The Coronavirus Pandemic and the Death of the VPN

Is the onslaught of remote workers as a result of COVID-19 what finally brings VPN technology to its end?

The software-as-a-service (SaaS) cloud application boom has fundamentally transformed how businesses operate. Virtually every application now runs in the cloud, making it easier than ever to acquire and leverage those applications to make businesses more agile and efficient. Most importantly, it has enabled a world of mobility where users can be productive from any location, as access to those applications is no longer restricted to being in the office. It has also made possible emergency work-from-home precautions triggered by the coronavirus outbreak—at least, we thought.

Before the cloud movement, applications were installed and hosted within the office and could only be accessed while on the office network. To get on the office network, users had two choices: physically show up to the office, or use a company-provided virtual private network (VPN) application. Of course, the popularity of VPN applications boomed, as users needed access to applications while working remotely. Whenever users needed to gain access to applications in the office, they simply turned on the VPN, which connected them to the office network and granted connections to applications sitting inside the company network. It’s important to note that applications provide their value only if users can connect to them—without network connectivity, applications are completely inaccessible and isolated from the users, who have no way to access them.

Fortunately, many applications that once were installed and hosted within the office have transitioned to the cloud, including productivity applications such as Microsoft Office 365, Google G-Suite, cloud-delivered phone systems and communication platforms such as Slack. Given those applications run in the cloud, the need for VPN applications would seem to be eliminated as connections back to the office for application access are no longer necessary. After all, the cloud applications do not live or run in the office, so why would a user connect to the office to get to them?

Unfortunately, theory doesn’t match reality, as most organizations still rely on VPNs to grant users access to applications even though those applications run in the cloud. Why force users to connect through the office via VPNs to access cloud applications that could be accessed directly from a user’s home? The reason is cybersecurity.

Data must move between users and cloud applications, but the data must be secured from threats as it moves between the users and the applications. To protect this data, network security is applied to ensure clean and secure transfers to cloud applications and the public internet. Unfortunately, network security is riddled with proxies and firewalls, which sit at the office and act much like the TSA. Just as the TSA checks luggage for malicious content during travel, network security firewalls and proxies inspect network traffic as it travels between users and the internet, looking for malware and data loss. The network security appliances still sit at the office, so to ensure secure connections to the cloud, organizations force those connections through the VPN and back to the office to be inspected by the appliances before going on their way to their destination.

Here’s where the dilemma resides: Network security appliances are designed to handle a pre-determined volume of traffic. The appliances are sized and purchased to match the bandwidth available at the office. For example, if an office has 100Mbps, network and security administrators will buy appliances capable of handling at least 100Mbps but not much more. When the office increases bandwidth speeds every few years—let’s say to 200Mbps—administrators buy bigger appliances scoped to handle the increased volume.

When users are sent home and asked to connect through the office via VPNs to access cloud applications, the amount of bandwidth coming from those users is highly variable and high in volume. At home, users can easily get 100Mbps of bandwidth for $50/month or less. In fact, Google now offers Gigabit service for a mere $70/month—that’s 1,000Mbps of connectivity per user from their home.

With the coronavirus pandemic, full office closures occur overnight and users are asked to work from home. Many of those users have turned on their VPN to access their business applications only to find that their connections are either down or so slow that they cannot use the cloud applications. This is because when you multiply the number of users working remotely by the amount of bandwidth those users have, they completely saturate all aspects of the office network, including the network cybersecurity stack. For example, if the office has 100Mbps of connectivity, a single user at home can consume the entire bandwidth alone. With 1,000 users connected to the VPN, 100,000Mbps (or 100Gbps) are sent to the office on their way to cloud applications. First, the network link at the office immediately gets saturated. Second, the VPN infrastructure collapses under load. Third, the network security appliances that were responsible for handling 100Mbps of traffic drop to their knees. Users are left helpless with applications that are ready to help them but no way to connect to them. The organization comes to a halt.

There is no amount of bandwidth or infrastructure that an organization can buy to solve this problem using legacy approaches, including the use of VPNs and network security appliances for cloud application traffic. At the same time, users cannot drive on the internet highway without a seatbelt and cybersecurity. If they do that, organizations are bound to be breached and irrecoverable data loss will occur.

Fortunately, the problem is easily solved. Why wouldn’t the network security that is sitting at the office, as the applications once did, move to the cloud and be consumed via SaaS just like those applications? This allows users to connect to cloud applications by sending their data directly to the cloud, not through VPNs. This also allows users to connect with speed and security as any amount of bandwidth—even the minimum 1000Mbps provided by Google Fiber—is instantly secured without taking down the office network. In addition, just like SaaS makes applications easy to acquire and implement, SaaS makes cloud network security easy to acquire and implement.

The VPN's days are, with certainty, numbered. The coronavirus pandemic may have solidified and accelerated that timeline, leading ultimately to the death of the VPN.

Paul Martini


Paul Martini

Paul Martini is the CEO, Co-founder and chief architect of iboss. He has been recognized for his leadership and innovation, receiving the Ernst & Young Entrepreneur of The Year award and being named one of Goldman Sachs’ 100 Most Intriguing Entrepreneurs. Paul holds over 130 issued patents in cloud, cybersecurity, networking and technology and has had his work published in many scientific journals, including the Journal of Foundations in Computer Science and the Journal of Analytical Biochemistry.
