Two-Thirds of Tech Workers Now Use a VPN, Survey Finds (9to5mac.com) 87
An anonymous reader shares a report: According to a survey, 65% of U.S. tech sector workers now use a virtual private network (VPN) on either work devices, personal ones or both. While much of that usage will be because it's installed as standard on work devices, a growing number of people are choosing to use a VPN on their own devices in response to past and proposed legislative changes. The Wombat Security survey found that 41% of those surveyed use a VPN on their personal laptop, with 31% doing so on mobile devices.
One VPN? (Score:1)
DACA (Score:1)
DACA...is CACA
Isn't everyone? (Score:1)
I have a VPN autolaunch on my laptop when I start up because I travel about 50% of my time and I am frequently on some random wifi connection. I was recently taken aside by an IT person who asked me very suspiciously why I was running a VPN. My response was "Almost everyone here works remotely at some point during the week. Isn't everyone running a VPN?" He grumbled something and walked off.
Re:Isn't everyone? (Score:5, Insightful)
Your answer should have been, "The very fact that you know I'm on a VPN proves why I need it". Had he not been trying to spy on your data he would never have known.
Re: (Score:2)
Realistically, who would not be using a VPN with Wi-Fi links? So many places abuse it, from the restaurant chain that says that they can log every packet and sell the info as they see fit to the place that tries to MITM every connection with an oddball key... using a VPN is just like using FDE... a necessity.
Re: (Score:3)
Depends what you're doing over that link. If the sites you go to are HTTPS, and the computer is still controlled by you, then they are getting somewhat limited data on your browsing, knowing only what sites you visit, not what you did once you got there. Conversely, using the VPN adds significant latency to your connection, and possibly some cost (depending on your VPN provider's plan, or if you provide your own, depending on your data usage plan for the connection it runs over)
For most things I do, the VPN
Re: (Score:2)
Additionally, how do you really know that the pipe out of the VPN is any more secure than the pipe you're on to start with?
I'm 99% certain that all traffic out of my VPN can be intercepted by a foreign government, because my VPN is located in a foreign country that is well known for having no privacy rights, and an authoritarian government that monitors everything. Whereas most of the time my devices are connecting to networks in a country that has actual privacy laws. (I'm still 90% sure someone is monitor
Re: (Score:2, Funny)
Have you considered switching to a VPN located outside the United States?
Re: (Score:2)
I can control what VPN I use. With an ISP, I really can't, where at best, I'd have cable or the telco. If one VPN has a bad privacy policy, I can switch fairly easily. Offshore? Easily done.
Of course, the VPN owner spilling the beans about what I'm doing is one thing... but if that is done and it is made public, the customer base of the VPN will disappear overnight.
Re:Isn't everyone? (Score:5, Informative)
I would then come back with:
You're on company equipment and on a company network. Of course it's monitored. The fact that your data is not inspectable is what raised the flag on the automated system.
Re: Isn't everyone? (Score:1)
Apple broke VPN in El Capitan.... Grrrr (Score:2)
I used to use VPN on my Mac to connect to work until Apple broke PPTP in Sierra. I'm not bitter..... grrrr
As for public wifi, I use OpenVPN back to my home router.
As for sending secrets to wikileaks, I use dual VPN (IP Vanish) and the tails OS through the TOR proxy.
Re: (Score:2)
I just use my BIL's computer.
He don't know that.
Re: (Score:2)
Re: (Score:3)
Your IT staff needs to update. PPTP is old and broken.
Re: (Score:2)
Re:Apple broke VPN in El Capitan.... Grrrr (Score:5, Informative)
They didn't break it, they removed it. I can't tell if you're aware of that and just being facetious by saying "broke". Choice of words matters.
But yeah, it was annoying. On the other hand it took all of half an hour to figure out how to enable L2TP/IPSec at work, so not exactly the end of the world. The rigidity of IT in larger corporations is probably more of a stumbling block than the technical side of it.
Re:Apple broke VPN in El Capitan.... Grrrr (Score:4, Informative)
Re: Apple broke VPN in El Capitan.... Grrrr (Score:1)
Re: (Score:2)
Said the AC.
Useless data (Score:2, Insightful)
This survey is useless. It includes work-issued devices (where the VPN client is installed for corporate privacy) and doesn't specify the end user's purpose for using a VPN.
Re: (Score:3)
Hey, we have someone that actually read the article here! I am impressed! Must be to honor the first day back to school. :)
Asking the wrong question? (Score:2, Insightful)
Seems to me like the classic metrics analysis mistake of measuring the wrong thing for your desired conclusion. Using a VPN... to do what, and why? To access internal company systems while you're working remotely? To fool content geolocation restrictions? To browse the web when you want privacy? Because your Internet-savvy friend or computer repair-person told you you should?
If we're to draw more meaningful conclusions from a survey like this, we'd need to know more about the reasons behind each respon
Usage (Score:3)
Not mentioned in the study: 60% use a VPN to bypass a geoblocked hulu.
VPN uses are a-many (Score:1)
Do they mean to say that the VPNs are used for everyday browsing? Or in order to do work that requires connecting to computer via WAN? There are some regulations that require VPN in certain circumstances. For instance HIPAA regulations require VPC connection(s) for use in anything that sends/receives medical records.
At any rate, how is this news for those of us in the field? Kinda looks like FUD.
Re:VPN uses are a-many (Score:5, Informative)
Yes, though it comes down to primarily two basically opposite reasons;
I use a VPN to securely access my work resources from home. With two factor authentication and associated firewall rules that control my access to internal resources. They know who I am, they know what I do when I am connected (and since I am with the corp network team I'm actually one of the watchers as well).
I also use a personal VPN, not to access work resources but for the totally reverse functionality - so that people who may be watching my activity DO NOT know who I am, as well as greatly limiting, though not completely removing, the number of people who can watch in the first place.
Pretty versatile thing those VPNs.
Re: (Score:2)
VPN on all my devices (Score:3)
Re: (Score:1)
Almost every IT workplace uses a VPN, even internally, because it allows one to limit access to things to that range. Plus, with 2FA, if someone is on a VPN, they at least passed authentication.
I also use personal VPNs. One even tunnels from my internal router to a nearby VPN provider, just because I trust my ISP's router as far as I can drop-kick it.
Torrents? Yep, VPN to somewhere overseas, so some witch hunt has to escalate into an international incident before it affects me.
Re: (Score:2)
Really? If your ISP gave you $2/month (or whatever the marginal value of one customer's browsing history is) on the condition that all your traffic is inspectable, you'd agree?
Re: (Score:3)
Sure, you'd agree. Then use the VPN the whole time anyway.
Pointless Article (Score:3, Informative)
Depends on use case. (Score:5, Interesting)
I use my work laptop to work from home over the company VPN. It's necessary to use it to do any work, and makes perfect sense.
I have a personal VPN that connects my home computer (on my xDSL connection), my server (VPS in a data centre) and my car's computer (connected by cellular data) so that I can securely transmit information between them, and not have to worry about the fact that 2 of those 3 devices are on dynamic IPs.
But I don't use a VPN for general internet use because it slows down the connection and racks up billable data usage at 2 locations (home and server) instead of just 1 location (home).
Sure, I know people are probably spying on me, but the tradeoff just isn't really worth it.
Re: (Score:2)
Last place I worked (Score:2)
Had a couple different VPN solutions to access work-related services externally.
There was no other way to access them externally without a VPN.
Personal VPN services are a horse of a different color, as in much more optional, depending on what you're doing on the Internet. I have one for accessing services on my home network from outside the home network for example.
A few VPNs here. (Score:1)
Re: (Score:2)
Hugs.
Two thirds sounds low (Score:2)
Our whole company was using VPN back in 2012 and it was considered standard practice at that point. Every company I've dealt with since then has also had VPN.
Re: Two thirds sounds low (Score:1)
Re: Personal Devices? (Score:1)
Not at Google. Google has deprecated VPNs. (Score:5, Interesting)
VPNs are part of a badly broken security model: the perimeter defense model. It doesn't work very well at small scales, definitely does not scale for large enterprises and generally creates a lot of misunderstandings that result in bad security decisions.
Google had a segmented perimeter defense model for several years, but has spent the last five years or so getting rid of it. The VPNs aren't entirely gone, but nearly so. You now have to get special permission to run a service that requires VPNs to access.
The perimeter defense model is based on the notion that it's possible to build a network that is physically secure and which contains only trusted, managed systems. The assumption is that any machine connected to the network is inherently trusted to some degree, and has access to some potentially-sensitive resources merely by virtue of being connected.
The problem is that it's cost-prohibitive to build a physically-secure network, and a management nightmare to try to ensure that only trusted systems can be connected to it. 802.11X authentication, which requires every device that connects to perform a cryptographic authentication, can help keep unauthorized devices off the network but it doesn't prevent sniffing or impersonation, and can't prevent compromised devices from exploiting the trust they're given.
That last point is a really telling one, because if you assume that there's some ambient authority available to any device on the network, you inevitably end up granting that ambient authority permission to access resources that only a subset of the connected devices should actually have. Also, for all of the systems that require more authorization than the ambient authority, you still have to have some sort of login system, either per application, or else build out some sort of single sign-on infrastructure.
The solution is a zero-trust network, where no device is assumed to have any authority merely by virtue of being connected, and all connections are end-to-end authenticated and encrypted. Then, a compromised device still can only access the resources that it is supposed to be able to access, because it doesn't have authorization for anything else. It also means there's no need to try to keep unauthorized devices off the network, and no worry about attackers having physical access to the network (other than DoS concerns). This approach does increase the importance of keeping all "legitimate" devices on the network secured and patched, but that really has to be done anyway.
Google calls its version of this approach BeyondCorp [google.com]. It's built around a set of proxies which take responsibility for user authentication and identification. User devices connect to the proxy (in the case of web apps it's a literal HTTPS proxy) and strongly authenticate themselves with username, password and two-factor auth token. The proxy then has an already strongly-secure connection to the backend system the user is trying to reach, and it forwards the user's request to the backend with the user's identity (in an HTTP header, for web requests). The backend (or a service it delegates to) can then decide whether the user is authorized to connect and use the service, and if so which parts of the service the user can use, what data the user can see, etc.
The approach divides authentication from authorization, doing the first in the proxy and the latter in the backend that knows what different users are allowed to do. The backend doesn't have to know anything about user authentication, meaning as authentication needs and approaches change, they can all be implemented in the client and proxy, without touching the backends. Meanwhile the proxy doesn't know anything about authorization; it's a backend-agnostic, general-purpose single sign-on service. And, of course, all connections are encrypted and authenticated, all the time.
What all of this means to Google employees is that there is exactly zero difference bet
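The authentication/authorization split described in the comment above, as an added example that is not part of the original post and is not Google's code. It assumes an HMAC-signed identity header as a stand-in for the secure proxy-to-backend connection and a static code as a stand-in for the two-factor token; the header names, users and ACL are hypothetical, constructed values.

```python
import hashlib
import hmac

# All names below are hypothetical and the data is constructed for illustration.
PROXY_BACKEND_KEY = b"constructed-demo-key"  # stands in for the secure proxy-to-backend channel
IDENTITY_HEADER = "X-Authenticated-User"     # hypothetical header name
SIGNATURE_HEADER = "X-Identity-Signature"    # hypothetical header name

# Proxy-side state: credentials only, no knowledge of who may access what.
USERS = {"alice": ("pw-alice", "123456"), "bob": ("pw-bob", "654321")}
# Backend-side state: permissions only, no knowledge of passwords or tokens.
ACL = {"/payroll": {"alice"}, "/wiki": {"alice", "bob"}}


def _sign(user: str) -> str:
    """MAC over the identity, computable only by proxy and backend."""
    return hmac.new(PROXY_BACKEND_KEY, user.encode(), hashlib.sha256).hexdigest()


def backend(request: dict):
    """Authorize using only the identity the proxy vouched for."""
    headers = request.get("headers", {})
    user = headers.get(IDENTITY_HEADER, "")
    sig = headers.get(SIGNATURE_HEADER, "")
    # Requests that did not come through the proxy carry no valid signature.
    if not user or not hmac.compare_digest(sig, _sign(user)):
        return 401, "identity not vouched for by proxy"
    if user not in ACL.get(request["path"], set()):
        return 403, "not authorized"
    return 200, f"{request['path']} served to {user}"


def proxy(request: dict, user: str, password: str, token: str):
    """Authenticate the user, then forward the request with the identity attached."""
    creds = USERS.get(user)
    ok = (creds is not None
          and hmac.compare_digest(creds[0], password)
          and hmac.compare_digest(creds[1], token))
    if not ok:
        return 401, "authentication failed"
    # Drop identity headers supplied by the client so they cannot be spoofed.
    headers = {k: v for k, v in request.get("headers", {}).items()
               if k not in (IDENTITY_HEADER, SIGNATURE_HEADER)}
    headers[IDENTITY_HEADER] = user
    headers[SIGNATURE_HEADER] = _sign(user)
    return backend({"path": request["path"], "headers": headers})
```

The backend never sees a password or token, and the proxy never consults the ACL; being able to reach the backend directly grants nothing without an identity the proxy has vouched for.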
Re: (Score:2)
> The perimeter defense model is based on the notion that it's possible to build a network that is physically secure and which contains only trusted, managed systems.
If I may disagree? It's based on the notion that it's possible to reduce your vulnerability, profoundly, by reducing your exposed surface and enabling some tracking of who is accessing the internal network with what privileges. I'm afraid there is not complete security. Locking casual access outside the local network is never absolutely effe
Re: (Score:2)
Re: (Score:2)
My wife works for a major bank, and understandably they are rather anal retentive about security, to the point where trying to get access to a database is a three day affair involving reams of paperwork and authorizations. In a way also understandable, but as a developer who needs to connect to multiple databases (staging, QA etc.) it is a real pain in the ass. Google's approach sounds like a nightmare in comparison. I will let her know tonight that it can be way worse, it might stop her whining about it as much.
At Google it would have taken her 15 minutes to get access, all done electronically (unless regulations required ink on paper signatures). Her manager would have submitted a request to have her added to the group that has access, and forwarded that request to the appropriate authorizing people (actually, the forwarding is generally automated, but it can be done either way). Those people would have checked what they needed to check and approved. Once added to the group, the same login she uses to get to her
Re: (Score:2)
> The perimeter defense model is based on the notion that it's possible to build a network that is physically secure and which contains only trusted, managed systems.
If I may disagree? It's based on the notion that it's possible to reduce your vulnerability, profoundly, by reducing your exposed surface and enabling some tracking of who is accessing the internal network with what privileges.
You may disagree, but you're wrong :-)
Perimeter defense as a defense in depth strategy is fine. In theory. In practice, it breeds an assumption that the network is "safe" in some important sense. That's the "ambient authority" to which I referred. If you can avoid that assumption and properly secure everything within the network in addition to implementing strong perimeter defense, great. If you tell me you have done this, I will laugh at you. I was a corporate security consultant for 15 years, working fo
Re: (Score:2)
> Perimeter defense as a defense in depth strategy is fine. In theory. In practice, it breeds an assumption that the network is "safe" in some important sense.
"Safer" is the operative word. A VPN is typically associated with a firewall that restricts access to certain systems or certain portions of a network through a gatekeeper. This often includes components that are relatively difficult to activate a full-blown "single sign-on" method on, or services that are far more difficult to secure individually.
Re: (Score:2)
All of your points are trumped by the simple fact that when people believe their network to be secure, they don't adequately secure the endpoints behind the firewall -- and that the network is never secure. And I don't mean that in a "perfectly hermetic" sense, I mean that in a practical "attackers can always get in" sense. With the exception of databases on laptops, this is the single largest root cause of leaked corporate data. The problem here is that you're talking about theory, and I'm talking about pr
Re: (Score:2)
Sort of. That's part of why people have a VPN. The other part is to associate a specific user to a specific endpoint, not an IP, and to provide an encrypted sheath for interactions with company resources to make DNS leakages and TLS MITM attacks more difficult.
(Per my sig, I don't normally read or respond to ACs. I happened to see this one, though, and it's good so I'll answer.)
The specific endpoint in Google's model is at least as strong as that provided by a VPN. It's a per-device client-side digital certificate. On devices with a TPM, the private key is in the TPM, which attests the specific identity of the device. VPN solutions may or may not provide that level of endpoint validation.
Regarding the encrypted sheath, TLS provides it. Regarding TLS MITM atta
Security services respond? (Score:2)
XKeyscore https://en.wikipedia.org/wiki/... [wikipedia.org] to find the user. A Turbulence like project to get into the users systems. https://en.wikipedia.org/wiki/... [wikipedia.org]
NSA’s automated hacking engine offers hands-free pwning of the world (3/13/2014)
https://arstechnica.com/inform... [arstechnica.com]
I dumped VPN (Score:2)
I dumped VPN at my company in favor of virtual desktops (vmware view). It is much safer, I don't have to worry about "dirty" outside computers connecting to the network. Instead, employees get the same desktop every time, the same resources every time. It's generally safer. The employees love it because it's generally much faster.
It's one of the few win-win scenarios in I.T. for mobile workers.
OK... (Score:2)
So privacy isn't really dead?
How I (Score:1)