VPNs: Go Virtual Young Man, Go Virtual

Exploring new frontiers is often risky. Imagine believing the world is flat and attempting to sail around it anyway. Virtual private networks (VPNs) were once part of this category of the unknown. But, over time and with exploration, it became clear that VPNs make sense for security. Although they use a shared public infrastructure like the Internet, they maintain its privacy with tunneling protocols that encrypt and decrypt the data at the sending and receiving ends.

VPNs also scale and allow relatively low-cost international connections. Some claim that there are no security concerns with VPNs, but we know better. CSO recently spoke with Bently Au, manager of information security for Toyota Motor Sales USA, which has implemented VPNs to connect dealerships with the corporate mother ship. CSO: How did you talk with the dealerships prior to using VPNs to connect them with Toyota USA?Bently Au: We used dial-up and satellite connectivity. The dial-up network that we had in place was 192Kbps. New Web-based apps required 128Kbps minimum, so we had to make a switch. We looked at frame relay as well. Did you find VPN technology to be cost-effective?That’s tough to measure. Dealers are paying for their own connections, so for them the cost is higher, but they are happy with what they got.Did your parts suppliers have to make the VPN transition as well?Our suppliers are still on frame relay. They’re waiting until the availability is a little higher on the VPN. On frame relay availability is 99.9 percent, but it’s 98 percent on the VPN. Our suppliers have some server-to-server [communications] that are time-critical and have to get out immediately; they have a bit of a different requirement.Did you have security concerns with moving to a VPN?We weighed the security options. We realized that any way we went about installing the VPN we could secure it; it was just a matter of cost. Frame relay might be more secure, but it’s also more expensive. The VPN that we chose has an integrated firewall because an open Internet solution would require us to do more SSL [secure sockets layer] encryption to make it secure.

We’ll handle any security concerns that we have through education. [You can’t] address security through a mandate. It behooves CSOs to do due diligence; lay down some security policies, and educate users as to what your expectations are. This is critical for any business connecting via a VPN.

In our case, most dealerships aren’t savvy about security, and they’re even less savvy about privacy. So, we’re refining dealer agreements now and putting an education network in place.What problems or concerns have you encountered with VPNs that you would encourage other CSOs to look for?The problem we still have is figuring out whether or not we need to go beyond VPN for encryption. We currently use SSL to encrypt users’ passwords when they log on, but we’re wondering if that’s enough.

Security at the connecting dealerships is another concern. They’re a VPN endpoint for us, and there’s a certain amount of trust inherent in that endpoint.

CSOs should expect VPN implementation to take longer than they might think. Getting the LAN [local area network] infrastructure together at all of our dealerships took some time18 months from beginning to end. We thought it’d be closer to 12 months.