VPN security — Do you know where your keys are?

Demand for mobile and remote access to small- and midsized business (SMB) networks has increased dramatically. Even the most basic VPN technologies are so accessible and affordable that there is no good reason for failing to utilize them. That said, the real question for SMBs is which type of VPN to implement: Standard IPSec or SSL?

Demand for mobile and remote access to small- and midsized business networks has increased dramatically. Even the most basic VPN technologies are so accessible and affordable that there is no good reason for failing to utilize them. That said, the real question for SMBs is which type of VPN to implement: Standard IPSec or SSL?

SSL is best

SMBs that have limited budgets and/or those that do not share highly sensitive data may opt for a standard VPN because of cost; this technology is virtually free. In fact, most operating systems have built-in VPN protocols, but you typically get what you pay for here. Such protocols often rely on little more than usernames and passwords, they usually lack robust authentication and encryption components, and they can easily become open doorways into corporate networks.

Furthermore, standard VPNs require the deployment of software and clients – an administrative headache at best.

SSL VPNs use the same encryption protocols as many e-commerce sites and Web-enabled applications. They are therefore more compatible with the networks through which your remote users connect. Further, SSL is simple to install and leverages firewall ports already opened to secure Internet traffic, enabling users to connect to a network securely via a standard Web browser, without the need to install special software on the client (for example desktops or laptops).

SSL VPNs will support security policies that regulate access depending on the user, device or location. SSL can also deny access if a less-than-secure situation is detected, such as a user logging on via an unsecured wireless LAN at a local coffee shop. In a word, while SSL may cost more up front than standard VPN solutions, it pays for itself in reduced management costs and improved network security.

SSL encryption for data protection

Because most VPNs operate over the Internet, SMBs must deal with the challenge of keeping the transactions and data confidential and protected. This is where SSL encryption comes in – encryption scrambles the data and keeps it unreadable by unauthorized users. Each SSL certificate consists of a public and private key – the public key encrypts information and the private key decrypts it. When a Web browser points to a secured domain, an SSL handshake either authenticates the server and the client or blocks unauthorized users.

Tips and best practices for managing encryption keys

If an SMB loses an encryption key or the key becomes corrupted, the SMB may lose access to all of the systems and data housed on the network. The worst case scenario is that the system becomes completely unusable unless it is re-formatted and re-installed. Further, if a business neglects the security of keys, it could pay big time, according to the Ponemon Institute. In a recent study, Ponemon reported that there has been an 8% increase in the average total cost of encryption key breaches year over year, with a price tag of $197 per record. Don’t fall victim to poor key management. Keep these best practices top of mind:

 Back it up: Back up your encryption keys to a secure location. Further, make sure you’re able to recover backed-up encryption keys – you’ll need an effective disaster-recovery plan that outlines the encryption key recovery process and that plan will need to be tested often. Finally, do not store encryption and decryption keys in the same place – and don’t store any keys on tapes that contain encrypted, archived data.

 Be protective of your keys: Only give authorized users access to encryption/decryption keys, and whatever you do, don’t send keys via e-mail. While it may seem obvious, this indiscretion happens surprisingly frequently. Ensure that the key is only transferred or used from a secure system – be cautious at Internet kiosks and other public facilities.

 Avoid compliance headaches: Stay informed of corporate governance or regulatory compliance measures such as the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act and Sarbanes-Oxley that mandate privacy and confidentiality of computer records. Keeping in mind the potential repercussions of negligent key management may be a motivator to get it right.

 Consider the end-user: The mantra here is “the simpler, the better.” And quite frankly, change tends to make users uncomfortable. Products shouldn’t change the look and feel, and should have a minimal impact on the user experience. End user comfort makes it easier for keys to be used correctly and securely.

The remote access market is enormous, even overwhelming at times. According to IDC, 28% of all firms, or 2.4 million companies, have some sort of branch office. As remote access continues to grow, SSL will be in greater demand – especially for SMBs. Through SSL and effective key management, IT managers and end-users alike can share information securely and conveniently.