What Is a VPN?

The History of the VPN

Point-to-Point Tunneling Protocol, thought to be the genesis of secure wireless data transfer, was released in 1996. Before PPTP, securely exchanging information between two computers required a hardwired connection, which was inefficient and impractical on a large scale because of the amount of physical infrastructure needed. Therefore, if the security offered by a wire was unavailable, any data being transferred was left vulnerable to attack or theft.

With the development of encryption standards and the evolution of the bespoke hardware requirements to build out a secure wireless tunnel, PPTP eventually evolved into what it is today: the VPN server. Able to be applied wirelessly, it saved hassle and costs for businesses in need of secure wireless information transfer. From here, many companies went on to build their own physical and virtual VPN services, including Cisco, Intel, and Microsoft.

How Does a VPN Work?

A VPN works by taking a standard user-to-internet connection and creating a virtual, encrypted tunnel that links the user to an appliance in a data center. This tunnel protects the traffic in transit so that bad actors using web crawlers and deploying malware can’t steal any of the user’s or entity’s information. One of the most common encryption algorithms used for VPNs is Advanced Encryption Standard (AES), a symmetric block cipher designed to protect data in transit.

Most often, only authenticated users can send their traffic through the VPN tunnel. Depending on the type of VPN or its vendor, users may have to reauthenticate to keep their traffic traveling through the tunnel and safe from bad actors.

Types of VPNs

VPNs exist to provide convenient security that can serve a smaller-scale need or purpose. Here are some examples of VPNs:

Cloud VPN: VPNs can be deployed on top of virtual machines in order to “cloud-enable” them. This takes the hardware capability of a VPN and (artificially) adds cloud functionality, such as greater scalability and endpoint protection. While these may be more useful for extended enterprises than a typical standalone VPN appliance, they may still lack the flexibility to support a remote or hybrid workforce at scale.

Personal/Mobile VPN: Companies such as ExpressVPN and NordVPN offer downloadable VPN apps so users can keep data secure on their personal devices. This is a good measure to have in place if you’re browsing the web on insecure Wi-Fi networks. Some free VPNs are available to help keep your devices secure, but they’ll later become paid.

Remote access VPN: These VPNs are designed specifically for users working from outside of the office in a corporate setting. They’re typically deployed within a company’s data center but can be extended (at the cost of web and/or app performance) to protect remote users from malware and other threats. These became extremely common after the onset of the COVID-19 pandemic.

What Are VPNs Used For?

A VPN is an adequate means of securing branch or remote employees on a smaller scale. When a few employees were on the road or connecting from a coffee shop, companies could leverage a VPN service to deploy VPN client software that would let a remote user establish a secure connection from an endpoint sitting outside the network perimeter.

Back when everyone went to the office, companies would even employ site-to-site VPNs as a means of connecting two networks, such as a corporate network and a branch office network. In this way, VPNs can serve a variety of use cases, particularly as they pertain to keeping remote and branch office users away from internet traffic. As the remote workforce has taken shape, however, more and more companies are realizing that VPNs aren’t as secure as they need to be.

How Businesses Use VPNs

In professional settings, companies use VPNs as a means of securing users who are working remotely and using mobile devices or other endpoints that may not be deemed secure. For example, businesses may issue Windows or Mac laptops to enable their employees to work from home when necessary. Of course, this notion is now widespread in the wake of the COVID-19 pandemic.

Businesses deploy VPNs to let remote users securely access corporate resources through their home networks. Most internet service providers (ISPs) have good security protocols in place to protect non-sensitive data flowing through home networks. However, when it comes to sensitive data, home Wi-Fi security measures aren’t strong enough to protect it on their own, necessitating the use of VPN protocols by businesses to keep this data secure.

By leveraging a VPN provider, companies will use these protocols to shut off the default flow of traffic from router to data center and will instead send the traffic through an encrypted tunnel, which protects data and secures internet access from users working remotely, reducing the company’s attack surface—albeit on a smaller scale.

Benefits and Challenges of Using a VPN

Benefits

VPNs can simplify security for a business or even an individual. At their core, they're designed to:

• Limit permissions. Imagine if anyone could gain access to any network. VPNs overcome this by requiring users to authenticate their way into the network.
• Prevent throttling. A VPN’s encrypted tunnel prevents visibility from the outside, so in theory, bandwidth remains wider and speeds stay fast.
• Secure devices. Remote desktops as well as devices running Android and iOS operating systems can be protected with the help of a VPN.

