Security leaders say that organizations increased implementation of VPNs in their system as a safety measure during the pandemic lockdown and sudden rise in the remote workforce
CISOs explain that VPN is meant to secure an organization’s traffic rather than endangering the data. As a result, enterprises need to pay special attention when selecting the VPN service that they want to implement in their architecture. While there are numerous VPN providers are in the current scenario, not all of them are capable of providing the same scale of protection.
CIOs believe that at a point, a VPN can turn into a security liability. In countries where VPN regulation occurs, it can turn into a liability as regulation defeats VPNs’ real necessity; anonymity and security.
Security leaders say that a VPN that compromises anonymity and security is equivalent to not having a VPN solution. An unsafe VPN can be easily identified if enterprises know what they are looking for.
Activity/Usage logging
Security leaders say that browsing via a VPN is technically routing the internet traffic via the VPN’s server. It basically means that the VPN service has complete access to all the usage data and the employee’s activity can be tracked back to the user device as well. As anonymity and privacy are the major reasons for VPNs, it is unsafe for a VPN tool to maintain user activity logs.
Read More: COVID-19 Becoming a Catalyst for Evolving Cybersecurity Leadership
CISOs bring forward the different kinds of policies that are used by VPN services relevant to activity logging. Among the different types of logs that a VPN solution can store, activity logs are the most vital, and a safe VPN service should not keep of these. Similarly, connection logs should not be kept for a time frame longer than necessary. The best method, as per CIOs, is using the zero-log policy.
The main problem with VPN service is that many claim to have no activity logs but store them behind the users’ back. Users and enterprises can’t take VPN’s no-policy simply by face value. To ensure such claims, enterprises must dig into the service terms and privacy policy related to the logging information.
Security leaders highlight that not only should internet activity logging not happen, connection logs should also not allow the activity be tracked to the end-user. Users should be aware of the timeframe that any log is stored by a third-party or organization if storing is the practice.
Encryption model
CISOs say that the best quality VPNs implements OpenVPN encryption protocol using a 256-bit standard or AES 128-bit standard. The device at full capacity will be the most robust computer in the entire world. It will take 885 quadrillion years to force a 128-bit AES encryption key. The open-source model OpenVPN is subject to vetting by various third-party vendors, collaborating to update the tech.
Read More: How do CISOs convince the leaders for Cyber Security Infrastructure Investments
Leaders acknowledge that certain VPNs are left with redundant tech like PPTP (point to point tunneling protocol). The weak encryption makes it operate at high speed and is easy to set up. The tools result in severe security vulnerabilities that can potentially expose the enterprise infrastructure in man-in-the-middle incidents. A similar issue is faced with L2TP as well. The lack of native encryption in the solution, along with IPSec, is capable of supporting encryption algorithms till the AES 256-bit scale. The performance is significantly affected at higher encryption levels.
Business reputation
CIOs believe that a VPN solution’s reputation plays a major role in determining credibility. Enterprises can easily identify unsafe VPNs by reading the reviews of the users. Often too- good -to -be -true offers are provided by the service provider to hide obvious flaws and attract unsuspecting clients. Security leaders believe that free VPNs should be rejected outright as it costs a high amount of money to maintain VPN servers, and freebies are surely a suspect.