S 2.420 Selecting a trusted VPN service provider
Initiation responsibility: Top Management
Implementation responsibility: IT Security Officer, Top Management
The stand-alone operation of a VPN often requires a high level of expert knowledge on the part of the administrator responsible. In addition to the VPN-specific settings, it is also necessary to take into consideration additional cryptographic aspects and to optimise the connection to public networks. Once the best possible settings have been selected, it is possible to protect the confidentiality and integrity of the data, but the settings cannot affect the availability. Failures in the public network the VPN gateway is connected to may still interrupt the flow of data between the locations connected using the VPN.
An alternative to separately administrated "secure VPNs" is the "trusted VPN". In a trusted VPN, an external service provider is contracted to ensure secure transmission of the information. The service provider can be obligated by contractual agreements to protect the confidentiality, integrity, and availability of the information transmitted.
In the case of trusted VPNs, the information is generally transmitted using the dedicated lines of the provider (carrier network) instead of using a public network like the internet. Since the carrier network is under the control of the service provider, the provider is able to guarantee the protection of the information to a certain degree.
From the point of view of the customer, the service provider supplies devices that are then connected to the LANs the customer wants to connect. Since the data transported by the service provider is not encrypted in many cases and the external service provider is responsible for all support, trusted VPNs should only be used for data requiring little protection unless the customer implements additional security mechanisms. Even in this case, though, it is still highly recommended for the customer to encrypt the data. Data with higher protection requirements must be encrypted before it is transmitted.
One major disadvantage of using trusted VPNs is the resulting high dependency on the service provider. Switching to another service provider often entails great time and expense.
A major advantage of trusted VPNs is that the corresponding service provider often has an international presence. In the international environment in particular, organisations are often only able to provide a limited number of qualified personnel and processes at every location for the operation of their own VPN.
When selecting a trusted VPN service provider and during the subsequent contract negotiations, the aspects described in S 2.252 Choice of a suitable outsourcing service provider and S 2.253 Contractual arrangements with the outsourcing service provider must be taken into account. The following aspects also need to be taken into account for the operation of a trusted VPN:
- Service level agreement
Due to the high cost, it is not economical to select the product with the highest possible level of quality that is offered by a service provider. Instead, it is necessary to decide in advance which level of quality is needed. This must be negotiated and documented in service level agreements (SLAs). SLAs contain a measurable description of the service to be provided, including the required level of quality and the measurement parameters to be used for this purpose. Furthermore, it is necessary to agree on the consequences of violations of the negotiated SLA by the service provider and how such violations will be reported.
- Global connectivity
In many cases, VPNs are not only used to connect different locations, but also to integrate mobile employees into the LAN. If mobile employees will be allowed to connect using a trusted VPN, the service provider must offer connection points to which these employees can establish connections using one of the following solutions:
  - Data connections using public networks
  In this case, a data connection is established using a public network like the internet. Since the transmission quality of data connections via public networks cannot be influenced, incidents may occur under some circumstances. For example, terminal server applications often require a high bandwidth, and it may not be possible to provide this bandwidth everywhere.
  - Dial-up connections
  Using a dial-up connection, a mobile employee can dial directly into the access point of the service provider using a telephone connection, for example using a mobile communication network. This may lead to problems, particularly for mobile employees who often work in foreign countries, when a telephone connection needs to be established over a long distance. For this reason, if this solution is selected, it should be ensured that the service provider offers a variety of connection points.
- Coverage
VPNs are often used to connect several locations with each other. In contrast to the connections used by mobile employees, the connections between the various sites and properties usually have a much higher bandwidth so that more information can be transmitted. Instead of using dial-in connections provided by a third party, the sites are connected to the trusted VPN using dedicated lines as a general rule. It is especially important for companies operating globally to be able to connect locations in foreign countries. It is therefore necessary to clarify whether the provider can and may provide suitable connections to this end.
- Tariff structures
The financial framework is also important in addition to the technical requirements. Service providers have cost models for the bandwidth provided, but they often offer additional support services or a certain guarantee, for example of high availability, at additional cost.
- Monitoring (reports)
In general, service providers guarantee the customers a certain quality in terms of availability, confidentiality, and integrity. A high-performance monitoring system forms the foundation for monitoring the requirements specified in the SLAs. The customer must be allowed to verify compliance with the specified requirements.
- Incident handling
The customer must know whom to turn to in case of an incident. Examples of incidents include transmission problems in the network of the service provider and defects in the gateways used to connect the LAN and the network of the service provider.
All services agreed to must be specified as clearly and concisely as possible in writing. The security of the trusted VPN must be checked regularly so that it remains a trusted network. The client of the service provider must possess the rights needed to monitor the services. The service provider should be informed of the results of the examinations performed by independent third parties. All organisations that perform examinations of the service provider (e.g. supervisory agencies) also need to be granted rights for the corresponding monitoring capabilities by the VPN service provider (for example the corresponding site access rights, rights to view the data, etc.).
Review questions:
- Are all agreements with trusted VPN service providers documented in writing?
- Is the security of trusted VPNs checked regularly?