As the number of remote workers has ballooned around the world in recent months, upgrading remote access tools has become a top priority for security professionals and IT teams alike. The venerable virtual private network (VPN) has long been the go-to solution, but there are other options out there, including cloud access security broker (CASB) tools. Both have their pros and cons, so which is right for your organization?
Since the late 1990s, enterprises have relied on remote access technologies like the VPN, which allows employees to ‘tunnel’ into corporate data and applications. With companies transitioning away from on-premise data over the last decade in favor of private and/or public cloud-based applications, the traditional VPN has somewhat faded from the limelight. However, the overnight shift to a remote working environment has helped bring remote access technologies back into the spotlight within the enterprise technology stack.
Comparatively speaking, CASB tools are the new kids on the block. As mentioned in a recent blog post, these solutions have been on the market since around 2015. They are designed specifically to let IT administrators manage applications and data in the cloud. And they are especially adept at things like monitoring cloud service usage, helping IT teams set up cloud-related policy controls, and enabling threat protection and regulatory compliance for the enterprise.
In this case, CASB tools authenticate and encrypt data going to the remote worker’s endpoint devices, most commonly a laptop or smartphone. Today, it is believed that upwards of 20% of enterprises have adopted some kind of CASB solution.
Legacy VPNs aren’t the answer
Let’s take a quick look at the advantages and disadvantages of VPNs and CASB solutions.
Legacy VPNs, in particular, generally take an all-or-nothing approach to remote access. What that means is that if the VPN is turned off, there won’t be any data encryption or tunneling, and the user will be blocked from accessing corporate data and applications. When the VPN is turned on, however, users are given access to the corporate resources they need.
In years past, that wasn’t a problem. As mentioned above, most resources were contained on-premise and employees used a VPN to access them. But with the advent of applications and data being hosted in private and public clouds, the VPN actually becomes a bottleneck, effectively eating up huge amounts of network bandwidth to carry traffic that could have been sent directly to the cloud.
Long in the tooth
This is by far one of the biggest criticisms of traditional, always-on VPNs. They lack the ability to offer split tunneling, which would allow them to intelligently separate data into what can go directly to its destination, for example a SaaS application running in a browser window, and other data that has to go down a tunnel to an on-premise resource. Depending on their function, many employees today primarily use Office365 and other SaaS applications that require very little tunneling.
From a usability perspective, users have long criticized VPNs for network slowdowns, as well as frustrating reauthentication requests whenever the connection is lost or an app crashes. This was particularly frustrating for employees at the beginning of the shelter-in-place restrictions in March, because they were not only suddenly forced to work from home, they were also experiencing less than ideal work performance, even when they had an otherwise fast home internet connection.
This brings us to the final major disadvantage of traditional VPNs – lack of rapid scalability. In the past, when a maximum of around 10% of the workforce required a VPN, balancing network needs was relatively smooth and predictable. But with the sudden jump to 90% or more requiring remote access, the scalability of hardware-based VPN solutions was greatly tested, revealing choke points caused by limitations in the physical hardware that could only be overcome by investing in the installation of even more hardware.
So, is CASB the answer?
To some extent, CASB solutions pick up where VPNs fall flat. They offer much better edge-to-edge visibility of the network, allowing IT teams to see and control much more of what’s going on – even down to individual file names and data elements.
The best way to know whether a CASB solution could be a good fit for your organization is to see where the enterprise applications and data are stored. If the enterprise runs completely on SaaS applications hosted on the public web, then a CASB may be a good choice. For the majority of companies, however, a CASB solution is far less effective if they also maintain data and applications on-premise.
The answer is… neither
In a sense, the title of this blog was a trick question, but the premise is sound. Do you need a VPN or a CASB? That will wholly depend on your organization’s needs. To help you decide, there are a couple of things that can send you down the right path.
For starters, it’s important to remember that not all VPNs are created equal. The VPN in this scenario has been the traditional, hardware-based VPN that isn’t scalable, that doesn’t offer network visibility and doesn’t have a positive user experience. That VPN wasn’t designed with a large, decentralized workforce in mind.
By the same token, a CASB alone may be good at helping to secure public cloud resources, but with 98% of companies in 2019 still operating some form of on-premise servers, the CASB is only a piecemeal solution.
As security leaders and IT teams prepare their future roadmap for remote access tools, they will see that the best option may actually be a SASE-based solution such as SDP or ZTNA. These solutions can be used together with a modern, mobile-focused VPN that provides the most secure, cost-effective and user-friendly environment possible today.