Introduction
Our world has changed, and as business leaders we face a new reality of remote and hybrid work that requires us to adapt or risk perishing while other businesses thrive. Microsoft believes it is the next Great Disruption - as significant a paradigm shift as e-Commerce or the sharing economy. In an effort to adapt company culture to flexible work and to be attractive in a fundamentally different talent landscape, more and more enterprises are rethinking their strategies for bringing employees back into the office. Work trend surveys tell us that up to 82% of businesses plan to let their employees work both remotely and in the office at least part of the time, satisfying employees’ desire for the best of both worlds: flexible work with the ability to spend in-person time with their teams to collaborate and bond.
When creating your plan for empowering your workforce with extreme flexibility in the year(s) ahead, you are likely looking at three areas: policy, physical space, and technology. In answering the questions of who will be able to work remotely, how often, and what they need to do so productively, a core technology concern for many businesses is the safety of mission-critical business data that is now processed outside of their controlled corporate networks and transmitted between residential homes, coffee shops and various other unsecured network ingress points. Exposure of this data, or worse, hijacking of the data and injection of malware, can have disastrous outcomes that put the entire business infrastructure at risk.
Securing your business data
Now that your hybrid and remote workforce is more decentralized than ever before, data security has become a pressing priority for business leaders. More and more processing of business and mission-critical data is now being done in home data processing environments, with this data being transported between residential networks, the main office and the cloud. A key tool for securing data in transit is the use of Virtual Private Networks (VPNs): encrypted network tunnels that create private overlay networks over the public internet between these residential networks and your company-private networks.
However, Virtual Private Networks are highly unpopular among employees, with key complaints revolving around the complexity of establishing a connection (especially for non-technical staff), brittleness of the connection, slow speeds, and network access issues. In a recent survey carried out by Entrust, 54% of employees reported up to six instances of lost productivity due to network access issues, while business leaders cited home internet security (21%) and leakage of sensitive company data (20%) among their top security challenges for a transition to hybrid work models.
When deploying a VPN solution for your business, there are three options to choose from:
Physical VPN and firewall appliance: a hardware network security solution that connects to your office network’s public ingress points to filter incoming traffic. Many of these security appliances offer remote access or VPN services as an add-on component.
VPN-as-a-Service provider: a hosted service, often offered for a monthly subscription fee, where the VPN server is hosted and managed by a SaaS business.
Self-managed VPN service in the cloud: a private VPN service that you host yourself on your business cloud infrastructure.
Physical VPN and Firewall Appliances
Hardware firewalls are a key component of network security for corporate networks. They are physical units that act as a gatekeeper for all data coming into the office network from the router that connects the office to the internet or another wide-area network (WAN). The job of the hardware box is to analyze each incoming network packet and filter out specific threats as they cross the device. The appliance sits between the ingress router and the rest of the network, and all incoming and outgoing data passes through it.
Since hardware firewalls already control the flow of incoming and outgoing data according to a pre-configured set of rules, many manufacturers such as Fortinet, Cisco, SonicWall, Ubiquiti, Firewalla or Palo Alto Networks also offer VPN capabilities on their firewall appliances.
A key problem with using your hardware firewall as a VPN gateway is processing power: appliances, especially under increased network traffic to and from the internet, are already under significant strain to inspect, analyze and filter every single network packet flowing through the network. A VPN service running on top of that requires additional processing power, often degrading network quality for everyone - and with it the productivity of both remote workers and workers in the office.
VPN-as-a-Service
To mitigate the limitations of deploying, operating and maintaining additional and costly hardware to offer data protection to remote workers, you might be looking at a public VPN service, such as ExpressVPN, NordVPN, Surfshark, Mozilla VPN or Tailscale.
The more traditional VPN-as-a-Service offerings route all internet-bound traffic from connected devices through their VPN servers, with multiple servers available in almost every country. Tailscale is different in that the hosted service acts as a coordination engine for devices to connect to each other in a form of encrypted peer-to-peer network, without exposing actual traffic data to the service provider - a major concern with traditional VPN services, as reflected in the recent ExpressVPN scandal.
Self-Managed VPN
A self-managed and self-hosted VPN in the cloud combines the best of both worlds: full data privacy and control over your business data, while eliminating the need to purchase and operate costly physical hardware on premises. Self-hosted solutions such as OpenVPN, Hamachi by LogMeIn, Pritunl or KUY.io Konnect™ offer a variety of options for setting up and operating a VPN server on your own on-premises or cloud infrastructure.
Why Konnect™ is the right choice for a modern self-managed VPN
No matter which route you go, be that a hardware appliance, a VPN service, or a self-managed solution, you need to understand the critical differences in VPN protocols and solutions out there today. In spring 2020, we tried all existing VPN solutions when we had to transition our own company to a remote-first work model and found each one lacking in one key area critical for a small business. As a result, we created KUY.io Konnect™ which has been successfully powering our business and our customers’ businesses for the past 12 months, carrying terabytes of data securely, reliably and fast from home offices, coffee shops, airplanes and hotels all over the world.
Here are the key criteria by which we judged:
Total Cost of Ownership
The total cost of ownership for each solution is a combination of the acquisition cost / capital investment, the operating costs and the resource costs associated with the solution. Under this criterion, hardware appliance solutions have a significant disadvantage over software VPN solutions: the hardware requires a significant capital investment and specialized personnel to configure and operate it, and operating costs need to factor in power, cooling, and potential hardware replacements.
Overall, unless you are running a large enterprise with a dedicated IT department that is already operating a private data center, chances are that a software solution will save you a substantial amount of money.
Data Privacy
The ultimate reason for deploying a VPN solution in the first place is that you want to empower your remote workers to reliably access office networks and resources, as well as cloud resources, from untrusted remote network locations without exposing your business and mission-critical data. By routing your business data through a third-party service provider you are ultimately giving up a large portion of your privacy. While you’d think that giving up data privacy is simply a fact one must accept in the age of Everything-as-a-Service, we’d argue that giving up some data to trusted third parties with strong checks, balances, SLAs and security governance in place is one thing (e.g., storing Office documents on an enterprise SharePoint in Microsoft Office 365), but handing over network traffic to and from mission-critical business services should be considered very seriously. Some VPN service providers claim they don’t keep any logs, but these claims were proven completely false: they actually tracked user behaviour through visited websites.
Overall, if you are concerned for the privacy of your business data, chances are that a self-managed VPN solution will offer you the peace of mind that your business data stays secure and never leaves the umbrella of your own governance.
Ease of Use
VPN protocols such as IPSec, PPTP, or OpenVPN use outdated and cumbersome cryptographic algorithms for establishing network tunnels and encrypting data. Users are required to install client software with custom modules that are often outdated, cause system crashes or are incompatible across platforms. In addition, many VPN solutions require users to maintain an additional set of login credentials, a major friction point before they can even attempt to access the remote office network.
Connecting to KUY.io Konnect™ cannot get any easier. After logging in to the self-service portal that comes with every Konnect™ access server deployment, users follow simple instructions to set up their laptop, PC, or mobile device, and get connected with a single click. The overwhelming response from our non-technical users: “we love it because it’s the first VPN that is actually easy to use”.
Connection Speed and Reliability
A NetMotion survey about the top 10 remote worker frustrations revealed that poor network connectivity, restrictive security, terrible mobile app experience and login issues were the biggest friction points for remote workers.
That’s why we made Konnect™ ultra fast and reliable. How fast? Independent benchmarks of the protocol’s performance demonstrate up to ten times the throughput and six times better latency than other VPN solutions on the market. The performance impact of being connected through Konnect™ VPN is less than 3% compared to a connection without VPN. Additionally, the VPN protocol used in Konnect™ is based on stateless packets and crypto key routing - making connection dropouts and losing unsaved work a thing of the past.
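To make “crypto key routing” concrete, here is an added illustration in Python; it is not KUY.io Konnect™’s code, and the page does not name the protocol Konnect™ uses. The model follows the cryptokey routing design that WireGuard popularised: every peer is identified by its public key and owns a set of allowed IP ranges, one table is consulted for both directions, and peers are addressed by key rather than by network endpoint, which is what lets a client roam between networks without renegotiating a session. The peer keys, addresses and packets below are constructed placeholders. The security-relevant check is the inbound one: a packet decrypted with peer B’s key but carrying peer A’s tunnel address is dropped, so one VPN member cannot impersonate another inside the overlay network.

```python
"""Toy model of cryptokey routing (added example, not Konnect's own code).

A single table maps allowed IP ranges to peer public keys.  Outbound, the
destination IP selects the peer (and therefore the key used to encrypt).
Inbound, a packet is accepted only if the key that decrypted it is the
owner of the packet's source IP.  No per-connection state is kept.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Peer:
    public_key: str  # constructed placeholder identifier, not a real key
    allowed_ips: List[ipaddress.IPv4Network]


class CryptokeyRouter:
    """One routing table, consulted for both directions, keyed by public key."""

    def __init__(self) -> None:
        self.peers: Dict[str, Peer] = {}

    def add_peer(self, public_key: str, allowed_cidrs: List[str]) -> None:
        nets = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
        self.peers[public_key] = Peer(public_key, nets)

    def owner_of(self, ip: str) -> Optional[str]:
        """Longest-prefix match: the key of the peer that owns this address."""
        addr = ipaddress.ip_address(ip)
        best_key, best_len = None, -1
        for peer in self.peers.values():
            for net in peer.allowed_ips:
                if addr in net and net.prefixlen > best_len:
                    best_key, best_len = peer.public_key, net.prefixlen
        return best_key

    def select_peer_for_outbound(self, dst_ip: str) -> Optional[str]:
        """Outbound: the destination decides which peer's key encrypts the packet."""
        return self.owner_of(dst_ip)

    def accept_inbound(self, decrypting_key: str, src_ip: str) -> bool:
        """Inbound: the source IP must belong to the peer whose key decrypted it."""
        if decrypting_key not in self.peers:
            return False
        return self.owner_of(src_ip) == decrypting_key


def build_demo_router() -> CryptokeyRouter:
    """Constructed topology: two clients and an exit node (placeholder keys)."""
    r = CryptokeyRouter()
    r.add_peer("PEER_A_PUBKEY", ["10.0.0.2/32", "192.168.50.0/24"])  # A also gateways an office LAN
    r.add_peer("PEER_B_PUBKEY", ["10.0.0.3/32"])
    r.add_peer("PEER_C_PUBKEY", ["0.0.0.0/0"])  # exit node: catch-all for internet-bound traffic
    return r


# Constructed sample traffic: outbound packets carry a destination,
# inbound packets carry the key that decrypted them and the claimed source.
PACKETS = [
    {"dir": "out", "dst": "10.0.0.2"},
    {"dir": "out", "dst": "192.168.50.7"},
    {"dir": "out", "dst": "8.8.8.8"},
    {"dir": "in", "key": "PEER_A_PUBKEY", "src": "192.168.50.7"},
    {"dir": "in", "key": "PEER_B_PUBKEY", "src": "10.0.0.2"},  # B claiming A's address
    {"dir": "in", "key": "PEER_C_PUBKEY", "src": "10.0.0.3"},  # exit node injecting a tunnel IP
    {"dir": "in", "key": "UNKNOWN_PUBKEY", "src": "10.0.0.9"},  # key not in the table
]


def route_packets(router: CryptokeyRouter, packets) -> List[Tuple[str, str, object]]:
    """Apply the table to each packet; every decision is independent (stateless)."""
    decisions = []
    for p in packets:
        if p["dir"] == "out":
            decisions.append(("out", p["dst"], router.select_peer_for_outbound(p["dst"])))
        else:
            decisions.append(("in", p["src"], router.accept_inbound(p["key"], p["src"])))
    return decisions


if __name__ == "__main__":
    for direction, ip, result in route_packets(build_demo_router(), PACKETS):
        print(f"{direction:3} {ip:15} -> {result}")
```

Because the same table answers both “which key encrypts this destination” and “may this key speak for this source”, the spoofing checks in the sample traffic fall out of the routing lookup itself rather than from a separate firewall rule; that is the property that lets a key-routed protocol drop the per-session state older VPN protocols depend on.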
Mobile Functionality
A lack of mobile clients - or, where mobile clients exist, degraded network performance, battery drain, and the need to constantly switch the VPN on and off when moving between networks - is a major usability obstacle, especially on portable devices. This wastes time and adds to the frustration.
KUY.io Konnect™ is a set-and-forget solution. With native support for virtually every mobile platform, you flip one switch on your mobile device to connect to the VPN and forget about it. Moving from Wi-Fi to a mobile network? Putting your mobile device to sleep? Easy, because Konnect™ stays connected across network switches and instantly reconnects when a device wakes up, so users can forget about fiddling with switches and get work done.
Security
When it comes to keeping data in transit safe, security considerations span multiple domains. First, there are the cryptographic primitives used to establish a connection to the VPN gateway and to encrypt data packets in transit. Second, there is the security of the VPN gateway itself: whether the code is frequently audited for security issues, whether patches and updates are provided quickly as problems arise, and how large the attack surface of the VPN gateway is.
We built KUY.io Konnect™ with a very serious take on security. The underlying VPN protocol has been independently audited by industry experts and has undergone multiple formal verifications of both the underlying cryptography and the protocol itself. The source code for KUY.io Konnect™ undergoes automated code security audits for every source code change, and each release undergoes automated vulnerability scanning of the application software itself, as well as all software and operating system dependencies.
Integration with Existing Infrastructure
Offering remote workers a productive (remote) work environment in which they can get work done efficiently and without friction and frustration is a concerted effort of many different tools, services and solutions that need to cooperate, coordinate and work in unison. One such key service is single sign-on, with a single source for managing users, their identities and credentials.
We built KUY.io Konnect™ such that it can integrate with your existing user directories, be that an Active Directory server on-premises or a cloud directory like Azure AD or JumpCloud.
Summary
No matter where your workers use a device, unencrypted data is vulnerable and puts your business at risk of a data breach and malware attacks. By deploying a Virtual Private Network (VPN) for your remote workers, you can mitigate the security risks of untrusted networks, especially places that offer free WiFi, but to a certain extent also home internet service providers (ISPs). A VPN encrypts data so that an attacker cannot tell what data a remote employee is sending, or where it is being sent, and keeps messages, browsing history, sensitive information, downloads and anything else that is sent over the network private and confidential. Paired with an endpoint protection platform that ensures the security of remote devices, IT and security teams in organizations of any size can significantly improve the security footprint of their business when transitioning to hybrid and remote-first work models.
A self-managed VPN solution like KUY.io Konnect™ can significantly reduce total cost of ownership and eliminate the frustrations and friction points common to other VPN solutions, while safeguarding your business data in transit. If you want to see for yourself how KUY.io Konnect™ can empower your remote workforce, we offer a free trial version that you can evaluate with up to 3 devices for as long as you need.