In my last blog, I explored how the COVID-19 global pandemic has accelerated the future of work. Literally overnight, the population of remote employees at most organizations went from 10 percent to 100 percent of the workforce. This has put an enormous strain on network architectures that were built on a traditional hub-and-spoke model that requires security to be delivered centrally. Both inbound and outbound traffic is backhauled through a VPN to the data center, where security policies are then applied—essentially extending data center control and visibility to remote workers.
The problem is that the hub-and-spoke model is not ideal for heavy volumes of traffic or the type of traffic now running through the network, resulting in overwhelmed VPN connections. Users are reporting capacity and bandwidth issues. They’re unable to log on or stay connected. Performance is sluggish, and latency is creating bottlenecks in regular business processes. Remote users are not able to access the tools and information they need to keep the business up and running—impacting business continuity. In addition, VPN infrastructure is extremely difficult and time consuming to scale—and doing so for 100 percent of the workforce would take months, if not years.
Organizations have tried to remedy overwhelmed VPNs with split tunneling. Split tunneling splits traffic into two buckets. Traffic to on-premises applications continues to flow through a VPN, where IT teams have visibility and control to monitor, manage, and safeguard data. Internet traffic (web browsing, web-based email, SaaS platforms, web apps), on the other hand, is sent directly to the Internet without going through the VPN. This configuration can reduce VPN traffic by more than 70 percent—giving remote users secure access to internal applications without overburdening the infrastructure.
However, giving users free rein to surf the Internet with impunity moves computing activity and data outside the traditional security perimeter and greatly widens attack surfaces. Users have no protection against increasingly sophisticated cybersecurity threats, such as drive-by and zero-day attacks, malware downloads, ransomware, and phishing. All it takes is a single user to click on a single malicious link to compromise the organization’s business systems and data. Multiply that by the entire workforce working remotely beyond the firewall and the watchful eye of the security team, and you have greatly increased risk.
The only way to secure Internet traffic that bypasses the VPN is to deliver security services through the cloud. Cloud security ensures that policies follow users wherever they log on from. A global cloud proxy acts as the central security control point for all traffic, providing a ubiquitous and separate security layer in the cloud through which all web traffic flows. It’s here where security policies can be applied, ensuring policy enforcement regardless of whether the user is behind a firewall or logging on from home.
A global cloud proxy enables split tunneling without sacrificing security. In this model, traffic going to the data center is controlled and secured by the VPN, while traffic going to the Internet is secured by the global cloud proxy. This ensures complete security policy enforcement across all traffic (including HTTPS) while reducing VPN bandwidth by up to 70 percent—allowing organizations to scale their work-from-home capabilities in an emergency.
The future of work is here, but traditional VPNs are not up to the task of meeting the security needs of today’s remote workforce. Split tunneling could mitigate the performance issues but would leave web traffic completely vulnerable to cybersecurity threats. Moving security services to the cloud solves this issue by allowing organizations to reroute Internet traffic through a ubiquitous security layer in the cloud, while continuing to rely on VPN protection for traffic flowing in and out of the data center.
My next blog will discuss Gartner’s recommendations for setting up the best architecture for delivering security services through the cloud.
Please do not hesitate to contact us with any questions.