Businesses Need to Understand the Risk of VPN Services

As you can tell from our recent review roundup of virtual private network (VPN) services, these products exist for a lot of reasons, not all of which are relevant to business use. For example, it's unlikely that your IT staff will have a business reason to watch movies that are actively blocked in a specific geographic region like, say, China.

Instead, the typical reasons a business should use a VPN service center almost entirely around security. Protecting the device using the VPN, protecting its data in transit, and protecting the business network to which the VPN is connecting—that's a lot of bases covered. You might also need a VPN to meet compliance requirements for the transmission of health-related information or financial data. Perhaps you want to make sure that your competitors can't see what you're up to. Or what's more common lately, you don't want a foreign government siphoning off your intellectual property (IP).

A properly configured VPN should manage all of these tricks. Your connection between two separate points on the internet is encrypted by using powerful algorithms that should prevent anyone—whether they're from your competing firm across the street or whether they're working for Kim Jong-Un—from intercepting your communications. Or will they?

What's Your VPN Really Doing?

That's the question being asked by the US Department of Homeland Security (DHS) at the behest of Senators Ron Wyden (D-OR) and Marco Rubio (R-FL). In a letter to Christopher C. Krebs, Director of the newly formed "Cybersecurity and Infrastructure Security Agency," the two senators noted that many VPN services are owned by corporations outside the US, and that they may have the ability to extract information (the same data that users thought was protected) and then share it with others.

So, first, is it possible for an unscrupulous VPN provider to share communications in decrypted form with others? And second, is it likely that such sharing is actually happening?

The answer to the first question is an unequivocal "yes." From a purely technical perspective, it's entirely possible for a provider to share whatever private information you pump through its VPN pipes. The answer to the second question is, of course, "maybe," because it depends on the provider, who's managing that organization, potentially where they're located, and, finally, what their ethics are. Those are the questions that the DHS is being asked to determine.

It's possible because of the way most VPN providers work. When you set up the VPN session, you create an encrypted tunnel between your computer or network and a server at the VPN provider's location. From that point, your connection is sent on to its ultimate destination. While your data is passing through the VPN provider's servers, it may be in an unencrypted state, and it may be encrypted again when it's sent to the other end of your connection.

While some VPN providers keep your data encrypted throughout the entire process, some may not. And any of them can decrypt your data if they so choose. The risk lies during the time your data spends on the VPN provider's servers. An unscrupulous provider could send an unencrypted version of your data to someone else while it's in their possession. Faced with that scenario, how do you protect your business data?
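To make the layering described in the two paragraphs above concrete, here is an added Python simulation; it is illustrative code written for this article, not code from PCMag or from OpenVPN. It models three parties: your device, the provider's VPN server, and the destination site. The tunnel layer is encrypted with a key shared between you and the provider, so the provider must strip it to forward your traffic. Whether the provider can read what is inside then depends entirely on whether the application itself (TLS to the website, for instance) encrypts the payload with a key the provider never had. The `seal`/`open_` routines are a deliberately simple stand-in cipher built from the standard library so the example runs anywhere, and `app_key` stands in for an end-to-end session key; neither is a production cipher or a real protocol.

```python
import hashlib
import hmac
import os

# --- toy authenticated stream cipher (stand-in for the tunnel cipher and for TLS) ---

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Derive n bytes of keystream from key+nonce via a hash counter (illustrative only)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises if the packet was tampered with."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("packet failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# --- the three parties ---

class VpnProvider:
    """The provider's server: it holds the tunnel key, so it sees the inner bytes."""

    def __init__(self, tunnel_key: bytes):
        self.tunnel_key = tunnel_key
        self.log = []  # everything an unscrupulous operator could copy and share

    def forward(self, tunnel_packet: bytes) -> bytes:
        inner = open_(self.tunnel_key, tunnel_packet)  # tunnel layer removed here
        self.log.append(inner)
        return inner  # sent onward to the destination


def run_session(payload: bytes, end_to_end: bool, tunnel_key: bytes, app_key: bytes) -> dict:
    """Send payload through a provider-operated VPN and report what each party ends up with.

    end_to_end=False models plain HTTP (or any cleartext protocol) inside the tunnel.
    end_to_end=True  models TLS (or similar) between your device and the destination.
    """
    inner = seal(app_key, payload) if end_to_end else payload   # application layer
    packet = seal(tunnel_key, inner)                             # tunnel layer
    provider = VpnProvider(tunnel_key)
    on_the_wire = provider.forward(packet)
    received = open_(app_key, on_the_wire) if end_to_end else on_the_wire
    return {
        "provider_saw": provider.log[0],
        "destination_got": received,
        "provider_can_read": payload in provider.log[0],
    }


if __name__ == "__main__":
    tunnel_key = os.urandom(32)  # constructed: negotiated between you and the provider
    app_key = os.urandom(32)     # constructed: negotiated between you and the destination
    secret = b"quarterly revenue forecast: confidential"
    for e2e in (False, True):
        r = run_session(secret, end_to_end=e2e, tunnel_key=tunnel_key, app_key=app_key)
        print(f"end-to-end={e2e}: provider can read payload -> {r['provider_can_read']}")
```

The takeaway for a business reader is in the `provider_can_read` flag: the tunnel protects you from the network between your office and the provider, but only encryption keyed between you and the destination protects you from the provider itself. That is the gap the senators' letter is about, and it is why the advice later in this article centres on controlling the server and the keys yourself.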

How to Protect Against Data Loss

First, know your VPN provider. If you're a US-based company, then you need to realize that a VPN provider based in the US will be subject to US laws on data protection; a provider located elsewhere may not. Likewise, if you're located in Europe or another country, then you'll want to know that your data is being handled in accordance with your local laws, too.

Francis Dinha, founder and CEO of OpenVPN, said that you should consider it to be a red flag if a VPN provider is located overseas. "When you have a company operating out of the country, you're exposing yourself to security risks," he said. "Who knows whether the data on your device is being shared to someone else?"

Dinha points out that there are other red flags, notably, whether a VPN is offered for free. With a free VPN service, you are the product, he explains. This may mean that your VPN use may expose you to advertising, or you may find your activities shared with others for marketing purposes, or you may find that your data is being shared with entities that don't have your best interests at heart.

"You should not be using a VPN that allows torrenting or peer-to-peer connections," Dinha said. "It could be a third party that's able to install malicious content."

Those third-party peer-to-peer connections can also extract data from your network. They can allow their clients to install back doors for later use, and they can give them access to network assets during the entire time the VPN is active. While many consumers and power users of VPN technology may scoff at that advice—often they're using a particular VPN specifically because it allows torrenting and peer-to-peer use—these users are also well aware of these potential security risks. They're willing to take them and they've likely installed plenty of endpoint protection software to compensate. Most businesses, on the other hand, are likely involved simply in data transmission and secure remote connections, which means additional endpoint risks simply aren't worth it to them.

Dinha said that any VPN, including those based in the US, can be misused, so it's critical that you vet your VPN provider to ensure it's providing the service you think you're getting. He said that a good way to make sure you're dealing with a reputable VPN provider is to confirm that the company is reputable in other ways. For example, find companies that have a grounding in security, such as firewall companies or security software companies.

One key point, Dinha said, is that you should never use a VPN where you can't control the server. He also suggests that you should ensure that you have full control over key management. Again, from a business perspective, this is a good idea. However, most consumers won't be setting up their own VPN servers. In fact, the whole idea behind consumer VPNs is that they don't have to do so. Power users and consumers need to weigh their time and resources against the benefits gained by end-to-end control of their VPNs. Businesses can afford to be more hardcore, especially those with permanent IT staff—and they probably should be.

What Kind of VPN Solution to Use

By now you're probably thinking that using a consumer VPN service where you tunnel into a server in another country, which then connects you to a site located elsewhere, isn't a business best practice. Dinha agrees, emphasizing that those services really weren't developed as business solutions.

What most businesses should do instead is use a VPN solution that connects users to the company's own server without an intermediate hop through someone else's server. There are many such solutions available, some from companies you've never heard of and some from companies as well known as Cisco. Many of these, though not all, are compatible with OpenVPN's open-source software, which is also widely used and re-marketed by other vendors because it has evolved into something of a de facto standard in the VPN space.

This is certainly more difficult to configure and implement than simply signing up for a VPN cloud service, but the difference is that you're connecting directly to a VPN server that you control, usually located at the edge of your own network. This way, your data is protected and it never enters the hands of a third party.

This article originally appeared on PCMag.com.