Millions of people have been told to work from home (WFH) to support social distancing edicts during the pandemic. While many countries have now loosened their restrictions and allowed some workers to return to their places of employment, there are indications that WFH could be long-lasting or even permanent for some.
In a March 30 survey of 317 CFOs and business finance leaders conducted by Gartner, nearly 75 percent of those surveyed expect that at least 5 percent of their workforce who previously worked in company offices will become permanent WFH employees after the pandemic ends.
This shift to remote work has big implications for enterprise networks. Network managers who had to quickly put the resources in place to support a temporary WFH mandate will need to rethink how to sustain remote work for the long term. There are three areas, in particular, that we believe are critically important in supporting a remote workforce: network access, security, and enterprise communications.
To accommodate the sudden surge of home-based workers, network managers might have ordered a slew of new VPN licenses, and maybe even a larger firewall or VPN appliance, to connect people to the corporate network. However, access via VPN can be notoriously slow, especially as traffic is backhauled across the Internet to the VPN server. VPNs also can harbor significant vulnerabilities, an issue we noted in a recent post. NIST’s Vulnerability Database has published over 100 new CVEs for VPNs since last January.
For these reasons, VPNs should not be viewed as a permanent solution for remote workers. Rather, people working from home on a full-time basis need network access that is comparable to that of in-office workers: reliable, well-performing, easy to use, and secure.
As the world’s first global Secure Access Service Edge (SASE) platform, Cato includes remote access with SD-WAN in a single platform. Enterprises can choose how to securely connect remote and mobile users to their enterprise resources and applications. Cato Client is a lightweight application that can be set up on a user’s device in minutes. It automatically connects the remote user to the Cato Cloud, and from there they can access the same resources and applications they could access from any branch office. Cato’s clientless access solution allows optimized and secure access to select applications through a browser. Users navigate to an Application Portal, which is globally available from all of Cato’s 50+ PoPs, authenticate with the configured SSO, and are instantly presented with their approved applications.
With Cato’s clientless option, users are presented with a dashboard of approved applications. Clicking on an icon launches them directly into the application.
Remote work often puts the employee outside the network defense perimeter. Therefore, any WFH practices have to consider two aspects of security: network access control and protection of the home-based worker from cyber-attack.
A VPN establishes a secure, encrypted connection so that a remote user’s traffic can travel over a public, unsecured, unencrypted network privately and safely. Beyond encrypting the traffic in transit, a VPN has little to offer in terms of controlling the user’s access to the enterprise network or providing functions such as threat detection and mitigation.
Security, overall, is where Cato really shines because security is inherent in the network. It begins with the user login to the enterprise network. Cato is integrated with identity providers to provide strong authentication and a single sign-on (SSO) experience. Using authentication services, like Microsoft 365 or Azure AD, as the remote access SSO will ensure that users securely authenticate through interfaces they are already familiar with. And enabling multi-factor authentication at the identity provider will automatically enforce it for remote access users, further strengthening remote access security.
The remote user’s traffic is fully inspected by Cato’s security stack, ensuring enterprise-grade protection for users everywhere. Cato’s access controls (Next Generation Firewall, Secure Web Gateway), Advanced Threat Protection (IPS, next generation anti-malware) and managed threat detection and response (MDR) capabilities are enforced globally, ensuring that remote users benefit from the same protection as office users.
Many organizations have adopted Unified Communications (UC) or UC-as-a-Service (UCaaS) to promote collaboration across the enterprise. All workers need consistent and reliable access to services such as voice, video, web conferencing, email, voice mail, messaging, screen and document sharing, and scheduled meetings. It’s critical that remote/WFH workers have these same tools to maintain virtual presence, if not physical presence, with their colleagues in the office. And while Cato doesn’t offer UCaaS as part of the Cato Cloud network, our network is optimized in several ways to support this type of service.
UCaaS quickly becomes a critical application for many organizations, which makes securing UCaaS against disruption particularly important. Cato addresses this problem by converging security services into the network. Next-generation firewall (NGFW), intrusion prevention service (IPS), advanced threat protection, and network forensics are converged into Cato Cloud, protecting UCaaS and all traffic from Internet-borne threats.
Cato minimizes packet loss and latency – the enemies of call quality – through loss correction, and by eliminating backhaul and avoiding the unpredictable public Internet. Backhaul is eliminated by sending UCaaS traffic directly across the Cato network to the Cato PoP closest to the UCaaS destination. And as Cato and UCaaS providers like RingCentral often share the same physical datacenters, public Internet latency is minimized.
Cato overcomes congestion and last-mile packet loss that often degrade UCaaS service quality. Sophisticated upstream and downstream Quality of Service (QoS) ensures UCaaS traffic receives the necessary bandwidth. Policy-based Routing (PBR) along with real-time, optimum path selection across the Cato network minimizes packet loss.
And finally, Cato overcomes last-mile availability problems by sending traffic across multiple last-mile links (active/active mode; other options, such as active/passive and active/active/passive, are also available). In the event of a brownout or blackout, UCaaS sessions automatically fail over to the secondary connection fast enough to preserve a call. Brownouts are also mitigated by various Packet Loss Mitigation techniques.
The coronavirus pandemic is changing business and work life in many ways. Employees who have receded to the safe recesses of their homes may never venture to the office again. Network managers need to consider how to keep WFH employees as effective and productive as if they were still in a corporate office, and this includes network access, security and collaborative communications.