If you’ve tried looking for a connectivity solution for your IoT M2M, you’ve likely come across terms like APN and VPN, seemingly with vague and overlapping definitions. Network providers like to throw these words around, touting their high levels of security for your IoT devices.

The truth is that no network is ever 100% secure, especially when your network is accessible through hundreds or thousands of devices. Keeping an IoT network secure is a complicated task, just as sourcing a secure network is a complicated process.

In this article, we’ll break down the differences between APN and VPN connections, the importance of encryption keys, and the varying levels of security throughout IoT.

Understanding what these terms really mean and what the tradeoffs are between security and performance will help you make the best decision possible when choosing your IoT connectivity provider.

APN is short for Access Point Name, and it’s one of the most basic ways to connect a device to the internet. In fact, if you have an Android phone, you may have even come across your APN settings before. An APN essentially tells a device which network to connect to, acting as a gateway of sorts. For example, if you have Verizon as your smartphone carrier, your APN is what facilitates the connection between your phone and Verizon’s network.

In the realm of IoT, APNs work much the same way. They tell your IoT devices which network to connect to and which channel on that network to stay on. The benefit of APNs is that they reduce the number of entry points to your devices since they can only connect to the specifically named network. Even so, they are not much more secure than any other kind of connectivity.

Because username/password combinations are no longer required when connecting to cellular networks, APNs are essentially just network naming tools.

Most networks that have their users connect via APN follow very similar GSM standards, so there is little variation among the available options. The only difference between networks that use APNs is the credentials and the SIM installed on a device, which are what grant it access to a particular network.

A graphic of a device presenting an APN 1 box to an antenna, with APN 1, APN 2 and APN 3 boxes on the other side of the antenna.

1. The device communicates the APN it wishes to access.

A graphic of a device pointing to an antenna, with a line from APN 1 leading to the APN 1 box instead of to the APN 2 or APN 3 boxes.

2. The network checks its records for the device's credentials before granting access.

VPN connections.

You’re probably more familiar with VPN connections since they are becoming more popular among individuals and businesses alike.

Broadly speaking, a VPN — short for Virtual Private Network — is any network within a larger network (in our case, the internet) that is separated from the rest of the network by encryption keysets. The reason for using a VPN instead of a standard internet connection is the implementation of these encryption keys and the extra security they provide.

How secure are VPN connections?

VPN services are generally touted as being one of the most secure solutions on the market, and, granted, they are more secure than a standard unencrypted connection. However, not all VPN connections are created equal, and they are not a complete security solution on their own.

How secure a VPN is will depend primarily on how the encryption keysets are implemented. Keep in mind that the heavier the encryption a particular VPN applies, the more processing power and time each request will take. So it isn't just about having the highest level of encryption possible but about balancing your security needs with your processing and speed needs.

How an encryption key works.

An encryption key is a tool used to strategically scramble your data in such a way that only specific parties can understand it. You start off with plain, unencrypted data (A-B-C) and combine it with an encryption key (2–4–1), leaving you with secure encrypted data (C-F-D). The only people who can read the encrypted data are those with the encryption key.

A graphic of a device pointing a key to a computer

1. The encryption key is sent to its destination.

A graphic of a computer pointing a key to a device

2. The destination uses that key to encrypt its own key and sends it back.

A graphic of a device and computer connected by a line with a padlock on it

3. The destination's key is decrypted using the first party's private key, and a secure connection is established.

When is the data encrypted?

In end-to-end encryption, your data is encrypted on your device, and the data is then sent to its destination with the encryption key, where it is then decrypted. This requires your device to do all of the encryption work as well as send larger packets of data at the same time.

A graphic of a device pointing a key over a server to a computer, and a computer pointing a key over a server to a device

End-to-end encryption: keys are exchanged between both parties.

Client-to-server encryption is how most VPN services work. The data is sent unencrypted from the client device to the VPN, which then encrypts it before sending the data to the destination. This offloads the encryption work from the device and breaks up the path between the device and destination. However, the data is also briefly accessible on the VPN server before being encrypted, meaning that your VPN provider has the chance to log the data that you send to them before they encrypt it.

A graphic of a device with a locked line to a server and a second locked line from the server to a computer

The server provides a service that encrypts the data before it leaves its network.

Keeping your encryption keys secure.

An encryption key on its own does not guarantee total security. There are different ways to implement an encryption key, each with their own tradeoffs.

The least secure way to use an encryption key is to have one shared key between all of your devices on a single network. While this makes it easy to keep your data encrypted, it’s a little like having the same password for all of your accounts — once a person has cracked one entry point, they have the keys to the entire house.

A graphic with an arrow pointing a key to three different devices.

One encryption key is shared between all devices.

While this isn’t such a big deal on your home computer, when using IoT devices that are potentially going to be deployed at scale in the real world, it can pose a serious threat to your IoT operation’s security. Imagine an IoT autonomous car fleet that only used one encryption code. It wouldn’t take too long before a hacker had control of hundreds of vehicles throughout multiple cities — definitely not good for business.

The next step up in security involves having a unique encryption key for every device. While it requires a little more work, this ensures that even if someone is able to crack into one of your devices, they only have access to the one device. This means that your network of IoT devices is much harder to break into, and there is significantly less incentive for criminals to try in the first place.

A graphic of a computer with an arrow and three keys to three devices

Each device has its own key, isolating it from other devices.

The most secure way to utilize encryption keys is to change your keys for all of your devices on a regular basis. This means that every device would have a unique key, and each key would only be in use for a short amount of time, so breaking into even one device would be nearly impossible. That said, while achieving this isn’t impossible, it’s a very slow and intensive process, and generally isn’t attempted with continuously connected systems like IoT.
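To make the three key-management models above concrete, and to reuse the letter-shift illustration from the encryption key section, here is an added Python example that is not part of the original article. The HMAC-SHA256 key derivation, the fleet master secret, the car names and the epochs are assumptions constructed for the demo; it counts how many messages an attacker can read after extracting one device's key under each model.

```python
import hmac
import hashlib

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
# Constructed master secret for the demo; a real fleet keeps this in an HSM or KMS.
MASTER_SECRET = b"demo-fleet-master-secret"


def shift_encrypt(plaintext, key):
    """The article's toy scheme: shift each letter by the matching key digit,
    so A-B-C with key 2-4-1 becomes C-F-D. Illustration only, not a real cipher."""
    return "".join(ALPHABET[(ALPHABET.index(c) + key[i % len(key)]) % 26]
                   for i, c in enumerate(plaintext))


def shift_decrypt(ciphertext, key):
    """Undo shift_encrypt by applying the negated key."""
    return shift_encrypt(ciphertext, [-k for k in key])


def derive_key(master, label, epoch):
    """Per-label, per-epoch key via HMAC-SHA256 (assumed KDF, not from the article).
    Learning one derived key reveals nothing about other labels or other epochs."""
    mac = hmac.new(master, f"{label}|{epoch}".encode(), hashlib.sha256).digest()
    return [b % 26 for b in mac]


def fleet_keys(model, devices, epochs):
    """Key each (device, epoch) pair holds under one of the article's three models."""
    keys = {}
    for d in devices:
        for e in epochs:
            if model == "shared":          # one key for the whole fleet, never changed
                keys[(d, e)] = derive_key(MASTER_SECRET, "fleet", 0)
            elif model == "per_device":    # unique key per device, never changed
                keys[(d, e)] = derive_key(MASTER_SECRET, d, 0)
            elif model == "rotating":      # unique key per device, changed every epoch
                keys[(d, e)] = derive_key(MASTER_SECRET, d, e)
            else:
                raise ValueError(f"unknown model {model!r}")
    return keys


def exposure_after_compromise(model, devices, epochs, stolen_from, at_epoch):
    """How many (device, epoch) messages become readable once an attacker
    extracts the key that `stolen_from` held during `at_epoch`."""
    keys = fleet_keys(model, devices, epochs)
    stolen = keys[(stolen_from, at_epoch)]
    return sum(1 for k in keys.values() if k == stolen)
```

With three cars and three epochs, compromising one car's key at one epoch exposes all nine messages under the shared model, three under per-device keys, and one under rotating keys, which is the blast-radius argument the article makes in prose.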

Choosing the best connection for your IoT security.

The best connectivity option for your IoT project will be one that isolates each of your devices from one another and the network. Otherwise, you risk losing the entire proverbial fleet over one ship.

One solution is choosing a network that will give each device a unique encryption key. While a changing encryption key solution is more secure, the power and time investment that it requires is difficult to manage with an IoT network. The issue with each device having its own encryption key, however, is that the sensitive information is being stored on a device that could be out in the world, making it vulnerable. Not to mention that every device in the IoT fleet would have this vulnerability. Another solution that solves this issue is to choose a provider that has complete control over their network. This way, the provider would know each of their SIMs independently rather than relying on encryption keys that could be retrieved.

The trouble with finding the right connectivity provider for your project is in being able to get past the marketing hype and buzzwords of the IoT industry, and you do this by asking the right questions. “Does a VPN offer end-to-end encryption?”; “How are encryption keys created and shared among devices?”; “How frequently do the encryption keys change?”

The more you learn about IoT and how devices securely connect with one another, the easier it will be to sift through the options available to you. While “APN”, “VPN”, and “encryption keysets” are vaguely thrown around throughout the industry, understanding what they mean and being able to cut to the point with providers will help you secure the best connectivity solution for your IoT project.

Get in touch today to find out more about how to think differently about your IoT security through your choice of connectivity.