In the blink of an eye, everything changed. March 2020 marked a huge shift in the way we approach remote work and the infrastructure needed to support the future of business. According to Gartner's recent CFO survey, 74% of organizations will move at least 5% of their previously on-site workforce to permanently remote positions following the pandemic. In the very near future, remote work will be the norm rather than the exception, necessitating a shift in how we approach security.
The reality of the modern, mobile-enabled workplace is that we need to go where the users are — an approach that requires security measures beyond virtual private networks (VPNs). While a VPN is a step in the right direction, it's not the be-all and end-all when it comes to security and falls short in many ways. Here are four challenges I see with traditional VPNs:
1. VPNs Are Physically Limited
Traditional VPNs typically have an on-premises appliance that is constrained by hardware in the number of users that can be supported. Many businesses determined specifications for their VPN appliances using remote work statistics from many years ago, leaving them unprepared for the surge in teleworking that occurred when COVID-19 hit. VPNs are failing and companies are struggling to figure out how to scale to support so many users. Organizations are resorting to creative approaches, such as limiting VPN use to select workers, purchasing a secondary solution, enforcing inconsistent policies, etc. — but these aren't viable long-term strategies.
2. VPNs Fail to Balance Productivity & Security
The age-old debate over productivity and security rages on, and VPNs don't provide a workable solution. Do organizations enable productivity and allow access, effectively endangering security? Or is all traffic routed through the security infrastructure so it can be filtered, overloading the VPN, Web gateways, and firewalls, while negatively affecting productivity because of the resulting substandard user experience? Ask VPN users and they'll tell you about getting half the work done in double the time. Then there are the IT pros who relate countless examples of employees who've infected their corporate laptops with malware or compromised sensitive information by failing to use appropriate security measures. With traditional VPNs, the war between productivity and security has no resolution.
3. VPNs Fall Short on Mobile
VPNs were designed to use a protocol that's resource-intensive on the setup — it takes a bit of time to connect, but the assumption is that the connection will stay alive for the duration of the user's needs. This all changes with mobile. Every time your device goes to sleep or you change networks, the VPN gets interrupted and has to reconnect. Furthermore, mobile apps are not built to be VPN-aware; when the VPN has to reconnect, app responsiveness suffers and user experience suffers. Consider this: Wandera finds that typical knowledge workers will engage with their mobile device almost 100 times in a typical day — that's 100 times a day the VPN has to reconnect and 100 instances of a remote worker who cannot be productive. For businesses, time is money, so that wasted time translates into lost revenue.
4. VPNs Aren't Built for the Modern Workforce
In today's business ecosystem, various remote users are making choices for their own devices and collaborating with individuals outside of their organizations. The way VPNs have been managed in the past is via certificates that sit on the devices and are used to initiate a session. Access to the organization's infrastructure is granted via access to the certificate and, therefore, VPN use is often restricted to company-managed devices. This means that BYOD devices and those used by contractors or partners are often unable to utilize the company's remote access tool.
According to a 2016 research report, the average company's network is accessed by 89 different vendors — contractors, partners, freelancers, etc. — every week, a figure that's likely grown given the rapid digital transformation across industries. These third parties aren't able to access the corporate VPN given they have devices that aren't managed by the company, yet they often have access to sensitive information or collaboration tools. Beyond third-party risk management, the surge in remote work spurred by coronavirus has seen organizations shifting their policies toward lenience. Countless organizations tried and failed to supply employees with approved corporate devices, forcing many to rethink their BYOD policies and take a "whatever you've got, make it work" approach to remote work. And this explosion in unmanaged, insecure devices opens organizations up to countless threats.
As companies transition to the cloud, a big part of that shift involves moving to software-as-a-service applications. In today's world, corporate information isn't on the private network anymore — some assets still live behind firewalls, but most users and the most usage is already on the Internet. This requires a new way of thinking and a new approach to security — that is, cloud-based security. [Editor's note: The author's company is one of a number that offer cloud-centric security.] Rather than the traditional VPN, organizations need cloud-based protection for traffic filtering and mobile-friendly traffic vectoring that doesn't break modern applications that are running on any device being used for remote work, whether it's a Windows 10 laptop, a MacBook, an iOS tablet, or an Android smartphone. Organizations still need filtering and the ability to provide access control to applications, but those protections must move to the cloud to prepare for the business of the future.
- VPN Usage Surges as More Nations Shut Down Offices
- Widely Known Flaw in Pulse Secure VPN Being Used in Ransomware Attacks
- VPNs' Future: Less Reliant on Users, More Transparent, and Smarter
- Latest Security News & Commentary About COVID-19
- State of Cybersecurity Incident Response
A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19.