The COVID-19 pandemic accelerated the digital transformation efforts of many organizations. While the trend toward remote work has been growing steadily for years, COVID-19 made it necessary for many organizations to transition from no telework program at all to a mostly or wholly remote workforce in a matter of weeks.
During this transition, providing employees with secure enterprise remote access was a priority. However, the rush to do so meant that many organizations implemented “band-aid” solutions that cannot effectively and securely support a remote workforce for an extended period of time.
The enforced telework of the COVID-19 pandemic provided many organizations and employees with the opportunity to discover the benefits of remote work. As companies plan for extended or permanent telework programs, they need to acknowledge the limitations of their existing remote access solutions and build a secure and sustainable telework infrastructure.
The Limitations of Legacy Remote Access Solutions
Virtual private networks (VPNs) are the most well-known and widely used solution for providing remote workers with secure access to the enterprise network. VPNs work by creating an encrypted tunnel between the remote worker’s computer and a VPN endpoint on the enterprise network. All traffic flowing between these two points is encrypted, protecting it against eavesdroppers and verifying its integrity and authenticity.
The problem with VPNs is that they are designed for a very specific application, and large-scale telework is not it. VPNs have a number of limitations that place the effectiveness and security of an enterprise telework program at risk, including:
- Lack of Scalability: With VPNs, each remote user has an independent, encrypted connection to the VPN endpoint on the enterprise network. This means that VPN-based solutions scale poorly, and large-scale remote workplaces strain on on-premises infrastructure, resulting in degraded network performance. As a result, many organizations have adopted split-tunnel VPNs, which allow Internet-bound traffic to go directly to its destination without inspection, exposing remote workers’ computers to attack.
- No Integrated Security: VPN solutions are designed to provide an encrypted tunnel between two points and perform no inspection of the traffic flowing over this tunnel. This means that a full security stack must also be deployed anywhere that an organization places a VPN endpoint.
- Limited Access Control: VPNs are designed to authenticate a user and then provide them with an experience similar to a direct connection to the enterprise network. This means that a compromised user account or a malicious user has unfettered network access unless additional access management solutions are in place.
- Inefficient Network Routing: Since many organizations have perimeter-based security solutions, VPNs are configured to route all traffic through the enterprise network for security inspection before forwarding it to its destination. With the increased usage of cloud infrastructure, this detour increases network latency and degrades performance.
- Impaired Network Visibility: All remote VPN users have an independent, encrypted connection to the enterprise network. This can make it difficult for security teams to achieve full network visibility, making threat detection and response slower and more complex.
- Vulnerability to Attack: VPN software is prone to vulnerabilities, and VPN endpoints are a prime target for Distributed Denial of Service (DDoS) attacks. These attacks may allow an attacker to gain access to the enterprise network or degrade or destroy remote workers’ ability to do their jobs.
VPNs are a “band-aid” solution to the infrastructure and security challenges of supporting a remote workforce. While these legacy solutions may work in the short term, they negatively impact enterprise productivity and increase cybersecurity risk in the long term.
Designing Telework Infrastructure for the Modern Enterprise
The response to the forced telework of COVID-19 varied from some organizations planning to fully return to the office as soon as possible to others selling off office space and embracing remote work. However, many organizations plan to support telework – at least part-time for some of their workforce – for the foreseeable future.
Implementing a sustained telework program means that organizations should invest in the infrastructure required to support and secure it. This includes selecting solutions that eliminate or minimize the challenges and limitations associated with VPN-based remote work.
Secure Access Service Edge (SASE) is a good option for organizations with remote workforces. SASE combines the network optimization capabilities of software-defined WAN (SD-WAN) with a full security stack into a single solution that is deployed as a virtualized cloud-based appliance. This provides a number of benefits for remote work, including:
- Global Accessibility: SASE points of presence (PoPs) are hosted in the cloud, meaning that they can be deployed anywhere. This allows an organization to achieve full network visibility and security inspection with minimal performance impact by routing traffic through the nearest SASE PoP.
- Optimized Routing: SASE solutions integrate SD-WAN functionality, which optimally routes traffic between the SASE PoPs closest to its source and destination. This optimizes performance and minimizes the impact of using the SASE network rather than sending traffic directly to its destination.
- Integrated Security: SASE PoPs include a fully-integrated security stack. This eliminates the need to detour traffic through perimeter-based security stacks on the enterprise network for inspection.
- Identity-Based Access Control: zero-trust network access (ZTNA) is a core capability of a SASE solution. By providing access to resources and applications on a case-by-case basis driven by role-based access controls, ZTNA limits an organization’s cybersecurity risk and the impact of a compromised account or malicious user.
Remote work is not going away anytime soon. Organizations need to invest in the solutions capable of supporting it securely.