The traditional approach to providing VPN services has been to build everything in-house. The wide area network...
(WAN) vendor delivers the connections, and the organization leaves VPN connections to its networking team to deploy and manage. In recent years, however, that approach has been challenged by both external and internal forces, pushing the network manager toward outsourcing the management of the WAN to managed service providers. Any numbers of unique factors may move enterprises to managed VPN services, but there are a few common elements that network managers should consider when making decisions on outsourcing services.
Comparing costs of outsourcing VPN services
Comparing the financial impact of moving your VPN links to a managed services model from an existing in-house deployment can quickly become a lesson about capital expenditures and operational expenses, commonly referred to as CapEx vs. OpEx. For WAN infrastructure like VPNs, capital expenditures are the assets that make up the solution, primarily routers, as well as the costs of maintaining those assets. VPN services already have an operational expense portion, notably the WAN links themselves, but managed service providers take this one step further by rolling all of the costs into a single OpEx number. (Read this article on how cloud VPN services lessen SSL VPN gateway expenses to learn more.) Although enterprises can opt to use their existing hardware for a managed VPN service, the service providers also work with companies such as Cisco Financial to offer customers rentals or lease agreements for the routers. This type of arrangement would make an outsourced VPN a completely operational expense item.
Brian Washburn, research director covering network services for the analyst firm Current Analysis, notes:
"Enterprises have the opportunity to defray the costs of routers, maintenance agreements, etc., under a managed service agreement. Most of the asset cost can get buried within the service cost. If your organization has become averse to capital expenditures, a fully managed VPN might be an opportunity to move budget dollars into the expense column but also upgrade the WAN infrastructure with updated equipment in the process."
Unfortunately, as a rule, service providers will not make pricing public, noting that each deployment is unique and, as such, pricing for a VPN service is specific to that implementation. Getting to the final costs of outsourcing the VPN will certainly require a lengthy RFP process, and the size and scope of your VPN deployment is also certain to play a role in any move to outsourcing. Although a virtual private network spanning dozens of sites is definitely a candidate for moving to a managed service, pricing for smaller deployments will be less appealing.
Management of VPN services
Beyond the capital expense of maintaining the components of the virtual private networks, human resources could also play a role in the decision to outsource. In recent years, the economic conditions and the resulting austerity programs have scaled back IT staffing levels in most organizations, resulting in smaller teams with more responsibilities. In an effort to remove some of the burden from these scaled-back teams, networking managers might consider outsourcing VPN management to a service provider.
To offload some or all of the workload of the network engineering team, most service providers offer three tiers of managed services for enterprise customers, with each tier ultimately tied to the level of control and management the enterprise wants to maintain in-house. The first is simple monitoring and notification services, where routers are polled at specified intervals and the customer is notified if the router does not respond. The second tier includes monitoring but also adds break/fix support into the mix. In the event of a router failure, the service provider will place the call to the hardware vendor and get the truck rolling for repairing or replacing the down equipment. At this level, in-house network engineers are still responsible for getting the field technician the configuration necessary to restore service, but the service provider is accelerating the process of recovery by placing the call immediately. The third tier has the service provider taking over full control of the VPN infrastructure, everything from break/fix resolution to configuration and firmware management.
In particular, configuration and firmware management can be a tedious and seemingly endless process for many network engineers. With multiple versions of the same router model, multiple firmware trees, not to mention new router models, an enterprise network engineer could also be dedicated to the task of keeping the WAN components current. Managed WAN services might serve as an opportunity to move this work off the engineer's plate and allow him to focus on new projects.
The downside of outsourcing VPN services
Of course, there are drawbacks to outsourcing VPN services to a third party. Jumping into a long-term agreement with a service provider ultimately limits the customer's bargaining power and locks the enterprise into a particular vendor. Changing WAN service providers is difficult enough, and transitioning a fully managed service only complicates the situation further, muddying the waters with router leases and vendor support contracts, for example. Enterprises that are looking into outsourcing to managed services need to weigh the loss of that bargaining position against the benefits of moving that service, namely tighter service-level agreements (SLAs) and faster problem resolution than can be supported in-house.
Can in-house WAN teams achieve four 9s of service?
Bearing in mind all of these factors, an enterprise network manager ultimately needs to determine whether or not his own in-house team can deliver the same level of performance and uptime as the service provider promises. Unfortunately, in most cases, the service providers have an advantage in both resources and the ability to compensate the enterprise for any problems that do develop.
Some service providers are promising up to 99.99% uptime on their managed services -- this translates roughly to a little less than an hour of downtime over the course of a year -- going so far as to offer customers an SLA that includes remuneration for any downtime that exceeds this amount. The service provider can back this agreement with teams of network engineers, monitoring their customers' networks 24/7, but also by adding requirements on the customer side. For example, the service provider is likely to require secondary access to the remote routers to ensure that it can troubleshoot and resolve problems if the primary connection is unavailable. These secondary connections could be a dial-up line, DSL service, or even a wireless 3G modem connected to the back of each router, all of which will add to the expense of guaranteeing primary VPN service.
Can an in-house networking team match this level of service? Probably not, as that team would be hard pressed to match the level of resources that a service provider could bring to bear, not to mention the fact that there is less incentive and no remuneration for the organization to provide the network team with this level of resources. While the ability to achieve the "four 9s" of uptime is only one factor in the final decision to outsource VPN services, it highlights how the local network team and service providers offering the same service might be seen in different lights.