The Internet has facilitated a great number of recreational, educational, and business-related opportunities. But as the Internet continues to progress in these areas, it also creates a level of dependency and additional security concerns. Remote access via a Virtual Private Network (VPN) has been a significant innovation in securing how we use the Internet. Remote access has allowed many professionals in various fields to remain both productive and mobile while not physically inside the brick-and-mortar office. As with anything, change is inevitable, and changes with VPNs can be seen in the evolution and optimization of new and existing technology to better secure teleworking situations and keep users productive. We will look at how VPNs have progressed and what additional options exist for secure remote access.
A VPN is a connection across a shared infrastructure, namely the Internet. Traditionally, remote workers manually established a connection back to a corporate network via a VPN gateway to access corporate applications and resources. This connection leveraged a “tunneling” technology using encryption (IPsec, L2TP, SSL, etc.) to encapsulate all or part of the user's Internet and corporate network communications, so that the traffic benefits from the perimeter network security stack. VPN gateways are predominantly located in the company's primary data center, or in the data center closest to the user. Engineers and architects can proactively plan the growth of the VPN infrastructure to accommodate normal usage. If you suddenly have a large influx of new VPN users due to local or regional events, natural disasters, an epidemic, or (dare we say) a pandemic, the traditional VPN can exceed its limits very quickly. The VPN gateway also has several additional disadvantages to consider: it may not have adequate throughput capacity, licensing may be exceeded, or even the bandwidth to the Internet Service Provider (ISP) may become saturated. None of these challenges has a simple or quick resolution; they often require additional hardware to be purchased, shipped, installed, and configured before it can be used.
While traditional VPNs remain the remote access VPN of choice in nearly every enterprise organization, organizations should consider Mobile VPN technologies when they require connectivity for corporate assets. Traditional VPNs provide simple network connectivity with some minor features depending on the vendor. Mobile VPNs, by contrast, provide the same level of encryption with the added benefit of the following areas:
- Application Session Persistence
- Packet Loss Recovery
- Link Optimization and Automatic Failover
- Application Optimization
- Enterprise-level Quality of Service
- Granular Visibility and Control of all Tunnel Communications
- Enforcement occurring at the endpoint
- Ideal for high-latency, low bandwidth, and unstable connections
- Granular Split-Tunneling
- Hot Spot Connectivity Accommodations
A cloud-based alternative to traditional VPNs is being considered and implemented by many organizations. Instead of using a client tunneling system, cloud-based solutions provide a Virtual Desktop Infrastructure (VDI) or Desktop-as-a-Service (DaaS). This changes the approach on the client side, the applications, and the infrastructure, but still allows for a bring-your-own-device (BYOD) option. However, cloud connectivity isn’t the panacea for all problems (services, access, security, etc.) and shouldn’t be used primarily as a reactive measure. Cloud-based solutions present new challenges to overcome, secure, learn, and support, especially if the applications that remote users are connecting to don’t reside in that same cloud. In addition to these new challenges, the connectivity of peripherals can also be a constraint. However, from a security perspective, VDI may be one of the better approaches because it allows the data to remain within the protected corporate environment.
The introduction of SaaS (Software-as-a-Service) has brought a whole new technique for providing application access via the cloud, to name just one of its many strengths. While this is a whole new discussion beyond our topic of secure remote access, it does drastically change the methods and requirements organizations need to implement to leverage and secure its use. Connectivity is secured via SSL, but in most cases it’s seamless via the browser, and it can often be accessed from almost anywhere on any device, including various form factors. This is one example of the eroding perimeter (edge) and of why organizations must ensure security sits nearest to the data, which is a foundational principle within Identity and Data Security.
Similar to SaaS, enterprise web-based VPN solutions are emerging that allow the use of any security-approved device to access applications within the corporate private data center(s). This method even allows partners, third parties, and contractors to access systems without the client application (Client VPN) requirements and networking complexities otherwise needed to provide application access. This can be considered a “Clientless” VPN solution, allowing users direct access on an application-by-application basis. This negates the need to build bandwidth-restricting tunnels to every remote user needing access. While some privileged access solutions offer similar capabilities in “jump box” solutions, this method can also be leveraged for a much larger teleworker population.
While many organizations are still providing their teleworkers with an operating system “Desktop Environment”, like those provided via the corporate laptop, VDI, DaaS, etc., we all should consider the value of this moving forward. Given that most applications have gone web-based or the public cloud (SaaS) route, and given the proliferation of ubiquitous form factors and computers along with BYOD, how necessary is the desktop environment?
Some teleworkers still insist on using this, but can they perform their duties with just as secure access to corporate cloud-accessible applications? Adopting a desktop environment approach will provide the end-users with access to the information and data they need to perform their job and reduce, or eliminate, the need to maintain an expensive VDI infrastructure.
To address the infrastructure and application evolution with modern security approaches, Gartner recently created a new enterprise category called SASE (Secure Access Service Edge). While the term is relatively new (coined in late 2019), many of the components are not. SASE provides an integrated cybersecurity architecture that should be leveraged as the perimeter continues to erode, especially for teleworkers. SASE can include, but is not limited to, the following technologies:
- Cloud VPN
- SD-WAN (Software-defined Wide Area Network)
- Cloud SWG (Secure Web Gateway)
- ZTNA (Zero Trust Network Access)
- CASB (Cloud Access Security Broker)
- FWaaS (Firewall as a Service)
- NWaaS (Network as a Service)
When reevaluating teleworkers' secure connectivity to corporate resources, we would highly recommend a more in-depth discussion around SASE. These solutions allow users to easily and automatically establish secure tunnels to nearby points of presence (POPs) in the cloud that backhaul, route, and seamlessly secure Internet and corporate communications. What makes SASE even more attractive is that network security, cloud security, and user security can all be consolidated and managed under one umbrella.
With so many secure connectivity solutions, how do you choose the right fit for your organization moving forward? Think about where your applications reside (private data center, SaaS, public cloud), how they are accessed (from the Internet or via VPN), by whom they are accessed (identity), from which devices (corporate-owned, BYOD, form factors), from what locations (remote offices, hotspots, Work From Home (WFH)), and over what networks (stable/unstable, dedicated/shared, wired, wireless, 5G). Is elasticity going to be necessary for anticipated or unexpected growth? How is the solution licensed (concurrent, device, or user)?
If you’re interested in having a more detailed discussion on your teleworking and secure connectivity strategy, contact us today to schedule a call focused on your business requirements.