Coronavirus and Remote Access are the Best Reason for SASE Architectures


As we grapple with the implications of Coronavirus, IT professionals need to ready themselves for what’s being called the largest work-from-home experiment in history.

Numerous countries are requiring workers to be remote. Just last month, Cato Networks reported seeing a 75% jump in active remote users.

Over here at SASE Experts, we’ve seen several customers pull back their RFPs for SD-WANs to insert a remote access component. It’s an intriguing shift because, for the most part, SD-WAN vendors have ignored security, and especially remote access. That’s no surprise, as SD-WAN has always been about replacing, well, the WAN. Remote access was always seen as something different.

But even before Coronavirus, that perspective made increasingly less sense. Mobility was once the exception; today it is the rule. Most of us are checking our emails from the road, while we walk, and at home. Work has extended outside of the office, and it’s only natural that our networks will too. Corona just brought this point home.

Remote Access is not Mobile Access

Rethinking remote access for your SD-WAN isn’t going to be as simple as upgrading your mobile VPN servers. A remote worker is online quite literally the entire working day; a mobile user is only online for short spurts. This significantly impacts the oversubscription ratio at the VPN server. You may no longer be able to assume that you only need 200 concurrent licenses for 2,000 employees. Now you’re going to need something far closer to 2,000 concurrent users, and that’s going to mean a significant investment in the size of your VPN concentrator (or firewall).

Placement of VPN Servers

You’ll also need to think about purchasing more VPN servers. Since remote users need to connect back to the VPN server before accessing corporate or cloud applications, it’s important to minimize the latency to that server. Otherwise, you end up adding latency by backhauling mobile user traffic to the VPN server and leaving that traffic exposed to the latency and unpredictability of the Internet. When users are in a specific geographic region, organizations can get away with a VPN server at a single site in that region. But when companies depend on remote access as their primary communications, IT needs to think about installing one server, and more likely two for redundancy purposes, in each region.

Remote Access Poses Significant Security Risks 

Keep in mind that issuing 100 more VPN licenses to users is like making 100 copies of your front door keys and giving them to your best friends. You better trust those friends. Unfortunately, too often users aren’t as trustworthy as those friends. Threat actors exploit those credentials, as happened at Target and Home Depot, to gain network access. In fact, 29% of breaches involved the use of stolen credentials, according to Verizon’s 2019 DBIR report. And if your remote access is like most, that’s going to mean putting attackers a password away from essential applications.

Management and Process is Essential

Rolling out remote access to your employee base involves several management issues. There’s the obvious one: how easy it is to get users equipped for remote access. In addition, there’s configuring the security policies to restrict network access. Once users are onboarded, you’ll need management and monitoring tools for those remote users.

Coronavirus: The Argument For SASE? 

It may very well be that Coronavirus becomes the best argument for a secure access service edge (SASE) architecture. Having all types of access — mobile access, SD-WAN, cloud connectivity, etc. — in one platform with security built in would allow organizations to respond faster and more easily to these kinds of situations.

Rather than upgrading and rolling out what’s effectively a whole new network, you’d be able to leverage your existing infrastructure: the SASE service. Rather than investing in additional management and monitoring tools for your remote users, you’d be able to use the existing ones, as they would accommodate mobile or stationary users.

One network for the entire organization — it’s a radical concept whose time has finally come… unfortunately.
