- John Burke, Nemertes Research
Whether they're trying to download project files at a client's office or access business applications while stuck at the airport, more and more employees need to make use of enterprise resources from wherever they happen to be working and on whatever device they are using -- be it a laptop, tablet or smartphone. The days of users being satisfied with just webmail access while on the go are long gone.
Mobile platforms have steadily matured to provide the enhanced capabilities and flexibility that enable employees to work on a range of devices, prompting enterprises to develop or license mobile applications that take advantage of this power. As a result, employees are often trying to access corporate resources using public Wi-Fi hotspots or other networks that aren't inside the company's trusted zones.
For this evolving, distributed and virtual workforce, virtual private networks (VPNs) continue to be important features of the enterprise security landscape. A stable, easy-to-use VPN is a critical tool in the ongoing effort to make communications secure enough to be a powerful enabler of business innovation. It provides secured access to, for example, systems and applications that are not in the demilitarized zone (DMZ) and so are not normally reachable from outside the enterprise network.
VPNs also raise the level of security for users connected via unsecured, public Wi-Fi networks or password-protected wireless networks whose actual security level is not known, such as a client's company Wi-Fi.
With the rapid growth of mobile users and the increasing number of use cases, networking professionals need to ensure their VPN strategy meets the following requirements:
- VPN clients must be as easy to use as possible on as many platforms as possible.
- The infrastructure through which employees access the corporate network must be continuously available.
- The VPN infrastructure must be scalable in order to handle dynamic surges in use that result from the regular introduction of new mobile apps or users.
- Licensing must be able to cope with short-term surges in use due to unscheduled events, such as weather or public-health emergencies.
- VPN support must be available 24/7.
Cloud vs. managed VPN services: Which is best for you?
Meeting these requirements can be difficult for IT organizations that don't have sufficient staff or funding, however. Outsourcing the VPN to a third-party provider can offload the burden of maintaining continuous availability, strong customer support and regular updates for a broadening array of mobile platforms. There are two basic approaches to outsourcing VPNs. You can keep the VPN appliance on-premises and have it managed by a managed service provider (MSP), or you can use a hosted or cloud-based VPN service in which the infrastructure resides in the service provider's data center.
The on-premises approach keeps all relevant infrastructure in the hands of IT departments, ultimately enabling them to maintain complete control of the VPN. As is the case with firewalls and other parts of the security infrastructure, IT pros are generally loath to let VPN gear be under someone else's control. That said, the cost of engineering a robust, high-availability environment puts a greater capital burden on the enterprise and can make scaling more challenging. But by shifting the costs of day-to-day monitoring and management to an MSP, networking pros can nearly eliminate the administrative burdens of running the VPN. This can dramatically reduce the number of helpdesk calls that get kicked up to higher-level staff for diagnosis and remediation, enabling IT departments to let their limited helpdesk staff focus on helping users with enterprise application issues, rather than endlessly troubleshooting connectivity problems.
These same operational benefits also apply to hosted or cloud-based VPN services. Additionally, these services shift the cost structure from a mix of capital and operating expenses to just operating expenses, since it becomes the provider's job to create and upgrade infrastructure. This can help make new functionality available to enterprises quickly and transparently, since upgrades can be rolled into the service terms and don't require on-premises hardware upgrades or replacement. A hosted or cloud-based VPN service can also make it easier for enterprises to modify or replace a setup that is no longer meeting their needs, since there is no infrastructure to rip and replace or to hang onto until fully depreciated. Moreover, any scaling issues become the responsibility of the hosting or cloud provider.
Neither approach necessarily helps with the licensing issues that come with temporary bursts in traffic. IT departments will have to negotiate terms with their service providers, which may have little room to negotiate depending on the infrastructure underlying the VPN. Those providers using proprietary platforms are at the mercy of their vendors and whatever deal can be struck with them; those building the service on an open source platform could set whatever concurrent-use policies and fees they want.
Here are some guidelines for choosing between hosted or cloud-based VPN services and premises-based, managed VPNs:
- Is your risk-management group comfortable with not owning the VPN infrastructure and not having it in the company's data center? If so, consider cloud.
- Is your security team ready to accept a loss of direct control over VPN infrastructure? Either cloud or on-premises managed services may work out.
- Is your number of mobile users, platforms and use cases changing rapidly? Cloud may be a better fit.
- Do you have a solid outsourcing arrangement already with a provider that manages other pieces of on-premises security, such as firewalls? If so, folding in VPNs may work well.
- Are you starting a greenfield deployment with no legacy VPN in place? Look carefully at cloud first.
- Are you interested in shifting capital costs to operating costs? Look hard at hosted or cloud-based services, but also discuss so-called operationalized or shared-risk models in which the infrastructure is deployed on premises but owned and managed by an MSP.
As always, IT departments should undertake any kind of outsourcing decision with a clear set of goals -- functional, operational and financial. They also need a formal decision-making instrument -- a decision tree, for example, or a weighted scorecard -- to evaluate and select among the options according to their goals. As with so many other things, outsourcing the VPN is going to look attractive to more companies as they come to entrust larger and larger pieces of their mission-critical technology environment to the cloud and to MSPs.