Why Virtual Private Networks Aren’t Very Private by Don Boxley Jr, Co-founder and CEO at DH2i

“Private” is the middle name of virtual private networks (VPNs) – but how private are they really? Unfortunately, when you understand their design, it becomes clear pretty quickly that with VPN technology, secure data transmissions can’t be counted on. While VPNs have traditionally been considered a reliable way to ensure that data transmissions occur with the needed level of privacy and security, the facts don’t validate that assumption anymore. The truth is that many of today’s go-to data security options may open the floodgates to added security risk rather than eliminating it.

What’s the deal with VPNs and why are they less secure in today’s world than in the past? The fact is that the legacy security/connectivity approach of VPNs was conceived not for the current workplace environment of hybrid/multi-cloud and mobile configurations, but for on-premises settings. Not only are VPNs hampered in cloud settings, but their many drawbacks may now outnumber their benefits. These disadvantages include, but aren’t limited to: complex management; unreliable, sloth-like connections; limited scalability; data and network vulnerabilities; and high, continuously escalating costs.

Flagged for concern

This isn’t just conjecture. Earlier this year, two U.S. Senators labeled VPNs a “national security risk” and alerted the Department of Homeland Security about it. You can read the letter written by Sens. Ron Wyden and Marco Rubio to Christopher C. Krebs, director of the branch of the Department of Homeland Security concerned with cybersecurity.

The senators’ concerns were well founded and pointed to a weak link in VPN architecture, which is particularly problematic in relation to downloading mobile apps. A key issue that Wyden and Rubio raised was the disturbing fact that “VPN providers route all user traffic through their own servers.” After outlining their argument against VPNs because of the technology’s inability to protect national security, the senators implored Krebs to “conduct a threat assessment on the national security risks associated with the continued use by U.S. government employees of VPNs, mobile data proxies, and other similar apps that are vulnerable to foreign government surveillance.”

Enterprises not immune

National security may be one of the most wide-ranging privacy problems caused by VPNs, but it’s just the tip of the iceberg. VPNs have been equally problematic in other distributed settings that require reliable security and compliance adherence, particularly when it comes to enterprise security. The issue centers around the fact that data can’t be routed securely at the application level with a VPN. So if your organization is still relying on VPNs to transmit sensitive data over the VPN provider’s server, then you’re taking a big risk that you may be exposing that data to people who shouldn’t see it and may compromise it.

As the letter from Wyden and Rubio highlighted, VPNs complicate private data transmissions when they use third-party servers to transport data. A study that included researchers from UC Berkeley and the University of South Wales revealed that the vast majority (more than 80 percent) of VPN apps on Android devices wanted access to personal user data.

The research also verified that:

  • Nearly 40% of the VPN apps injected malware to try to access user data.
  • 84% leaked user traffic.
  • Around 20% failed to encrypt traffic.

Notably, virtually no users of VPN apps (less than 1%) expressed any particular privacy concerns about the apps that have the data security problems noted above. A key piece of this puzzle is that regulators in many industries require that companies be more careful about these decisions, since organizations are being held responsible for the practices of third parties that are processing their customers’ personal data and private information. So it may be time to get real about the fact that VPNs simply can’t protect privacy to the degree that is required in today’s enterprises.

Restoring privacy

In the data-distributed enterprise, a more secure solution is needed, and it already exists in the form of Software Defined Perimeter (SDP) approaches. SDPs are quickly gaining traction and visibility in the market because unlike VPNs, SDPs have been expressly engineered for a world of distributed data and sharing across multiple clouds and hybrid settings, from mobile to Internet of Things. By avoiding VPN shortfalls on both the operational and architectural front, SDPs actually do what many people believe VPNs do but don’t – SDPs bolster security and privacy for data transmission instead of undermining them.

The micro-tunnel design of an SDP is fully cloaked for optimal security, which is amped up further by proper encryption and authentication functionality. This means even if sensitive data does become compromised, the perpetrators won’t be able to decipher the data.

Here are some of the key ways that SDPs correct for the flaws inherent in VPN solutions to provide added transmission security:

  • Third parties have no access to user data with SDPs, since the data in question avoids third-party servers.
  • With no possible third-party intervention, the types of concerns common with VPNs – such as requests for data and tracking systems for compliance – become obsolete.
  • Application-level data delivery occurs directly from the source to target systems.
  • SDP’s compartmentalized micro-tunnels block outside access to users’ networks.
  • Once an SDP solution successfully connects the applications and servers, their adjoining ports are no longer open for detection – unlike with open VPN ports that can be easily spotted by hackers.
  • Micro-tunnels thus become virtually “invisible,” making data transfer truly private and helping companies achieve regulatory compliance.

What is it that makes these tunnels so secure? Their data transmission takes place via User Datagram Protocol (UDP), not Transmission Control Protocol (TCP), the latter of which is much more detectable. Random port generation occurs only when a request is made for a connection, which prevents cyber thieves from zeroing in on the usual suspects like SQL Server and other standard application ports.
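A defender-side check for the exposure described above, added here as an example (it is not from the article or from any SDP product): it parses `ss -H -tuln` output and reports standing listeners on standard application ports that are reachable beyond loopback. The port list other than SQL Server's 1433 and the sample output are assumptions constructed for illustration.

```python
import ipaddress

# Standard ports to flag. 1433 (SQL Server) is the article's example;
# the other entries are assumptions added for illustration.
STANDARD_PORTS = {22: "SSH", 1433: "SQL Server", 3306: "MySQL",
                  3389: "RDP", 5432: "PostgreSQL"}

# Constructed sample of `ss -H -tuln` output (not captured from a real host).
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:1433       0.0.0.0:*
tcp   LISTEN 0      4096       127.0.0.1:5432       0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
udp   UNCONN 0      0            0.0.0.0:41873      0.0.0.0:*
udp   UNCONN 0      0      127.0.0.53%lo:53         0.0.0.0:*
tcp   LISTEN 0      128                *:3389             *:*
"""


def is_loopback(addr):
    """True if the bind address is loopback-only ('*' means all interfaces)."""
    addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface
    if addr == "*":
        return False
    return ipaddress.ip_address(addr).is_loopback


def exposed_standard_listeners(ss_output):
    """Return (proto, bind_addr, port, service) for each standing listener
    on a standard port that is bound to a non-loopback address."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or malformed line
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        port = int(port)
        if port in STANDARD_PORTS and not is_loopback(addr):
            findings.append((proto, addr, port, STANDARD_PORTS[port]))
    return findings


if __name__ == "__main__":
    for proto, addr, port, service in exposed_standard_listeners(SAMPLE_SS):
        print(f"{proto} {addr}:{port} ({service}) is a standing listener")
```

On a live Linux host, feed the function the text returned by `ss -H -tuln` instead of the constructed sample.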

While inside data leaks commonly occur with VPN, the SDP format prevents even detection of remote data transmissions. With these fortifications and safeguards in place, the types of concerns about potential data compromise that Senators Wyden and Rubio expressed evaporate into non-issues.

VPNs may still be popular, but they’re no longer private. Their very architecture has become almost archaic in today’s cloud-based workplace, making them too risky when it comes to third-party data transmission. SDPs, on the other hand, are designed to be a model of security best practices when it comes to data transfer, offering enterprises a protective alternative to boost data privacy rather than compromising it.