If you were relatively lucky, you were able to send all your employees home during lockdown and then start working remotely without much difficulty. If you were relatively unlucky, you quickly found that your existing VPN setup was unable to handle the workload. Common VPN problems may include:
· The VPN may be unable to handle all of a company’s employees logging on at once
· The VPN may be incompatible with SaaS or cloud-hosted applications, making it difficult for users to safely access resources in the cloud
· Architecture is flat, without any segmentation, which means that unauthorized users can easily access sensitive information
Nonetheless, companies have demanding customer expectations to fulfill. For some, this has meant working in less-than-ideal conditions using slow, or worse, insecure connections. Now that conditions have begun to stabilize, however, it’s worth investigating potential VPN alternatives: technologies that allow companies to bring faster connections to more people more securely.
SD-WAN – Fast, Secure, and Failure-Resistant
Remote employees face a dilemma. Most of them have consumer-grade broadband internet connections that are much faster to use without connecting via a VPN. What's more, most day-to-day business applications such as email and productivity tools now sit inside the cloud, where information is secured on the end of the cloud service provider. Many employees are probably asking themselves why they can’t just use their fast consumer-grade connections to access their cloud applications, without the added burden of the VPN. Although a VPN is more secure, the answer of “security” tends not to hold a lot of water when it’s standing in the way of convenience. For some, simple best practices like split-channel VPN, or simply not using a VPN when it's not necessary can solve this issue, but for others working in highly regulated environment, a more technical solution could be the answer.
SD-WAN (the software-defined wide-area network) offers a way to create a private network from widespread consumer internet connections without limiting their connectivity. It works like this:
· The enterprise defines a home internet connection as belonging to its network. This can usually be done either using a cloud-based management console or by connecting an SD-WAN appliance to a user’s home internet.
· The SD-WAN service does two things: first, it prioritizes traffic to business applications. Once turned on, it ensures that mission-critical applications such as Salesforce and Office 365 get priority over applications such as Facebook and Netflix.
· Second, SD-WAN orchestrates the wider network. Certain kinds of high-priority or sensitive traffic may need to hop from the home network to a fiber network or an MPLS. Lower-priority traffic may hop from the home network to a cellular network. SD-WAN controls the number and quality of hops, and can fail traffic over from one connection to another if there’s an outage.
· Finally, SD-WAN essentially takes the security tools used to secure application traffic – encryption, authentication, and firewall – out of the data center and into the cloud. Instead of backhauling application traffic from the home user to the data center for inspection, all that security is now performed at the edge.
Using intelligent network orchestration, SD-WAN can ensure that the network never feels congested, even when many employees are working remotely. Given that application traffic from remote users has increased by up to 900 percent, SD-WAN is a premier technology for absorbing the overage.
SD-WAN for Connectivity, SDP for Security
Whereas SD-WAN is a great way to improve connectivity while maintaining security, the software-defined perimeter (SDP) provides improved security without impeding connectivity.
As network access control is to VPN, so is SDP to SD-WAN. Features like device fingerprinting prevent attackers from spoofing access to software-defined networks, while also preventing users from connecting unpatched devices or those with insecure configurations. The SDP can also deploy features such as multi-factor authentication if it suspects that an attacker has stolen a user’s credentials.
Authentication doesn’t stop once the user has logged in. Software-defined perimeters are a crucial component of what’s known as “zero-trust security,” in which authenticated users are still closely monitored and subject to limited privileges.
In this case, the SDP lets administrators create extremely granular micro-segments that contain only the files and applications that a user needs to perform their job. Although VPN can be also be arranged this way, administrators can do this more quickly and with more detail using SPD. Once implemented, the software-defined perimeter prevents users from even seeing the resources that the don’t have access to. Even if an attacker gains entry to the network, they will be unable to perform reconnaissance, escalate their privileges, or move laterally.