When remote work and decentralized IT infrastructure have become a reality of every modern business, businesses seek flexible tools to protect their workforce and systems. Cloud VPN has answered this call by cost-efficiency, agility, and ease of use so that more than half of businesses today already switched from their legacy on-premise solutions. Such movement is influenced by embracing SASE principles (Secure Access Service Edge) for strengthening network security in the cloud and at the edge.
The virtual private network creates an encrypted tunnel through the shared networks and public internet, allowing remote users to securely connect with resources such as office buildings, business systems, cloud apps, databases). Via VPN, the network administrator creates an isolated network of devices (servers, systems, routers, printers, etc.) and users with a private network's security and management controls. The communication between any two entities inside VPN is encrypted and thus shielded from eavesdropping and security breaches based on stolen credentials.
Everything that goes via VPN is hidden. All the attacker sees is just random encrypted data. When VPN is used in combination with whitelisting technology, hiding the whole server(s) from public internet is possible (access is granted only to proper employees/users).
VPN by default protects users from threats such as:
Traffic interception - bad actors trying to steal credentials and sensitive data via traffic interception (passwords, credit card info, files, or just information about what systems businesses run) will fail when the communication is routed via an encrypted tunnel,
System and application attacks - via whitelisting IP addresses on target application servers, you can make them disappear entirely from public eyes (make them accessible to authorized users only).
When a business uses VPN, all the data goes encrypted via a tunnel to VPN Gateway and then to the destination. VPN protects all the connections no matter the employee`s location (hotel, coffee, airports, etc.) from eavesdropping and thus prevents breaches utilizing stolen credentials and sensitive information (i.e., where the business stores data, what systems does it use, etc.). For a comparison between HTTPS encryption and VPN, see this article.
There are many VPN protocols, both open source, and proprietary, out there. Some are recognized as obsolete since their security mechanisms have been broken, so they should not be used anymore (e.g., PPTP). Today's security standard is OpenVPN and IPSec; both are designed to use strong (unbroken) ciphers and algorithms, TLS authentication, MitM protection, Perfect Forward Secrecy, etc. If you want to learn more, this article discusses VPN protocols in full.
One of the most popular VPN protocols. It is a client-server, very robust, actively developed VPN protocol. OpenVPN is open-source, and it is regularly audited. OpenVPN can operate on almost any port (standard port is 1194) in TCP (slower but more reliable) or UDP mode (faster connection speed, but could be less reliable).
A kind of "legacy" protocol. It is a combination of L2 tunneling protocol, which isn't encrypted at all, and IPSec, which provides encryption. It has native support in Windows since version 2000 and macOS, but not a reliable implementation for Linux.
A prevalent VPN protocol (IKE is part of IPSec responsible for establishing a secure connection between two networks), which is very secure and widely adopted today. It has native support in macOS, Windows, iOS.
The latest "silver bullet" VPN protocol. It is supposed to be easy to use and super fast due to its lightweight implementation. Wireguard was mainly developed for Linux (it is a part of the kernel already), but now it has its implementation in BSD as well and clients for most OS. However, this lightweight comes at the price of a lack of features that other "adult" protocols have (e.g., radius authentication).
VPN protocol developed by Microsoft using TLS to secure connection. SSTP should provide robust encryption (like IKEv2 or OpenVPN). However, it never became widely adopted. SSTP is TCP-based, so it has poor performance on longer distances (eg. connecting from Africa to the USA)
PPTP is one of the first VPN protocols. It is still very popular due to its simple configuration and support. It has been implemented in almost every device / OS, despite its security being broken. macOS was the first OS deprecating this protocol, and it is no longer available there.
Cloud VPN securely interconnects remote users and business systems, regardless of their physical and network locations. Cloud VPN is based on traditional hardware VPN principles such as tunneling, encryption, and decryption, data integrity, etc., however, without its pains. Typical components of the cloud VPN are cloud VPN gateway, VPN client (apps), and cloud-based web application for management (so-called Control Panel).
Running a VPN in the cloud rather than a piece of often expensive hardware installed in your network has several benefits:
Since computers, computer networks, and ICT have become a part of every modern business, you can find use-case anywhere. However typical use-cases are:
When an enterprise wants to build its own VPN infrastructure to support remote access for engineering and other teams that access critical resources, it is usually a complex task. An on-premise VPN infrastructure usually requires hardware for:
Cloud VPN has significantly simplified the solution architecture (from the customer point of view), brought instant scalability and cost-efficiency. Businesses don't need to invest time and costs into the building and maintaining VPN infrastructure (buy hardware and software for every location, interconnect them via MPLS/SD-WAN networks, ensure upgrades and replacements are covered, etc.).
When evaluating a particular cloud VPN service, you should focus on its scalability, price, feature set, and trustworthiness:
Scalability (global reach): Especially small and midsize businesses might find themselves short when supporting the global reach of their VPN infrastructure. Cloud VPN vendors usually run distributed networks across locations, ensuring the best possible QoS (the closer the gateway is to the user, the better).
Cost-efficiency (price): When using cloud VPN, the business does not run any hardware infrastructure, so there are no fixed and maintenance fees. You only pay for the service "as you go" so that significant savings should be reached.
Feature set: VPNs have evolved, and even their original purpose remains unchanged, additional features bring added value as well as extra comfort when using the service. Check whether the provider offers a backup gateway. If there is identity and access management to manage users/devices access rights easily, if there is support for 2FA/MFA, what kind of support the vendor offers, and if they are keen to help you with initial setup (if needed).
Trustworthiness: As in every industry, finding a trusted vendor might take some time, but it pays off. You don't want to lose your data because the provider accidentally deleted your virtual resources without backups or doesn't have enough capacity, so that customers stole bandwidth from each other. You should be able to try the service for free, check how the VPN works, if the customer/technical support is responsive, and if there are real people behind the service.