In the wake of the COVID-19 pandemic, many organizations are considering extended or permanent support for telework. The security challenges associated with the recent surge in support for telework have highlighted the fact that traditional approaches to network security no longer meet the needs of the modern enterprise.
With the growth in telework, virtual private networks (VPNs) have been shown to be an unscalable solution for secure network connectivity.
As organizations evolve and support increasingly remote workforces, transitioning from legacy VPN infrastructure to modern solutions, such as secure access service edge (SASE) is necessary to ensure both worker productivity and security.
Telework Dissolves the Network Perimeter
In the past, many organizations security relied upon a perimeter-based security model. At the time, an organization’s employees primarily used devices connected directly to the enterprise network.
The main advantage of the perimeter-based security model is that it is simple to understand and implement security under this model. Most organizations have a single point of connection between their internal network and the public Internet through which all traffic entering and leaving the network flows.
By deploying a security stack at this location, an organization maintains visibility into this traffic and is able to identify and respond to a high percentage of malware and other threats attempting to gain access to the enterprise network.
The perimeter-based security model has several issues. A major issue is the fact that a perimeter-based security model assumes that all of an organization’s “trusted” infrastructure lies within the network perimeter.
With the rise of cloud computing and remote work, the traditional network perimeter is dissolving. A growing percentage of an organization’s business traffic originates and terminates outside of the network perimeter.
As a result, traditional, perimeter-based security solutions have a significant negative impact on network performance.
VPNs Degrade Network Performance
Most organizations, in an attempt to secure remote workers’ network connections, require remote workers to connect to the enterprise network via a VPN, which encrypts the traffic between the VPN client and a VPN endpoint on the enterprise network.
This approach to teleworker security has a number of negative impacts on network performance. In general, VPNs dramatically increase network latency for cloud-bound traffic since the traffic is routed through the enterprise network before continuing on to its destination.
However, as organizations’ remote workforces grow, VPN infrastructure also experiences scalability issues. Many organizations’ VPN infrastructure is designed to support a fraction of the workforce and is incapable of scaling far beyond the intended maximum capacity.
As the use of enterprise VPNs exceed design parameters, remote workers experience degraded productivity and network performance.
The number of inbound connections exceed the capacity of existing VPN infrastructure, and the need to perform computationally expensive decryption and encryption operations for all inbound and outbound traffic eats up computational resources and slows network throughput.
Scalability Solutions Compromise Security
Organizations are increasingly reliant upon cloud-based infrastructure for core business functionality. Currently, over 93% of organizations have multiple cloud deployments.
This includes everything from cloud-based data storage to web applications hosted on cloud infrastructure to use of Software-as-a-Service (SaaS) applications such as Microsoft 365 or Salesforce.
As a result of increased cloud adoption, a high percentage of teleworkers’ network traffic – the same traffic placing strain on enterprise VPN infrastructure – is intended for cloud-based infrastructure outside the organization’s network perimeter.
This traffic intended for external destinations places an especially high load on an organization’s network and security infrastructure. Unlike network traffic bound for servers within the network perimeter, remote workers’ cloud-bound traffic passes through the perimeter twice (inbound and outbound).
As a result, a large contingent of remote workers accessing cloud-based resources has a significant impact on network throughput and performance.
In order to improve the scalability of network and security infrastructure, the use of split-tunnel VPNs have been recommended by Microsoft and other organizations.
Unlike a full-tunnel VPN, which sends all traffic over the encrypted VPN connection, split-tunnel VPNs enable traffic intended for the public Internet (or certain trusted sites on it) to go directly to its destination. This greatly decreases the load on the organization’s perimeter-based security solutions.
However, this increased scalability can come at the cost of security. With direct access to the public Internet, a teleworker’s computer does not benefit from the enterprise’s security scanning for this traffic.
This enables malware to infect the teleworker’s computer and then use it as a stepping stone to infect the enterprise network via its VPN connection.
Cloud-Based Security Meets the Needs of Telework
While VPNs may have been an effective solution in the past, they do not meet the needs of the modern enterprise. With growing numbers of teleworkers and reliance upon cloud-based infrastructure, the network perimeter has moved to these endpoints. Attempting to keep security at the former network perimeter is inefficient and unscalable.
SASE provides security designed for the modern organization. Cloud-based points of presence (PoPs) integrate security functionality, such as a next-generation firewall (NGFW) and secure web gateway (SWG), and the optimized network routing offered by software-defined networking (SD-WAN).
This enables an organization to deploy security at the network edge close to cloud-based resources and teleworkers, which minimizes the latency impacts of routing traffic over the corporate WAN.
SASE enables an organization to maintain network visibility and security scanning while minimizing the associated impacts on network performance and latency for remote workers.
