Virtual private networks (VPNs) used to be the exclusive province of the IT professional, used not just to provide secure links to road warrior employees and telecommuters but also to securely tie buildings and multiple corporate campuses to a central data center. But in recent years, consumers have discovered VPNs and their security and privacy benefits, which have resonated profoundly enough that many consider a consumer-grade VPN just as essential to a basic device setup as a web browser. PCMag recently published a VPN review roundup that provides a comprehensive look at VPNs that can provide the privacy and anonymity you may want when browsing the internet or finding content options that aren't available from your location.
That's because a VPN provides a secure pathway through the internet to another server. This is accomplished by running an application on your desktop computer or mobile device that handles the encryption and sets up the tunnel to the remote server. From there you can access material on the internet, but someone in between you and that remote server can't see what you're doing. Additionally, because your actual contact point to the internet is originating from that server and not your personal device, it's more difficult to track the actual user than it would be if you connected to the web directly since the IP address associated with the session belongs to the server, not you.
That all sounds much more secure than your usual consumer internet session and it is. But just because a VPN can provide a connection to another server doesn't mean it's an appropriate solution for handling sensitive corporate information. From a corporate perspective, there's a lot more involved than just a connection to a server.
Types of VPNs
First, it's important to know that there's more than one type of VPN. For most companies, VPN use began as a remote access connection to a dedicated VPN gateway. The secure connection used the internet for transport, but the encrypted tunnel it created led only between your computer or other device and the VPN gateway. When that tunnel was created, you became part of the company network: you could access the company servers and you had a company IP address. The network extended securely to your machine.
With a remote access gateway, your connection to the internet, if any, was through your company's internet gateway. These connections were provided by using dedicated hardware, and were often provisioned by an internet service provider (ISP) or major telecom. They were expensive and sometimes hard to manage, but they were secure.
VPN services are attractive because they're relatively inexpensive, easy to set up (at least for the user), there's little management once they're running, and they're widely available. So why not reach your company's data through a VPN service?
"The VPN network might be secure, but what happens when it leaves there?" asks Jack Gold, Principal Analyst at tech industry analyst firm J. Gold Associates. "What happens when you run the connection to your corporate network?"
And therein lies the problem. Using a consumer VPN to access your corporate network solves only half of the problem. You may have a secure connection to the VPN server, but what kind of connection do you have between the VPN server and your corporate network? In many cases, it may just be an unencrypted internet connection or maybe it will have Secure Sockets Layer (SSL). But for sensitive data, you need more than that.
Why You Need a Business VPN
What you need is a business VPN. But that doesn't mean that you need an old-fashioned remote access gateway, although that may be an option in some cases. Fortunately, there are also other options.
A remote access gateway can make a lot of sense if what you need to do is connect a remote office network to the corporate network through the internet. There are a number of VPN appliances that can do this for you, from companies you know, including Cisco, Linksys, TP-Link, and WatchGuard. They're available for organizations of pretty much any size.
A more flexible solution is a VPN service that operates much like the consumer services, but which is designed for the needs of business users, including the need to protect sensitive information on its entire trip to the corporate network. These providers include some of the consumer VPN providers, notably NordVPN, which not only earned an Editors' Choice but also a rare 5-star editor rating in our consumer VPN review roundup.
NordVPN for business starts where the company's consumer product ends: it provides a secure connection to the corporate network and can even provide a dedicated server. You also have central administration, central billing, and a dedicated account and helpdesk support team.
Of course, there are providers other than NordVPN, including some of the companies in our review roundup. What's important is that you confirm that they're really suitable for your business. This means meeting Payment Card Industry (PCI) rules if credit card data will travel over the VPN. You must also meet requirements for protecting personally identifiable information (PII), Health Insurance Portability & Accountability Act (HIPAA) rules for medical, electronic medical record, and other health data, and in some cases, US Securities and Exchange Commission (SEC) regulations.
How to Meet VPN-Related Requirements
So, how exactly do you meet these requirements? Gold suggests asking the following questions:
- Who is certifying the encryption? You must know that the encryption meets the standards your business is required to meet.
- How was it tested and who did the testing? Testing is expensive, so some providers may not want to spend the money. You don't want those providers.
- Where is the server? Crossing national boundaries can often be problematic, not just for performance reasons but also when addressing some compliance needs.
- How do they connect to your corporate network? It needs to meet those same standards of protection that the rest of your business must meet.
- What kind of logging is performed? Logs can be subpoenaed, which is why consumers don't like them. But businesses may be required to keep logs for the very compliance regulations you're trying to meet. You need to know this.
You also need to know what kind of support you'll get, especially if the VPN goes down right as you're getting ready to run your employee payroll for the month. You'll want to know how easy it is to set up and configure the VPN endpoints.
Protecting your company with a VPN really isn't optional, unless you don't allow any operations to take place remotely. Since that's not very practical, it pays to find a VPN that will work for your company and start using it. While a consumer VPN might be better than having nothing at all, the fact is, it's probably not good enough to keep you and your business out of trouble.