VPN is dead – long live remote access!

Author
Reinhold Zurfluh
Published
19. June 2020

VPNs have become the standard solution for secure remote access to corporate networks, to such an extent that many people use the terms “remote access” and “VPN” as synonyms. The increasing use of cloud applications means that the demands placed on networks and network security are constantly evolving. Consequently, companies have to address the issue of whether these new requirements can still be met with VPNs, or whether it’s time to take a completely new look at remote access and switch to a more up-to-date solution. In this article we show some ways to start meeting those requirements.

Your users and applications are moving outside the premises

A lot of your colleagues are constantly working even when they are outside the company – on the customer's premises, in their home offices or on the train. So it's clear that access to all data and applications must be made available from wherever they are. At the same time, threats need to be consistently countered and data protection guidelines have to be enforced. On top of that, global business expansion, the growing number of people working on the go and the increasing use of cloud computing are changing the way companies implement and deliver applications.

The limitations of classic remote access

VPNs were originally designed for a very specific purpose: to act as a gateway for legitimate users who are outside the firewall perimeter and who need to access central resources. However, the situation becomes fundamentally different once cloud applications are part of the infrastructure. This is because, with a full tunnel, all data traffic is routed to the VPN gateway first, even if it is intended for an application that is hosted in the cloud, and only then leaves the corporate network again. This makes sense from a security point of view, since the traffic passes the central inspection stack, but from the point of view of network performance the detour adds latency and load for no benefit to the user.

In addition, this detour can degrade the experience of using cloud applications so severely that many employees will only use the VPN when they absolutely have to, for instance when they need to access the corporate data centre, and then log off. However, while users are not connected via the VPN, the company has no overview of the applications they are using. This means that it can neither prevent access to unauthorised applications nor rigorously enforce its other security policies.
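The visibility gap described above can be measured rather than asserted. The following added example (not from the original article or from any vendor) correlates a VPN session log with a SaaS audit log and lists the SaaS activity that took place while the user had no VPN session, i.e. traffic the corporate security stack never saw. Both log formats and all users, apps and timestamps are constructed for the illustration.

```python
"""Quantify SaaS usage that bypasses the VPN (and thus the corporate security
stack) by correlating VPN session events with a SaaS/IdP audit log.

Added example. The key=value log formats below are constructed for
illustration and do not correspond to any real product's log format.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed VPN gateway log: one line per login/logout event.
# Note that bob never logs out, so his session is still open at the end of the log.
VPN_LOG = """\
2020-06-15T08:02:11Z event=login user=alice
2020-06-15T08:05:40Z event=login user=bob
2020-06-15T08:31:09Z event=logout user=alice
2020-06-15T12:00:00Z event=login user=alice
2020-06-15T12:20:00Z event=logout user=alice
"""

# Constructed SaaS / identity-provider audit log: who used which app, and when.
SAAS_LOG = """\
2020-06-15T08:10:00Z user=alice app=Salesforce
2020-06-15T09:15:22Z user=alice app=Salesforce
2020-06-15T09:40:05Z user=alice app=Dropbox
2020-06-15T10:02:48Z user=bob app=Office365
2020-06-15T12:05:00Z user=alice app=Office365
2020-06-15T14:30:00Z user=carol app=Dropbox
"""


def parse_line(line):
    """Parse '<ISO timestamp> k=v k=v ...' into a dict with a UTC datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def vpn_sessions(log):
    """Return {user: [(login_ts, logout_ts_or_None), ...]} from login/logout events.

    A login without a matching logout is treated as a session that is still open.
    """
    open_since = {}
    sessions = defaultdict(list)
    for line in log.splitlines():
        rec = parse_line(line)
        user = rec["user"]
        if rec["event"] == "login":
            open_since[user] = rec["ts"]
        elif rec["event"] == "logout" and user in open_since:
            sessions[user].append((open_since.pop(user), rec["ts"]))
    for user, start in open_since.items():
        sessions[user].append((start, None))
    return sessions


def on_vpn(sessions, user, ts):
    """True if `ts` falls inside one of the user's VPN sessions."""
    for start, end in sessions.get(user, []):
        if start <= ts and (end is None or ts <= end):
            return True
    return False


def off_vpn_usage(vpn_log, saas_log):
    """Classify each SaaS event.

    Returns (off_vpn_counts, on_vpn_count) where off_vpn_counts maps
    (user, app) to the number of events seen while the user had no VPN session.
    """
    sessions = vpn_sessions(vpn_log)
    off = defaultdict(int)
    on = 0
    for line in saas_log.splitlines():
        rec = parse_line(line)
        if on_vpn(sessions, rec["user"], rec["ts"]):
            on += 1
        else:
            off[(rec["user"], rec["app"])] += 1
    return dict(off), on


if __name__ == "__main__":
    off, on = off_vpn_usage(VPN_LOG, SAAS_LOG)
    print(f"{on} SaaS event(s) occurred during a VPN session")
    for (user, app), n in sorted(off.items()):
        print(f"OFF-VPN  {user:<6} {app:<11} {n} event(s)")
```

On the constructed data, three of the six SaaS events took place outside any VPN session (two of alice's and carol's only one); those are the accesses on which no corporate policy could have been enforced. In practice the figure is a lower bound: audit logs usually exist only for sanctioned SaaS applications, so unsanctioned applications used off-VPN do not appear at all, and clock skew between the VPN gateway and the SaaS provider can misclassify events near a session boundary.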

From remote access to first-generation cloud security

Given the growing number of remote workers and cloud-based applications, you've probably also come to the conclusion that traditional remote access is unable to keep pace or to provide the level of security required. This calls for a new approach – and that approach is cloud security. However, many “cloud security 1.0” products still focus on yesterday's problems, so they are unable to meet today's requirements. Security should be just as good and just as comprehensive no matter where your staff are and where business data is being used. If the level of protection varies depending on the location of applications and users, that requirement is not met.

The first generation of cloud security was based on point solutions, each with its specific features but without any coordinated protection between them. This quickly creates gaps that can lead to data loss or theft, and at the same time makes it difficult to detect an attacker's subtle, multi-stage methods, because no single product sees the whole picture. Consequently, combining standalone proxies, secure web gateways, remote-access VPNs, DNS filtering services and Cloud Access Security Broker (CASB) proxies creates security problems that are difficult to overcome.

Don't get me wrong: all of these security solutions are still justified – but not as the primary protection for your “on the road” employees. We need to reinvent the paradigm for cloud security. The next step in this evolution requires new strategies that protect all applications, users and branch offices more effectively. But what would a better concept actually look like? Here is one potential approach:

The latest generation of cloud security

Your staff needs access to the data centre, the Internet and applications in public, private and hybrid clouds. In other words, any new approach needs to provide users in every location with optimal access to all applications and at all times.

Cloud security needs a modern architecture for mobile staff

A prerequisite for this is that the security infrastructure no longer piles up at the perimeter but also migrates into the cloud. This is the only way to ensure that users are always able to connect securely to a nearby cloud gateway rather than hairpinning through a central site. This cloud service not only provides secure access to all applications but also inspects and monitors all data traffic, regardless of port and protocol. This is exactly what Prisma™ Access, the Secure Access Service Edge (SASE) offering from Palo Alto Networks, does.

Cloud security for managed mobile devices

To do this, we recommend the “GlobalProtect” app, which you can install on all the devices you manage (laptops, mobile phones and tablets) and which your employees use. The app automatically establishes a connection to Prisma Access as soon as the device is connected to the Internet. Prisma Access connects applications at different locations via its connectivity layer, giving your staff access to all applications whether they are hosted in the cloud or in the data centre. Prisma Access also provides the security measures needed to detect known and new malware, exploits, communication with command-and-control servers, and attacks using stolen credentials.

Cloud security for unmanaged devices or BYOD

Prisma Access, used in combination with MDM (Mobile Device Management), can be used to implement BYOD (Bring Your Own Device) policies. As a result, employees of external contractors and contractual partners, other users with unmanaged devices (“unmanaged users”) and your own staff with BYOD devices also get clientless VPN remote access to the data centre. Using this approach, these users can be given secure access to SaaS applications through inline security controls, without a client being installed on the device.

For future-proof cloud security

Prisma Access was developed to ensure efficient prevention of cyber attacks. Just blocking Internet threats is not enough: all incoming and outgoing data traffic has to be inspected, and any compromise on that point leads to dangerous gaps in security. With Prisma Access, the “bottlenecks” at the perimeter that come with VPN-based remote access are eliminated, and your users have secure access to all applications, irrespective of where they are accessing them from.