Re-thinking VPNs for Securing SMBs Against Threats

essidsolutions

As small and medium businesses continue to expand their security capabilities, a security technology dating back to the 1990s is seeing a renaissance as a new strategy and the means to protect companies with increasingly decentralized IT resources. To some, the VPN is table stakes, almost a generic capability still useful today but not deserving much attention. These companies see VPNs as the means to encrypt data in motion or provide secure point-to-point tunnels across an open internet that continues to grow more dangerous. To others, the VPN is especially important in securing businesses with most, if not all, employees remote and most applications and services based in the cloud. Traditional networks, on-premises data centers, and servers are becoming rarer, making traditional security means potentially obsolete.

Literally a Virtual Private Network

The renaissance of VPNs brings companies back to its literal meaning: Virtual Private Network. Now, the virtualized private network is not strictly just tunnels and encrypted packets but a way of establishing a secure, private network within the broader public internet, catering specifically to employees or users in any location and cloud-based applications and infrastructure. The approach reverses some of the growing complexity of security and reckons with the current network realities of small and medium businesses.

Besides encryption, this new VPN approach combines several important factors: privatization, determinism, management, and access controls. Some of these are inherent to the way a VPN operates. Some are augmentations that use the VPN as a framework to add important capabilities.

Privatization for Protection

Privatization means that real IP addresses can be removed from public access by rejecting all but whitelisted VPN traffic, making it more difficult to see and access user machines and applications or resources. The obscurity makes it hard for attackers and malware to identify and target specific devices. The privatization using VPNs significantly lessens the specific targeting of machines and wide sweep port scanning to uncover potential targets. 

Privatization protects IoT devices and industrial, utility, or manufacturing monitoring and management equipment. Remote users accessing IoT data or controls can shield these IP addresses from outsiders through a VPN. Similarly, IoT devices that communicate with remote users can also protect their identity through VPNs. According to the IBM Security X-Force Threat Intelligence Report 2022, “Attackers increased their reconnaissance of SCADA (Supervisory Control and Data Acquisition) Modbus OT devices accessible via the internet by 2,204% between January and September 2021.” The report also showed that manufacturing became the world’s most attacked industry.

Many small and medium companies may not have large networks of IoT and SCADA devices, but they may be suppliers, partners, or consultants to larger manufacturing companies or utilities. It is imperative that such firms can securely connect with such customers or clients and are not a weak security link in a supply chain. The cost of damages and impaired reputation could wipe out small and medium companies.

Determinism amid Fraud and Deception

The flip side of privatization and the masking of real IP addresses externally is determinism. Namely, it is harder to fool users with spoofed IP addresses and phony sites if, within the virtual private network, users can confidently connect with company applications and resources and not be fooled by imposters. Phishing became the top pathway to compromise in 2021, according to the IBM Security X-Force Threat Intelligence Report 2022, with 41% of incidents X-Force remediated using this technique to gain initial access. Determinism through VPNs adds an overall feeling of confidence and legitimacy. It creates a walled garden inside the open internet, even with users in any location using any access and SaaS applications or cloud-based resources. It brings both ends into a protective environment that resembles an on-premises network. Access based on an IP is a foundational VPN approach. Modern, zero-trust VPNs require a multilayered authentication process requiring the user to prove it’s them and not an attacker to gain access.


Managing Cloud Everything

Management is another key aspect of small and medium businesses using VPNs as a basis for “network” security. When a user connects to the organization’s cloud VPN gateway, encryption, access control, 2FA, segmentation, and other security measures are applied to this connection and whatever device is used. This capability enables embracing the freedom and utility of an any-access, any-device environment while maintaining security and control.

Management also means ease of deployment and ongoing operation. First, users of this private network can be easily added or removed, and scalability should be effectively unlimited. Second, blacklisting can be employed to prevent employees or users from going to dangerous or unauthorized sites. Most of this will likely come from threat intelligence sources, open sources, or directly from the VPN provider, but organizations may have their own specific sites or types of sites that they want to place off limits. Blacklists typically block known attackers, malware spreaders, botnet command and control servers, and spammers.

Traditional web/URL filtering is not widely used anymore, but certain kinds of companies or organizations, such as religious entities, may have the need or desire to utilize it. Other companies may need to prevent access to social media sites or streaming services during business hours. Standards could be imposed on users’ web access through the organization’s VPN, if necessary. Third, whitelisting can also be employed, and its use is fairly common. IP whitelisting is used to allow traffic only from within the organization’s trusted VPN network and from nowhere else. Hence, only verified users inside the organization’s network (available anywhere globally) can access those servers. Access based solely on IP is legacy; multilayered, identity-based authentication and least-privilege access are now a must-have.
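The “reject all but whitelisted VPN traffic” idea from the privatization section and the IP whitelisting described above amount to one host policy: the only thing the public internet can reach is the VPN listener, and application ports answer only to addresses inside the tunnel. The model below is an added illustration, not code from the article or any VPN vendor; the WireGuard-style UDP port 51820, the tunnel interface name wg0, the tunnel subnet 10.8.0.0/24 and the service ports are constructed assumptions. It evaluates sample packets against that policy, shows what a port sweep from outside would see, and emits the equivalent nftables ruleset.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VPN_LISTEN_PORT = 51820                  # assumed: WireGuard-style UDP endpoint
VPN_IFACE = "wg0"                        # assumed: tunnel interface name
VPN_SUBNET = ip_network("10.8.0.0/24")   # constructed: addresses issued inside the tunnel
INTERNAL_TCP_PORTS = (22, 443, 5432)     # constructed: SSH, HTTPS app, database


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    iface: str      # interface the packet arrived on ("eth0" = public, "wg0" = tunnel)
    proto: str      # "tcp" or "udp"
    dst_port: int


def decide(pkt: Packet) -> str:
    """Return 'accept' or 'drop' for a new inbound connection under the VPN-only policy."""
    # Rule 1: the VPN endpoint itself is the single service exposed to the internet.
    if pkt.proto == "udp" and pkt.dst_port == VPN_LISTEN_PORT:
        return "accept"
    # Rule 2: application ports answer only to tunnel addresses that actually arrived
    # over the tunnel interface; matching the interface means a packet from the public
    # side carrying a tunnel-range source address still falls through to the drop policy.
    in_tunnel = pkt.iface == VPN_IFACE and ip_address(pkt.src) in VPN_SUBNET
    if in_tunnel and pkt.proto == "tcp" and pkt.dst_port in INTERNAL_TCP_PORTS:
        return "accept"
    return "drop"  # default policy: everything else is silently dropped


def visible_ports(src: str, iface: str, ports=range(1, 65536)) -> list:
    """Ports a TCP/UDP sweep from (src, iface) would get a response on."""
    return [(proto, p) for p in ports for proto in ("tcp", "udp")
            if decide(Packet(src, iface, proto, p)) == "accept"]


def nftables_ruleset() -> str:
    """Equivalent nftables input chain (assumed syntax for a Linux VPN gateway)."""
    ports = ", ".join(str(p) for p in INTERNAL_TCP_PORTS)
    return (
        "table inet vpn_only {\n"
        "  chain input {\n"
        "    type filter hook input priority 0; policy drop;\n"
        "    iif lo accept\n"
        "    ct state established,related accept\n"
        f"    udp dport {VPN_LISTEN_PORT} accept\n"
        f'    iifname "{VPN_IFACE}" ip saddr {VPN_SUBNET} tcp dport {{ {ports} }} accept\n'
        "  }\n"
        "}\n"
    )
```

Run with `python3 -c 'import policy; print(policy.visible_ports("203.0.113.5", "eth0"))'` (assuming the file is saved as policy.py) to see that an external sweep reveals nothing but the VPN listener.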

Zero Trust Made Easy

Through a cloud VPN, small and medium businesses can create a zero-trust network virtually without much complexity and overhead. Access controls can require more advanced authentication and security checks of access devices. Use of privatization through IP masking or obfuscation as well as whitelisting, encryption by default, and other features add to zero trust protections.

Another major benefit to basing small business security on VPNs is one of the oldest security principles: complexity is the enemy of strong security. By using a cloud VPN for protection, compliance, and management, small and medium companies can achieve necessary levels of security in a relatively simple form that is easy to deploy and manage. The ease and simplicity directly contribute to better security because it can be more fully and consistently used. It also better conforms to the real-world conditions of “network-less” businesses with remote users and cloud-everything applications and resources.

Perhaps it’s time to consider using VPNs within small and medium businesses. Remote and dispersed employee access is a given. So is the use of SaaS and cloud resources. Threats and compliance requirements continue escalating, and general security is more complicated and complex. Turning to VPNs as existing virtual private networks within a cloud-everything world could make a crucial difference.

