Published: September 10, 2020
The 451 Take
During this time, VPN services, security services, MSPs and cloud services responded with secure remote access services that were cloud managed and off-loaded the remote connectivity from the enterprise WAN. In many cases, the secure remote access services also provided high-speed access to cloud services like Salesforce, AWS and Azure. These services also included value-added features like security and performance optimizations for applications. The primary benefit of cloud managed secure remote access for vendors, resellers and enterprises is the ability to quickly scale up or down when needed while still managing costs. Enterprises using a cloud managed service were able to support all their users on day one, minimizing one aspect of operational disruption.
Where companies see success and benefits of work-from-home policies, they plan to continue them. According to 451 Research's Voice of the Enterprise: Digital Pulse, Coronavirus Flash Survey June 2020 - Advisory Report, 67% of organizations expect to continue work-from-home policies with the result that 47% of organizations expect to reduce their physical office footprint. More than 20% expect to reduce it by more than 25%.
Many cloud managed secure remote access vendors present themselves as a VPN killer as if they must compare their products to something inferior, but that's not really the case. Services in this segment use VPN technologies and architectures to form the basis of their services, but additional security and performance optimizations along with workflows designed to ease managing users at scale take cloud-managed secure remote access services to the next level beyond VPN gateways.
However, there are increased risks with remote workers, which we discuss at length in our report "Will the work-from-home explosion revolutionize enterprise security architecture?" Many of these products and services can also be classified as zero trust networks (ZTN), software-defined perimeters (SDP) and secure access service edge (SASE), which layer security and security management features for connected users whether they are on-premises or remote. Enterprises can use these services with or without the advanced security capabilities, and many of these services offer flexible plans for a la carte enablement for all or a subset of users.
Nearly all the secure remote access services support a variety of authentication systems and services commonly used by enterprises, as well as multi-factor authentication for secure tokens, reducing the operational overhead of managing users. Groups and roles assigned in the directory where users authenticate, like Microsoft's Active Directory, can be used to assign policies defined in the service or elsewhere, further easing management.
A critical factor for enterprise IT to evaluate – and a significant differentiator for vendors – with these services is determining the types of applications that will need to be supported. Web applications are easily supported by all the managed services either using a proxy architecture or intelligent routing. Non-web applications like direct database access, fat email clients, voice, and file sharing usually require an installed or downloadable client component to create a VPN. Not all the services support non-web applications and for some of them, doing so is complex and is reserved for internal IT use.
Some SD-WAN vendors like Bigleaf, SimpleWAN and VMware use low-cost hardware appliances for home use. The benefit is that the appliance completely isolates the user's laptop from a home network and is easy for the employee to deploy. However, hardware appliances for remote employees are expensive, might be difficult to manage and can make support and troubleshooting difficult. It's a piece of hardware employees have to install and power. It may not work well with their home networking setup or that of their broadband ISP, and the appliances are not portable when employees want to work out of the home and office.
The final critical component is licensing. One of the benefits of enterprises using a cloud managed remote access service is that they were able to rapidly scale up their client licensing to support the sudden increase in usage. Enterprises with on-premises VPN products had to acquire new hardware, licenses or both to meet demand, and they still place limits on VPN usage. Enterprises using cloud services have come to expect flexible licensing schemes that can scale as needed with shorter fixed terms.
Innovation and roadmap
For cloud managed networking services like branch and campus networking, SD-WAN, NaaS and virtual WAN, the support of secure remote access should be a natural progression in services. It's not enough to simply have regional points of presence for remote users to connect to; the secure remote access service should also support interconnection to cloud services and on-premises datacenters and use geolocation to find the nearest connection point. Operating a private backbone between POPs for global transport is a value-added capability to improve application performance compared with the Internet-as-backbone. Acquiring or partnering with one or more NaaS and virtual WAN vendors, which we discuss in "NaaS and virtual WAN services are viable cloud networking alternatives to dedicated circuits," would provide a quick entry into a global connectivity offering.
Value-added services such as security and application optimizations provide incremental revenue opportunities and can differentiate services. For example, Akamai, Cato Networks, Cloudflare and Zscaler provide remote connectivity along with intrusion detection and prevention, reputation scoring, anti-malware and other capabilities. However, weak or poorly implemented security features are worse than having none because poorly implemented capabilities can erode customer trust. Where service providers want to add security capabilities quickly, partnering with established security vendors and services lends credence to the security functions and can reduce time to market. For example, Microsoft is pursuing a partnership model with third-party security and networking companies with its Virtual WAN service that is seeing some success.
Network equipment vendors like Arista, Aruba, Cisco, Extreme and Juniper are enhancing their cloud managed networking services, which started with cloud management of wireless access points and switches for small offices. They have added or are adding more networking functions like location services, firewall, VPN and SD-WAN, and are expanding their products under management to include larger offices, campuses, datacenters and clouds. With their emphasis on cloud-delivered features, we'd expect them to add or enhance their remote user access capabilities as well as add their own backbones between POPs, putting them on a competitive footing with the likes of Aryaka, Cato and Microsoft. Not doing so would be a mistake because their current and prospective customers will want robust, scalable remote user support.
The table below is a representative list of vendors that offer secure remote access capability by itself or in concert with other capabilities. A comprehensive list would include remote access offerings from service providers and managed service providers as well as VARs and integrators that offer secure remote access. In addition, these services also compete with on-premises hardware and software VPN products that are self-managed by the enterprise and can offer many, but not all, the capabilities that cloud managed services offer such as a global network backbone and direct access to cloud services.
Mike Fratto is a Senior Research Analyst on the Applied Infrastructure & DevOps team at 451 Research, a part of S&P Global Market Intelligence. He covers enterprise networking, including campus and datacenter networking, SDN, SD-WAN, SD-Branch, cloud networking, container networking, networking as a service, network performance monitoring, and network automation and orchestration. He has extensive experience reviewing and writing about enterprise remote access, security and network infrastructure products, as well as consulting with enterprise IT, equipment and software vendors, and service providers.