BYOD security risks have spurred a lot of conversation around the implementation of IPsec VPNs. Should SSL VPNs also be a part of the discussion?
Over the past several years, Virtual Private Networks (VPNs) have taken an increasingly critical role in businesses' IT security strategies. At the same time, the ranks of workers accessing company networks remotely are growing rapidly and creating more potential points of failure. According to Gartner, 40% of the workforce will be mobile by 2016.
Despite knowing that Bring Your Own Device (BYOD) is becoming more common, only 43% of security executives surveyed by PricewaterhouseCoopers said they have secure remote access to their corporate networks. Worse than that, only 42% even have a BYOD security strategy in place for employees.
A VPN should be the first step in securing all of the myriad worker devices that are accessing a corporate network. Now is the time for organizations to get serious about their BYOD security strategies and find a VPN that supports today's evolving and more remote work environment.
The two main types of VPN are SSL and IPsec, and each one has distinct advantages and drawbacks for remote users. My colleague Rainer Enders previously detailed many of the security benefits of IPsec, but in the context of the BYOD trend, it is worth taking a closer look at SSL, too.
SSL's remote access ease of use
SSL VPNs were originally introduced to address various limitations of IPsec, such as usability, interoperability and scalability. Because they were built to be operating system (OS)-agnostic, they are well suited for BYOD use. In fact, the client is a Web browser, which is already installed on almost every computing device a user may have.
SSL offers precise access control by creating a secure encrypted tunnel to specific applications rather than the entire corporate network. IT administrators have granular network access control because they can configure access rights to applications on a user-by-user basis. If an employee loses a device, a potential attacker can reach only the applications specifically assigned to that user, rather than potentially the whole network, as with a transparent VPN connection. However, no matter which VPN technology is used, deactivating VPN access for users should be easy and centrally managed.
Recent advances in SSL give users access to more than just applications. Thin client SSL VPNs can be downloaded and linked via an SSL session to access non-HTTP-enabled applications. For completely transparent access to a company's network, fat clients can be installed on a user's device; these grant access to the entire corporate network and transmit traffic through an encrypted SSL connection.
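To make the difference in lost-device exposure concrete, here is an added example (not from the original article or any VPN product) that models a gateway with per-user application grants, the three access modes described above, and central revocation. The subnet, application names, user names and the rule that browser mode reaches only HTTP applications are assumptions of this simplified model.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample data: a hypothetical corporate subnet and published applications.
CORPORATE_NET = ip_network("10.0.0.0/16")
APPLICATIONS = {  # name -> (host, port, protocol)
    "webmail": ("10.0.1.10", 443, "http"),
    "intranet": ("10.0.1.20", 443, "http"),
    "ssh-jump": ("10.0.2.5", 22, "tcp"),
    "hr-db": ("10.0.3.7", 5432, "tcp"),
}
MODES = ("browser", "thin", "fat")


@dataclass
class Gateway:
    """Central policy point: per-user grants plus a revocation list."""
    grants: dict = field(default_factory=dict)   # user -> (mode, granted app names)
    revoked: set = field(default_factory=set)

    def grant(self, user, mode, apps=()):
        if mode not in MODES:
            raise ValueError(f"unknown access mode: {mode}")
        unknown = set(apps) - set(APPLICATIONS)
        if unknown:
            raise ValueError(f"unknown applications: {sorted(unknown)}")
        self.grants[user] = (mode, set(apps))

    def revoke(self, user):
        self.revoked.add(user)    # one central change, effective for every device

    def allows(self, user, dst_ip, dst_port):
        if user in self.revoked or user not in self.grants:
            return False          # default deny
        mode, apps = self.grants[user]
        if mode == "fat":         # transparent tunnel: whole corporate network
            return ip_address(dst_ip) in CORPORATE_NET
        for name in apps:
            host, port, proto = APPLICATIONS[name]
            if (host, port) == (dst_ip, dst_port):
                # browser mode proxies Web applications only (model assumption)
                return mode == "thin" or proto == "http"
        return False

    def exposure(self, user):
        """Applications reachable with this user's credentials, e.g. from a lost device."""
        return sorted(n for n, (h, p, _) in APPLICATIONS.items() if self.allows(user, h, p))
```

Comparing `exposure()` for the same person under each mode shows how much a stolen session can reach, and calling `revoke()` empties it in one step.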
Finding the right SSL VPN
Choosing what kind of SSL VPN to use depends on what types of applications an end user might need to access. The browser-based option works best for accessing Web applications or downloading files and is better for BYOD workers who need access from any device, including smartphones and tablets. Thin and fat clients support a wider range of uses but don't have quite as much compatibility, which makes them more suited for laptops.
An additional option to consider for both flexibility and security is combining SSL and IPsec VPNs into a single solution. With a hybrid VPN, you can provide access to remote users on all devices and offer the exact type of client and connection to your network that each end user needs.
No matter which VPN you end up choosing, it is important to use one that addresses the trend of BYOD. According to a Symantec survey, a large enterprise can lose up to $429,000 annually by not having sound policies for BYOD security risks. The losses from decreased productivity, direct financial costs and loss of data, among other factors, all add up to a significant reduction in a business' bottom line.
Supporting user devices outside of corporate networks can be a significant challenge, but it is an action that businesses must take to stay relevant. Implementing an SSL VPN lets users access the resources they need to stay productive while working on their own devices and ensures that your network stays secure.
This was first published in July 2013