Myth 2: VPNs Collect No Data
Since VPN tunnels are designed to protect information, users might also assume VPNs don’t collect data. This is not accurate.
“Since they operate at the IP layer, they collect IP addresses, dates, times and duration of connections,” says Tilley. “Some may also collect the number of bytes sent and received over the connection.”
Meanwhile, advanced VPN agents can also capture and share client data — such as operating system versions, anti-virus statuses and information about patches and software.
MORE ON EDTECH: Read our exclusive Q&A with EDUCAUSE Cybersecurity Program Director Brian Kelly.
Myth 3: Free and Pay-to-Play VPNs Are the Same
There are myriad free and commercial VPNs available, but most post-secondary schools tend to lean toward paid solutions.
It is worth noting that although the fundamental building blocks of paid and free VPNs are the same, free VPNs aren’t always upfront about their data sharing policies. Some less reputable versions may even contain malware.
According to Tilley, commercial services offer more bells and whistles, such as the ability to customize key functions and control specific conditions. When combined with more transparent data use agreements, commercial VPNs tend to offer better value.
MORE ON EDTECH: Learn how to secure your VPN, no matter what.
Myth 4: VPNs Are ‘Fire and Forget’
VPNs can encrypt traffic and obfuscate user actions, but bear in mind, there are potential infrastructure costs.
“Full-tunnel VPN connections place all remote host traffic on the organizational network,” says Tilley. “This can lead to performance issues, compliance issues such as DCMA notices when home users mix personal and organizational browsing and increased licensing costs.”
“If the VPN has policies that interrogate its clients before connecting, such as requiring Windows 10 or having the latest anti-virus signatures, the organization must be prepared to keep up with constant changes and connection denials due to clients not meeting the bar,” he says.
MORE ON EDTECH: Learn about higher ed's new approach to pandemic cybersecurity.
Myth 5: Virtual Private Networks Are Impenetrable
VPNs certainly improve operational security, but this can lead to the common misconception that users have impenetrable protection.
Tilley makes this much clear: The security of a VPN connection is only as strong as the credentials used to access the VPN. “If an organization allows weak passwords, for example, the VPN and corresponding organizational data will be compromised,” he says.
In other words, VPNs can only serve as one layer of higher education security frameworks. Alongside robust passwords and authentication controls, Tilley recommends schools pair VPNs with more advanced options, such as software-defined perimeter solutions, to maximize protection.
To secure remote learning initiatives at scale, it’s critical that higher education IT departments debunk common myths that end users may have about how VPNs work.
This way, users can do their part to stay secure.