Many small businesses and their employees are concerned about the security of their data whilst working from home during the coronavirus pandemic. We see a lot of confusion surrounding this topic, even from fairly technical folk and there is unfortunately a lot of misinformation being spread by commercial VPN providers themselves. TL;DR - Most people do NOT need a commercial VPN provider to work from home securely and any provider telling you otherwise is probably selling you snake-oil. It’s a bit like arguing that you should put on a helmet to drive your car around your neighbourhood at 30 mph. Yes you’re less vulnerable than without it but does the risk justify the cost? No, not in our opinion. This excludes employees on the move who are connecting from untrusted networks and especially those with more sensitive threat models e.g. journalists.
Before we dive in I want to emphasise that this article makes quite a few assumptions. To start we assume you are an employee working from home for a small to medium size company which hosts their applications in the cloud and those applications use TLS/HTTPS (as shown by the little lock in the browser bar) and you don’t have an extreme threat model involving sophisticated government agencies or other well funded adversaries attempting to steal your data.
VPN technology was originally developed to allow enterprises to extend their private internal networks over the Internet. Instead of having to purchase expensive dedicated links between sites (e.g. a remote site and the head office) they could purchase two routers which established a secure connection over the Internet. The VPN ensured the confidentiality and integrity of the data whilst traversing the public Internet. There is also the ‘road warrior’ configuration where staff requiring remote access to their company’s internal servers could establish a VPN from their laptop to a VPN router connected to the company’s internal network. These companies typically have strong perimeter defences and relatively lax controls on the internal network. The VPN router in this case not only ensures data confidentiality and integrity but also access control i.e. only authenticated users with authorisation are allowed access to defined servers on the internal VPN. Many, perhaps most large companies still operate these VPN routers which enable their employees to work from any Internet enabled remote location securely. If you are working for such a company, you will typically be using a VPN client form Cisco, Citrix, Sonicwall etc. with strong authentication e.g. 2FA with a RSA hardware token. In this case a VPN is obviously necessary whilst working from home, without it you won’t be able to access the applications you need to do your job (email, CRM etc.)
The other use-case for a VPN is offered by a commercial VPN provider. These companies make various claims about ensuring your security, privacy and anonymity. Although the same basic VPN technology is used, the goals are very different. When you connect to a commercial VPN provider you are not attempting to access a server on their private network (as in the enterprise case above), rather you are connecting to a VPN router/server which is simply connected to the public Internet i.e. you connect from the public Internet and once connected have access to the same public Internet.
Although this may at first seem pointless it actually creates several side-effects which are potentially desirable. Because the VPN server acts as a proxy server i.e. processes all Internet requests on behalf of all connected users using the same source IP address it effectively masks the IP assigned to you by your ISP. In addition the data traversing the VPN link between your device and the VPN server is encrypted so the company providing you Internet access (your ISP) cannot see which websites you access. However what we are attempting to address here is the security of your data. What attacks does encrypting your Internet traffic between your device and a random server on the Internet prevent?
The most cited reason for using a VPN for security is to prevent attacks on untrusted networks e.g. public Wi-Fi. The presumption here is that the Wi-Fi operator may be malicious or that the Wi-Fi network itself doesn’t implement encryption thereby enabling various eavesdropping attacks. These are valid concerns and using a VPN may well mitigate these attacks. However in this article we are discussing working from home and assuming you are connecting to a Wi-Fi network that you trust or directly control. We’re also assuming you have configured your Wi-Fi with WPA2 or WPA3 (typical on most modern routers, you can verify this in your router configuration) and a strong passphrase so all traffic sent from your devices to your home router is encrypted with a similar level of security to that used by a commercial VPN provider. Ok so what about the data sent from your home router to the destination server? Well this is where ubiquitous TLS (https) connections save the day, yes that little lock in your browser bar that everyone talks about. If its there when you connect to a website (or the address starts with https) then you are using TLS, a modern encryption protocol that ensures that all data between the browser and web server is encrypted.
By now you’re probably seeing that there are multiple layers of encryption on the Internet and generally speaking for most people’s security needs we don’t need more than one layer. So lets take the case of Jane who works for Acme inc. a company with 100 remote employees with all their applications in the cloud. Jane uses Gsuite, Zoom, Salesforce, Slack and a custom app hosted on AWS. Whenever she connects to any of these apps, a secure encrypted connection is established and all data sent by the browser is encrypted until it reaches the application server. As Jane is connected via Wi-Fi, the encrypted TLS data is again encrypted by her network adapter between her laptop and her Wi-Fi router. Then from her home router to the Salesforce server it is protected by the TLS encryption established by her browser. At no point is the data vulnerable to an eavesdropper. If Jane was convinced to use a commercial VPN provider then there would be an additional layer of encryption between her laptop and the VPN server, offering no value unless you are concerned that the underlying TLS encryption is not sufficient, which is not normally a concern for most organisations. And when using a VPN, the connection from the VPN server to the salesforce server is not encrypted by the VPN, only the path from the user device to the VPN server.
So we don’t think Jane needs a commercial VPN to work securely from home in this scenario. However if Jane is concerned about her ISP snooping on the websites she is visiting or she needs some basic IP layer anonymity then there may be a use-case for a commercial VPN provider but thats a subject for another article.
Suggest an edit on GitHub.