The 4 Key Considerations for Extending Your Business Continuity Plan (BCP) to Home and Remote Workers

March 8, 2020

It’s a challenge not to think of a spreading health crisis when you’re crushed into a crowded train or bus, clutching a germ-infested pole and dodging a nearby cough. As the current crisis develops, enterprise business continuity planning and risk management will lead to millions of enterprise users working full time from home. Already we’ve seen the number of active remote or mobile users of the Cato Cloud rise 75 percent since early January, growing from about 10,000 users to 17,500 users.

In fact, as this Bloomberg article highlights, we’re probably about to embark on the largest global work-at-home experiment in history. What does that mean for your business continuity planning and remote work strategy? Consider four categories: connectivity, performance, security, and management. Here’s a summary of each.

Connectivity and Architecture

IT has been supporting remote and mobile users for years, but a sudden spike in staff working from home full time is a whole new ballgame. Most won’t be connecting occasionally to check email or do some quick catchup at the airport, between meetings or after hours at the hotel. They’ll be on the network every workday for hours accessing enterprise applications, files, and data. Your current remote access infrastructure was likely never sized to cope with such a large, constant load, which means you’ll probably have to add or upgrade remote concentrators. In the best of times, this can take days or weeks, but hundreds or thousands of companies will also need similar upgrades.

Aside from the corporate datacenter, most enterprise users will be accessing infrastructure and applications in cloud datacenters, which adds connectivity complexity, as we discuss in this eBook, Mobile Access Optimization and Security for the Cloud Era, and below. For security reasons, most organizations choose to route cloud traffic through datacenter security infrastructure first, then out to cloud datacenters many miles away, which adds latency to the home user’s cloud user experience.

Datacenter network congestion is also an issue, one that Adroll, a company offering a marketing platform for personalized advertising campaigns, had to grapple with. Not only did backhauling remote user cloud traffic add latency to Adroll’s cloud user experience, but it also saturated the San Francisco Internet connection and created availability problems, as the San Francisco firewall had no geo-redundancy. “It puts a lot of stuff in one basket,” says Adroll’s Global Director of IT, Adrian Dunne. “Once the VPN on our primary firewall rebooted. Suddenly 100 engineers couldn’t work anymore.”

Performance and User Experience

Mobile and home VPN users often complain about remote access performance even when infrastructure is sized appropriately, thanks to the unpredictability, latency and packet loss inherent in the public Internet core. When accessing the cloud, the mobile experience can get so sluggish that users often abandon the corporate backhauling solution to access the cloud directly, opening significant security gaps. Many newer users also find themselves struggling with unfamiliar VPN client software, passwords, and connections to multiple cloud services.

To make working at home a success, IT will have to find ways to simplify and speed up the user experience so it’s more like working at the office. This may mean considering alternatives to backhauling and running traditional VPN’s, which we discuss below.

Security

As more and more users work from home, security risks are bound to increase. More remote users mean more opportunities for threat actors to penetrate security defenses. Unfortunately, traditional VPN’s authenticate remote users to the entire enterprise network, allowing them to PING or “see” all network resources. Hackers have been known to exploit this opportunity, as they did with the infamous Home Depot and Target breaches of a few years ago, which took advantage of stolen VPN credentials. Once inside the network, a hacker is only one administrator password away from access to sensitive applications and data. That’s a big reason why IT security has been moving away from network-centric security towards software defined Zero Trust Network Access, which grants users access only to what they need when they need it.

Enforcing security policies for many more remote users can also add latency and slow down performance. The alternative is to let mobile users connect directly to the cloud and deploy new cloud-based security solutions, such as secure Web gateways or secure access security brokers (CASB), that intercept connections before they reach the cloud. Users will still be contending with public Internet performance, however.

Management

Deploying client VPN software on thousands of new home users’ systems can take considerable resources and time that organizations may not have during a crisis.

