Published: September 10, 2020

Introduction

The impact of coronavirus will be felt long after the crisis has passed. The pandemic, the closures of offices for non-essential workers and the ensuing work-from-home strategies have certainly been disruptive, but there is a silver lining. Companies were forced to support remote employees with little notice and largely succeeded. The authors of 451 Research's Voice of the Enterprise: Digital Pulse, Coronavirus Flash Survey June 2020 - Advisory Report note that in the same survey from March 2020, "8% of organizations had already experienced a disruption [meaning inability to meet debt obligations or deliver an agreed-upon service, or the loss of a major client] with 5% expecting [a major disruption] within a month, and another 26% expecting it within three months. Three months later, that disruption has mostly failed to materialize. Currently, 13% of organizations say they have experienced a major disruption, an increase of only five percentage points versus March." Equally important, a large minority of respondents in March, 40%, were experiencing issues with employee productivity, while in June that number dropped to 28%, with 12% reporting that they had resolved their productivity issues.

The 451 Take

Organizations have several options to choose from for secure remote access, including self-hosted, a fully managed service or a cloud managed service. The vendors with the competitive edge are those that operate their own global network backbones and have direct connections to cloud services; offer additional security services that can be acquired as a bundle or a la carte; and, most important, are easy to acquire and scale as demand changes while also being easy to manage for a large number of users. Meeting those goals is a tall order and there are a number of cloud managed services that fit the bill. We don't see this as a stand-alone segment; rather, it is a component, available as stand-alone or as part of a bundle, of self-service cloud managed services like SASE, zero-trust networking, SD-WAN and software-defined perimeters.

 

Context

Most organizations have a secure remote access strategy in place for those workers that travel outside the office or for IT support people to access IT systems from home when they are on call. VPN capabilities have been available on firewalls, routers and gateways for decades; however, when countries enacted shelter-in-place and social-distancing policies aimed at stopping the spread of the virus, office workers suddenly working from home needed secure remote access. Organizations that had VPN gateways had few options other than buying more hardware and more licenses, which is expensive, and at the time, the duration of working from home was thought to be short and the cost for the VPNs wouldn't be a wasted expense. The increased use of VPNs led to more WAN traffic, especially as video conferencing took hold, and enterprise IT responded by asking users to disconnect from the VPN when connecting to video conferencing, which naturally affected users, who had to disconnect and reconnect from the VPN as the situation required.

During this time, VPN services, security services, MSPs and cloud services responded with secure remote access services that were cloud managed and off-loaded the remote connectivity from the enterprise WAN. In many cases, the secure remote access services also provided high-speed access to cloud services like Salesforce, AWS and Azure. These services also included value-added features like security and performance optimizations for applications. The primary benefit of cloud managed secure remote access for vendors, resellers and enterprises is the ability to quickly scale up or down when needed while still managing costs. Enterprises using a cloud managed service were able to support all their users on day one, minimizing one aspect of operational disruption.

Where companies see success and benefits of work-from-home policies, they plan to continue them. According to 451 Research's Voice of the Enterprise: Digital Pulse, Coronavirus Flash Survey June 2020 - Advisory Report, 67% of organizations expect to continue work-from-home policies with the result that 47% of organizations expect to reduce their physical office footprint. More than 20% expect to reduce it by more than 25%.


Technology

Many cloud managed secure remote access vendors present themselves as a VPN killer as if they must compare their products to something inferior, but that's not really the case. Services in this segment use VPN technologies and architectures to form the basis of their services, but additional security and performance optimizations along with workflows designed to ease managing users at scale take cloud-managed secure remote access services to the next level beyond VPN gateways.

However, there are increased risks with remote workers, which we discuss at length in our report "Will the work-from-home explosion revolutionize enterprise security architecture?" Many of these products and services can also be classified as zero trust networks (ZTN), software-defined perimeters (SDP) and secure access service edge (SASE), which layer security and security management features for connected users whether they are on-premises or remote. Enterprises can use these services with or without using the advanced security capabilities, and many of these services offer flexible plans for a la carte enablement to all or a subset of users.

Nearly all the secure remote access services support a variety of authentication systems and services commonly used by enterprises, as well as multi-factor authentication for secure tokens, reducing the operational overhead of managing users. Groups and roles assigned in the directory where users authenticate, like Microsoft's Active Directory, can be used to assign policies defined in the service or elsewhere, further easing management.

