It’s a challenge not to think about a spreading health crisis when you’re crushed into a crowded train or bus, clutching a germ-infested pole and dodging a nearby cough. As the current crisis develops, enterprise business continuity planning and risk management will result in many enterprise users working full time from home. Already we’ve seen the number of active remote or mobile users of the Cato Cloud rise 75 percent since early January, growing from about 10,000 users to 17,500 users.
In fact, as this Bloomberg article highlights, we’re probably about to start the biggest global work-at-home experiment in history. What does that mean for your business continuity planning and remote work strategy? Consider four categories: connectivity, performance, security, and management. Here’s a summary of each.
Connectivity and Architecture
IT has been supporting remote and mobile users for years, but a sudden spike in staff working from home full time could be a whole new ballgame. Most won’t be connecting occasionally to check email or do some quick catchup at the airport, between meetings, or after hours at the hotel. They’ll be on the network every workday for hours accessing enterprise applications, files, and data. Your current remote access infrastructure was likely never sized to deal with such a large, constant load, which implies you’ll probably need to add or upgrade remote concentrators. In the best of times, this will take days or weeks, but hundreds or thousands of companies will need similar upgrades.
Aside from the company data center, most enterprise users are accessing infrastructure and applications in cloud data centers, which adds connectivity complexity, as we discuss in this eBook, Mobile Access Optimization and Security for the Cloud Era, and below. For security reasons, most organizations prefer to route cloud traffic through datacenter security infrastructure first, then out to cloud datacenters many miles away, which adds latency to the home user’s cloud user experience.
Datacenter network congestion is also a problem, one that AdRoll, a company offering a marketing platform for personalized advertising campaigns, had to grapple with. Not only did backhauling remote user cloud traffic add latency to AdRoll’s cloud user experience, but it also saturated the San Francisco Internet connection and created availability problems, because the San Francisco firewall had no geo-redundancy. “It puts plenty of stuff in one basket,” says AdRoll’s Global Director of IT, Adrian Dunne. “Once the VPN on our primary firewall rebooted. Suddenly 100 engineers couldn’t work anymore.”
Performance and User Experience
Mobile and home VPN users often complain about remote access performance even when infrastructure is sized appropriately, because of the unpredictability, latency and packet loss inherent within the public Internet core. When accessing the cloud, the mobile experience can get so sluggish that users often abandon the company backhauling solution to access the cloud directly, opening significant security gaps. Many newer users also find themselves struggling with unfamiliar VPN client software, passwords, and connections to multiple cloud services.
To make working at home successful, IT will need to find ways to simplify and speed up the user experience so it’s more like working at the office. This could mean considering alternatives to backhauling and running traditional VPNs, which we discuss below.
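The performance complaint above has a quantitative basis. As an added illustration (not code from the original post, and not Cato’s own tooling), the Python below applies the Mathis et al. TCP throughput approximation, throughput ≤ (MSS / RTT) · C / √p, to two constructed paths: a home user backhauled through a distant data center firewall, and the same user reaching a nearby point of presence. The RTT, loss and link figures are assumptions chosen for illustration, not measurements.

```python
import math

MATHIS_C = 1.22  # model constant for loss-based TCP (Mathis et al., 1997)


def tcp_throughput_mbps(rtt_ms: float, loss_rate: float, mss_bytes: int = 1460) -> float:
    """Upper bound for one TCP flow: (MSS / RTT) * C / sqrt(p), returned in Mbit/s."""
    if rtt_ms <= 0 or loss_rate <= 0:
        raise ValueError("Mathis model needs rtt_ms > 0 and loss_rate > 0")
    bits_per_second = mss_bytes * 8 / (rtt_ms / 1000.0)
    return bits_per_second * MATHIS_C / math.sqrt(loss_rate) / 1e6


def transfer_seconds(size_mb: float, rtt_ms: float, loss_rate: float, link_mbps: float) -> float:
    """Time to move size_mb megabytes, limited by the slower of the access link
    and the path's TCP ceiling."""
    rate_mbps = min(link_mbps, tcp_throughput_mbps(rtt_ms, loss_rate))
    return size_mb * 8 / rate_mbps


# Constructed path parameters (assumed for illustration, not measured).
PATHS = {
    "backhaul_via_hq": {"rtt_ms": 120.0, "loss_rate": 0.005},   # home -> HQ firewall -> cloud
    "nearby_pop":      {"rtt_ms": 20.0,  "loss_rate": 0.0005},  # home -> local PoP -> cloud
}


def compare_paths(size_mb: float = 100.0, link_mbps: float = 100.0) -> dict:
    """Per-path TCP ceiling and time to move one file over an assumed 100 Mbit/s home link."""
    result = {}
    for name, p in PATHS.items():
        result[name] = {
            "ceiling_mbps": round(tcp_throughput_mbps(p["rtt_ms"], p["loss_rate"]), 2),
            "transfer_s": round(transfer_seconds(size_mb, p["rtt_ms"], p["loss_rate"], link_mbps), 1),
        }
    return result


if __name__ == "__main__":
    for name, stats in compare_paths().items():
        print(f"{name:16s} ceiling {stats['ceiling_mbps']:6.2f} Mbit/s  100 MB in {stats['transfer_s']:6.1f} s")
```

With these assumed figures the backhauled path tops out under 2 Mbit/s for a single flow and the local-PoP path near 32 Mbit/s, a factor of roughly 19, even though both users sit on the same 100 Mbit/s home link. The model bounds one loss-based TCP flow and ignores congestion control details and window limits, but the direction of the result holds: cutting round-trip time and loss does more for a remote user than buying a fatter link.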
Security
As more and more users work from home, security risks are guaranteed to increase. More remote users mean more opportunities for threat actors to penetrate security defenses. Unfortunately, traditional VPNs authenticate remote users to the whole enterprise network, allowing them to ping or “see” all network resources. Hackers are known to take advantage of this opportunity, as they did in the infamous Home Depot and Target breaches of a couple of years ago, which took advantage of stolen VPN credentials. Once inside the network, a hacker is just one administrator password away from access to sensitive applications and data. That’s a big reason why IT security has been moving away from network-centric security towards software-defined Zero Trust Network Access (ZTNA), which grants users access only to what they need when they need it.
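To make the difference between network-centric VPN access and ZTNA concrete, here is an added example (not code from the original post, and not Cato’s implementation): a toy policy engine in Python that computes which internal hosts a given identity can reach under each model, and therefore how many hosts a stolen credential exposes. The hostnames, users and entitlements are constructed placeholders; `at_hour` and `is_policy_violation` are helpers invented for this illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, time

# Constructed inventory: internal hostname -> application it serves (placeholders only).
RESOURCES = {
    "crm-app.internal": "crm",
    "payroll-db.internal": "payroll",
    "git.internal": "source",
    "pos-controller.internal": "pos",
}


@dataclass(frozen=True)
class Grant:
    """One ZTNA entitlement: an application plus the local-time window it may be used in."""
    app: str
    start: time
    end: time


# Constructed per-identity entitlements: only the app each role needs, only during work hours.
ZTNA_POLICY: dict[str, list[Grant]] = {
    "alice": [Grant("crm", time(8, 0), time(18, 0))],
    "contractor-bob": [Grant("pos", time(9, 0), time(17, 0))],  # narrow third-party scope
}

# Assumption: everyone with a ZTNA entitlement also holds a legacy VPN account.
VPN_USERS = frozenset(ZTNA_POLICY)


def at_hour(hour: int, minute: int = 0) -> datetime:
    """Constructed timestamp helper so callers need not build datetimes themselves."""
    return datetime(2020, 3, 10, hour, minute)


def vpn_reachable(user: str, vpn_users: frozenset[str] = VPN_USERS) -> set[str]:
    """Network-centric VPN: a valid credential places the user on the flat network,
    so every host answers (ping, port scans, login prompts) regardless of role."""
    return set(RESOURCES) if user in vpn_users else set()


def ztna_reachable(user: str, now: datetime) -> set[str]:
    """ZTNA: the broker exposes only hosts behind applications this identity is
    entitled to, and only inside the grant's time window. Nothing else resolves."""
    allowed: set[str] = set()
    for grant in ZTNA_POLICY.get(user, []):
        if grant.start <= now.time() <= grant.end:
            allowed.update(host for host, app in RESOURCES.items() if app == grant.app)
    return allowed


def blast_radius(user: str, now: datetime) -> dict[str, int]:
    """Number of hosts exposed if this user's credential is stolen, under each model."""
    return {"vpn": len(vpn_reachable(user)), "ztna": len(ztna_reachable(user, now))}


def is_policy_violation(user: str, host: str, now: datetime) -> bool:
    """Audit helper: True when an observed connection is one the ZTNA policy would
    not grant. Run over VPN session logs, this highlights lateral movement that a
    flat network silently permits."""
    return host not in ztna_reachable(user, now)


if __name__ == "__main__":
    for who in ("alice", "contractor-bob"):
        print(who, blast_radius(who, at_hour(14)))
    print("contractor-bob -> payroll-db at 14:00 flagged:",
          is_policy_violation("contractor-bob", "payroll-db.internal", at_hour(14)))
```

Under the flat VPN both identities reach all four hosts, so a stolen contractor credential exposes the payroll database and source repository as readily as the one system the contractor actually services. Under ZTNA the same credential reaches one host during working hours and none outside them, and `is_policy_violation` gives a defender a simple rule for spotting VPN sessions that touch resources the identity should never see.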
Enforcing security policies for many more remote users can also add latency and cut down performance. One option is to let mobile users connect directly to the cloud and deploy new cloud-based security solutions, like secure Web gateways or cloud access security brokers (CASB), that intercept connections before they reach the cloud. Users will still be contending with public Internet performance, however.
Management
Deploying client VPN software on thousands of new home users’ systems can take considerable resources and time that organizations might not have during a crisis.
AdRoll found VPN onboarding of new users a very cumbersome process, especially for contractors. “Using Mac’s management software to push out VPN configurations to users was a pain,” says Dunne. Dunne also had to send instructions for configuring the VPN client to every user. Once these users are onboard, IT also needs appropriate tools for managing and monitoring all those remote users, much as it does for its branch offices and other sites. Shifting to cloud-based Web gateways and CASBs has its own overhead as well.
Cato’s SASE Solution Provides Access Needed for Remote Workers
There is a solution that will solve many of these connectivity, security, performance, and management issues: a cloud-native network like the Cato Cloud. Built on the principles of Gartner’s secure access service edge (SASE), Cato connects mobile and remote workers to the same network, secured by the same security policy set, as those within the office.
Rather than connecting to the company data center, then out to cloud applications, home users connect with their nearby cloud-native network point of presence (PoP). From there they become a part of a virtual enterprise WAN that the data center and branch offices access through their local PoPs as well. Cato locates its PoP infrastructure in a number of the same data centers as major cloud providers, including AWS and Microsoft Azure, allowing fast direct connections to cloud services.
Connectivity isn’t a problem. Cato’s cloud architecture is built for massive scalability to support any number of new users regardless of session duration or frequency. Users can work at home or in the office all day, every day, and the Cato architecture accommodates the load transparently. “Cato’s mobile VPN is my secret BCP in my back pocket,” says Stuart Gall, then the infrastructure architect in the network and systems group at Paysafe. “If my global network goes down, I can be like Batman and whip this thing out.” Performance improves by eliminating backhaul and inspecting traffic in the PoP instead of the datacenter. Home and mobile users bypass the unpredictable Internet middle mile and instead use the Cato backbone with its optimized routing and built-in WAN optimization to dramatically reduce latency and improve data throughput.
The user experience improves in other ways. Users connect to all their applications and resources, whether spread across multiple clouds or within private datacenters, with a single login. Getting users connected is simple. “The cherry on top was Cato’s VPN solution,” says Don Williams, corporate IT director at Innovex Downhole Solutions. “It was the best technology I’ve seen. In less than 10 minutes we were connected through a VPN on the device.” Most of the security and network management is handled by the cloud provider, instead of enterprise IT. Cato’s Security as a Service provides a completely managed suite of agile, enterprise-grade network security capabilities, built directly into the Cato Global Private Backbone, including a next-generation firewall/VPN, a Secure Web Gateway, Advanced Threat Prevention, Cloud and Mobile Access Protection, and Managed Threat Detection and Response (MDR).
Cato simplifies security management in other ways. “With firewall appliances, you install certificates from your firewall, and only then do you realize that when your user goes to a different site, you again need to install another SSL certificate at that appliance,” says the IT manager at a leading EduTech provider. “With Cato, we were able to install a single certificate globally so we can do SSL decryption and re-encryption.”
Adding new home users to a cloud-native network can be a quick process that doesn’t require expensive, time-consuming appliance upgrades. “With Cato, we just sent a user an invite to install the client,” says Dunne. “It’s pretty much like a consumer application, which makes it easy for users to install.” AdRoll’s San Francisco chokepoint was eliminated, and Cato gave Dunne more granular control over permissions for mobile users.
The current crisis will likely require quick action from IT to get users connected and working from home quickly and securely. A cloud-native SASE network can make that work faster and easier while giving all those home-based workers a satisfying user experience.