The best mobile VPNs for the enterprise and how to evaluate them

Do cloud-based mobile VPNs work for the enterprise? Many businesses are saying "yes," but you need to choose a moble VPN and how you use it carefully.

Virtual private networks (VPNs) are a necessary protection in an inherently insecure internet world. Enterprise-class VPNs have been around forever and there are a multitude of vendors to choose among. Most require a dedicated centralized device (e.g., an appliance, gateway, firewall, concentrator or server) to which all participating VPN users connect.

Now a growing new class of VPN vendors, especially in the small business and mobile space, uses the power of the cloud to scale their decentralized offerings. Some are even completely free. Could one of these new offerings be a part of your mobile VPN strategy? Depending on your requirements, the answer may be yes.

How does a mobile VPN work?

A mobile VPN allows devices such as notebook computers, smartphones or tablets used by employees to provide encrypted, authenticated tunneled access to a corporate network from any location. Both types of VPN require a device such as a server that users can connect to, although with a mobile VPN that server may be part of a cloud service.

Traditional VPNs rely on the IP address of the user to remain stable. Mobile VPNs can adapt to changing IP addresses as users move around and connect through, say, a hotel LAN or wifi hotspot. This is because mobile VPNs are bound to logical IP addresses whereas traditional VPNs require a stationary address. The logical IP address is tied to the device.

According to a 2017 paper by P&S Market Research, the global mobile VPN market is expected to grow 21 percent per year to be a $2.4 billion market by 2022. Seven of today’s leading mobile enterprise VPN vendors (Cisco, Columbiatech, IBM, Netmotion, Radio IP, Smith Micro and Techstep) will be challenged like never before by new and innovating competitors.

The new players aren’t likely to completely replace enterprise-class mobile VPN vendors in most companies for a variety of reasons, including the following enterprise-class VPN features:

  • Scalability to handle up to tens to hundreds of thousands of concurrent connections
  • Support for multiple authentication types, including multi-factor and digital certificates
  • Conditional access policies
  • Granular configurations
  • Enterprise management consoles and tools
  • Integration with other software and devices (e.g., Unified Threat Management, access points, and firewalls)
  • Hardware crypto offloading for better performance
  • Proven reliable track record

When most mobile devices come with built-in VPN support, however, and a plethora of new competitors are arriving with features often not offered in enterprise-class mobile VPNs, mobile security admins are starting to use a mixture of traditional and fresher, and sometimes even seemingly exotic solutions.

The rising value of anonymity

Some of the lesser known solutions are simply that, less popular solutions that offer the same traditional features, sometimes for free in trade for watching ads. Many others, including NordVPN and HideMyAss!, promise features that traditional VPNs just don’t have, such as better anonymity. Anonymity used to be considered a feature  only for privacy zealots, but it’s being increasingly adopted by more companies as the instances of prying corporate and government interests intensifies. Google reported more than 83,000 legal requests in the first six months of 2017 alone.

VPN anonymity can be accomplished in a number of ways, including blocking the user’s true IP address and metadata information, randomizing the IP address used, and not logging any user’s identifiable information, so that even if the VPN provider gets a legal search warrant they don’t have anything that would be useful to law enforcement or governments.

Any user seeking anonymity should be forewarned, however, that perfect anonymity is almost impossible to get, as many past lawbreakers have belatedly learned. Authorities have often summoned VPN vendors' connection records, and even if the VPN product doesn’t have anything to do with revealing a user’s identity, the user’s other software and configuration settings may leak identifying information. Don’t expect any VPN to keep your identify hidden, no matter what the marketing hype may promise.

Whether it’s privacy or security concerns driving the VPN market, users are flocking to VPNs like never before. NordVPN CMO, Marty P. Kamden, says, “We definitely see a huge demand from the market for internet privacy and security. Due to new regulations, surveillance, and a rise in hacking attacks, more and more users sign up for VPNs. We have seen our users triple both in the US and the UK in the past year.”

Are mobile VPNs secure?

The biggest common factor in these growing mobile VPN solutions is that instead of connecting to a centralized VPN concentrator, the participating clients often connect to the VPN vendor’s cloud resources, and from there, eventually to your company’s network. Many vendors brag of hundreds and hundreds of globally distributed servers with hundreds of thousands of different IP addresses.

This is one of the major points to consider. Will your company’s risk acceptance allow your end-users to connect and rely upon someone else’s equipment and network to ensure data integrity and security? In today’s cloud world, this question may not be as hard to answer as it once was, but if you work with a new, distributed mobile VPN, you’ll want to do your due diligence research and make sure that the mobile VPN vendor isn’t one of the many that were found to be over promising or delivering no security at all. More on that later below. 

Fee-based mobile VPNs

Many of the newer mobile VPN solutions are sold on a monthly per-user fee, such as VyperVPN and SaferVPN. Prices often range from less than $1 per month per user to a few dollars per month per user, although many require an annual subscription fee up front.

