Enabling Secure Telework on Mobile Devices

In the past, laptop and desktop computers were the primary means by which people accessed the Internet. Over time, this has changed as mobile devices have become more convenient and omnipresent. In the modern world, most people are more comfortable on their mobile device than on any other Internet-connected appliance.

This is not only true of personal use of devices. Many businesses have found that employee productivity increases when workers are allowed to use the devices that they are most comfortable and familiar with for business purposes. The rise of bring your own device (BYOD) policies includes the ability to use personal smartphones for work purposes.

However, the growth of BYOD is not the only driver behind the increased use of mobile devices in the workplace. The growth of remote work, whether for corporate travel, business evolution, or in response to the COVID-19 pandemic, has driven growing use of corporate-owned or personal mobile devices for work as well. While mobile devices can make a teleworker more efficient, they are not a perfect solution. Like any other device used for telework, these devices must be secured.

However, the traditional solution for connection security, virtual private networks (VPNs), is ill-suited for use on mobile devices. Adapting to the performance and security needs of the mobile workforce requires software-defined wide area networking (SD-WAN) and secure access service edge (SASE).

VPNs are Not Designed for Large-Scale Telework

Most organizations use VPN-based infrastructure to secure telework. However, this infrastructure is not designed or suited for remote work at scale. VPNs are designed to implement point-to-point secure connectivity, providing traffic encryption between the VPN client and the server. Most organizations use this functionality to securely connect remote workers to the enterprise network. This ensures that all business traffic passes through the business network, enabling the organization to maintain full traffic visibility and perform security scanning.

While this can be effective for security, it has a negative impact on network performance and scales poorly. As organizations increasingly adopt cloud-based infrastructure, routing all traffic through the enterprise network creates inefficiencies and increases load on the company’s VPN infrastructure.

Mobile Devices Are Poorly Suited to VPNs

VPNs are designed to provide confidentiality and security to network traffic passing between the VPN client and a VPN server. To accomplish this, VPNs encrypt all traffic at the source and decrypt it at the other end of the connection.

While this is a good solution from a security perspective, it is also extremely resource-intensive. To create a secure connection to the enterprise network, a mobile device must go through a handshake process that establishes a secure connection to the VPN server. This process must be performed every time the mobile device wishes to establish a new secure connection.

For a laptop or desktop, this resource-intensive connection setup is not a big deal. However, mobile devices have a number of different features that make this a significant problem:

  • Limited Resources. While mobile devices have advanced rapidly in recent years, they are still battery-powered devices with limited computing power. Expensive operations, such as the handshake required to set up a new VPN connection, have a significant impact upon battery life and device performance.
  • Short Connection Durations. Unlike laptops and desktops, mobile users typically interact with their devices in short bursts. If, between these interactions, the device goes to sleep, a new connection may need to be created each time.
  • Frequent Network Changes. Mobile devices are designed to connect easily to a range of different networks. While this is an asset for network connectivity, it creates a challenge for VPNs. Each time that a mobile device connects to a new network, it must establish a new connection with the VPN endpoint.

When working from mobile devices, teleworkers are largely dependent upon mobile applications. However, many mobile applications are incapable of detecting if a smartphone is connected to a VPN. When a VPN connection fails or a mobile device must go through the handshake required to set up a new VPN connection, these applications have degraded responsiveness and user experience. As a result, the productivity of teleworkers relying upon these applications and mobile devices is degraded.

Securing the Mobile Worker

As organizations increasingly adopt telework, mobile devices, and cloud-based infrastructure, VPNs are increasingly becoming the wrong choice for securing the workforce. A VPN is well-suited to securely connecting two different sites, or a teleworker to an enterprise network that contains the intended destinations of the majority of the worker’s network traffic.

With mobile devices and mobile applications, the destination of a high percentage of a teleworker’s traffic is cloud infrastructure, meaning that the use of a corporate VPN dramatically degrades network performance. Exacerbating this issue, VPN clients and mobile devices do not work together well.

In order to effectively support the modern workforce, organizations must explore alternatives to VPNs for secure connectivity for remote workers. SD-WAN and SASE provide secure network connectivity designed for the modern network.

With SD-WAN, network routing and security functionality is moved from the enterprise network to the network edge. This allows an organization to maintain network visibility and perform full security inspection without routing all traffic through the enterprise network.

SASE expands the reach and improves the efficiency of SD-WAN by moving this functionality to the cloud. Cloud-based SASE points of presence (PoPs) can be geographically close to remote workers, allowing them to connect to the secure WAN with minimal network latency. A leading SASE solution is also designed for mobile workers, ensuring that they are no longer treated as second-class citizens of the organization’s network.