What is a VPN and why do organizations use them?

Since the beginning of the COVID-19 pandemic, the workplace has undergone a dramatic shift moving from the office to the home, and organizations are now more spread out than they’ve ever been. This shift to remote work has complicated organizations’ cybersecurity initiatives in more ways than one, but one of the main concerns of many organizations continues to be secure and private access to their sensitive corporate data. For this reason, the use of virtual private networks (VPNs) by organizations has skyrocketed by 68% since the beginning of the pandemic, according to OpenVPN.

VPNs provide organizations with a way to create a secure, encrypted connection between their employees and their corporate networks so that critical data can be accessed by authorized users that are outside of the corporate perimeter. As corporate VPNs are generally cost-effective, relatively easy to deploy, and scalable, they've quickly became a popular way for organizations to adapt to hybrid and remote work. With that in mind, though, like just about any other cybersecurity tool, VPNs aren’t one-size-fits-all solutions, nor are they “deploy and look away” solutions. The following five best practices will help to ensure that your organization’s VPN and corporate network remain safe from the growing threat landscape.

1. Choose the type of VPN that best fits your organization.

The first step in deploying a VPN within your organization is understanding which type of VPN makes the most sense for your needs. An organization’s current workforce size, growth trajectory, IT budget, and more can all influence which type of VPN it chooses to implement.

Business VPNs are generally offered in two different varieties: remote access VPNs and site-to-site VPNs. While the objective of both types of VPNs is to connect an organization’s workers to its corporate network, they each accomplish this slightly differently. A remote access VPN is similar to consumer VPNs in that it requires an end-user to install a client. The VPN gateway then authenticates the user in order to create a secured connection between that user and the corporate network.

Remote access VPNs are commonly used by employees that work from home, are frequently traveling, or work in public areas using public networks. A site-to-site VPN (or router-to-router VPN), on the other hand, connects the local area networks (LANs) of separate geographic sites—usually separate offices—directly to the corporate LAN to create the secured connection. Site-to-site VPNs serve as a cost-effective way for organizations to connect entire networks to a consolidated intranet.

If your organization has a large remote workforce that works from their home offices, remote access VPNs could prove to be easier to deploy and scale as your workforce grows but issues with latency and a lack of compatibility with cloud applications could arise. If your workforce is largely working out of the office, though, and your goal is to solely connect domestic branches and international offices with the corporate network, then a site-to site VPN could be the better option. IT teams may even find that employing a combination of both types of VPNs is the best option for their respective organizations assuming they have the means to maintain both.

2. Create and enforce strong security policies around VPN usage.

Your organization may already have comprehensive corporate data security policies in place that dictate how its sensitive data should be handled on a daily basis by employees. Since many of these policies are technology-centric, making sure to include specific VPN-related policies is an absolute must.

Your organization’s VPN security policies can and should cover a lot of ground, including which employees do and do not have access to the VPN, how employees first gain access to the VPN and authenticate themselves in the future, what privileges will be allowed to each VPN end user, and more. Furthermore, VPN security policies do not have to be solely people- or employee-centric in nature. These policies should also detail the VPN’s configuration settings, like what type of encryption it uses, what applications will and will not be compatible with the VPN, and what protocol is used. These policies can ideally prevent human error when employees operate the VPN as well as any lapses in hardware or software functionality that may negatively impact an organization’s operations.

3. Ensure your organization’s VPN is properly configured.

While cost, convenience, and scalability are all important factors in initially choosing a business VPN, ultimately, the point of an organization using such a tool is to heighten security. Unfortunately, though, VPNs can be used against the organizations they were originally supposed to help protect even with VPN security policies in place. Verizon’s 2022 Data Breach Investigations Report indicates that the human element was present in more than 8 in 10 data breaches and that carelessness—including misconfigurations—was the third top action vector in those breaches. Misconfigured VPNs are no exception to those findings. For example, an attack carried out against the communications company Viasat this past February was the result of an attacker exploiting a misconfigured VPN, according to the company's analysis.

Perhaps the biggest security risk associated with VPNs is that they can leave an entire network vulnerable to an attack. If a bad actor were to gain unauthorized access to the secured VPN connection, likely using an end-user's compromised credentials, that attacker can then gain access to other (perhaps more sensitive) systems on that same network if it is inadequately segmented.

To prevent such an attack before one ever occurs, IT leaders need to consider several important features when first choosing a VPN and following standard recommendations during its initial configuration. Most recently, the NSA recommended finding a VPN with strong encryption algorithms and “disabling all unneeded features and implementing strict traffic filtering rules for traffic flowing to VPN gateways,” including limiting accepted traffic to known VPN peer IP addresses. This past year, the NSA additionally released joint guidance with the Cybersecurity and Infrastructure Security Agency (CISA) that included a multitude of suggestions for both finding and hardening a VPN to reduce its attack surface. Some of these recommendations include finding a VPN that supports strong authentication, digital certificates, logging and auditing, and an intrusion prevention system. After finding a VPN that supports these important features, it’s important to have a knowledgeable network engineer put these measures in place before deploying the VPN.

4. Take precautions against zero-day vulnerabilities, ransomware, and other malware.

Just as a bad actor could move through a VPN-protected network after gaining unauthorized access, the same can be said for malware. While VPNs can serve as useful security tools to prevent man-in-the-middle attacks and general eavesdropping, they cannot prevent, detect, or eliminate malware moving through a network.

This is where your organization’s corporate data security policies should come back into play, and more specifically, its policies on devices. It’s imperative that business VPNs are only used on company hardware that has anti-virus and anti-malware pre-installed on the device. Because a VPN can facilitate the spread of malware through a corporate network, similar to how a VPN needs to be properly configured before deployment, IT leaders need to ensure that any hardware that will make use of the VPN is properly protected against ransomware and other forms of malware before ever connecting to the VPN hardware or installing a VPN client. Furthermore, it’s important that employees are continuously educated to prevent the spread of malware via phishing attacks and/or compromised credentials.

Lastly, it’s vital that your business VPN is continuously updated promptly after its deployment. Zero-day vulnerabilities are being exploited more than they’ve ever been before, with Mandiant Threat Intelligence having identified 80 zero-day vulnerabilities exploited in the wild in their most recent report—more than doubling the record previously set in 2019—and a similar report by MIT Technology Review having found 66 exploits by roughly the end of Q3 2021. Ensuring that software updates and patches are regularly applied to your VPN as soon as they become available is an important way to mitigate the threat of zero-day exploits

5. Test your VPN’s capabilities and monitor its usage.

Before finally deploying your organization’s VPN, testing its capabilities and fully understanding how it will handle user traffic is wholly necessary. Particularly if your organization plans on using an on-premises network access server (NAS) to connect end-users to its VPN, then it should be understood that it has a limited amount of bandwidth. And while security should remain the top priority in a VPN’s configuration, the use of more security features can mean more latency. If poor network performance causes a dip in work efficiency, that can have negative implications for your organization.

To combat the possibility of poor network performance, organizations should test how their VPNs handle user traffic before deployment—regardless of where their NAS is located—and continue to monitor fluctuations in traffic after deployment. By understanding when an organization’s user traffic is at its highest, who is sending and receiving the most data, and where that data is coming from, IT leaders can adjust traffic filtering, block certain sites that generate too much data, and adjust other VPN configuration settings accordingly to accommodate high user traffic.