Challenges

Despite the promise of these benefits, however, VPNs come with their share of hindrances that can create headaches for IT departments or even increase risk. VPNs:

• Put users on the network. VPNs inherently give employees and third parties direct access to the corporate network. The moment a user tunnels into the network via VPN, they are viewed as “trusted” without knowing whether they have earned sufficient trust and are granted lateral access.
• Increase costs and complexity. The cost of a full VPN gateway appliance stack becomes more expensive as latency and capacity limitations require organizations to replicate the stacks at each of their data centers.
• Aren’t built to scale. VPNs are, by their nature, hardware-based. They’re not built to grow and scale to protect users, workloads, and applications as an organization’s needs increase. What’s more, hybrid work is now the norm, and most VPNs weren’t built to handle much outside of a corporate office or a limited number of employees working remotely.

Business VPN Limitations

Much of the trouble with traditional network security lies in inefficient and insecure VPN infrastructure, because:

• VPNs cannot prevent lateral threat movement. Even though VPNs can keep data secure through encrypted tunnels on a smaller scale, they do not prevent further access to an organization’s network at large if an endpoint has been compromised.
• VPNs don’t scale well. Hardware-based VPNs need to be manually configured, and their bandwidth caps tend to necessitate redundant deployments. Software-based VPNs need to be deployed on every user device, limiting the ways users can work.
• VPNs don’t do zero trust. After authentication through a VPN, a user is on the network. From there, a hacker or malicious insider can move laterally to access sensitive information or exploit vulnerabilities that aren’t protected from the inside.

Even the best VPNs aren’t able to secure all online activity, as some of their encryption protocols may not be able to stand up to today’s advanced threats.

How Does a VPN Affect Performance?

VPNs can provide secure tunnels to an organization’s data center, but these tunnels are liable to throttle the network due to the increased bandwidth and functionality needed to securely send traffic from a home network to a piece of hardware in a data center. Both performance and user experience can be significantly hampered, and what’s more, users may have to repeatedly log in to the VPN, leaving them frustrated.

Cloud Network Security: A VPN Alternative

As organizations get accustomed to hybrid workforce models and cloud adoption becomes the norm, it becomes clearer that an old-fashioned firewall approach is too slow for the cloud and zero trust.

Instead, you need a modern, digital-first solution tailored for the era of the cloud and mobility—a cloud-based security solution that decouples security from the network, with policies enforced anywhere apps reside and everywhere users connect.

Moving security off the network and into the cloud effectively places the full network security stack everywhere your users go. Protections are applied consistently, offering the exact same security measures in branch offices, users’ homes, airport terminals, or corporate headquarters.

Compared to traditional network security, the ideal cloud-based security solution provides:

• Faster user experience: User traffic takes the shortest path to any app or internet destination.
• Superior security: All internet traffic, including encrypted traffic, is inspected, with threat data correlated in real time.
• Reduced costs: The need to constantly buy and maintain appliances disappears because cloud infrastructure is continually updated.
• Easier management: A solution delivered as a service reduces the complexity of managing multiple devices.

Moving to a complete cloud-delivered security stack ensures your users can enjoy fast, safe, policy-based access to third-party and private applications. Be wary though—many security companies advertise cloud-delivered, cloud-ready solutions, but these tend to be retrofitted, virtualized legacy appliances. Only Zscaler offers security built in the cloud, for the cloud

Zscaler Private Access™ (ZPA™)

Zscaler Private Access™ (ZPA™) is a cloud-delivered, zero trust network access (ZTNA) service that provides secure access to all private applications, without the need for a remote access VPN. ZPA delivers a zero trust model by using the Zscaler security cloud to deliver scalable remote and local access to enterprise apps while never placing users on the network. ZPA uses micro-encrypted TLS tunnels and cloud-enforced business policies to create a secure segment of one between an authorized user and a specific named application.

ZPA’s unique service-initiated architecture, in which App Connector connects outbound to the ZPA Public Service Edge makes both the network and applications invisible to the internet. This model creates an isolated environment around each application rather than the network. This eliminates lateral movement and opportunity for ransomware spreads.