Versions Compared

Version Old Version 5 New Version 6
Changes made by

Harry Sanderson

Harry Sanderson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Page Properties
hiddentrue

Document number:

GUIDOC-XXX-XXXXX

Document type:

Guidance

Responsibility for implementation & training:

Cyber Essentials Manager

CB contract doc/ schedule:

No

Scope:

Cyber Essentials

Reason for change:

Initial version

Approved by:

Approved date:

Next review:

Review and consultation process:

Reviewed Annually by

Master Link:

Associated documentation:

Distribution:

Controlled in Confluence Quality Management System.

Page Properties
idAll

Title of Content

Primary Category

Secondary Category

Date Last Reviewed

Author

Graphic

Date created:

Date approved:

Date published:


What is a VPN?

A virtual private network is a technology that allows a secure and private connection on the internet.

Why do I need a secure and private connection on the internet?

A regular internet connection is at risk of being tracked, intercepted and spied upon which is a threat to the security and privacy of your internet activity and data.

How does this happen?

Your IP address
Every device connected to the internet has a unique digital address called an IP address which is used to help it communicate with websites and other devices. The IP (internet protocol) address is a unique series of numbers separated by decimal points that identify it (eg 198.169.0.100.), as a post code would a building.
Your IP address can reveal your general geographic location, it also carries the name of your internet service provider (the company that gives you internet access).
Websites and services can use your IP address to prevent you from performing certain online activities, such as blocking you from a forum or a game if you violate the rules. Your IP address can also be combined with details from other sources to piece together data about your identity.

...

A virtual private network will mask your IP address and encrypt your data

How does a VPN work?

An organisation will first need to set up their corporate virtual private network from the organisation firewall or network. Client VPN software will need to be downloaded and installed onto every device that they wish to connect to the VPN. 
If the VPN isn't automatically enabled, it will be necessary for the users/employees to manually log onto the virtual private network and make sure they actually use it when they go online. Once logged in, they will  choose a  VPN server to connect to and then all internet traffic will be directed through that VPN remote server and onto the wider internet. Internet use, therefore,  is visible only as that of the VPN server rather than the device's IP address. What's more, the VPN uses data encryption which is a system that encodes your data so others can't read it. If someone accesses your VPN connection, they'll see scrambled data. Only your device and the VPN server you're using can encrypt and decrypt, or unscramble your data.
In this way, a VPN makes it more difficult for third parties to track your activities online,  steal your data and intercept your email messages. 

...

A VPN is a network because it creates a connection between multiple computers — your device and the VPN server

Privacy and security

Many individuals (including hackers) use private VPNs as an anonymising tool to hide their IP address as they use the internet in order to bypass censorship, content block and regional restrictions. These type of VPN's usually have pre-configured firewall settings and allow the user no control over the boundary firewall. This is not compliant with Cyber Essentials.

Organisations typically use a corporate VPN to give remote employees secure access to internal applications and data, or to create a single shared network between multiple office locations. When using a corporate VPN, even on free wifi in public spaces, it would not be possible for a hacker to read your internet traffic. The motivating factor for providing a corporate VPN is to prevent data breaches. 

Single tunnel, site to site and split tunnel VPNs


A direct single tunnel virtual private network (VPN) or corporate VPN allows remote workers to route their online activity through a server that connects them directly to their company's secure private network. Through their virtual private network, they are able to safely share and access organisational data and services on the private network while using a public network (the internet).

...

Not all VPNs provide the same level of security. The strength of a tunnel depends on the type of tunnelling protocol your VPN uses. Some tunnelling protocols are outdated and may not provide data encryption that is strong enough to keep out cyber criminals.

Which VPN is recommended for Cyber Essentials?

Cyber Essentials recommends using a direct single tunnel network to the corporate network – any other type is not secure enough. A corporate VPN is a secure solution that connects remote workers back to their organisation's office location, or to a virtual or cloud firewall.