Die, VPN: We're all "telecommuters" now—and IT must adjust (arstechnica.com)
59 points by evo_9 on Oct 13, 2011 | hide | past | favorite | 19 comments


I'm not sure I see what the big issue is with VPN access.

The author complains that VPN connections choke the user's bandwidth, but I am not sure I know many examples of this. Typically through a VPN connection I will see higher latency to external internet points if the company does not allow split-tunnel routing. However, decreases in the user's bandwidth only occur if the company does not have the appropriate bandwidth available for the number of VPN users logged in. Perhaps I am just lucky, but I've never had this problem.

Regarding the pain of logging in, Cisco's new Cisco AnyConnect VPN automatically re-authenticates you to the VPN session so you don't need to keep signing in as you shift locations. Microsoft's DirectAccess allows you to have a VPN session automatically established with no additional authentication necessary whenever it finds a network connection available.

The author proposes cloud services? Those don't work too well for large companies in my opinion. In fact, I don't think they work well for small companies yet either. Google Docs just doesn't have the functionality required and STILL lacks the idea of having centralized repositories of information. If you want to share a document with your entire Google Apps organization, you can "share it" but the people in your organization must know to search for it in order to discover it. There is no way to browse "All Documents in My Company" which creates a huge pain.

Most companies and their employees, especially Fortune 100 companies, utilize "Network Volumes". Go into one of these companies and talk to the employees. "Oh, that is on my U drive, and the other documents, those are in the company wide public share on my P drive". They browse to these files seamlessly over the VPN, edit them, and they are updated on the remote server.

VPNs also HELP ensure compliance (though they definitely don't guarantee it). You no longer need to worry whether every single cloud service you are using has the proper security configuration. There may be some wiggle room here, but I know that with Active Directory Group Policies, I can really lock things down on users through one centralized management interface. If I have 10 cloud services, I have 10 different things I need to worry about locking down.


The problems I've had with VPNs are probably down to misconfiguration, but the primary one was limited bandwidth over the VPN, not limited bandwidth to the internet. Living in Europe, but connecting to a VPN server in California, reduced a 4Mbit connection to something closer to 64kbit - I hypothesized that whatever corresponds to the TCP window on the VPN was configured with too low a size, and the latency was killing stream throughput.


Same problem, same numbers. (China -> Atlanta). Is your VPN Juniper IVE by any chance?


The only non-generic client is Nortel, I'm not sure what's at the other end (but I'd guess Nortel).


I thought I was slowly going insane trying to find the "All Documents in My Company" feature of Google Docs. Glad to know I'm not the only one desperately missing it.


This reads as a very ignorant article and doesn't even come close to addressing the issues that are faced by enterprise IT teams. As soon as you let users bring their own devices (whatever they are) onto your corporate network your security concerns now include those devices. Who knows what Bob in accounting is letting his kid do with his laptop when he gets home at night. All the sudden your entire network is compromised or infected because using a VPN or employer provided devices is "hard".

The bandwidth argument is really not valid anymore. Just about everyone can get broadband at home and most sensible organizations will allow split tunneling so your non-work related traffic can go out whatever local connection you're on.


I think that's a problem with enterprise IT mindset, rather; this idea that there's a binary distinction between inside and outside, trusted and untrusted, and therefore whatever you connect to the network must be vetted because it suddenly has all this trust by default.

I think it's pretty inevitable that the evolution will be in the direction of distrust by default, and internal apps will slowly require more secure programming models, incrementally becoming more like ordinary public-facing sites. The reason is that the trust-by-default (once you're on the "inside") model is too centralized and can't scale to the increased number of devices. Employee devices will need hardening against intrusion from the corporate network just as much as the network needs hardening against intrusion from Bob from accounting; because you stop infections spreading by stopping the vectors for transmission, and that works from both ends.


There is a distinction of trusted and untrusted, but I wasn't implying a trust by default method because that's not good either. I also wasn't trying to imply that a vetted device is necessarily a trusted device. For example, we allow Blackberry, Apple and Android devices on our network as "officially supported" mobile devices. We don't trust them but we know if something goes wrong we can issue a single command and wipe the device which effectively ends all access that device had/has to our network resources.

The point is, and you hit on it, that you have to prevent intrusion, compromise or infection from all places and allowing people to work on their own hardware or without a VPN means that job becomes exponentially more difficult.


I'm curious about the part about no one liking dealing with VPNs. I have only used an OpenVPN network for my private use, not any enterprise-class system, but I don't have much to complain about. Once I got how it worked, it was pretty painless to use.

Is it due to the policies and the way they are applied in big companies? The tools?


Enterprise-class systems are far worse. If you know what you're doing, you can tune any IP tunneling solution into something that coexists nicely with your native network. That's not how any corporate VPN that I've seen works. They all hijack your box, sending all traffic down the pipe to the company firewalls and killing latency. Sometimes it's worse: they try to be smart, and send local traffic locally, but they still try to use their own DNS servers, thus breaking local addresses from e.g. the DHCP server at your local coffee house.

It's just a disaster. And the problem that it's intended to solve isn't actually solved by pretending that data "inside" the corporate network is safe. Sane IT strategies always need authentication and encryption inside the wall too. So why bother with the VPN?
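As an added illustration of the routing and DNS behaviour this comment describes (editor's example, not part of the thread and not taken from any product named in it): an OpenVPN 2.4+ server policy that hijacks everything, the split-tunnel policy beside it, and the client-side settings that refuse an over-eager server. The server name vpn.example.com, the 10.0.0.0/8 corporate range, the 10.0.0.53 resolver and the corp.example domain are assumed values.

```conf
# --- Server side, "hijack everything" policy (the behaviour complained about) ---
# The client's default route and resolver are both replaced, so local
# coffee-shop traffic and every DNS lookup go through the corporate firewall.
push "redirect-gateway def1"
push "dhcp-option DNS 10.0.0.53"

# --- Server side, split-tunnel policy ---
# Only the corporate range (assumed 10.0.0.0/8) is routed into the tunnel;
# the client's own default route stays in place.
push "route 10.0.0.0 255.0.0.0"
# Corporate resolver plus a search-domain hint. OpenVPN only hands these
# values to the OS; whether corp.example alone is sent to 10.0.0.53 and
# everything else stays on the local resolver depends on the client's
# resolver, which is exactly the piece that breaks local names when it
# is applied as "use this DNS server for everything".
push "dhcp-option DNS 10.0.0.53"
push "dhcp-option DOMAIN corp.example"

# --- Client side (OpenVPN 2.4+), defending against a greedy server ---
client
dev tun
proto udp
remote vpn.example.com 1194
# Drop a pushed default route and a pushed resolver; other pushed
# options (such as the corporate route above) are still accepted.
pull-filter ignore "redirect-gateway"
pull-filter ignore "dhcp-option DNS"
# Keep the corporate range in the tunnel even if the server pushes nothing.
route 10.0.0.0 255.0.0.0
```

The split-tunnel client is also a host bridging two networks at once, which is the risk the BYOD replies in this thread are concerned with; the trade-off is latency and local-network breakage on one side against a single choke point for inspection on the other.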


This doesn't strike me as very realistic. Aside from the issue of token-based security vs. other auth mechanisms, how else are you going to establish a secure connection to a private network aside from a VPN-like tunnel?


The point seems to be that if you move most of your IT onto the public Internet aka cloud (with SSL + passwords) then employees don't need to access any secure network.


This article really comes off as a prima donna developer, who may understand how infrastructure works, but not why strategic decisions are made.

Security is the primary driver for VPNs, and a significant driver for IT-controlled devices. Maintainability of the infrastructure is another large driver for devices. And finally, cost control of your support organization is easier when they have a limited scope to what devices and configurations they will support.

It isn't that his points are incorrect -- They are just pretty minor compared to the actual business drivers of Enterprise IT.


VPNs these days are one-click to establish and can be setup to use the same credentials as a work machine's login. You can often have them remember your credentials too so that there's no extra work involved, though this should be limited to situations where employees encrypt their file systems a la FileVault or BitLocker.

I agree that it's becoming less necessary as more and more services use strong, end-to-end encryption. However, using a VPN reduces the attack surface area of a network. SSL guarantees that nobody can eavesdrop on the communication but it doesn't guarantee who you're communicating with. Restricting access to the VPN and internal networks means that any 0-day bugs have little impact on your security as less services need to be public-facing.

The biggest threat with telecommuters is that you leave security up to them and who knows what trojans/rootkits lurk undetected on their machine to your antivirus/antimalware software.


> VPNs these days are one-click to establish

DirectAccess is a zero-click connection where the company network and resources are available any time you want them. I tried it for a few months and it works like magic.

For things like security and data protection, you always have BitLocker.


If BYOD and telecommuting were just held up by "security" they would've been steamrolled a long time ago. Very few organizations take security that seriously. Articles like these frame IT strategy about as accurately as a courtroom drama depicts the legal process.

100% of IT decisions you'd probably disagree with are driven by responsibility and/or costs.


A fairly narrow set of applications listed on the 2nd page of the article. I think an important reason promoting the use of VPN services is not that you are protecting yourself from your users, you are protecting yourself against poorly written 3rd-party or in-house applications.

There are a lot of companies that are forced to use really large, complex applications that combine a myriad of different technologies. It's one thing to patch servers, it's another task altogether to try and maintain and update applications that stretch across mainframes, various database and mid-tier applications, with mixed-web/thick client access. The dependencies alone are a nightmare to try and manage.

To me, this is the most important reason for securing remote users. I want to protect them, and the company, from the medusas.


This is pretty bad advice for most companies.

It's undeniable that people are moving to Bring Your Own Device for mobile, and that with third-party hosted cloud apps, VPNs are less meaningful. However, in a lot of cases, you have SOME applications which aren't secure enough to put on the Internet bare, and also having a central point for compliance makes a lot of sense.

While it would be nice to think phones/tablets are more secure due to having passcodes, unfortunately, Apple and Android don't actually have reasonable device security to protect from brute force against a password. You can easily image even a LOCKED device, then brute force it offline. Only BlackBerry seems to have hardware security in place to protect against this.


Also let's not forget SSL is kinda a mess. Not to say that VPNs aren't either though. It's tough out there. :)

I'll be using sshuttle once I get our external ssh gateway up.