Corporate VPNs are so 1990s

By Andrew Pym, Associate Partner – Head of Google Cloud

March 25th, 2020

Dealing with the COVID-19 has driven unprecedented levels of working from home. Many organisations have had to rush license and infrastructure upgrades of their VPN capabilities to try and support the move to having the vast majority of employees working remotely.

Many VPN capabilities originated back in the 90s and early 2000s as corporate networks were opened up to the internet, but needed protection through segmented subnets and secure tunnels which VPNs provide.

The response to COVID-19 has had additional complications where some companies have had to scramble to extend their networks to significantly more users as office closures are moving the workforce to remote locations. Traditional VPNs are slow to adapt, and often require more physical hardware to increase their capacity. Lead times and delays are causing large drops in productivity. A large enterprise with overseas call centres has had their business continuity challenged further, as different countries shut down just as call volumes spike.

Cloud-native companies don’t work like this.

Google’s Beyondcorp model is a zero-trust model, delivering context-aware access, where no application is trusted. Applications sit inside a secure perimeter, just as traditional applications do. However, the zero-trust or defence-in-depth approach removes the need for VPNs — with both their license and infrastructure cost.

Google Cloud has made enabling BeyondCorp capabilities available to its customers. This comprises of key tools including

  • Cloud IAM — Identity and Access Management
  • Cloud IAP — Identity Aware Proxy

These tools complement Google Cloud’s array of security capabilities including Cloud Armor, Forseti, VPC networks, firewalls, load balancers, encryption etc

Cloud IAP is the cornerstone of the capability. Taking an authenticated user and only allowing authenticated access to authorised resources, all underpinned by OAuth2.0.

Companies such as Servian and Google, whose internal applications are operating in a BeyondCorp model have had a smooth transition to the working from home norm under COVID-19 conditions.

For companies who have moved to Google Cloud, this solution can unlock a lot of value quickly. The addition of an Identity Aware Proxy to a GCP environment opens up browser based applications with very little additional effort to enable context aware, remote access, of employee applications.

If the GCP environment is connected to an on-prem environment, authenticated network traffic can then also be explicitly routed through to internally hosted apps as well. Ideally all driven through Infrastructure as Code, so the provisioning and networking is explicitly enabled.

We are aware of a couple of our customers starting to use these patterns to rapidly scale out remote access to help their employees access applications that are both in Google Cloud and on-prem.

For more on Google Cloud Identity Aware Proxy head over here.

At Servian, we are also a big fan of Buzzfeed’s open source SSO solution octoboi which acts as an OAuth2 provider for a specific email domain.

So, by now you should’ve somehow realized what you gotta do, if you would like to know more about how Servian can help you operate in Google Cloud — reach out for a copy of our Cloud Blueprint paper or to discuss moving to a BeyondCorp style model for your company.