Cybersecurity: The Virtues and Redundancies of Using VPN with a Cloud Solution

Over the past year we have been working with various not-for-profit organizations to better understand their cybersecurity needs and offer bespoke solutions – given their small size and often limited resources. Our approach includes building the competency of small organizations in cybersecurity. At Open North, we proactively assess cybersecurity risks and implement appropriate mitigation measures and processes, rather than having to react to emerging threats and mass incidents, such as “blue-screen Friday”, the global outage of July 2024 in which a faulty CrowdStrike security-sensor update crashed Windows systems worldwide. 

During this period, one question that merited further discussion came up: “Why do I need a VPN when I already have a cloud solution?”

This is a common question, especially as cloud solution providers in the past few years have started adding increasingly sophisticated cybersecurity solutions on top of their services. At Open North, we are always mindful of the financial, capability, and time constraints small not-for-profits face. As such, we decided to share our internal discussions and rationale around this, so that others can make a better informed decision on this important and common tool. 

The short answer? It depends.
This blog post starts by defining what a VPN and the cloud each provide in the context of cybersecurity. It then discusses the benefits of a strong cloud solution, the benefits a VPN adds that a cloud service does not provide by default, and a third option, cloud VPNs. 

What is VPN? 

It stands for virtual private network. A VPN establishes an encrypted connection between your device and a remote VPN server. This connection is in essence a point-to-point tunnel: all of your internet traffic is encrypted between the device and the VPN server, so it cannot be read or altered by anyone on the local network, including while sipping coffee in your local coffee shop on its unprotected, password-free Wi-Fi. Note that the protection ends at the VPN server; from there your traffic continues to its destination as it normally would, so a VPN secures the first hop, not the service you are connecting to. 

What are the benefits of VPN? 

A VPN offers the following assurances for the data it carries, namely authentication, integrity, and confidentiality:

  • Authentication – the data received comes from the claimed sender and not another source (the VPN endpoints, and for remote-access VPNs the user or device, prove their identity before the tunnel is established);
  • Integrity – the content of the data did not change while in transit; any tampering is detected and the affected packet is dropped;
  • Confidentiality – the data itself is scrambled and illegible (encrypted) while in transit, so the message content is concealed until it reaches the intended recipient.

What is the cloud? 

It’s a network of remote servers that store and manage data, run applications, and deliver content and services over the internet. Cloud service providers offer benefits like scalability, accessibility, and cost-effectiveness. A highly secure cloud provider, for example Azure, may have strong security features aligned with compliance standards, which increase the security of your environment. Factors that indicate a cloud provider is highly secure include:

  • Advanced security features:
    • Built-in encryption of data in transit within their cloud platform, and of data at rest in their storage services; 
    • Secure access services, which include features like secure web gateways (a solution that inspects and filters users’ web traffic, blocking malicious or unapproved sites before they reach the organization’s devices and network) or zero-trust network access (which requires every user and device, including remote ones, to be authenticated, authorized, and continuously validated before reaching an application);
    • Seamless integration with the company’s identity and access management solution, enabling access controls such as multi-factor authentication to be enforced before a user connects to the cloud;
    • Network security features such as firewalls (which filter network traffic) and private virtual networks (VNets in Azure), which segment workloads and provide secure connectivity between the provider and company networks; 
    • Threat detection and protection features like Microsoft Sentinel (formerly Azure Sentinel), a security information and event management (SIEM) service that collects and correlates logs across the environment so that threats can be detected and investigated before they disrupt business operations, reducing the risk of data breaches.

In addition to the security features that already come with a cloud service such as Microsoft 365 or Google Workspace, an extra layer of security through a VPN can offer the following benefits that may not be default in the cloud:

  • Remote Access: If you are accessing cloud resources from a public Wi-Fi network or a less secure location, a VPN encrypts your traffic between the device and the VPN server and protects it from anyone else on that network;
  • Data Privacy: If you are handling sensitive data such as customer personal information or are subject to strict data privacy regulations, a VPN provides an extra layer of protection for data in transit, and a VPN that exits in a chosen country can help keep traffic within a required jurisdiction;
  • Geo-blocking and/or other restrictions based on a user’s geographical location: If you need to access Azure services or content that is restricted based on your geographic location, a VPN can route your traffic through another region; check first that doing so is permitted by the service’s terms of use and by your own data-residency obligations;
  • Enhanced Security: While Azure offers robust security measures, a VPN can provide an additional layer of protection against potential threats, especially if you have concerns about your network infrastructure or internet service provider.

Two caveats apply. Connections to cloud services are already encrypted with TLS (the padlock in the browser), so on public Wi-Fi a VPN mainly hides which services you use and your DNS lookups, and blocks attacks on that first hop; it adds nothing once the data is stored in the cloud. And a VPN protects traffic, not devices: a laptop infected with malware is just as compromised on or off the VPN.

There is a new option, cloud VPN, offered by some cloud service providers. For this discussion, we will be using Azure VPN Gateway as an example of a Cloud VPN.

Traditional VPNs and Azure VPN Gateway both serve the purpose of creating secure, encrypted tunnels between networks. However, they differ significantly in terms of deployment, management, and scalability.

Traditional VPNs:
  – Deployment: Typically deployed on-premises, requiring hardware or software installation;
  – Management: Requires ongoing management and maintenance by information technology (IT) staff;
  – Scalability: Can be challenging to scale, especially for large-scale deployments.

Azure VPN Gateway:
  – Deployment: Deployed as a service within the Azure cloud platform;
  – Management: The gateway itself is patched and operated by Azure, reducing the administrative burden on IT staff; your organization remains responsible for client configuration, credentials or certificates, and the firewall rules behind the gateway;
  – Scalability: Highly scalable, with throughput and the number of concurrent connections set by the gateway SKU you choose.

The usage of a cloud VPN is a possible solution in this debate, as it has the best of both worlds. A cloud VPN such as Azure VPN Gateway includes the following: 

Site-to-site connections (local office network to Azure):

  • Encryption: Azure VPN Gateway establishes an IPsec/IKE tunnel that encrypts all traffic between the local office network and Azure, protecting sensitive data from unauthorized access;
  • Authentication: the two tunnel endpoints authenticate each other with a shared key before any traffic flows, so only your office gateway can bring up the connection;
  • Access control: using network security groups and Azure Firewall rules, you can restrict what traffic from the tunnel may reach, down to specific subnets, services and ports.

Point-to-site connections (remote workers to the Azure network):

  • Secure tunnels: Azure VPN Gateway creates secure tunnels between remote devices, i.e. laptops, and your Azure virtual network, allowing employees to access company resources remotely (resources in the office can be reached as well when the office is connected to Azure with a site-to-site tunnel);
  • Centralized management: You can manage and monitor VPN connections from a central console, ensuring security and compliance;
  • Integration with Microsoft Entra ID: Azure VPN Gateway can authenticate point-to-site users with Microsoft Entra ID (formerly Azure Active Directory), so sign-in, multi-factor authentication and Conditional Access policies are enforced centrally before the tunnel is established. 
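To make the three properties above concrete, here is an added example (written for this post, not an Open North or Microsoft artifact) of an Azure VPN Gateway deployed with Bicep for point-to-site access: an OpenVPN tunnel for encryption, Microsoft Entra ID sign-in for authentication, and a network security group for access control that lets VPN clients reach one application subnet over HTTPS and nothing else. Resource names, address ranges and the tenantId parameter are assumptions; the Azure VPN Client application ID is the value published in Microsoft’s VPN Gateway documentation and should be confirmed against the current docs before deploying. It deploys with `az deployment group create -g <resource-group> -f vpn-p2s.bicep -p tenantId=<tenant-guid>`.

```bicep
// Added example (not from the original post): minimal Azure VPN Gateway with a
// point-to-site configuration authenticated by Microsoft Entra ID. Resource
// names, address ranges and the tenantId parameter are assumptions.
param tenantId string                         // Entra tenant whose users may connect
param location string = resourceGroup().location

// Address pool handed to VPN clients; the NSG rules below key off this range.
var clientPool = '172.16.201.0/24'

// Access control: VPN clients may reach the app subnet over HTTPS only. The
// gateway terminates the tunnel but does not filter traffic; without the deny
// rule the default AllowVnetInBound rule would admit the client pool everywhere.
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-apps'
  location: location
  properties: {
    securityRules: [
      {
        name: 'allow-vpn-clients-https'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: clientPool
          sourcePortRange: '*'
          destinationAddressPrefix: '10.10.1.0/24'
          destinationPortRange: '443'
        }
      }
      {
        name: 'deny-vpn-clients-other'
        properties: {
          priority: 200
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: clientPool
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-hub'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      // The gateway subnet must be named exactly GatewaySubnet.
      { name: 'GatewaySubnet', properties: { addressPrefix: '10.10.255.0/27' } }
      { name: 'snet-apps', properties: { addressPrefix: '10.10.1.0/24', networkSecurityGroup: { id: nsg.id } } }
    ]
  }
}

resource pip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'pip-vpngw'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

resource vpngw 'Microsoft.Network/virtualNetworkGateways@2023-05-01' = {
  name: 'vpngw-hub'
  location: location
  properties: {
    gatewayType: 'Vpn'
    vpnType: 'RouteBased'
    // The Basic SKU supports neither OpenVPN nor Entra ID authentication.
    sku: { name: 'VpnGw1', tier: 'VpnGw1' }
    ipConfigurations: [
      {
        name: 'default'
        properties: {
          publicIPAddress: { id: pip.id }
          subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'GatewaySubnet') }
        }
      }
    ]
    // Encryption: an OpenVPN (TLS) tunnel to each client.
    // Authentication: users sign in with Entra ID, so MFA and Conditional
    // Access policies apply before the tunnel comes up.
    vpnClientConfiguration: {
      vpnClientAddressPool: { addressPrefixes: [ clientPool ] }
      vpnClientProtocols: [ 'OpenVPN' ]
      vpnAuthenticationTypes: [ 'AAD' ]
      aadTenant: 'https://login.microsoftonline.com/${tenantId}/'
      aadIssuer: 'https://sts.windows.net/${tenantId}/'
      // Application ID of the Microsoft-registered Azure VPN Client, as listed
      // in the Azure VPN Gateway docs; confirm against current docs before use.
      aadAudience: 'c632b3df-fb67-4d84-bdcf-b95ad541b5c8'
    }
  }
}
```

Users connect with the Azure VPN Client, which is what makes the Entra ID sign-in (and any MFA or Conditional Access policy on that tenant) a precondition for the tunnel. The explicit deny rule is the part most often forgotten: Azure’s default rules treat the client pool as part of the virtual network, so without it a connected laptop could reach every subnet. A site-to-site tunnel to the office would add a local network gateway and a connection resource carrying the shared key, which this example leaves out.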

So back to the original question, why do I need a VPN when I already have a cloud solution?

The answer:

You might not need a separate VPN if your cloud solution provider also offers one. If your cloud solution provider does not offer VPN, then a VPN will enhance your organization’s security posture by providing secure remote access, a way to work around geographic restrictions, and additional protection for data in transit.

The main takeaway from this debate is: review the agreement with your current cloud solution provider, and answer the following questions:

  • Does your provider offer cloud VPN solutions?
  • How much do they charge?
  • Would you consider them a highly secure cloud provider based on the definitions above?
  • Can they fully address your basic needs at a low cost compared to local VPN providers?
  • Will choosing a cloud VPN not only address current needs but set you up for future strategic enhancements, such as moving to a cloud-based directory like Microsoft Entra ID?

Answers to the above questions may help your decision making. As such, Open North continues to navigate and support not-for-profits, small organizations, and municipal governments as they balance cybersecurity needs with their unique context.