How the VPN Goes to The Cloud?

Today, security services such as a virtual private network (VPN) can be easily outsourced to the cloud. It is important to be clear in advance about the required level of security and the requirements and deployment environments of the clients and to document this in a way that is comprehensible to the cloud VPN provider. Best practices for the selection of the provider and the course of the project help to achieve the goal quickly and as cost-effectively as possible.

Cloud services are gaining acceptance as an equal alternative to on-premise solutions in more and more areas. In a study, the security provider Pure Storage found that companies still run an average of 41 percent of their applications on traditional local IT, while the public cloud accounts for 26 percent and private cloud services for 24 percent. According to ICT market analyses by Techconsult, the market for software-as-a-service (SaaS) solutions in Germany will grow by 14 percent this year.

At 60 percent, investments in SaaS account for the largest share within cloud solutions. In all other areas of the cloud computing portfolio, such as Platform as a Service, Security as a Service, or Network as a Service, double-digit annual growth rates are also forecast by user companies until 2019.

Barracuda Networks estimates that 19 percent of IT budgets in Germany are currently spent on public cloud implementations. In the meantime, even security-relevant services such as virtual private networks can be easily outsourced to the cloud.

Numerous providers from a wide range of industries are active in the VPN market and offer a complete range of services that customers can also adapt to a large extent to their individual requirements. Outsourcing security-relevant services such as a VPN to the cloud is particularly advantageous for smaller companies.

They save on in-house expertise for a service that is not part of their core business and which, unlike Infrastructure-as-a-Service, for example, involves external network transitions anyway. But large organizations also appreciate the external service offering because it relieves the IT department and can be easily outsourced due to its position outside the perimeter.

In most cases, there are even industry-specific providers who know the special requirements in a specific environment, such as the financial industry and have integrated them into their offering.

Correct initial assumptions based on practice

Although every company and every corporate network is set up differently, some VPN service providers already have years of relevant experience through a stable user base and know how best to move a VPN to the cloud. VPN operators like Deutsche Telekom advise to first think about the dimensioning.

The number of licenses required is just as relevant as the bandwidth that remotely connected users and locations take up. According to Markus Schönel, Senior Product Manager at Business Services at Deutsche Telekom AG, the basic requirements for bandwidth and licenses are usually overestimated: “At the beginning, most customers assume that there will be significantly more users logged on simultaneously than is actually the case.

We adjust this in the first few weeks. If peak loads do occur, for example, we have a tolerance control that absorbs such short load fluctuations.” Which network connection is used does not matter to the hosters. MPLS is supported, as is accessing via IPsec. As a rule, customers who already use MPLS also use this technology for VPN access. If MPLS is not yet used, IPsec is the technology of choice.

Stefan Rech of Ratiodata GmbH, a systems house specializing in the financial sector, advises his customers to look at their clients’ deployment environments and understand the usage scenario. “It’s not just about the number of users, but also the environment in which they use their end devices,” Rech said. “What media is being used for connectivity?

Do hotspots from a commercial provider need to be integrated, or are employees traveling internationally? If so, we also need data on the cellular providers that will be used for the data connection abroad.” Most providers have questionnaires that collect data about the decentralized infrastructure, such as the number of users and the types of end devices and operating systems in use.

Depending on the VPN solution, the operating systems and versions used must be compatible with the VPN clients. If the operating system version is not officially supported, the experts at Ratiodata advise against using it, even if it has worked so far.

Automated processing of user data

In addition, VPN service providers require information about the type of integration into the customer’s directory and meta directory structures. In the case of integration in Active Directory, it is a question of how the remote access authorizations are assigned. Do all users get access via RAS or are there groups with RAS rights to which the corresponding users are assigned?

Deutsche Telekom uses two ways to get the data from the customer. It either synchronizes with Active Directory and reads out the relevant information, or it uses a CSV list exported daily from LDAP, in which the data is listed. Both ways run automatically, so there is no significant effort or cost involved.

Ratiodata also adapts to its customers in terms of administrative processes. As a rule, the Active Directory is read out, but couplings to HR software have also been implemented. Stefan Rech knows: “We always try to solve this automatically and attach ourselves to the master database.

However you solve it technically, it has to fit into the customer environment. Smaller companies usually buy in user management, while the larger ones like to do it themselves. They often have complete departments that take care of user management.”

Customers also have several options for later changes. If the connection is automated anyway, changes are handled through it as well. If an employee leaves the company or a new one is hired, the change shows up as part of the regular synchronization.
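The directory-driven provisioning described above (RAS rights assigned via groups, a daily CSV export, joiners and leavers picked up by the regular synchronization) as an added example; this is not code from the article or from any provider named in it. It assumes a constructed CSV export, constructed group names that grant RAS rights, and a hypothetical in-memory VPN user store.

```python
"""Reconcile a daily directory export against the VPN gateway's user base.

Added example, not part of the article or of any vendor's product. The CSV
export, the RAS group names and the VPN user store are all constructed.
"""
import csv
import io

# Constructed: directory groups whose members are entitled to remote access.
RAS_GROUPS = {"ras-users", "ras-admins"}

# Constructed sample: today's directory export, one row per account.
EXPORT_CSV = """login,name,groups,status
alice,Alice Adler,ras-users;finance,active
bob,Bob Brandt,finance,active
carol,Carol Caspar,ras-admins,active
dave,Dave Dorn,ras-users,disabled
"""

# Constructed sample: what the VPN gateway currently knows (hypothetical store).
VPN_USERS = {
    "alice": {"name": "Alice Adler", "group": "ras-admins"},
    "bob": {"name": "Bob Brandt", "group": "ras-users"},
    "erin": {"name": "Erin Ebert", "group": "ras-users"},
}


def ras_group(row):
    """Return the RAS group that entitles this account, or None.

    Entitlement comes only from group membership; a disabled account never
    qualifies, so a leaver whose groups were not yet cleaned up is still removed.
    """
    if row["status"] != "active":
        return None
    groups = set(filter(None, row["groups"].split(";"))) & RAS_GROUPS
    return sorted(groups)[0] if groups else None


def reconcile(export_csv, vpn_users):
    """Compute the delta (add, remove, update) between export and VPN store."""
    entitled = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        group = ras_group(row)
        if group:
            entitled[row["login"]] = {"name": row["name"], "group": group}
    add = {u: entitled[u] for u in entitled if u not in vpn_users}
    # Fail closed: leavers and accounts that lost RAS rights are both revoked.
    remove = {u: vpn_users[u] for u in vpn_users if u not in entitled}
    update = {u: entitled[u] for u in entitled
              if u in vpn_users and entitled[u] != vpn_users[u]}
    return add, remove, update
```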

In small installations, an e-mail to the account manager is often sufficient, or there is a standardized form in which the change request is entered. Incidentally, even a cloud VPN solution cannot do without a specific contact person at the customer. Customers have a contractual obligation to cooperate and cannot shift responsibility completely to the provider. Legally, they also remain responsible for the data, so they must ensure that personal data is handled in accordance with data protection regulations.

Multiple options for client roll-out

In the initial phase, the distribution of client software is still a significant task. Here, too, two variants are conceivable. If the customer has a software distribution solution, the VPN client can be rolled out via it. Large companies require this approach because it is integrated into their reporting and ticketing system. As an alternative, some VPN solutions offer their own distribution mechanism.

Both Deutsche Telekom and Ratiodata use the NCP Secure Enterprise VPN Server (Gateway), where distribution is part of the NCP Secure Enterprise Management (SEM) management platform. Based on experience, Stefan Rech from Ratiodata prefers the distribution option via SEM because it is more stable.

The administrator then simply defines which group receives the update; the client is downloaded and installed the next time the user logs on over a sufficiently fast network connection. However, the VPN solution also works with any other distribution solution.

VPN service providers have numerous products and implementation options open to them to offer such a service. In any case, it is important that the solution used is multi-tenant capable, meaning that different customers can be served in complete isolation from one another on a shared physical or virtual system. Because hosting many thousands of VPN tunnels can produce high load, the gateways should support load sharing and be scalable.

A common management console that can handle multiple gateways as well as separate tenants supports the hoster's operations and the customers' security needs alike. Whether customers accept a shared VPN gateway or demand a separate solution is determined by their security approach. VPN cloud providers can usually meet both requests.

Redundant gateway and network access designs are ultimately also up to the customer’s requirements profile. However, certain industries are restricted in their freedom of choice due to their compliance requirements. Ratiodata, with a very large number of customers in the financial sector, generally recommends redundant connections.

Stefan Rech explains: “Among other things, we are certified according to ISO 27001 and host our solution via two redundantly connected data centers. This also benefits customers who would actually have lower availability requirements.” The VPN gateways are also redundant and connected via a high-availability protocol, so they support load sharing.

Security requirements determine the price

Customers who are thinking about outsourcing their VPN services to the cloud must determine their protection requirements in advance and query the solutions offered in this regard. This starts with the physical security measures of the hoster.

Depending on the risk profile, highly certified data centers with camera surveillance, mantraps (single-person access locks), dual control and disaster recovery mirroring may be necessary. However, such measures drive up the price, so customers with lower requirements may deliberately choose a less hardened environment. The same applies if the hoster must hold certain certifications such as IT-Grundschutz, ISO 27001, or PCI DSS. Corresponding offers exist but are not necessary for every customer.

On the other hand, customers should not take any risks with authentication. Today, user names and passwords are no longer sufficient; a second factor is absolutely essential for external access to the network. Two-factor authentication is part of some VPN solutions, and many additional offerings cover every use case. For example, a certificate stored on a smart card can be conveniently used as a second factor.

In this case, it is important that the hoster also offers certificate management as a complete package, so that certificates are renewed in time or revoked when they expire. Under certain circumstances, it should also be possible to use more extensive authentication mechanisms, for example, if remote access is used to process classified material.

Even in the case of VS-NFD (classified information – for official use only), the German Federal Office for Information Security (BSI) requires the use of a specially approved solution that imposes additional requirements for authentication and tunnel inaccessibility.

The time required depends primarily on administrative processes

Implementing a security solution in the company usually involves considerable time. Hosted VPNs in the cloud can shorten the path to the goal quite a bit because customers already have access to a fully functional and optimally set-up solution. Often, administrative rather than technical processes determine the timeline. “As a rule, about two to three months pass between the initial discussions and implementation,” says Markus Schönel from Deutsche Telekom.

“Delays are usually caused by MPLS, when it first has to be applied for and set up.” Stefan Rech has had similar experiences, even though at Ratiodata some customers could be connected within three weeks. “It is difficult to give an exact time span,” says Rech. “Usually, after all, a few pilot computers are included first and not all clients at once. Then, after the release, it takes a while again until all end devices have downloaded the client. Sometimes employees are only online very rarely, so the final implementation can be spread over several months.”

Today, outsourcing a VPN solution to the cloud is no longer a pioneering effort. Numerous providers have industry-specific offerings in their programs. Because the technical implementation and administration of the running solution are placed completely in the hands of the provider, organizations can very quickly achieve a functioning security solution that meets the highest standards. It is important to be clear in advance about the required level of security and the requirements and operating environments of the clients and to document this in a way that is comprehensible to the cloud VPN provider.