Earlier this year, VPN technology celebrated its 25th anniversary and revenue projections suggests the industry is on the up and up, in part thanks to healthy competition between rival services and protocols.
However, despite the longevity of VPN and the meteoric rise of consumer services in recent years, there are those that believe VPN is on its way out, set to be displaced by technologies such as SASE.
TechRadar Pro spoke to Vykintas Maknickas, Product Strategist at Nord Security, the company behind NordVPN, to hear his thoughts on the VPN protocols available today, challenger technologies and where the industry is headed next.
WireGuard has emerged as the leading alternative to OpenVPN. A number of providers – including NordVPN – have chosen to develop their own proprietary technologies. But why?
First of all, WireGuard is a great protocol; we are amazed by its high speed and low resource consumption as well as overwhelmed by the possibilities to build on top of it. That being said, the protocol itself is not enough to provide consumer VPN service. What works for one particular VPN setup doesn’t work for a few million users in real-time using NordVPN infrastructure every day.
Historically, VPN protocols were built for secure access to some internal infrastructure, and in this sense, we use these protocols for not the intended purposes. We aim to ensure the privacy and security of our users’ information by being the layer between the user and the internet – and do it without losing the internet speed. This requires changes. But at the same time, we contribute to open source protocol development as well.
Doomsayers predict the end of printers, email and VPN. SASE is pegged as the leading candidate to replace VPN. What’s your take?
The majority of the people who used business VPNs back in the day might say that VPN as a technology should be sunsetted – and I agree with them. Corporate VPNs, where all of your traffic flows through the physical appliance in your office in order for you to get access to some Word documents on the SMB server, is how we did things when there was no better way. But the VPN technology is not about the round trip your traffic needs to take, nor is it about some clunky app where you need to configure some ports and upload some XML files for your connection to work.
VPN is about connecting safely, meaning that your traffic is encrypted on your device and flows through the internet securely. The clunkiness is solved. Also, you don’t need to compromise your internet speed while being on a VPN.
So, the VPN technology isn’t going anywhere. But the bad user experience for corporate network access is drawing closer to an end, and that is from where the doomsayers get their ideas.
One thing to add is the historical context of how network access technology evolved.
First, there were only local networks until companies required access from outside the office. Then, VPNs emerged as a possibility to securely access resources from outside the office. The downside from a user perspective was that you shouldn’t have to send all your traffic through the office in order to access some documents. So it was inefficient. From an administrator’s perspective, there was a lack of control on who can access what. So it wasn’t very secure either. And that’s how the zero-trust network access (ZTNA) concept emerged.
Another thing to keep in mind is that VPN is a term to define technology, while ZTNA or SASE are concepts that can use various technologies, including VPN.
VPN (or more precisely PPTP) turned 25 in March and Microsoft didn’t actually patent it! How different would the world be without VPN?
Since people actually needed the technology, I believe it would be created either way in some form or another. One could say the same thing about most early problem-centric tech. Even if they would have patented it, I believe we would see an equivalent unpatented technology emerge. It’s like you can patent some new kind of door lock that would be used by your household only. But other households will sooner or later figure out the way to lock their home without infringing the patent if necessary.
What does the future of VPNs look like?
I believe this question is two-sided. One side of it is about the consumer VPN market and where it’s going; another is about the technology itself and what’s next for it.
The market itself isn’t and never was solely about the technology (VPN), but rather about consumer security in general. Suppose you look into Google Trends data and compare two keywords – VPN and antivirus – over a long period of time. You’ll see that VPN is attracting more and more attention over time, while interest in antivirus is fading. And here, history is important.
In the early days of operating systems, they were very open, meaning that you could access way more OS internals or files with fewer permissions. Like with many open platforms in the early days, some people exploited the openness. The same happened with Google and its ranking algorithm in the early days, same with Facebook and its user data access over API, same happening now with trendy startups like Clubhouse.
So one way of handling the abuse on early operating systems was to restrict everything. A good example of such an approach is iOS, of course, which learned from early Windows mistakes. Another way of handling it is hoping that the market will fill the gap for anti-abuse software while you gradually migrate to a model with more restrictions. This model for OS developers looks quite attractive but narrows the market for anti-abuse software over time. That’s what happened to the antivirus market, and that’s where I believe it’s headed.
Consumer VPNs are in a bit of a different ecosystem. Their primary purpose is to fix internet shortcomings, not the OS itself. Shortcomings such as providing each site owner with your unique identifier (IP address). Or encryption of traffic in transit. So most of our attempts at Nord Security are about finding what else we believe is broken on the internet and trying to fix it. Be it passwords and their leaks with NordPass or an upcoming Threat Protection feature on NordVPN that filters your internet traffic from downloading malicious stuff.
So returning to the market side of the question – my answer is that VPNs will look for more internet shortcomings and try to fix them, one way or another.
This conclusion hints into possible technology evolution steps as well. In order to guess where VPN technology is going, we need to answer what internet use cases it doesn’t cover currently. As per my understanding and as mentioned in the question, one of them is connecting peer-to-peer devices.
Last month, VPN Mentor, the largest independent VPN publisher, was acquired by Kape. What are your thoughts about it?
I’m a firm believer in editorial independence in the sense that, in the long run, I think people will choose to read journalists who express their true beliefs. People will read journalists who write in a way that would best inform their audience.
In this way, there are only two possible outcomes of this acquisition, and both are positive for the industry and humanity itself.
Following the case of Encrochat last year, would you say that privacy is essentially a myth? i.e. if someone wants to hack you, it’s just a matter of how much resources they want to put into it
To be completely fair, that is how the economy of cybercrime works. Criminals will seek the biggest possible upside for themselves and attack the most vulnerable companies or individuals before those with a low upside or fewer vulnerabilities. And it seems to be quite effective – the less an industry spends on cybersecurity, the more hackers focus on it.
So the question is, how many resources does one need? While we don’t have exact figures, we aim to increase the number of resources one needs to hack an individual to the same amount that’s required to hack an average business. Our thinking is that if consumers have access to the same cybersecurity technology that companies have, the costs of hacking an individual will outweigh its benefits.