UPDATED 15:16 EST / AUGUST 25 2023

SECURITY

How the new breed of business virtual private networks will keep them relevant in security

Since virtual private networks were invented nearly 30 years ago as a way to extend a corporate network across the world, they’ve gone through a complete role reversal, even as they’ve continued to evolve to help protect business users’ data and communications.

Today’s VPN is now the linchpin for a series of edge business security technologies, taking center stage thanks to a few trends: the popularity of hybrid working conditions brought on by the COVID pandemic, the movement to the cloud away from on-premises servers, and the acceptance of software-as-a-service tools that made it easier to deploy and manage these clouds.

But these trends have also moved the classic VPN from center stage to a bit player at the edge of the stage. Instead of being the go-to tool that businesses once relied upon, it is just another piece in the security acronym soup that businesses now use to protect the edges of their computing infrastructure.

To understand this better, let’s go back in history.

The first VPN is generally credited to Gurdeep Singh Pall, a Microsoft engineer who developed the first version of the Point-to-Point Tunneling Protocol back in 1996. It leveraged the growing use of the internet in business and was used to encrypt traffic between corporate networks and remote users. These early VPNs were used to prevent unauthorized access to the databases and files on the corporate network and to encrypt traffic as it traversed the public internet.

“This was an isolation play,” Tom Mullen, senior vice president of business alliances for Opswat, a longtime tools provider in the VPN market, told SiliconANGLE. “VPNs were used to protect your network traffic when you connected remotely and obfuscate what you are doing.”

Those early VPN protocols (including ones using Secure Sockets Layer, or SSL, and IPsec) were difficult to configure, performed poorly and connected unreliably. Those VPNs depended on network firewalls to segment traffic and ran on hardware servers that collected all the VPN connections at a central source. This hardware was typically installed inside a corporate data center.

But as zero-trust networks came into vogue, VPNs had to adapt accordingly. “As applications moved to the cloud, VPNs had to get smarter about how they provided access, including differentiating among what users are specifically authorized to do and from what particular endpoint they are connecting,” said Mullen. “This also includes granting special permission that accounts for the time of day or the particular originating geography.”

This was particularly evident as COVID forced many office workers home, where they had to use their home networks and laptops. Instead of being relied on to isolate their computers in hotels and airports, the VPN was rendered obsolete under these circumstances, as The New York Times’ Brian Chen wrote a few years ago.

Well, almost obsolete: This evolution has flipped the notion of what today’s VPNs are trying to do. Now they keep bad stuff from invading a user’s endpoint, offering protection from outside rather than from within a corporate network.

But I disagree with Chen’s point of view a bit: There is still an important role for the modern VPN to play, and that brings us back to the network edge.

Three trends for modern VPNs

The evolution happened thanks to four trends: the growing reliance on the web and software-as-a-service applications, the popularity of consumer VPNs, new open-source protocols that were more potent and flexible at handling encrypted connections across the internet, and the demise of antivirus as a first protective filter.

The growth of web-based applications was first felt by VPNs that moved from the original peering protocols to tools based on SSL. That helped make them easier to configure and maintain, and also easier to integrate with various cloud applications.

The second trend for the modern business VPN ironically has its roots in consumer-grade products, from companies such as Surfshark B.V., Nord Security Ltd., Mullvad VPN AB and Proton AB. These are software solutions that depend on a wide network of thousands of servers placed at critical internet peering points, offering the best connections for users working remotely.

In essence, these new VPN providers have replaced the original dial-up networks from AOL and CompuServe. The difference today is that these new connection points combine access with secure communications.

But the software-centric VPNs bring up an entirely new set of issues, including protecting user privacy, performing regular independent security audits, and having a wide enough access server network across the globe. The leading consumer VPNs have stepped up their game accordingly to be more secure and transparent about their operations. They have also begun to offer business-grade VPNs, such as Proton did this week.

The third trend is that these modern VPNs make use of specialized VPN protocols called WireGuard and OpenVPN that are focused on performance and maintaining connection link integrity.

Finally, there is the demise of antivirus software as a first line of defense when it comes to protecting the typical endpoint. This doesn’t mean that antivirus software shouldn’t be used; quite the contrary. But as threats have gotten more sophisticated, AV has become part of desktop and mobile operating systems.

Look at the evolution of Microsoft’s Defender as a case in point. Years ago, most of us would have laughed at users who chose this as their sole AV protection. Now it is a credible product and keystone to other Microsoft protective technology.

But running AV screens to stop malware doesn’t prevent the most determined attacker from stealing credentials via phishing or social engineering. That’s why having an endpoint running a VPN and isolating it from the rest of a corporate network can help.

Changing with the times

This evolution of the business VPN has left a lot of the early players in the dust. Many of the big players have gone out of business, and others were acquired and then eventually shut down. In some cases they’ve tried to evolve their products to keep up with the progress of security tools such as cloud access security brokers, secure services edge or zero-trust networking.

All three of these product categories (if indeed they can be separated at all nowadays) rely on the essential security frameworks and network isolation that also underlie VPNs. It is just a different way to look at the picture: This isolation now happens internally, at the edge device, rather than inside some data center box of the OG VPNs.

The Times’ Chen has ditched his consumer-grade commercial VPNs to build his own. But that just goes to show that the technology is still very much relevant to his daily computing life. It’s yet another proof point for the value of this 30-year-old technology.

The VPN will keep evolving with the times, and will continue to offer powerful security features for businesses. It just operates differently now.