A critical factor for enterprise IT to evaluate – and a significant differentiator for vendors – with these services is determining the types of applications that will need to be supported. Web applications are easily supported by all the managed services either using a proxy architecture or intelligent routing. Non-web applications like direct database access, fat email clients, voice, and file sharing usually require an installed or downloadable client component to create a VPN. Not all the services support non-web applications and for some of them, doing so is complex and is reserved for internal IT use.

Some SD-WAN vendors like Bigleaf, Simplewan and VMware use low-cost hardware appliances for home use. The benefit is that the appliance completely isolates the user's laptop from a home network and is easy for the employee to deploy. However, hardware appliances for remote employees are expensive, might be difficult to manage and can make support and troubleshooting difficult. It's a piece of hardware employees have to install and power. It may not work well with their home networking setup or that of their broadband ISP, and the appliances are not portable when employees want to work out of the home and office.

The final critical component is licensing. One of the benefits of enterprises using a cloud managed remote access service is that they were able to rapidly scale up their client licensing to support the sudden increase in usage. Enterprises with on-premises VPN products had to acquire new hardware, licenses or both to meet demand, and still they placed limits on VPN usage. Enterprises using cloud services have come to expect flexible licensing schemes that can scale as needed with shorter fixed terms.

Innovation and roadmap

For cloud managed networking services like branch and campus networking, SD-WAN, NaaS and virtual WAN, the support of secure remote access should be a natural progression in services. It's not enough to simply have regional points of presence for remote users to connect to; the secure remote access service should also support interconnection to cloud services and on-premises datacenters and use geolocation to find the nearest connection point. Operating a private backbone between POPs for global transport is a value-added capability to improve application performance compared with the Internet-as-backbone. Acquiring or partnering with one or more NaaS and virtual WAN vendors, which we discuss in "NaaS and virtual WAN services are viable cloud networking alternatives to dedicated circuits," would provide a quick entry into a global connectivity offering.

Value-added services such as security and application optimizations provide incremental revenue opportunities and can differentiate services. For example, Akamai, Cato Networks, Cloudflare and Zscaler provide remote connectivity along with intrusion detection and prevention, reputation scoring, anti-malware and other capabilities. However, weak or poorly implemented security features are worse than having none because poorly implemented capabilities can erode customer trust. Where service providers want to add security capabilities quickly, partnering with established security vendors and services lends credence to the security functions and can reduce time to market. For example, Microsoft is pursuing a partnership model with third-party security and networking companies with its Virtual WAN service that is seeing some success.

Network equipment vendors like Arista, Aruba, Cisco, Extreme and Juniper are enhancing their cloud managed networking services, which started with cloud management of wireless access points and switches for small offices. They have added or are adding more networking functions like location services, firewall, VPN and SD-WAN, and are expanding their products under management to include larger offices, campuses, datacenters and clouds. With their emphasis on cloud-delivered features, we'd expect them to add or enhance their remote user access capabilities as well as add their own backbones between POPs, putting them on a competitive footing with the likes of Aryaka, Cato and Microsoft. Not doing so would be a mistake because their current and prospective customers will want robust, scalable remote user support.

Competitors

The table below is a representative list of vendors that offer secure remote access capability by itself or in concert with other capabilities. A comprehensive list would include remote access offerings from service providers and managed service providers as well as VARs and integrators that offer secure remote access. In addition, these services also compete with on-premises hardware and software VPN products that are self-managed by the enterprise and can offer many, but not all, the capabilities that cloud managed services offer such as a global network backbone and direct access to cloud services.


Mike Fratto
Senior Research Analyst

Mike Fratto is a Senior Research Analyst on the Applied Infrastructure & DevOps team at 451 Research, a part of S&P Global Market Intelligence. He covers enterprise networking, including campus and datacenter networking, SDN, SD-WAN, SD-Branch, cloud networking, container networking, networking as a service, network performance monitoring, and network automation and orchestration. He has extensive experience reviewing and writing about enterprise remote access, security and network infrastructure products, as well as consulting with enterprise IT, equipment and software vendors, and service providers.

Christopher Rogers
Panjiva Research

Eric Oak
Panjiva Research