VyperVPN actively promotes its ability to defeat anti-VPN blocking technologies, such as might be used in China, using a proprietary technique called Chameleon. Golden Frog President Sunday Yokubaitis says this about VyperVPN’s technology, “Chameleon scrambles OpenVPN packet metadata to ensure it’s not recognizable via deep packet inspection (DPI), while still keeping it fast and lightweight. The Chameleon technology uses the unmodified OpenVPN 256-bit protocol for the underlying data encryption. The result is that VyprVPN users are able to bypass the Great Firewall of China to achieve an open internet experience without sacrificing the proven security for which OpenVPN has long been known. Our Chinese customers can consistently experience a truly open and uncensored internet with Chameleon VPN.” VyperVPN also touts that it manages 100 percent of its equipment and doesn’t use third parties, unlike most of its competitors. In theory, this should allow VyperVPN to better control and manage its assets.

SaferVPN touts another rock solid VPN network, including ensuring that anytime you are on an insecure WiFi link that SaferVPN automatically kicks in. They offer 24x7 tech support, which not all vendors offer. They support multiple protocols, legacy and newer, even though one VPN protocol is preferred over the others.

SaferVPN recommends that customers use OpenVPN (an open source darling) if they can, stating “OpenVPN is our recommended protocol and the one our service connects with automatically. This is because it offers the highest performance for maximum security and speed. We do, however, believe in giving our customers freedom and flexibility in choice, so we also allow them to manually select among OpenVPN, L2TP over IPSec, PPTP and IKeV2 protocols.”

In general, many of the per-user fee-based VPNs tout their global presence, online privacy, performance, platform support, and ease-of-use. Most allow a single user to connect multiple devices within the same license, usually up four to six devices. Make sure to inquire how many devices can connect and how they are tracked to a single user license. Some will allow you to share your license with other users, up to the maximum limit, while others are specifically tracked to a single user.

Free mobile VPNs

The most popular free mobile VPN is probably OpenVPN. As discussed above, OpenVPN is GNU general public-licensed opensource and well liked for its performance and security. It uses OpenSSL, TLS, and HTTPS, along with an additional custom protocol for its VPN capabilities. It can be run on Windows, Mac, Android and even some WiFi routers.

The free VPN apps like Hotspot Shield and TunnelBear typically support themselves by delivering ads with the service or limit you to certain data maxes. Hotspot Shield claims over 500 million users, the vast majority of which use the ad supported version. If Hotspot Shield users want to get rid of the ads, they can opt over to commercial versions. There used to be more ad-supported VPN products in the past, but they appear to be dwindling as time goes on. TunnelBear is free up to a max of 500MB of protected data per month, and requires a fee of $4.99 to $9.99 per month to handle more than that. For reasons I don’t understand, the commercial versions of many free VPN products cost significantly more than completely user fee-based models.

Mobile VPNs and BYOD

Non-enterprise class mobile VPNs are definitely playing a bigger role in the enterprise. Most of the mobile VPN choices covered here list dozens of corporate clients. Many companies find them the answer in places where they can’t, or don’t want to, purchase and manage expensive VPN concentrators.

In the days where “bring-your-own device” (BYOD) policies often rule the corporate space, many security administrators require that users connecting to the corporate LANs have a VPN, but don’t require particular VPNs. Other companies advertise a list of acceptable VPNs, so that employees must choose one of the pre-vetted choices.

Employees interested in their own privacy and security often install always-on mobile VPNs, so even if the corporation isn’t intentionally requiring one, they are interacting with one. This is important because most mobile VPNs don’t differentiate between corporate and non-corporate networks, even though the same protections apply. A trusted employee connecting to your network using a mobile VPN is going to be as masked as a malicious intruder doing the same. At the very least, the originating IP address and other metadata information cannot be relied upon, for authentication or tracking purposes.

How to select a mobile VPN

At the same time, non-enterprise-class VPNs can have traits and issues that are entirely the reasons why they aren’t considered “enterprise-class.” At the very least, companies need to consider how to treat a VPN that they don’t completely control. Are they comfortable with another company controlling the VPN experience from their employee to their location? Some mobile VPNs might not be providing any security at all, or even worse, may be intentionally, silently, intercepting a user’s data.

In fact, according to a whitepaper by University of California Berkeley, which focused on 283 Android-based mobile VPNs, the protection and security was often non-existent. Seventy-five percent of them used third-party tracking libraries, 38 percent contained malware, 18 percent actually did not encrypt the traffic they claimed to protect. If nothing else, this points out that all users of mobile VPN services need to use a trusted vendor and verify their claims. It’s not enough to read an online guarantee and believe the claims.

Other things to consider include:

  • Does the mobile VPN solution scale enough to meet your enterprise transaction levels?
  • Does the mobile VPN vendor offer an enterprise management tool or console? Do you need one?
  • How does mobile VPN usage impact your existing security monitoring and tracking?
  • What platforms do they support? What protocols (e.g., OpenVPN, L2TP, IPSEC, SSTP, or PPTP)?
  • Do they offer the authentication choices you need, such as multi-factor?
  • Is an ad-supported solution acceptable?
  • Do they offer the granular configuration complexity you need?
  • What is their tech support policy?

Enterprise-class mobile VPNs have all these answers in spades. They have been well tested for a long time to provide the authentication and encryption security they claim to provide. This is not the case with many of the newer mobile VPN options.

Is a mobile VPN right for you?

All enterprise mobile administrators should be aware of the growing class of non-enterprise mobile VPNs, and what it means for their environment, either by choice or force. Mobile VPNs offer a great opportunity to protect information and privacy. How does one fit into your environment?

More VPN articles