Introduction
Since the onset of the COVID-19 pandemic, many employees in our company have shifted from working in the office to working remotely. This arrangement presents significant risks to the security of our sensitive corporate data when employees access the internal network from their personal computers. Unless we implement an appropriate VPN solution, we put our company at risk of significant losses should a data leak occur.
What the Problem Is and Why It Needs to Be Addressed
Due to the COVID-19 pandemic, businesses have been forced to transform the way they operate. To prevent the further spread of the virus, social distancing was imposed, resulting in companies’ transition to remote working. While telework has revealed new opportunities for businesses, it has also increased security risks because, with remote work, it is more difficult to back up and protect company data (Malecki, 2020). One common solution used to address most of these issues is a Virtual Private Network (VPN). VPN is a general term comprising different tunneling protocols; the choice of a particular protocol determines how secure the connection of remote workers to the company’s intranet will be. The four main tunneling protocols are PPTP, L2TP/IPSec, SSTP, and OpenVPN.
VPN ensures greater data security by establishing a private connection over the internet. In essence, it allows remote workers to access the company’s intranet safely by using a public network. VPN redirects the data sent by the user through a secure server before forwarding it to the intended destination (Bui et al., 2019). Thus, it serves as a notional tunnel through which sensitive data can be safely shared using a public network. VPN fulfills two main purposes: first, it enables employees to access the company’s services without incurring high costs, as happens with VPS servers and clouds (Muc et al., 2020). Second, the transmitted data is encrypted, thus ensuring the security of corporate information (Muc et al., 2020). Various VPN tunneling protocols differ mainly in the type of encryption.
The Point-to-Point Tunneling Protocol (PPTP) is the earliest of these protocols and was developed by Microsoft. PPTP uses the Point-to-Point Protocol (PPP), which supports only one encryption scheme, called “Microsoft Point-to-Point Encryption (MPPE)” (Bui et al., 2019, p. 108). Although PPTP mostly uses 128-bit encryption keys, the security provided by this protocol is substandard. In addition, it is known that the NSA spies on PPTP networks because of their insecurity (Roach, 2019). Thus, the main disadvantage of this protocol is that it does not provide the necessary level of data safety. At the same time, due to its weaker encryption, PPTP provides users with a high connection speed (Jadhav & Sheth, 2021). Its other advantage is that it is available on multiple platforms and is easy to set up. Due to its weak security, this protocol is not recommended for corporate use.
The Secure Socket Tunneling Protocol (SSTP) was also developed by Microsoft. Like PPTP, it uses PPP to transmit data; however, in SSTP, PPP packets are encapsulated in HTTPS (Bui et al., 2019). As a result, HTTPS encryption protects the transferred data from passive and active attacks (Bui et al., 2019). Another advantage of SSTP is that it easily passes through firewalls (Roach, 2019). However, SSTP cannot use UDP, which is why it is subject to the problem of TCP meltdown, which delays the transfer of data (Roach, 2019). Furthermore, SSTP operates only on Windows and Linux, so it is not available to users of macOS (Roach, 2019). Due to its strong security, SSTP can be used for corporate purposes. It can be utilized within a VPN solution, for example, if the company prioritizes reliable passage through firewalls, uses only Windows devices, and does not require high data transfer speed.
L2TP/IPSec is a combination of two protocols – L2TP and IPSec – that are paired to ensure higher security. This is because L2TP per se only creates a tunnel between two connections but does not encrypt data (Roach, 2019). Therefore, it is combined with encryption protocols such as IPSec, which allows for the secure transfer of information. L2TP/IPSec usually uses AES 128-bit or 256-bit encryption, which is resistant to brute-force attacks (Roach, 2019). It is available on multiple platforms and is considered highly secure, but it also has disadvantages. Since it uses fixed ports, it can be blocked by firewalls (Roach, 2019). Further, due to its two layers of protection, the connection speed provided by L2TP/IPSec can be rather low. This protocol can be implemented within a VPN solution, for example, for sharing a company’s sensitive data among employees in different locations. However, to ensure the effectiveness of L2TP/IPSec, the organization should not use pre-shared keys because they can be accessed by outsiders.
OpenVPN is a free, open-source protocol, which means its source code is available to developers. Due to this fact, OpenVPN is highly configurable, and its weaknesses are constantly searched for and eliminated (Jadhav & Sheth, 2021). It supports two transport protocols – TCP and UDP – and, thus, can avoid the problem of TCP meltdown, in contrast to SSTP (Roach, 2019). OpenVPN adheres to high encryption standards; for example, it can provide 256-bit AES encryption and 2048-bit RSA authentication (Jadhav & Sheth, 2021). Smaller key sizes are also available, but they are less secure. Thus, OpenVPN is known for its high security, which, however, comes at the cost of speed. This protocol is slower than less secure ones, such as PPTP. By using OpenVPN, employees can log into their office networks from various locations and have safe access to corporate resources.
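As an added illustration (not part of the original proposal and not code from the OpenVPN project), the Python script below audits an OpenVPN configuration file for the two properties discussed above: UDP transport, which avoids TCP meltdown, and AES-256 encryption. It goes one step further and also flags OpenVPN's static pre-shared key mode (the `secret` directive), in line with the pre-shared key caution given for L2TP/IPSec. The function names and both sample configurations are constructed for this example.

```python
# Added example: function names and both sample configs are constructed.
STRONG_CIPHERS = {"AES-256-GCM", "AES-256-CBC"}  # the AES-256 standard named in the text

WEAK_CONFIG = """\
dev tun
proto tcp-client
remote vpn.example.com 443
cipher AES-128-CBC
secret static.key
"""

HARDENED_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.com 1194
data-ciphers AES-256-GCM
"""

def parse_directives(text):
    """Map each directive to its arguments; a token starting with '#' or ';' begins a comment."""
    directives = {}
    for line in text.splitlines():
        tokens = []
        for tok in line.split():
            if tok[0] in "#;":
                break
            tokens.append(tok)
        if tokens:
            directives[tokens[0]] = tokens[1:]
    return directives

def audit_openvpn_config(text):
    """Return a list of (directive, reason) findings for weak settings."""
    d, findings = parse_directives(text), []
    if (d.get("proto") or ["udp"])[0].lower().startswith("tcp"):  # OpenVPN defaults to UDP
        findings.append(("proto", "TCP transport risks TCP meltdown; use udp"))
    offered = []
    for key in ("data-ciphers", "cipher"):  # data-ciphers holds a colon-separated list
        offered += [c for c in (d.get(key) or [""])[0].upper().split(":") if c]
    if not offered:
        findings.append(("cipher", "not pinned; defaults vary by version, set AES-256-GCM"))
    findings += [("cipher", f"{c} is weaker than AES-256") for c in offered if c not in STRONG_CIPHERS]
    if "secret" in d:
        findings.append(("secret", "static pre-shared key; use certificates instead"))
    return findings

if __name__ == "__main__":
    print(audit_openvpn_config(WEAK_CONFIG), audit_openvpn_config(HARDENED_CONFIG))
```

The 2048-bit RSA key size mentioned above lives in the certificate rather than in the configuration file, so this script does not check it.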
What Secondary Research I Have Conducted About the Problem
I have researched articles published in scholarly journals and on credible technology websites. A synthesis of the findings shows that VPN, especially the OpenVPN tunneling protocol, is a viable option for addressing most security risks linked to remote working.
Why We Will Benefit from the Implementation of a VPN Solution
Our company will benefit from the implementation of a VPN solution because it will significantly improve the security of our corporate data. In addition, research shows that remote working is the new normal and is likely to remain after the pandemic, which is why safeguarding company infrastructure with a strong VPN solution has long-term benefits (Malecki, 2020). Moreover, unprotected organizations often become the targets of cyber-attacks (Malecki, 2020). Therefore, if granted authorization to implement a VPN solution, our company would be better protected against cybercrime and economic losses due to leaks of sensitive data.
Conclusion
It is of great importance to secure our corporate data by providing remote employees with a safe means of getting access to the company’s internal network. I believe that with your permission, the implementation of a VPN solution will increase our company’s protection against data leakage and subsequent economic losses. I would recommend that our organization choose the OpenVPN protocol as it is free, reliable, available on multiple platforms, and highly secure.
References
Bui, T., Rao, S. P., Antikainen, M., & Aura, T. (2019). Client-side vulnerabilities in commercial VPNs. In A. Askarov, R. R. Hansen, & W. Rafnsson (Eds.), Secure IT systems (pp. 103–119). Springer International Publishing.
Jadhav, R. R., & Sheth, P. S. (2021). VPN: Overview and security risks. International Journal of Advanced Research in Science, Communication and Technology, 7(1), 305–309.
Malecki, F. (2020). Overcoming the security risks of remote working. Computer Fraud & Security, 2020(7), 10–12. Web.
Muc, A., Muchowski, T., Murawski, L., & Szeleziński, A. (2020). Providing the ability of working remotely on local company server via VPN. Multidisciplinary Aspects of Production Engineering, 3, 195–205.
Roach, J. (2019). VPN protocol breakdown: VPNs behind the scenes. Cloudwards. Web.