a guideline: huge network with many clients, is most likely more secure than a small network with a few clients.

3rd party VPN providers

There are many 3rd party VPN providers out there on the market, whom are having great commercial success providing VPN products to their clients.

They usually offer great products with great security for many use cases – but at the same time, it is important to not get blinded by marketing.

The big selling points, that are often marketed with 3rd party VPN providers are; increased security, improved anonymity, and geo-location spoofing.

3rd party VPNs will increase your security compared to using no VPN at all and they can improve your anonymity if configured correctly.

An added benefit of using a 3rd party VPN provider is that you in most cases have the option to choose which country you want to exit from on the VPN endpoint – this means that you can get around some or most geo-location blocked services.

The thing is though, by using a 3rd party VPN provider, you are trusting them with all your traffic and data. This means that you have zero control once your data arrives at the VPN endpoint, so all the things we try to protect against by using a VPN, could in theory happen right at the 3rd party VPN provider.

While this might be a lot better than using public WiFi with no additional security at all, it is not a perfect solution.

Your home network

If you are doing your everyday stuff on your home network, you are most likely not in the need of a VPN as you have placed inherent trust in your network and your ISP to keep you safe.

This changes as soon as you want to work on something for your company or the company you work for. Do you trust your home router and ISP enough to send all your potentially sensitive data (remember our GDPR article?) over that connection? Maybe you do – but maybe you should not?

But to be on the safe side, use protection, use a VPN.

Your company network – VPN for business use

After GDPR was enforced, when you are working outside your office, securing your data while in transit has become more important than ever – both to protect against snooping and to reduce the risk of your data falling into the wrong hands.

You should always strive for the best security feasible – but security and user-friendly workflows are always a balance, you must weigh as a business owner or IT professional.

You might not realize, but the emails you send could be insecure (unless you use S/MINE or MTA-STS), and some of your app’s authentications could be vulnerable to eavesdropping, if they are not designed and secured properly.

In most cases, your customers and business partners trust you to keep their data secure, so you must take the necessary steps to protect their data and not let it fall into the wrong hands.

You should never use an untrusted network for business without a VPN.

Your own VPN

We will assume that your company network is secured properly, and you monitor egress and ingress traffic on the necessary interfaces.

This is an excellent opportunity to give you a lot of benefits both security and workflow wise.

What if you could connect to your own company network via a VPN tunnel to both secure your data stream between your device and the internet – while at the same time maybe even gain access to your company files and systems in a secure way?

Good news! You can!

A lot of routers already support some of the popular VPN protocols, one of the most notable is OpenVPN, so the cost of having your own VPN might not be completely out of reach for most companies, even though it might sound complicated and expensive.

We can help set it all up for you.

Share This Information

SECURITY
IS IN OUR DNA.

GET STARTED