Oct 09 2020

5 VPN Myths Your End Users Need to Know

Common user misconceptions about VPNs create security risks. Here’s what your end users may not know.

Virtual private networks play a critical role in securing access — and improving anonymity — for higher education end users. But as VPN adoption rises rapidly to meet remote learning requirements, colleges and universities must tackle common misconceptions that users may have about VPN adoption, implementation and use.

Post-secondary schools are back in session. But for many students, the educational experience has changed drastically. As noted by the Harvard Business Review, “online learning became the default in 2020.” As the pandemic pushes schools to boost IT budgets, higher education is quickly developing distance learning frameworks that can scale on demand.

LEARN MORE: Get the Defense-in-Depth strategy checklist.

This is creating a big end-user security challenge for campus IT teams. As the number of connected devices and access requests skyrocket, students and staff become the weakest links. Many campuses have deployed VPN solutions to help offset potential security issues, but common user misunderstandings about VPNs remain a security stumbling block. Let’s take a look at five of the most prevalent — and problematic — VPN myths.

Myth 1: VPNs Offer Complete Anonymity

Since VPNs are designed to obfuscate user information, many users assume virtual private networks confer complete, end-to-end anonymity. This couldn’t be further from the truth.

“There is no anonymity for VPN users,” says Brad Tilley, director of security architecture and red team at Virginia Tech.

“To connect to a VPN, the users would have to authenticate. This authentication could be via username and password, certificates, keys, etc.,” Tilley explains. “In any case, the user or device connecting to it is known and associated with a person or department within the organization.”

Myth 2: VPNs Collect No Data

Since VPN tunnels are designed to protect information, users might also assume VPNs don’t collect data. This is not accurate.

“Since they operate at the IP layer, they collect IP addresses, dates, times and duration of connections,” says Tilley. “Some may also collect the number of bytes sent and received over the connection.”

Meanwhile, advanced VPN agents can also capture and share client data — such as operating system versions, anti-virus statuses and information about patches and software.

MORE ON EDTECH: Read our exclusive Q&A with EDUCAUSE Cybersecurity Program Director Brian Kelly.

Myth 3: Free and Pay-to-Play VPNs Are the Same

There are myriad free and commercial VPNs available, but most post-secondary schools tend to lean toward paid solutions.

It is worth noting that although the fundamental building blocks of paid and free VPNs are the same, free VPNs aren’t always upfront about their data sharing policies. Some less reputable versions may even contain malware.

According to Tilley, commercial services offer more bells and whistles, such as the ability to customize key functions and control specific conditions. When combined with more transparent data use agreements, commercial VPNs tend to offer better value.

MORE ON EDTECH: Learn how to secure your VPN, no matter what.

Myth 4: VPNs Are ‘Fire and Forget’

VPNs can encrypt traffic and obfuscate user actions, but bear in mind, there are potential infrastructure costs.

“Full-tunnel VPN connections place all remote host traffic on the organizational network,” says Tilley. “This can lead to performance issues, compliance issues such as DCMA notices when home users mix personal and organizational browsing and increased licensing costs.”

“If the VPN has policies that interrogate its clients before connecting, such as requiring Windows 10 or having the latest anti-virus signatures, the organization must be prepared to keep up with constant changes and connection denials due to clients not meeting the bar,” he says.

MORE ON EDTECH: Learn about higher ed's new approach to pandemic cybersecurity.

Myth 5: Virtual Private Networks Are Impenetrable

VPNs certainly improve operational security, but this can lead to the common misconception that users have impenetrable protection.

Tilley makes this much clear: The security of a VPN connection is only as strong as the credentials used to access the VPN. “If an organization allows weak passwords, for example, the VPN and corresponding organizational data will be compromised,” he says.

In other words, VPNs can only serve as one layer of higher education security frameworks. Alongside robust passwords and authentication controls, Tilley recommends schools pair VPNs with more advanced options, such as software-defined perimeter solutions, to maximize protection.

To secure remote learning initiatives at scale, it’s critical that higher education IT departments debunk common myths that end users may have about how VPNs work.

This way, users can do their part to stay secure.

IncrediVFX/ Getty Images