Get out of the danger zone: Why VPNs don’t keep data secure


In the current political environment, who can access your data and who can (unfortunately) hack it has become a prominent issue, especially with the almost daily headlines about data security fails. Technology and security don’t go naturally hand in hand, which is why data protection is likely to be among the hot-button issues in the upcoming U.S. presidential election.

One aspect of securing sensitive data that’s often overlooked is the pervasive role that virtual private networks (VPNs) still play in transmitting data. Many consumers and businesses alike still give far too much credibility to VPNs when it comes to their ability to secure data and provide privacy in general. While this trust was once warranted, the world has changed alongside technologies. As a result, VPNs have become more limited in their ability to keep data safe; after all, they were designed only to offer security between on-premises settings and remote users. Today’s work environments are much more likely to feature an array of hybrid cloud, multi-cloud, and mobile technologies, and VPNs’ efficacy is severely hamstrung in all of these settings.

More harm than good

While you may think that you’re deploying VPN technology to boost data privacy and security, recent events prove that the mishaps caused by VPNs can be more significant than their claimed benefits. As just one example of how pervasive this problem is and how it affects organisations, earlier this year, two U.S. senators asked the Department of Homeland Security (DHS) for an investigation into a potential “national security risk.” This was over the concern of VPNs possibly being behind critical government information getting transmitted over foreign servers.

The senators’ concerns raise a point that can no longer be ignored: most VPNs suffer from problematic, flawed architecture when it comes to data security. This flaw does the most damage when it concerns VPNs on mobile devices. When we’re talking about those ubiquitous applications that get routinely downloaded onto smartphones, there’s a routing issue. Specifically, as senators Ron Wyden and Marco Rubio pointed out in their letter to DHS, user traffic gets routed through the VPN providers’ own servers. It’s easy to see how this arrangement can result in a threat to national security—if a server is based in the location of a foreign adversary and so is the VPN provider, that provider could potentially reach in and grab confidential government data through an app.

And it’s not just the government sector that needs to worry about VPNs’ limitations. If your company sends sensitive information using VPNs and the VPN provider transmits the data over its own servers, then customer and corporate data can easily end up retrieved by unauthorised sources.

Reporting for TechTarget, Michael Heller noted: “Fears about possible VPN threats are not new, especially when it comes to mobile VPN apps. Previous research found VPN apps on Android operating systems have issues ranging from not encrypting traffic to leaking data or including malware.” So clearly, while national security may be one of the largest issues linked with the risks of relying on VPN technology, it’s far from the only one. When it comes to distributed settings, VPNs can be behind a multitude of other important issues, from regulatory compliance to consumer privacy and enterprise security.

App-level routing

These concerns can be eradicated by thinking beyond VPN to incorporate new, more flexible solutions designed specifically for the current multi-cloud reality. What’s required is simply to shift routing to the application level rather than the network level for greater data protection and true enterprise security. This can be achieved using software-defined perimeters (SDPs).

SDPs help prevent third parties from gaining unauthorised access to private data, since the technology ensures that routing to third-party servers never occurs. The method used involves direct delivery between the sender and recipient via the user’s servers, not the provider’s. The beauty of SDPs is that they use compartmentalised, cloaked micro-tunnels to securely and directly transmit data between apps and servers, without taking the risks required with VPNs. These tunnels prevent the possibility of unapproved access to your network, and by doing so, SDPs overcome the biggest limitation inherent in VPNs.

Erosion of privacy

Let’s drill down into an important component of data security: the ability to keep sensitive information private. While VPNs were ostensibly designed to increase privacy, they don’t work well in cloud-based and hybrid environments, which means they don’t work well today almost anywhere. A recent collaborative study that included the University of Wales and UC Berkeley drilled down into how strong the privacy and security features are on VPN apps, and the news was distressing for those who rely on these tools.

The vast majority (more than 80 per cent) of mobile VPN apps for Android try to access private user data. This means everything from account information to confidential texts may be vulnerable. The study also found that two-thirds of such apps mine for user data via third-party tracking systems. SDP can assist here as well, since app-level data transmission boosts privacy, removing all of these frightening VPN-related concerns. After an SDP makes its connections, it closes the adjoining ports for an added layer of protection, rendering the micro-tunnels virtually undetectable for reliably clandestine data transmissions.

Why we feel insecure

If you’re still using VPN technology, you’re right to feel nervous about your data’s security. The study above, which examined nearly 300 Android VPN apps, also found:

  • 38 per cent of the VPN apps injected malware to gain access to private data
  • 84 per cent leaked user traffic
  • 18 per cent had no encryption for users’ traffic

SDP solutions, on the other hand, circumvent these issues with public key authentication and Datagram Transport Layer Security (DTLS) encryption. The powerful combination of these various security and privacy measures safeguards against the leaked-data situations that are common with VPNs.

For those of you who have grown attached to outdated VPN systems, there’s no way to sugar-coat this. Just because VPN is often the first solution considered to manage these issues doesn’t mean it’s the superior option when an enterprise’s cyber-security is at stake. Bottom line: the very architecture VPNs use for data transmission is risky when data transfer takes place over third-party servers, and the technology simply can no longer keep up with today’s standards for security and privacy. If you care about fortifying data privacy and security rather than eroding them, think SDP, not VPN.

Don Boxley Jr, co-founder and CEO, DH2i