To VPN or not to VPN
They say there’s a fine line between genius and insanity and when I blurted out on a team call that I would describe a VPN as a ‘condom for the internet’ I figured I either gained some respect among my peers or lost all credibility. The question has come up a lot recently and I had to ask myself why so many people were requesting a VPN from their organization.
First, a quick primer on what a VPN is. A VPN or ‘Virtual Private Network’ is just that: a way to direct your computer's traffic somewhere, securely, using software.
Since HTTPS (https://en.wikipedia.org/wiki/HTTPS) became prevalent, I had been reducing the reliance of small biotech companies on their VPNs. This reduction helped save bandwidth, reduced support tickets and decreased the need for high uptime availability of the infrastructure; all measures that reduce IT spend. Recently, however, it seems there is a resurgence of business leaders asking questions around VPNs.
Now that we know what a VPN is and the question has arisen, we need to take the crucial step of asking the ‘Why?’ question for our organization. Why should we introduce more cost and complexity into a life science startup that already has its hands full?
Privacy
Are you concerned with details of your traffic being visible to others? While HTTPS traffic is encrypted, your destinations are not. For example: when you log into your bank from a coffee shop, the contents of your connection are secure, but the fact that you are visiting your banking website is recorded by the coffee shop router. In this example you may not care that the coffee shop knows you visited a banking website as that is a pretty typical occurrence and they very likely don’t care much about you. However, what if you were on-site at a potential partner’s office for a meeting or to close a deal? Try to think of all the websites you visited recently and consider if it would be OK that a company you are choosing to do business with knows what they are and if that information may color their impression of you or how well (or not well) any agreements go.
A VPN would provide the above privacy, and the privacy can be enhanced further depending on how it is configured. In my next blog post I will examine the different options we have to meet privacy concerns, as well as security and access.
Another option that could protect the privacy of your devices is the use of a Private DNS Service as an alternative route for traffic. These are subscription services that direct your website destinations through a private company first.
Upside: no infrastructure to maintain
Upside: many of these services also filter out known malicious websites, keeping the browsing of your employees safe
Downside: does not fulfill any other functions of a VPN such as access to local resources or corporate data centers
Downside: not under IT's control, unknown security
Security
For additional security, consider a VPN as an extra layer of encryption for your traffic that prevents intruders from collecting information from your internet data. We know that HTTPS is encrypted, but what about those websites or local resources that use the older HTTP (without the ‘S’)? Further, some routers (and even entire ISPs/countries!) will do what is called Deep Packet Inspection (https://en.wikipedia.org/wiki/Deep_packet_inspection) and bypass the HTTPS encryption in order to see the data within your traffic. Do you know if your incubator space, hotel or airport network is doing this? (Hint: if you accepted a ‘certificate’ when joining a network, this is very likely happening and all your traffic is now visible to the people that manage that network.) More than just privacy, a VPN will protect your traffic end-to-end and prevent an attacker from getting on your network or device.
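One way to check for the situation in the hint above is to compare the certificate a network presents for a site you know against what you recorded for that site on a trusted network. This is an added example, not from the original post; the issuer names and certificate bytes are constructed sample data, and `observe`, `summarize` and `assess` are illustrative helper names.

```python
import hashlib
import socket
import ssl

def observe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the certificate the current network presents for host (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return summarize(tls.getpeercert(), tls.getpeercert(binary_form=True))

def summarize(cert: dict, der: bytes) -> dict:
    """Reduce a getpeercert() result to issuer organization and SHA-256 fingerprint."""
    issuer = {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}
    return {"issuer_org": issuer.get("organizationName", ""),
            "sha256": hashlib.sha256(der).hexdigest()}

def assess(observed: dict, baseline: dict) -> str:
    """Compare what this network shows with what a trusted network showed."""
    if observed["sha256"] == baseline["sha256"]:
        return "unchanged"               # same certificate as on the trusted network
    if observed["issuer_org"] == baseline["issuer_org"]:
        return "reissued-same-ca"        # likely a routine renewal
    return "issuer-changed"              # a different CA signed it: possible interception

# Constructed sample data in the shape ssl.getpeercert() returns (not real certificates).
TRUSTED = summarize(
    {"issuer": ((("organizationName", "Example Public CA"),),
                (("commonName", "Example Public CA R1"),))},
    b"constructed-der-1")
ON_GUEST_WIFI = summarize(
    {"issuer": ((("organizationName", "Hotel Network Services"),),
                (("commonName", "Guest Gateway CA"),))},
    b"constructed-der-2")

if __name__ == "__main__":
    print(assess(ON_GUEST_WIFI, TRUSTED))
```

If the network's certificate was never installed on the device, `observe` fails with a certificate verification error instead, which is itself a sign the connection is being intercepted.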
Foreign travel is often cited as a reason for selecting a VPN, and it’s a great reason. Just be aware that some countries, like the People’s Republic of China, may have laws against using them. The 2017 update to the Great Firewall law makes VPNs illegal unless approved by the PRC government.
On foreign travel, my advice to clients is to:
Not let yourself be the first to test the consequences of this law.
Collaborate with a knowledgeable IT professional and your legal team to decide whether this applies in your use case.
Work with an IT professional to make a plan for limiting the exposure of sensitive data through other means (burner device, cloud storage resources, risk assessments and an action plan which includes training).
Work with an IT professional and your HR team to develop a policy for your employees who require travel as part of their duties so this is addressed consistently to the company's specifications.
Access
There may be a very practical reason for a VPN separate from privacy and security; maybe you just want to access a local resource from the office or your data center. This is often termed ‘tunneling’ as you essentially make a ‘tunnel’ through the internet back to your own servers. This is most common when accessing local storage or lab devices, so you typically see this in the R&D, Computation and Informatics or Development teams. Is your organization leveraging the cloud? A VPN may be an essential step when accessing those resources and hey, why not do it in a secure, encrypted way?
These three reasons are crucial in understanding WHY my clients could empower their enterprise by utilizing a VPN. Gathering these requirements is the first step in understanding how to securely and effectively solve a problem and enable smaller orgs to move quickly and safely.
My next blog post will address the crucial next step of HOW we can accomplish those goals.