VPNs. It’s impossible to go anywhere without being told about the importance of a VPN for protecting your data and work. Every tech blog and publication worth its salt will mention the importance of a VPN. It is a requirement that everyone use the VPN when using a laptop outside the office. You might need to use the VPN to access the company’s files, apps, and intranet when you work remotely. You can’t even watch YouTube videos or listen to podcasts anymore without hearing “Brought to you today by our sponsor, [insert VPN provider here]!”
We get it. Use the VPN to surf the internet anywhere you are not at home or in the office. Secure your data. Prevent cyber snooping. Anonymize your traffic. It’s okay, I guess. I assume this is important because it’s what I’m told. Perhaps a better understanding of infosec principles will help me understand the whys of VPNs, instead of just having IT or a YouTube sponsor tell me to use one.
Why use VPNs?
VPNs are a long-term security mechanism to protect data. They protect the confidentiality, integrity, and availability of your traffic, along with your anonymity. These aren’t just buzzwords that will make you feel good about using your laptop at Starbucks. Confidentiality, integrity, and availability are the three sides of a crucial infosec concept called the CIA triad.
First, confidentiality. This is the most important one when it comes to VPNs. They encrypt all traffic between your laptop and the VPN endpoint. That endpoint can be a virtual or physical server running VPN software, or a hardware appliance such as a firewall or VPN concentrator. It can be hosted on any cloud provider, in a server room, or in your office’s data center. All traffic between your laptop and that endpoint is encrypted.
“But do I really need a VPN if so much web traffic is already encrypted using HTTPS?” This is a great question, especially since browsers such as Chrome are pushing for HTTPS encryption on all websites. Although HTTPS is secure by itself, the VPN adds another layer of encryption on top of the HTTPS encryption.
Even with HTTPS, a website will see that your traffic comes from the city you are surfing from. The location is not very accurate, but it is usually within a specific region or metro area. VPNs remove this problem, as your traffic will appear to come from wherever the VPN terminates (either your office or a cloud host). Masking your location definitely falls under the CIA triad point about confidentiality.
While confidentiality is the main reason for using a VPN service, let’s not forget about the other two. Integrity is the ability to ensure that data is not altered in transit. To ensure integrity, VPN protocols include hashing algorithms.
A hash is a fixed-length value generated algorithmically from a block of data. The hash will change if even a little bit of the original data is changed. When data is encrypted on one side, a hash is sent along with it. The other side decrypts the data and hashes it again. Then, that hash is compared to the transmitted hash. If the hashes match, data integrity is confirmed.
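The send, re-hash, and compare check described above, as an added example that is not part of the original article. It goes one step beyond the text by using a keyed hash (HMAC-SHA256) next to a bare hash, because a bare hash can be recomputed by anyone who alters the data. Encryption is left out, and the key, payload, and function names are constructed for illustration.

```python
import hashlib
import hmac
from typing import Optional

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

def seal(key: bytes, payload: bytes) -> bytes:
    """Sender: append an HMAC-SHA256 tag computed with the shared key."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()

def verify(key: bytes, packet: bytes) -> Optional[bytes]:
    """Receiver: recompute the tag and compare; return the payload or None."""
    if len(packet) < TAG_LEN:
        return None  # too short to even hold a tag
    payload, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # compare_digest avoids leaking how many bytes matched via timing
    return payload if hmac.compare_digest(tag, expected) else None

def seal_unkeyed(payload: bytes) -> bytes:
    """Bare SHA-256 with no key, shown only for contrast."""
    return payload + hashlib.sha256(payload).digest()

def verify_unkeyed(packet: bytes) -> Optional[bytes]:
    """Bare-hash check: detects accidental corruption only."""
    if len(packet) < TAG_LEN:
        return None
    payload, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    digest = hashlib.sha256(payload).digest()
    return payload if hmac.compare_digest(tag, digest) else None

def flip_bit(data: bytes, index: int) -> bytes:
    """Simulate in-transit alteration: flip the lowest bit of one byte."""
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)

# Constructed sample values; real VPN keys are negotiated per session.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
PAYLOAD = b"constructed sample payload"

if __name__ == "__main__":
    packet = seal(KEY, PAYLOAD)
    altered = flip_bit(PAYLOAD, 0)
    print("intact packet accepted:", verify(KEY, packet) == PAYLOAD)
    print("one flipped bit accepted:", verify(KEY, flip_bit(packet, 0)) is not None)
    # Without the key, a bare hash can be rebuilt to match; the HMAC tag cannot.
    print("bare hash accepts rehashed change:", verify_unkeyed(seal_unkeyed(altered)) is not None)
    print("HMAC accepts wrong-key tag:", verify(KEY, seal(b"not the key", altered)) is not None)
```
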
Availability is the final point in the CIA triad. To be useful, any system must be available. This means it cannot be taken down by DDoS attacks, have its files held for ransom by Cryptolocker, or suffer any other evil act that prevents you from working.
A VPN increases availability in corporate settings by reducing the public attack surface. A VPN allows a company’s employees to access email, files, and apps. Instead of opening those services to direct access from any remote location, the company puts them behind the VPN to protect its data.
