As companies continue to support increasing numbers of work-from-home employees, the pressure to secure access and reduce risk has never been greater.

Rob Smith, Research Director, Gartner Endpoint & Operations Security Group

April 20, 2020


For more than two decades, enterprises have relied on VPN technologies to enable remote access to corporate applications and data. In recent years, these technologies have diminished in importance as more businesses transition to cloud-based applications and users are less dependent on access to the corporate network. Yet with enterprises forced to support a sudden surge in remote work during the coronavirus outbreak, remote access technologies have quickly made a comeback as a critical component of the enterprise technology stack.

VPNs remain popular for enterprises to connect remote users to corporate resources. Yet many organizations don't have the capacity and licenses to enable all employees for remote work during critical events such as the COVID-19 pandemic. Furthermore, always-on VPNs are being used for all of a user's connections and resource consumption, even when some users only need access to cloud-based applications and data. This often results in performance degradation, which leads to users seeking ways to bypass security and instead access applications directly.

As companies support more work-from-home employees, security teams must have the right technology in place to avoid poor performance and ensure secure access. Here are four ways that security and risk management leaders can address today's COVID-19 remote work challenges.

Challenge 1: Choose the Right Remote Access Product
VPN is not the only technology that can be used to enable remote access. Solutions such as a cloud access security broker (CASB) or zero-trust network access (ZTNA) technology can also be used for secure remote connections if the user needs access to software-as-a-service applications. These types of products offer additional corporate controls to users accessing applications outside of the corporate network through an access management (AM) tool.

Here are four key questions for security teams to consider when choosing and deploying modern high-volume remote access products:

1. Who is the user, and what is his or her job function? Some users require more bandwidth than others, like executives or mission-critical employees with above-average data analysis needs. Consider a user's job function when defining any remote use case.

2. What kind of device is being used, and who owns it? Usability and security vary widely across the spectrum of available remote devices. A corporate-owned PC is much easier to secure than a personally owned smartphone.

3. What kind of applications and data do users need to access? If employees use dedicated cloud applications, a CASB makes more sense from a performance perspective than an always-on VPN. Think about whether employees are more often accessing applications located in the cloud or on-premises.

4. Where is the user located? Consider differing data security, labor, and privacy laws across countries and state/local jurisdictions when choosing the remote access solution.

Whether you select a VPN, CASB, or ZTNA for secure remote access, test products for scale to support critical unplanned events such as COVID-19. All enterprises should also pilot and deploy multifactor authentication (MFA) for any kind of remote access, such as phone-as-a-token authentication.

Challenge 2: Evaluate the Risks of Bring-Your-Own-Device
When the COVID-19 outbreak suddenly forced employees across a variety of sectors to work from home, some who were not equipped with the technology solutions to do so turned to personal devices, including phones, laptops, and tablets, to continue working. Bring-your-own-device (BYOD) is a practice that enables employee-owned devices (such as mobile phones, laptops, and so on) to use remote access technologies to connect to secure company networks.

While BYOD can be beneficial in some cases for reducing infrastructure costs, it presents a significant security risk when implemented without the proper technologies and policies in place. If BYOD is a part of your continuity plan, consider the type of user and the device being used when choosing a technology for BYOD access. If a user is a temporary employee or one with a lower trust level and connecting using a PC or Mac, a virtual desktop is a good option. For smartphone users, the easiest method to enable remote access for an unmanaged device is to install an application-based container.

Challenge 3: Develop a Usable Remote Work Policy
After determining use cases and technology, build an end-user remote access policy with buy-in from all business units. Ensure that any BYOD considerations are reflected in the policy. In urgent situations, such as COVID-19, escalate the policy to legal counsel. Use simple and local language, and stress the importance of employees physically signing the policy document as soon as possible.

For more information about how to lead organizations through the disruption of coronavirus, check out the Gartner coronavirus resource center, a collection of complimentary Gartner research and webinars to help organizations respond, manage, and prepare for the rapid spread and global impact of COVID-19.


About the Author(s)

Rob Smith

Research Director, Gartner Endpoint & Operations Security Group

Rob Smith is a Research Director within the Gartner Endpoint and Operations Security Group and is based in London. Mr. Smith advises clients on all aspects of enterprise mobility. His research predominantly focuses on life cycle management and security of mobile devices. He also covers remote access VPN, and enablement and security of frontline workers.
