At the start of 2020, many ‘industry insiders’ would have told you that the VPN is dead, but, like seemingly everything this year, expectations could not have been further from reality. COVID-19 and the expedited need for work-from-home solutions across practically all industries and verticals has clearly proven that notion wrong, and it would be a fair assumption that there are more client VPNs in use for enabling work-from-home and remote work than at any other time in IT history - many of them hastily put in place or quickly expanded in their usage out of urgent necessity. As more time passes, however, and we transition from solutions of ‘immediate need’ to ones of ‘long-term outlook,’ the new question may not be ‘Is VPN dead?’ but rather, ‘Should it be?’ In this post, we’ll review a few of the key concerns around a VPN-centric ‘work-from-home’ solution, and how Evolve IP’s Workspaces solution can help to address and alleviate these concerns.
Let’s start by addressing the elephant in the room. VPNs, by their very nature, present an inherent security risk for your network. There are a number of mitigating technologies and practices which can help to manage the level of risk involved, but the risk of allowing external machines to become an extension of your internal network still carries with it a number of concerns.
One of the most obvious ways that organizations look to secure their VPN is to ensure that when client devices connect, they are placed into a ‘quarantine’ network which exists adjacent to (rather than as part of) the internal network. The challenge here is that the whole purpose of the VPN is to enable access to the resources which reside on that internal network, so you still need to provide some form of crossover between the two networks. Why is this risky? Simply put, any of the external devices that connect via VPN could be compromised; they could have viruses, malware, ransomware, or a range of other infections or issues that will attempt to propagate across whatever networks and devices they are connected to.

This raises the question, ‘Can’t I just make sure that the devices have antivirus?’ Sure… you could, but now you have expanded your role to managing and securing all of those devices as well. This comes with a cost, both financial and administrative. You now have to supply the licensing for the security software you choose to leverage, you need to ensure that users have installed it, you need to keep its definitions updated, and you need to ensure the device operating systems are patched so that no vulnerabilities there can be exploited. Many folks now turn to the idea of SDP, or a Software-Defined Perimeter solution, which provides Network Access Control and automates the process of ensuring that client devices meet certain minimum requirements: running a supported OS, running approved antivirus/anti-malware, and so on. Unfortunately, this further increases the cost and complexity of a traditional VPN solution, and frankly, many organizations don’t take these additional needs into consideration as a result.
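To make the posture-check idea above concrete, here is an added example (not Evolve IP’s code, and not any real SDP product’s logic) of the decision such a control makes when a client connects: the device’s self-reported posture is checked against a minimum policy and the client is assigned to the internal network or to quarantine. The policy values, field names and antivirus product names are constructed placeholders; a missing or malformed field fails the check, so an unknown device is quarantined rather than admitted by default.

```python
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Constructed example policy; product names and build numbers are placeholders.
SUPPORTED_OS = {"Windows 10": 19041, "Windows 11": 22000, "macOS": 11}
APPROVED_AV = {"ExampleAV", "ExampleDefender"}
MAX_DEFINITION_AGE = timedelta(days=3)    # AV signatures must be this fresh
MAX_PATCH_AGE = timedelta(days=30)        # last OS patch must be this recent


def evaluate_posture(report: Dict[str, object], today: str) -> Tuple[str, List[str]]:
    """Decide which network a connecting VPN client is placed into.

    `report` is the client's posture report (a constructed format for this example)
    with keys os_name, os_build, av_product, av_definitions_date, last_patch_date;
    dates are ISO strings. Returns ("internal" | "quarantine", failed checks).
    """
    now = date.fromisoformat(today)
    failures: List[str] = []

    def age(field: str) -> timedelta:
        # Absent or unparseable dates are treated as infinitely old (fail closed).
        try:
            return now - date.fromisoformat(str(report.get(field)))
        except (TypeError, ValueError):
            return timedelta.max

    # Supported OS at or above the minimum build for that OS.
    min_build = SUPPORTED_OS.get(str(report.get("os_name")))
    build = report.get("os_build")
    if min_build is None or not isinstance(build, int) or build < min_build:
        failures.append("unsupported operating system")

    # Approved antivirus product with recent definitions.
    if report.get("av_product") not in APPROVED_AV:
        failures.append("no approved antivirus")
    elif age("av_definitions_date") > MAX_DEFINITION_AGE:
        failures.append("antivirus definitions out of date")

    # OS patched within the allowed window.
    if age("last_patch_date") > MAX_PATCH_AGE:
        failures.append("operating system patches overdue")

    return ("internal" if not failures else "quarantine"), failures
```

Every failed check is returned alongside the decision so that the quarantine placement can be explained to the user and logged for the help desk.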
Many organizations tend to focus their time, attention, and finances on ensuring that their network is most secure at its assumed weakest point, the firewall. This makes a ton of logical sense, because we can think of the firewall like the front door of your home. Naturally, you feel safer if that door has more and better locks, or maybe a thicker and more secure door and door frame. Many organizations make these significant investments in providing the best door and the best locks possible, but then, in the interest of providing simple and fast remote access, simply leave the door unlocked so that everyone can come and go as they need.
Why not embrace a solution in which there is no need to establish a connection between the end users’ devices and the internal network at all? This solves many of the aforementioned concerns because it effectively makes the user’s device a terminal for connecting to published desktop sessions or applications, and internal company or organizational data never has to leave the datacenter to be processed locally on the client device. This is the type of solution afforded by Evolve IP’s Workspaces solution, which goes a step further by securing access to those applications and desktop sessions behind an included Identity and Access Management platform that can utilize both Multifactor Authentication and Single Sign-On capabilities.