The secrets of VPNs for business

Mature mid-sized businesses

Larger organisations are more likely to have specialist IT staff: guys who've been doing remote access since the days of the character-based terminal and noisy modem. For them, VPN is the latest faddy way to do it, and they're happy to jump aboard.

But this presents risks of its own. These guys tend to be early adopters, which might be fine for them but can create a steep learning curve for everybody else. They're also likely to want to set things up just so. This can lead to situations where changing anything at all, outside the LAN or inside it, whether software, hardware, supplier or anything else, has unexpected consequences. A single cable popping loose might result in two routers both advertising as the single authoritative endpoint, causing security errors and leaving users locked out. Tracing the trail of cause and effect in a lovingly designed VPN can be agonising.

Let's not panic too much, though. Such situations are rare and high-end architecture can deliver legendary levels of reliability, especially when the people connecting to the VPN are doing so in consistent ways, from their branch or home offices. It's when things are more unpredictable and chaotic that issues arise. Which brings us to the cloud.

Modern cloud-based ventures

If you've managed to cast off the traditional shackles of information technology, then good for you. But when your services and assets are all up in the cloud, the demand for secure access doesn't just evaporate: it becomes ubiquitous.

Accordingly, both Microsoft and Amazon prefer you to present your entire pool of client phones, machines and tablets in a privately connected way. This can go as far as setting up a dedicated, physical fast link between you and their nearest cloud-access point. Whether you go that far or not, both use a popular VPN technique, namely connecting over Secure Sockets Layer (SSL).

Most people are familiar with SSL in the form of HTTPS, which provides secure access to web services, but that's by no means all it can do. Transporting data through a secure pipe between your browser and a website is functionally indistinguishable from a regular VPN workload and, while many public hotspots and ISPs will block unusual connection types, they can't block SSL, as this would make most of the web inaccessible. It's no coincidence that firewall vendors charge extra for SSL connections, controlling how many VPN users you can have operating simultaneously.

If your business transacts a lot with the cloud, passing your VPN traffic over SSL ought to be a no-brainer. Unfortunately, it comes with an extra level of complexity to deal with in the form of SSL certificates. These require renewing biannually, and come with their own classes of spam, phishing attack and malware. You'll even have to contend with competing certificate issuers engaging in dodgy customer-capturing strategies.

Once you're in a cloud-centric business, it's very likely all of this grief will come to visit anyway. All the same, you'll need to take a step back and evaluate how to manage the risks associated with relying on certificates. It should be fairly simple in theory, but failures can be protracted and fantastically disruptive: being cut off from your entire computing resource is something that modern cloud businesses don't fire-drill for enough.
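One way to fire-drill the certificate lapse described above is a small expiry audit run against every VPN gateway on a schedule. This is an added example, not code from the original article; it uses only Python's standard ssl module, and the 30-day warning threshold, the endpoint names and the sample dates are assumed values.

```python
import socket
import ssl
import time

# Assumed renewal policy: warn this many days before a certificate lapses.
WARN_DAYS = 30

def days_until_expiry(not_after: str, now_ts: float) -> int:
    """Whole days left on a certificate, given the notAfter string that
    ssl.getpeercert() returns (e.g. 'Jun  1 00:00:00 2024 GMT')."""
    expires_ts = ssl.cert_time_to_seconds(not_after)
    return int((expires_ts - now_ts) // 86400)

def classify(days_left: int) -> str:
    """EXPIRED means users are already locked out; RENEW means act now."""
    if days_left < 0:
        return "EXPIRED"
    if days_left <= WARN_DAYS:
        return "RENEW"
    return "OK"

def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Open a fully verified TLS connection and return the peer's notAfter.
    A verification failure raises ssl.SSLError, which is itself a finding:
    the chain the gateway serves is not one that clients will accept."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def audit(endpoints, now_ts=None):
    """endpoints: iterable of (name, notAfter) pairs. Returns a list of
    (name, days_left, status) with the most urgent endpoint first."""
    now_ts = time.time() if now_ts is None else now_ts
    rows = []
    for name, not_after in endpoints:
        days_left = days_until_expiry(not_after, now_ts)
        rows.append((name, days_left, classify(days_left)))
    return sorted(rows, key=lambda row: row[1])

if __name__ == "__main__":
    # Constructed sample standing in for fetch_not_after() results:
    # invented names and dates, evaluated as of 2024-01-01 00:00 UTC.
    sample = [("cloud-gw", "Jun  1 00:00:00 2024 GMT"),
              ("branch-a", "Dec 31 00:00:00 2023 GMT"),
              ("home-b", "Jan 15 00:00:00 2024 GMT")]
    for name, days_left, status in audit(sample, now_ts=1704067200):
        print(f"{status:8} {days_left:5d} days  {name}")
```

In a live run, replace the constructed sample with `[(host, fetch_not_after(host)) for host in gateways]` and alert on anything that is not OK, including connection errors.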

Another potential pitfall for heavily cloud-connected businesses is not paying enough attention to local infrastructure. A typical issue that might arise is a router wanting to do its own thing with SSL packets, rather than loading up the certificate that's been issued. It may not be easy (or possible) to resolve the problem, short of replacing the router with a better-behaved, more expensive model.

VPNs and the distributed business

The stereotypical use case for a VPN involves executives travelling around the world with their laptops, but this isn't how most people work in daily life. In many cases, it's about working from home, while maintaining secure, reliable access to professional-grade resources.

This sort of environment is what the big firewall companies make small firewalls for. Rather than messing with the challenges of remote support and distributed traffic gateways, it's far easier to look at the lifecycle costs of setting up little IP subnets at each home office, each one supporting whichever devices the job requires.

Ensuring that an arrangement like this is properly fault-tolerant isn't a trivial matter. There are pressures from all sides. Plenty of ISPs will offer something like this as a turnkey solution, but they'll run it over their own wires rather than over the public internet. This means you're stuck with the provider's timetable for maintenance operations, which can be in the order of weeks rather than days, and users can't simply plug in their home router and go.

And what if the line goes down? You can get routers with 4G SIM cards, to keep an internet connection going if the main line is lost, but there's no way to guarantee performance. Apart from anything else, your teleworking neighbours may be in the same boat and hitting the same cell. No wonder distributed businesses are becoming increasingly interested in the new wave of collaborative productivity platforms, which can be used over any consumer-grade connection and are usually presented via web browsers.

A few final caveats: remote access can be tricky to manage if you have a high staff turnover. Very few distributed VPN services are responsive enough to disconnect a departing staff member in the time it takes them to leave the office and drive home. Another issue is whether the local council approves of turning an employee's home into their regular place of work: there have been cases of two-up two-downs being re-rated as business premises, with all the associated tax implications.