Demystifying Security: Virtual Private Network (VPN)

Demystifying Security: Virtual Private Network (VPN)
© Sikov –

A Virtual Private Network (VPN) is a proven technology that allows secure access to corporate resources from outside of the corporate network, through unmanaged and unsecure networks like the mother of all networks, The Internet. One would typically think of a sales consultant connecting to the company network from his laptop in a hotel or customer office to check his email, download a sales pitch, or access the internal CRM system to prepare a PO. 


You may wonder, “Is VPN still a thing in 2020?” Well, it is, and more than ever! VPN remains the safest way to provide secure, managed, and controlled connections onto your back-end internal infrastructure in today’s modern digital workplace where mobile devices/apps are slowly replacing desktop computers/apps.


Types of VPN

There are many types of VPN connections, but let’s focus on the ones used in the digital workplace and compare their benefits and limitations. 


a. Standard VPN

This is the default VPN connection, either configured manually or provisioned using an EMM/UEM software: 

  • Connection manually turned on/off by end-user or automatically using a dedicated VPN client 
  • All data, including both personal and work apps, will travel to/through the company network 
    • Potential unsecure (personal) apps traffic 
    • Reduced connection speeds 

b. Always-on VPN

  • Suitable for company-owned devices, business-only (COBO) deployments
  • For regulated customers with high security needs (healthcare, government, finance) 
  • Set up and configured using EMM/UEM software 
    • Connection automatically turned on when device is started 
    • ALL traffic is going through company network, controlled and monitored 
    • Only managed application traffic allowed 
    • Lower administrative effort
    • Higher data and battery usage 

c. On demand VPN

  • Connection automatically turned on when accessing specific web resources (defined by IT admin) 
  • Only work data traffic traveling to/through company network 
    • No action from end-user required 
    • Personal apps traffic not affected 
    • Improved connection speed 
    • Lower security risks 
    • Low data and battery usage 
  • Dedicated back-end and advanced configuration required  
    • More suitable for larger infrastructure 
    • Provided natively by most EMM/UEM software vendors 

d. Per-app VPN

  • Suitable for Bring Your Own Device (BYOD) deployments 
  • IT administrators can assign VPN connections to individual EMM/UEM-managed apps 
    • Connection automatically turned on/off when app connecting to a specific web resource 
  • Different apps can use different VPN connections to connect to different resources if needed 
    • Keeps traffic from different apps separated 
    • No action from end-user required 
    • Personal apps traffic not affected 
    • Higher administrative effort 
    • More efficient data and battery usage 
    • That is the option used for mobile app containerization by most EMM/UEM software vendors. 


In all cases, data will travel encrypted end-to-end from device or mobile apps up to the destination resources, like a web, database, or email server hosted internally. 



Before a VPN tunnel is established, endpoints must be authenticated; there are a variety of authentication methods available, often used in combination: 

  • User credentials (ex: Active Directory username/password) 
  • Biometrics (fingerprint, face recognition) 
  • Multi-factor authentication (ex: Mobile ZSO, 2FA…) 
  • Digital certificates 

For mobile app containers, digital certificates are usually used so end-users are not required to enter any kind of credentials. Minimizing user interaction provides a more seamless experience. 


Which one to use?

This will all depend on your use case, infrastructure, and need for security. If using an EMM/UEM solution, you might not even have to think about it and this will all be set up in the background. You, as an administrator, will just need to specify which apps and/or mobile traffic you want to allow onto your internal network. 


Either on-demand or per-app VPN remain the best options as they allow you to differentiate private and work traffic and only trigger VPN connections when needed/requested which translates into lower data and battery usage. 


Learn more about Virtual Private Networks and master your security solutions.  Let´s get in contact:

Note: Please fill out the fields marked with an asterisk.


(C) Rémi Frédéric Keusseyan, Global Head of Training, ISEC7 Group