Who’s NGI: Tangui Coulouarn and D4S, the cloak of invisibility

NGI’s D4S project is helping students adopt safe access to research through a VPN so secure it’s been called ‘Harry Potter’s cloak of invisibility’ by the students helping to shape it.

Due to COVID-19 containment, people throughout the world are unable to go into the office or go to school but they need remote, secure access to internal applications and files, made possible through a Virtual Private Network (VPN). NGI-funded VPN solutions Let’s Connect! (for organisations) and EduVPN (for academics and researchers) have a strong focus on security and cryptography thanks to another NGI-funded project, D4S. Tangui Coulouarn explains more.

 

How has the ongoing response to Coronavirus affected your project?

In recent weeks, as an increasing number of people work from home, the projects I’m working on, eduVPN and Let’s Connect!, get more and more attention. People in charge of IT at companies and diverse organisations realise that there are very few totally free open-source VPN solutions that have been audited, are easy to use and scale, and that their remote users must be protected.

What is your experience of Internet Security?

The need for security is not always perceived by end-users. I have been engaged in the development of IT services for the research and education community. Our experience over the years reveals a security paradox: even though users are aware of risks, they don’t necessarily use the right solutions. The D4S project, which received the support of NGI Trust, has given us the opportunity to explore this paradox and work on solutions.

What is innovative about the D4S solution?

VPNs allow remote access to applications and data. EduVPN (for the research and education community) and its sister software suite Let’s Connect! (for everyone) have been around for almost five years. The project started at SURFnet, the Dutch National Research and Education Network. The goal is to enhance the security and privacy of end-users online – very much in line with the goals of NGI, by giving them the possibility to easily encrypt their traffic to known and trusted points, thanks to VPNs.

Very quickly the idea developed that the same apps could provide access to two kinds of VPNs: VPNs to secure traffic to a known trusted access point to the Internet (“Secure Internet”) and VPNs to access private resources, for example the Intranet of universities (“Institute Access”). The project grew to become an international platform where multiple VPN providers (NRENs, research institutions, etc.) use the same apps. Moreover, the VPN providers offering Secure Internet, even though they are distinct, independent organisations, offer guest access to their VPNs. This means that if a user is allowed by a VPN provider to use a Secure Internet point, then this user will also be allowed to use all other Secure Internet points. This solution is unique.

We regularly get the same questions. Very often, we have to explain how seemingly opposite characteristics are actually both present in eduVPN. For example, people sometimes ask us about the need to authenticate and how it relates to the trust model in these solutions; often we have to explain that the VPNs are actually provided by multiple actors, etc. While answering these questions we realise how crucial it is that this complexity doesn’t lead to confusion. But it is usually easy with IT people who want to offer the service.

How did NGI support your project?

Intuitively, we thought that some users were not understanding how they could use these apps or why. But we never had the chance to use time and resources on exploring these issues as this was always a bit out of scope given the way we are funded. So when we heard about the NGI Trust call, we contacted the Royal Academy of Arts – School of Design in Copenhagen and Commons Caretakers in the Netherlands to submit a project on the user experience of Let’s Connect! / eduVPN.

We were awarded the NGI Trust grant and started our collaboration with the Royal Academy of Arts, School of Design in Copenhagen and Commons Caretakers in the Netherlands by going to a segment of our target audience – students. We found out that the biggest issues users face are not necessarily solved by a VPN solution but are more generally in the field of “endpoint security”. How can they make sure their computer is safe to use, i.e. does not contain viruses, or ensure the stability of their Windows system in general? A computer containing malware requires someone to remove that malware, not to provide them with a VPN that does nothing to solve that.

At first, trying to explain that a “Secure Internet” VPN can help their online security seemed unconvincing to most, except a few “geeks” who knew VPNs already because they use them to download movies. The first conclusion of this investigation was therefore a bit unexpected and underlined the importance of educating users in how to safely use a computer, starting from the basics, i.e. making sure updates are all installed, anti-virus is enabled and up to date, and malware and other bloatware that slows their computer down are removed.

We also talked about VPN solutions to further improve their online safety – and heard funny metaphors, one student comparing VPNs with Harry Potter’s cloak of invisibility. It was much easier to understand the need for VPNs to access resources at their institute, e.g. access to research papers.

We tested our current solution during the student interviews. The most commonly heard feedback was that the user flow in the app wasn’t clear. Users tend to be confused when seeing the use case buttons in the apps. They don’t know which one to choose. This made it clear we had to remove these buttons and make it much more intuitive to use the apps. This is what we are currently implementing with the support of the NGI Trust funding.

The whole approach is rather new for us. We have long focused on the quality of the technical solution: make sure it’s secure, make sure it performs, etc. The NGI Trust gave us a rare opportunity to work with our potential users and be more “human centric”.