AdRoll found VPN onboarding of new users a very cumbersome process, especially for contractors. “Using the Mac’s management software to push out VPN configurations to users was a pain,” says Dunne. Dunne also had to send instructions for configuring the VPN client to each user. Once these users are onboard, IT also needs appropriate tools for managing and monitoring all those remote users, much as it does for its branch offices and other sites. Shifting to cloud-based Web gateways and CASB’s has its own overhead as well.

Cato’s SASE Solution Provides Access Needed for Remote Workers

There is a solution that can solve many of these connectivity, security, performance and management issues: a cloud-native network such as the Cato Cloud. Built on the principles of Gartner’s secure access service edge (SASE), Cato connects mobile and remote workers to the same network, secured by the same security policy set, as those in the office.

Rather than connecting to the corporate datacenter, then out to cloud applications, home users connect to their nearby cloud native network point of presence (PoP). From there they become part of a virtual enterprise WAN that the datacenter and branch offices access through their local PoPs as well. Cato locates its PoP infrastructure in some of the same datacenters as major cloud providers, including AWS and Microsoft Azure, allowing for fast direct connections to cloud services.

Connectivity isn’t an issue. Cato’s cloud architecture is designed for massive scalability to support any number of new users regardless of session duration or frequency. They can work at home or in the office all day, every day and the Cato architecture will accommodate the load transparently. “Cato’s mobile VPN is my secret BCP [business continuity plan] in my back pocket,” says Stuart Gall then the infrastructure architect in the network and systems group at Paysafe. “If my global network goes down, I can be like Batman and whip this thing out.”

“If my global network goes down, I can be like Batman and whip this thing out.”

Performance improves by eliminating backhaul and inspecting traffic in the PoP rather than the datacenter. Home and mobile users bypass the unpredictable Internet middle mile and instead use the Cato backbone with its optimized routing and built-in WAN optimization to dramatically reduce latency and improve data throughput.

The user experience improves in other ways. Users connect to all their applications and resources, whether spread across multiple clouds or in the private datacenters, with a single login. Getting users connected is easy. “The cherry on top was Cato’s VPN solution,” says Don Williams, corporate IT director at Innovex Downhole Solutions. It was the coolest technology I’ve seen. In less than 10 minutes we were connected through a VPN on the device.

“The cherry on top was Cato’s VPN solution,” says Don Williams, corporate IT director at Innovex Downhole Solutions. It was the coolest technology I’ve seen. In less than 10 minutes we were connected through a VPN on the device.”

Most of the security and network management is handled by the cloud provider, rather than enterprise IT. Cato’s Security as a Service provides a fully managed suite of agile, enterprise-grade network security capabilities, built directly into the Cato Global Private Backbone, including a next-generation firewall/VPN, a Secure Web Gateway, Advanced Threat Prevention, Cloud and Mobile Access Protection, and Managed Threat Detection and Response (MDR).

Cato simplifies security management in other ways. “With firewall appliances, you install certificates from your firewall and only then you realize that when your user goes to another site, you again need to install another SSL certificate at that appliance,” says the IT manager at a leading EduTech provider, “With Cato, we were able to install a single certificate globally so we can do SSL decryption and re-encryption.”

Adding new home users to a cloud native network is a quick process that doesn’t require expensive, time consuming appliance upgrades. “With Cato, we just sent a user an invite to install the client,” says Dunne. “It’s very much like a consumer application, which makes it easy for users to install.” Adroll’s San Francisco chokepoint was eliminated, and Cato gave Dunne more granular control over permissions for mobile users.

The current crisis will likely require a lot of quick action from IT to get users connected and working from home fast and securely. A cloud-native, SASE network can make the job faster and easier while giving all those home-based-workers a satisfying user experience.

Dave Greenfield

Dave Greenfield

Dave Greenfield is a veteran of IT industry. He’s spent more than 20 years as an award-winning journalist and independent technology consultant. Today, he serves as a secure networking evangelist for Cato Networks.