The legacy remote access model was built around the need to enable a relatively small number of employees who worked from home to access resources in a corporate data center. Initially, the fact that VPNs were operationally complex was not a major stumbling block because the number of remote workers was so small.
Since then, remote access requirements have changed dramatically. In addition, over time, we have discovered more about the operational and security limitations of VPNs. The combined impact of these factors leads to an obvious conclusion: IT organizations need a fundamentally new remote access model.
Expanding Remote Access Requirements
While IT organizations still need to support remote employees, it is no longer a small number. Currently 70% of people work remotely at least one day a week. In addition to supporting employees who work from home, IT organizations also need to support employees who work at locations like coffee shops, hotels, airports and airplanes. Unfortunately, the access networks at these locations are shared and inherently insecure. Another change to the traditional view of remote access is that in addition to accessing resources in a corporate data center, remote employees also need secure access to multiple cloud providers.
It is well known that coworking spaces are very popular with startups. However, a recent Forbes article reveals "Wework, undisputedly the largest organization operating in the co-working space, cites that the fastest growing segment of their business is members who work for large corporations."
Similar to other public spaces, the access networks in coworking spaces are shared and inherently insecure. The growth in the number of employees who make use of coworking spaces and, hence, need secure remote access was quantified in a report which stated, "Back in 2007, the trend was almost unheard of, with only 14 documented coworking spaces in the United States. Now, there are more than 11,100, and we’re projected to see more than 26,000 spaces hosting 3.8 million people by 2020."
The Growing Role of Contractors
There is nothing new about businesses using contract employees to complement the full-time workforce. What is new, is both the extent to which businesses use contractors and the way in which contractors engage with the business.
When the legacy remote access model was first implemented, contractors were used relatively infrequently, and they usually worked onsite alongside full-time employees. When IT organizations began to add contractors to their networks, it created security vulnerabilities. However, given both the relatively small number of contractors and the lack of alternative solutions, most IT organizations ignored the problem.
The problem can no longer be ignored; over the last several years, the number of contract workers has skyrocketed. For example, according to a recent estimate, 40% of the U.S. workforce will be contract workers and freelancers by 2020.
Driven by cultural changes, the last few years have seen the emergence of a new way for companies to engage contract workers – crowdsourcing. According to Forbes, "Crowdsourcing is the process of obtaining needed services, ideas, or content by soliciting contributions from a large group of people, especially an online community, rather than from employees or suppliers."
Independent of how they are engaged and whether or not they work onsite, the tremendous growth in the use of contract workers means that IT organizations need to implement functionality that limits contractors to only being able to gain access to the resources that they need to perform their job.
VPNs are operationally complex; they also have inherent security weaknesses. For example, if a VPN is used for remote access, once users are authenticated, they are considered trusted and are granted broad access. As a result, once a hacker penetrates an organization’s firewalls he/she can move through the network with little - if any - resistance.
These limitations alone would be sufficient reason for IT organizations to seek new remote access solutions. However, remote access is no longer a narrowly defined use case that can be responded to with a point solution. Remote access has evolved to where supporting a wide variety of remote workers will soon be a more common use case than is supporting workers at their desk in a corporate facility.
IT organizations must adopt a new strategy based on a software defined perimeter (SDP) and a zero-trust approach to security. To overcome the operational complexity of VPNs, IT organizations need to implement a remote access solution which is centrally managed and enables the organization to implement identity-based policy enforcement. As the number of remote workers continues to grow, enterprises can not afford to wait.