IT Briefcase Exclusive Interview: Rethink and Replace VPNs with Workspace-as-a-Service Solutions

Interview with Jon Senger, CTO of Vertiscale and Security Advisor to Managed Service Providers

Over the years, many MSPs have implemented VPNs for clients that need secure remote access to their applications and data. This has been particularly true when clients require remote access to legacy client/service applications and a typical setup involves running thick client software end user devices connected through the VPN to a database server.

In this interview, Jon Senger, co-founder and CTO of Vertiscale, speaks with IT Briefcase about the weaknesses of VPN-based remote access solutions and describes how new cloud-based Workspace-as-a-Service platforms support much higher levels of data security along with vastly greater convenience for end-users.

• Q. VPNs have been a standard component in IT infrastructure deployments for years. Why have they been so widely adopted?

A. VPN is such a widely adopted technology because of how easy it is to setup in the backend. Getting one running is, for most installations, as simple as checking a box on a router or installing an appliance and punching some holes in a firewall.

• Q. OK, so it’s easy for IT to configure a VPN, but what about end users?

A. It’s funny, but I’ve never met an end user who thought VPN is a good solution. The problem is that, because the range of VPN client software is so huge, user setup can be very onerous for even the most seasoned IT guy the first time around. Then duplicating the setup and helping everybody else in the office get the clients working can quickly become a support nightmare. Even if a user is setup properly, there are often performance issues, the VPN will disconnect randomly or other issues arise that frequently give users a bad experience.

• Q. VPNs are inexpensive to set up and manage, though, right? Why should a business or their MSP consider replacing them?

A. Two reasons come to mind: First, since they tend require a lot of support, the OPEX cost to maintain them is relatively high given their limited functionality. Second, the security is often very low in these implementations and VPNs can be hacked fairly easily. When people understand that, they wonder why they are paying so much for a false sense of security.

• Q. So we talked about the end user experience, but can you talk more about the security challenges with VPNs?

A. Out of the box VPN solutions often use protocols or configurations that don’t encrypt the traffic. They may also allow packet sniffing technology to snag usernames or passwords. For example, one of the most widely adopted VPN technologies is PPTP — and it is the easiest to hack; most hackers can get usernames and passwords in just a couple of minutes. That is a huge problem.

Another problem is that VPNs don’t monitor access, which creates two significant challenges: First, they are rarely tied in with AD or other centralized user directories. This means that broad spectrum password policies and user management isn’t possible. If it is done, then it is on the back of the MSP to deliver this – at their OPEX cost. The second issue is that if a user has access to the VPN, they often have unfettered access to all intranet resources. They could be moving sensitive data to personal machines, which could already be hacked.

When you allow VPN access, you really are acknowledging that the least security-minded person in your company now can control your data security. Think about that for a minute. How many links have all your users employees clicked lately? Were they all secure? Those are the questions you need to ask and when you look at it thoughtfully, you’ll see that VPN isn’t worth the risk.

• Q. What are some of the major trends in the industry that are driving MSPs to consider replacing VPNs?

A. In addition to the poor user experience, difficult management, and poor security model, VPNs don’t address mobility very efficiently. Have you tried connecting to a VPN on your tablet or phone? Sure, it’s possible, but it’s not pretty.

People want and expect a seamless experience these days, including BYOD, regardless of which device they happen to be using. They don’t want to deal with fiddly or unreliable client applications. These trends create huge security, supportability, and user acceptance headaches if a VPN is part of your infrastructure.

• Q. What are the major options available to MSPs for replacing VPNs?

A. Workspace-as-a-Service (WaaS) solutions are the best options for VPN replacement. These give end users that seamless experience they’re looking for, support much better security for the organization, and provide MSPs with a simple implementation process that works with their centralized management systems.

With end users loving their user experience and MSPs lowering their operating costs while increasing their margins, it’s no surprise to see the rapid rise in adoption of this technology over the past 18 months. I think it will be continuing the northern trajectory over the next several years.

• Q. What other components, in addition to VPNs, can MSPs replace using these new systems?

A. The great thing about Workspace-as-a-Service is that many offerings come with technology that will replace distributed encryption software, bring in BYOD and mobility support, and introduce thin clients as an option. All this saves money for everyone, making it an easy sale for the MSP, and fosters fast adoption. The centralized management functions of a WaaS platform also simplify and streamline support.

• Q. How is Workspace-as-a-Service different from Desktop-as-a-Service, VDI, or Virtual Desktops?

A. When we talk about VDI or DaaS we think desktops. This means that end users are accessing a full blown desktop or a session on a desktop to get to their applications or data. That strategy has proven expensive and can be very difficult to maintain. It also doesn’t always answer the need of the end users. They just want to be productive – and productivity means bringing them as close to their application or data as possible without extra clicking around or authentication methods. As long as they can do that securely, then they will be happy.

Workspace-as-a-Service provides a full productivity solution that gives end users remote access to their applications and data without having to jump through a bunch of hoops – and without having to pay the high fees usually required for VDI and DaaS. MSPs also gain here because they don’t have to manage expensive infrastructure.

• Q. What kind of cost savings can an MSP expect to see if they switch to an infrastructure based on Workspace-as-a-Service from a traditional architecture utilizing VPNs, MDM, and so on?

A. They’ll see OPEX savings from centralized management as well as CAPEX savings from being able to deploy in cloud environments or on existing machines. They’ll also see huge gains in efficiency due to the automation components of a good WaaS platform.

Put that together with the savings that client organizations see by not having to support a distributed device strategy, and you get a picture of the significant savings available to everyone involved.

Workspace-as-a-Service is not only the best alternative to using VPNs to provide remote access, it offers improved security, a simplified user experience, greater convenience, and enables MSPs and their customers to use a streamlined infrastructure — and save money at the same time.

Jon Senger is a tech industry veteran with a passion for creating and driving strategy in new and emerging technologies. As CTO of Vertiscale, developer of the leading Workspace-as-a-Service solution for managed service providers, he empowers MSPs to grow their business with technology that adds substantial value to their clients’ operations easily, economically and securely. Jon resides in Austin, Texas and has previously held technology positions with Dell, JP Morgan Chase, and Qwest.