What is the difference between a VPN service and a corporate VPN?
Publié le 01/7/2021
Author : Arnaud Dufournet, Chief Marketing Officer
The pandemic has brought new words to our vocabulary and new uses for existing terms. The acronym VPN is one of them. This is not surprising considering the number of businesses that have had to let their employees work from home during mandatory lockdowns. As an ultimate reward for this newfound popularity, acronyms, such as WFH (work from home), and terms, such as digital nomad have been added to recent editions of the Merriam-Webster dictionary.
While the term has become part of mainstream vocabulary, there is still great confusion about the difference between corporate VPNs and VPN services, even among IT security specialists. That is why we thought it useful to explain what is really at stake.
What is a VPN?
Let us start with a reminder of what a VPN is. VPN stands for virtual private network. It consists in establishing a tunnel within a network that is known to be insecure, such as the internet, to secure data exchanges. In practical terms, a VPN performs the following three operations successively:
- Authentication: Before opening the tunnel, the VPN ensures that the workstation and the VPN router at either end of the tunnel are authorized to communicate with each other. This authentication is achieved using keys and certificates.
- Encryption: Once the tunnel is open, the actual communication can begin. Data exchanges are now held in the strictest confidentiality, since they are encrypted with algorithms. The confidentiality of the communication is thus ensured through encryption.
- Integrity: Lastly, the VPN verifies that all data sent is received without suffering any alteration, modification, or even any addition or loss. The VPN’s data hashing process guarantees the connection’s reliability. This is an often overlooked advantage of VPNs. Yet, this is a very valuable feature in VPN clients when data integrity is of paramount importance, e.g. within the scope of commercial transactions or when transmitting critical information.
Private or professional use?
To fully understand the difference between corporate VPNs and VPN services, it is essential to distinguish between private and professional uses. Let us start with private uses, which are the ones that immediately come to mind when we talk about VPNs. The most common needs of private individuals include the following:
- Simply stay anonymous by using another IP address and thus hide your actual location.
- Protect your personal data when you connect to a public Wi-Fi network. When you stop by a Starbucks, you do so for great coffee, of course, but also to get free Wi-Fi to surf the internet. However, the risk you expose yourself to, when using public hotspots without taking any precautions, is a man-in-the-middle attack. It consists in setting up a malicious public Wi-Fi hotspot based on a legitimate one so that people are tricked into connecting to it. The hacker can then intercept all the data that is being transmitted.
- Bypass geographical restrictions on websites or video and audio streaming services. For example, you may want to unlock “HBO Max” so that you can watch your favorite series when you are abroad. Another example is when you want to change the Netflix region to access another country’s Netflix catalog. To do so, you need to display a local IP address from that country.
- Prevent IP tracking on online shopping sites to hunt for the best price. The need is quite similar to the previous examples. You need an IP address from another country to access different prices.
- Download and share files by circumventing bandwidth restrictions and intellectual property laws. When you share files using peer-to-peer software, you are better off doing so anonymously to avoid surveillance or bandwidth throttling by your internet service provider.
A VPN service is suitable for all these uses. Once you are connected to one of these services, your IP address is hidden. Communications are redirected to a VPN server that encrypts the data exchanged.
However, there is a major caveat to the so-called guaranteed confidentiality. Many of these services are located in countries outside European jurisdiction on personal data and actually store their users’ browsing data to monetize it, especially when these services are very cheap or free.
What’s more, law enforcement agencies can requisition the IP addresses, as was the case for Proton Technologies.
A corporate VPN, on the other hand, meets the needs of professional uses that have much higher requirements in terms of security and where the stakes are far more critical.
Allowing mobile employees to access the company’s IT resources from their workstations or mobile terminals is the most common use. However, many other uses are likely to develop soon. Regulations, such as the NIS directive or the GDPR, require central administrations, government agencies, critical market operators, and operators of essential services (OESs) to secure access to their sensitive information systems.
Defense and security organizations use VPN clients to preserve the confidentiality and integrity of critical communications. Businesses that turn to subcontracting (managed services, maintenance, etc.) must control and secure access by external service providers to their information system. The reliability and security of communications between two devices in the supply chain (often a mobile terminal and a server) are increasingly common issues that the VPN client addresses. One last example of how a VPN client can be used to address an issue that is becoming a major challenge in the world of industry, increasingly confronted with cyber threats, is securing sensitive data exchanged between connected objects. If you want to find out more about all these uses, we recommend our white paper on the subject.
Only corporate VPNs can meet the security challenges
We have just seen that VPN services and VPN clients do not meet the same needs at all. VPN client software provides access to a gateway located within the company according to a configuration that it has itself defined. It thus has complete control over the tunnel and its encryption, which is a fundamental difference with VPN services. VPN services also use encrypted tunnels, but they do so to access gateways located in various countries whose regulations do not always guarantee confidentiality. The processes implemented to secure data flows cannot be controlled. Outsourcing your VPN infrastructure does not provide you with the same guarantees of security. To our knowledge, no VPN service has been certified by a trustworthy authority, such as the CISA in the U.S. or ANSSI in France.
Another major difference lies in the features that a corporate VPN offers, which allow you to raise the level of security, such as integration with the public key infrastructure, log management, two‑factor authentication, token management, trusted network, etc. In summary, a corporate VPN solution offers professionals much better protection considering what is at stake and the responsibilities involved.
