COLUMBIA, S.C. – When the term virtual private network (VPN) entered the lexicon of financial technology, it had a pretty specific meaning: a pipeline of data transfer through the wide-open Internet secured by SSL or other encryption methods. That definition is now expanding. For instance, there's this from Harold Randolph, director of the CUNA Network Services (CNS) Operations Center in Tempe, Ariz.: "A virtual private network is any set of technologies and practices that manage and control access to information resources residing on a public Internet domain." And his boss, John Hobko, president of the new CNS operation, expands it to this: "VPN as an acronym has become so generic, with so many different methods geared toward the client's requirements, that it's very difficult to give a specific answer," he says. In fact, at this point, just like the whole issue of data security in general, it comes down to policies and practices as much as hardware and software, says Hobko, a data-transmission security veteran brought in to head up CUNA's new electronic-networks services venture. In other words, don't put the cart before the horse. "This is where most organizations fail when it comes to VPN deployment," Hobko says. "You should deploy the technology in order to deploy the policies and practices." The methods of moving data back and forth from credit union to customer and clearinghouse (and within many credit union's far-flung operations themselves) have indeed become varied, as service bureaus now share space with the Internet and dedicated lines of numerous shapes and sizes. "There are so many different kinds of VPN deployments," Hobko says. "One traditional one is an intranet, which basically is a network enterprise that manages connectivity between branches and the main office environment. "A lot of that is done on a point-to-point basis with dedicated circuits, and it's only accessible to anyone on the LAN (local-access network), but that's really a virtual private network, even though it doesn't touch the Internet at all. A lot of companies don't think of that as a VPN, but in essence it is." Another form of VPN, Hobko says, is the remote-access VPN for traveling and remote employees, such as the loan officer sitting at a car dealership during a sale that's expected to attract CU members. Such use can either involve "tunneling techniques across the Internet using authentication techniques or not using the Internet at all." Another functionality that can be put in use is customizing the kind of access: for instance, giving board members the ability to access information not available to employees. Then there's what can be called the extranet, Hobko says, which can take the form of a "private cloud that a major organization like, say GM, might set up to allow all its major suppliers and customers to touch that network in some form. For instance, you're a bumper manufacturer. You would use that VPN to communicate with them in a secure fashion to electronically process orders." Choosing and installing that network is something all credit unions of any size have already faced or will, because of the need to be on the Internet to meet member demand, Randolph says. The CNS Operations Center director adds: "Setup of VPN's can be as complex as selecting and deploying piecemeal each product and service required to satisfy requirements, or as simple as employing the services of one or two full-service VPN vendors to develop your particular solution. "Regardless, it is highly recommended that a security audit be performed on the front end before products, services and VPN vendors are selected. It is also important to look for highly scalable solutions so your VPN can grow as your member base does." From simple password schemes to public key infrastructure (PKI) and digital certificates, the security schemes have grown just as have the modes of access, which Randolph says now include such technologies as dial-up V.90, ISDN, cable modem, dedicated access, frame relay, T1, point-to-point and DSL. Regardless of the avenue of transmission, Hobko says, the "real issues are complying with NCUA data-integrity rules, as well as security, traffic control and bandwidth management, and management of the enterprise." The latter is the rub of Hobko's argument, because "the policy and integration of the VPN means that someone has to have control, to make sure that security polices and practices are in place and adhered to. "If you don't have that, then VPN doesn't mean anything." Transmitting that philosophy will be Hobko's challenge in his new role as CNS president. "Our goal is to work with credit unions to help them stay NCUA-compliant, understand the requirements, develop policies and practices, and look at the technology as a way to implement them." [email protected]