The nature of work in the modern enterprise has become overwhelmingly mobile, fluid, and diverse. Today’s workforce is remote, mobile-first, and requires secure anytime, anywhere mobile apps, with direct connections to protected resources on any device, including managed, unmanaged, and BYOD devices. As employees increasingly turn to mobile applications to meet their everyday needs, they require access to protected resources that sit behind firewalls and gateways, but their access patterns are dynamic, ephemeral, and ever-changing. These dynamics pose significant problems for IT and Security organizations, who must figure out how to balance the dynamic access needs of the business and do so securely.
In the ‘old days’ IT organizations turned to traditional Enterprise VPNs to solve this problem. But when it comes to providing secure access via enterprise mobile applications, VPN technologies leave enterprise organizations struggling with far too many operational, technological, and usability challenges to make them viable at scale. And the dynamic nature of today’s mobile-first, ‘anywhere, anytime, any device’ world is causing many to consider that the enterprise VPN has reached the end of the road. Let’s explore some of the main factors contributing to the end of the VPN.
The Nature of Work Has Evolved
So what’s so different about the nature of work today? Work-from-home in COVID-19 is uniquely different from previous remote work use cases. Before Covid, remote work was usually a temporary or limited-purpose consideration that applied to a relatively small fraction of an organization’s overall workforce. By contrast, in the Covid era and beyond, working remote is the rule, rather than the exception. In other words, it’s the primary way that work gets done. Here are some of the characteristics of the modern remote worker:
- They need continuous connections over longer periods, which expands the attack surface and makes the enterprise network more vulnerable to attack.
- They use multiple digital devices and apps simultaneously to get work done.
- Today’s remote workers constantly ‘context shift’ from one app to another, often moving between work and personal apps multiple times in the same day.
- They require access to resources, applications and systems at all times (compared to pre-Covid times, when remote workers might only need access to a few applications over shorter periods, because their primary access patterns originated from the office).
Is It Time to Say Goodbye to the Mobile Enterprise VPN?
When asked about the future of the enterprise VPN in the context of technology trends in large organizations, Forrester Analyst Chase Cunningham stated, “The broader topic is the death of the VPN”, adding that $250 million worth of acquisitions in the past 12 months are intended to get rid of VPN technology as a discrete technology purchase.
Even before COVID-19, Enterprise Security, IT and DevSecOps teams were struggling to deliver remote mobile experiences that are seamless, easy, useful, and secure within their existing technology stack. Legacy mobile management, access, and security technologies are not flexible enough to meet the dynamic needs of the mobile-first organization; these systems impose one or more of the following painful trade-offs:
Mobile Applications Are Not VPN-Aware
VPNs typically require client-side software deployed on the device to connect with the backend. For mobile applications, this is especially problematic because most mobile applications are not built to be enterprise-VPN aware. This often requires the use of a separate app, management profile, or implementation of an SDK for the mobile application to connect to a backend. Each of these options imposes significant operational burdens on end-users, developers, IT, and security departments.
All-or-Nothing VPN Tradeoffs
VPN servers and client software usually impose design, operational and technology constraints on enterprises that limit their suitability for broad deployment. For example, from an access control perspective, VPNs are often constrained to coarse-grained ‘all or nothing’ access control policies, which make it difficult for enterprises to apply least privilege access models to partners and vendors.
VPNs are based on the IPSec protocol, which introduces some operational challenges for mobile applications. Now as a security practitioner, I am of course not trashing IPSec as a security technology. The problems with mobile applications lie in the implementation. Allow me to explain. IPSec operates at a lower layer in the IP stack than where mobile apps communicate (Layer 3 vs. the application layer). This essentially means that mobile developers would need to implement a plethora of application-layer protocols in mobile apps to achieve universal compatibility (and such a practice would be impractical for many reasons). In addition, many enterprise and UEM/MAM VPNs rely heavily on TCP, which imposes substantial overhead on mobile apps and connections. This is because TCP is a ‘connection-oriented’ protocol which requires a fixed and permanent connection for the duration of the session. This is especially problematic for mobile applications that have real-time components or traffic patterns (e.g. VoIP, messaging, chat, streaming), which are more suited to a ‘connectionless’ protocol like UDP.
Operational Complexity
Traditional Mobile Enterprise VPNs impose operational burdens on IT and end-users, including introducing authentication friction and a cumbersome user experience. VPNs also typically require remote users to remember to turn on their VPN client to connect, and often require periodic reconnects, all of which result in a poor user experience and loss of productivity.
VPNs do not provide any protection for mobile applications or data stored inside the mobile app. They are mainly designed to enable secure transport via an encrypted tunnel, not to secure the app or the data stored in the app. The majority of mobile hacks focus on exploiting security deficiencies in the mobile app itself (unencrypted data at rest or in memory, partially or non-obfuscated code, user data stored in clear text inside app preferences, lack of MFA, weak certificate chains, reliance on public CAs, lack of tamper protection, lack of reverse engineering protection, etc.). VPNs do not provide security in any of those areas. Hackers have exploited weak VPN protocols and non-secure internet connections to cause data breaches at major companies such as Home Depot and Target.
Lack of Flexibility, Bound to Physical Hardware and Locations
Traditional mobile enterprise VPNs typically have on-premises physical components, such as a VPN gateway or proxy that are constrained by hardware limitations. This limits flexibility and constrains the enterprise to a finite number of concurrent users. Today’s mobile-first organization is dynamic and fluid and requires access to solutions that can scale with that paradigm. Bottlenecks or productivity loss can also result if the hardware becomes overloaded or runs out of physical capacity, or if communication lines become oversubscribed due to unexpected spikes in users or usage.
Mobile Enterprise VPN Challenges with BYOD Use Cases
In today’s business ecosystem, BYOD is the predominant use case, and enterprises are often required to collaborate with external organizations that may require temporary or limited access to protected resources.
According to recent research, the average large enterprise’s network is accessed by over 80 different vendors, contractors, partners, freelancers, etc. VPNs pose significant challenges for BYOD use cases due to their reliance on fixed certificates or management profiles to be deployed on the employee’s device.
Enterprises cannot place management profiles on devices that they don’t own. This often means that BYOD devices and/or devices used by contractors or partners cannot be granted secure remote access. And in many international jurisdictions, enterprises are bound by external regulations or privacy laws, such as GDPR, which explicitly forbid the use of management profiles on employee-owned or BYOD devices.
This often forces organizations to make risky decisions, such as allowing less stringent access and security controls, which can expose the business to significant risk and an expanded set of threats. And then there’s the cost element. Enterprise VPNs are typically licensed on a per-user basis, so licenses can get pretty pricey, especially given the fact that in COVID-19, ‘work from home’ is the de facto mode of operation of most employees.
The Modern Remote Worker Needs a Better Way to Connect
Today’s remote worker requires anytime, anywhere access, from any device over secure mobile apps that seamlessly and securely connect to protected resources without imposing painful workflows on users. IT and Security departments need a security strategy that enables productive and friction-free mobile remote access for all users, while at the same time meeting their stringent enterprise security requirements and taking a multi-layered approach to mobile app security best practices.
IT and security teams will need to adapt to this massive shift towards work-at-home and offer more workplace apps that have consumer-like experiences. They need to plan for more agile and lightweight security models to enable a truly mobile workforce at scale – all without sacrificing security.
No-Code Secure Mobile Remote Access for iOS and Android Apps
One way to provide secure mobile access to a protected host behind a firewall is a combination of enforcing TLS and using mobile client certificates in the app. TLS enforcement ensures that the data is encrypted while in transit. Enforcing the use of the latest version of TLS ensures that the communication session is encrypted and also ensures that the session cannot be downgraded to an earlier version of TLS or SSL that contains known security vulnerabilities (i.e., it prevents TLS version downgrade attacks).
One of the primary use cases for this feature is to protect the mobile backend from compromised endpoints such as malicious bots. The client certificate includes the necessary ‘proof’ that the connection is originating from a trusted mobile application. For details on how this is achieved, read this KB article on Mobile Client Certificates. Also, check out the related KB on Certificate Pinning to protect the mobile client from connecting to an untrusted server.
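To make the two controls above concrete, here is an added Go example (not Appdome's code and not from the original post) in which a stand-in gateway accepts nothing below TLS 1.3 and requires a client certificate chaining to a pinned root, while the mobile-app side pins the gateway's certificate. The certificate names, the throwaway self-signed certificates and the in-memory pipe are assumptions made for this example; a real deployment issues both certificates from a private CA.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned: throwaway self-signed cert plus a pool pinning it as the only trusted root (constructed here; use a private CA in practice).
func selfSigned(name string) (tls.Certificate, *x509.CertPool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, IsCA: true, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	parsed, _ := x509.ParseCertificate(der)
	pin := x509.NewCertPool()
	pin.AddCert(parsed)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, pin
}

// Handshake runs one handshake over an in-memory pipe between a "mobile app" and a "gateway" that
// refuses anything below TLS 1.3 and requires a client cert chaining to the app's pinned root.
func Handshake(presentCert bool, appMaxVersion uint16) (uint16, error) {
	gwCert, gwPin := selfSigned("gateway.example")
	appCert, appPin := selfSigned("mobile-app")
	gwCfg := &tls.Config{MinVersion: tls.VersionTLS13, Certificates: []tls.Certificate{gwCert},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: appPin, SessionTicketsDisabled: true}
	appCfg := &tls.Config{MaxVersion: appMaxVersion, ServerName: "gateway.example", RootCAs: gwPin} // pins the gateway cert
	if presentCert {
		appCfg.Certificates = []tls.Certificate{appCert}
	}
	gwSide, appSide := net.Pipe()
	gwErr := make(chan error, 1)
	go func() { gwErr <- tls.Server(gwSide, gwCfg).Handshake() }()
	conn := tls.Client(appSide, appCfg)
	appErr := conn.Handshake()
	appSide.Close() // unblocks any alert the gateway is still trying to write into the pipe
	if err := <-gwErr; err != nil || appErr != nil {
		return 0, fmt.Errorf("gateway: %v; app: %v", err, appErr)
	}
	return conn.ConnectionState().Version, nil
}
```

Calling Handshake(true, tls.VersionTLS13) negotiates TLS 1.3; an app with no client certificate, or one capped at TLS 1.2, is rejected by the gateway side.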
How to Implement Secure Mobile Remote Access in Any iOS or Android App
Watch this video to learn how to implement secure mobile remote access into a mobile application. The app I’m using in this video is Hubspot for Android, but Appdome works with any iOS or Android app.
If you want to learn more about any of these features or see them in action, request a demo using the button below, and see how Appdome helps mobile developers automate mobile app security implementations for any app framework, and without changing source code or developer workflows.