Remote employees need the same secure access to applications and data as office-bound workers. Typically, agencies have been able to provide access to internal network resources and the internet for remote users by using remote access virtual private network (VPN) devices combined with mobile device management (MDM) for policy enforcement.
In times of major growth or event-based activities — like the current pandemic — this model falls short. When demand increases significantly, the remote VPN device can quickly reach a saturation point.
“Enterprises typically don’t account for having 100% of their traffic committed to a VPN at any given time. So when the need arises, the system can overload quickly,” said Dan Beaman, a district manager at Palo Alto Networks.
With the traditional VPN model, latency grows as demand rises because the VPN is typically full-tunnel: it forces all traffic, regardless of destination, through the VPN concentrator, so traffic bound for the public internet or cloud services takes a detour through the data center. Limited geographical redundancy of access points and limited bandwidth at the internet access point compound the bottleneck.
Cost is another unanticipated concern. Organizations typically buy enough VPN licenses for a certain percentage of the workforce to work concurrently, but in times of major spikes, those licenses don’t go very far. That may cause an organization to have to buy more licenses very quickly.
Explosive demand and growth can stretch VPNs to the limit. For example, users frustrated enough by performance and access issues may bypass the VPN and go directly to the internet, losing the inspection and policy enforcement the VPN path provides. In other cases, hurried changes to accommodate the load may introduce misconfigurations that allow users to unintentionally share sensitive data with those who shouldn't have it.
Solution: TIC + SASE Proves a Winning Combination
TIC 3.0, the latest version of the Trusted Internet Connections guidelines from the Cybersecurity and Infrastructure Security Agency (CISA), focuses squarely on these issues by providing use cases, templates and guidance for secure remote access. The ultimate goal of TIC 3.0 is to provide a better user experience and performance in the most secure way, while paving the way for the adoption of emerging technologies.
TIC 3.0 is just that, though: guidance. Providing the right level of access, performance and security for remote workers using the cloud requires solutions that scale elastically with demand. That is the only way for agencies to add users and capacity rapidly without compromising performance, manageability or security.
One modern approach takes advantage of the increasingly popular secure access service edge (SASE) model, a cloud-based network architecture that combines wide-area networking and network security services. The SASE model fits the TIC 3.0 remote user use case well. It provides both the mechanism for secure VPN access to the data center and the security necessary for access to internal data, cloud and the larger internet.
“Traditionally, the VPN was one piece, and the security services were the other pieces, which required traffic to be funneled through a security stack,” said Wayne LeRiche, a systems engineer at Palo Alto Networks. “SASE converges these functions through one interface, which results in a secure VPN with distributed security services that give users the same experience, no matter where they are.”
The cloud-based SASE model also supports a related TIC 3.0 use case for remote and branch offices, which encourages the use of SD-WAN technology to route branch traffic directly to the internet rather than backhauling it to a central site. By choosing a SASE solution that includes SD-WAN capabilities, agencies can get secure, application-aware routing of traffic on demand instead of relying on more expensive multi-protocol label switching (MPLS) connections.
This article is an excerpt from GovLoop's recent report, "The New Work Reality: Securing Remote Access for the Long Term."