Find out how a VPN works and how it can help charity staff work securely from home
Staff working from home because of the pandemic pose a huge cyber security risk for charities and other organisations. That’s because, in order to get access to the charity’s computer systems such as an intranet, constituent relationship management (CRM) system, or email server, staff have to make a connection to the charity network over the internet.
The reason that’s a problem is that the internet is a public network which was never designed to be secure. Anyone can connect to it, end users have no control over how their data travels over it from source to destination, and anyone could be intercepting, reading, or altering data sent over it.
The good news is that charity staff working from home can overcome this problem by using a remote access virtual private network (VPN) to connect to the charity network from home.
A VPN is a software-based solution which creates a secure connection or "tunnel" between a home worker’s computer and their charity’s office computer network. Once this tunnel has been established, all data that travels between home and the charity over the internet is encrypted before it leaves and decrypted when it arrives.
That means that the data is safe while it travels over the insecure internet: if a hacker were to intercept the data, all they would be able to see is undecipherable encrypted gobbledegook.
Home workers protected by network cyber security systems
When a charity worker connects to the charity network from home using a VPN, it is as if their computer was actually inside the charity network, on the staff member’s desk. Another way to look at this is that a VPN extends the charity network to include computers at staff members’ homes.
The benefit is that home workers' computers receive the protection of all the cyber security systems that may be running on the charity network, such as Skurio’s Digital Risk Protection Platform or Okta. This could also include web page security scans, anti-virus scans at the charity’s email gateway, and data loss protection systems.
Remote access to older systems
A VPN allows home workers to access older or so-called "legacy" systems remotely, even though those systems were never designed to be accessed from outside the network. That’s because, as mentioned previously, a home worker accessing a legacy system such as a file server over a VPN is effectively accessing it from within the charity network.
In order to operate a VPN, a charity needs to have some form of VPN gateway software running on their network. The job of this software is to take incoming VPN connections, authorise them (by checking login credentials such as a username and password or a security certificate) and handle the decryption of data arriving from the other end of the VPN connection before letting it onto the network. It also encrypts data before it is sent off the network and down a VPN connection to home workers’ computers.
Most organisations, including charities, run firewall and security router devices to protect their network, and many of these, such as Cisco’s 890 Series Security Router, include VPN gateway software. Charities can use this either at no extra cost or by paying a small license fee to unlock it.
VPN gateway software is also included on some cyber security appliances such as Cisco’s ASA 5506-X, and it can also be installed on a standalone VPN gateway appliance.
VPN client software
In order for charity workers to connect to their charity’s VPN gateway, staff also need to have a piece of software known as a "VPN client" running on their computer or mobile device. The VPN client software’s primary job is to supply login credentials and establish a VPN connection with the VPN gateway, and then to intercept all data which is destined for the internet, encrypt it, and send it through the VPN to the gateway and on to the charity network.
Most device operating systems have VPN client software built-in, but some VPN gateways work best with proprietary VPN client software.
In order to be most effective, the VPN is usually configured to start automatically whenever the home worker’s device attempts to access the internet. This ensures that all network traffic is protected by the VPN without the user having to remember to first establish the VPN connection manually.
While a VPN connection is running, all of a home worker’s network traffic travels first to the charity network. This detour adds latency and slows the connection, which can be a problem for certain applications such as internet telephony or video conferencing software which rely on fast connections. These applications also use a large amount of bandwidth, so large numbers of home workers on a video conference could swamp the charity network, degrading performance further.
One solution to this is to use a technique known as split tunnelling. This routes most data from a device through the VPN but allows certain types of traffic (such as video conferencing data) to travel straight into the internet. It does not receive the protection of the VPN, but it does relieve the strain on the VPN and thus on the charity network as well.
Split tunnelling is an advanced feature which is not offered by all VPN gateways and clients.
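To make the full-tunnel versus split-tunnel behaviour described above concrete, here is an added example (not code from the original article or from any VPN vendor) that models the routing decision a VPN client makes for each outgoing flow. The charity address ranges, the video conferencing service prefix and the UDP port range are constructed placeholders; internal charity destinations are always tunnelled (legacy systems are only reachable from inside the network), and only the video conferencing exception is allowed to leave the tunnel.

```python
import ipaddress
from dataclasses import dataclass

# Constructed: private ranges standing in for the charity's office network (hypothetical).
CHARITY_NETWORKS = [ipaddress.ip_network("10.20.0.0/16"), ipaddress.ip_network("192.168.50.0/24")]
# Constructed: a documentation prefix standing in for a video conferencing service (hypothetical).
VIDEO_SERVICE_PREFIX = ipaddress.ip_network("203.0.113.0/24")
VIDEO_UDP_PORTS = range(3478, 3498)  # constructed media port range for the example

@dataclass(frozen=True)
class Flow:
    dst_ip: str
    protocol: str  # "tcp" or "udp"
    dst_port: int

def is_charity_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CHARITY_NETWORKS)

def is_video_media(flow):
    # Only the real-time UDP media stream is excepted; HTTPS signalling still goes via the VPN.
    return (flow.protocol == "udp" and flow.dst_port in VIDEO_UDP_PORTS
            and ipaddress.ip_address(flow.dst_ip) in VIDEO_SERVICE_PREFIX)

def route(flow, split_tunnel=False):
    """Return 'tunnel' (protected by the VPN) or 'direct' (straight to the internet).
    Full tunnel sends everything through the VPN; split tunnel keeps charity-internal
    destinations in the tunnel and lets only the video media exception bypass it."""
    if is_charity_internal(flow.dst_ip):
        return "tunnel"
    if split_tunnel and is_video_media(flow):
        return "direct"
    return "tunnel"

def tunnel_load(flows, split_tunnel=False):
    """Count how many flows the VPN gateway (and so the charity network) must carry."""
    return sum(1 for f in flows if route(f, split_tunnel) == "tunnel")

# Constructed sample flows from one home worker's device
SAMPLE_FLOWS = [
    Flow("10.20.5.10", "tcp", 445),     # legacy file server on the charity network
    Flow("192.168.50.7", "tcp", 443),   # internal CRM web front end
    Flow("203.0.113.25", "udp", 3480),  # video conference media stream
    Flow("203.0.113.25", "tcp", 443),   # video conference signalling over HTTPS
    Flow("198.51.100.9", "tcp", 443),   # general web browsing
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f.dst_ip, f.protocol, f.dst_port, "full:", route(f), "split:", route(f, True))
    print("flows carried by the VPN - full:", tunnel_load(SAMPLE_FLOWS), "split:", tunnel_load(SAMPLE_FLOWS, True))
```

Note that the flow marked "direct" under split tunnelling gets none of the charity network's security controls, which is the trade-off the article describes.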