Across the globe, organizations are facing immediate challenges to efficiently shift their workforce to a remote working environment. Companies large and small have had to scale the at-home infrastructure needed to carry on performing business as usual. Typically, organizations’ virtual private networks (VPNs) are set up to serve only the 5%-10% of employees working remotely.

As we all know, the number of employees working from home has flipped quickly due to the social distancing efforts to curb the spread of the coronavirus pandemic. And many organizations designed VPNs assuming that most resources an employee would access were in a few georedundant data centers. The migration of email, video conferencing and many other services to cloud providers has dramatically shifted the final destination of a user’s traffic.

This left organizations with corporate networks no longer fit for purpose. Even organizations that had considered this shift in remote working hadn’t suitably tested the use case within their business continuity planning.

Fortunately, organizations can use split tunneling to minimize network congestion, avoid network bottlenecks and keep information secure while more effectively engaging the at-home workforce. Additionally, cloud providers can enable quick scaling of VPN infrastructure to help remove the burden on corporate VPN capabilities.

Split Tunneling Distributes the Workload

With intelligent decisions on how to route traffic, an organization’s systems can distribute the workload globally.

A VPN serves as a secure tunnel for the passing of all traffic and data between an employee’s computer and the organization’s data center and allows secure access to organization-hosted network resources. The standard approach has been to funnel all global traffic into a handful of georedundant data centers, keeping assets and information secure and providing employees access to critical information systems. This architecture wasn’t an issue when the majority of employees were in the office.

Today, with many high-bandwidth applications in the cloud and using the internet as the transport medium, the VPN is sending application-encrypted traffic into the data center only to have it turned around and sent right back out to the internet. Meanwhile, the security benefit of passing that traffic through the data center’s checkpoint is minimal, because the application has already encrypted it and the checkpoint cannot inspect it.
As a result, in the current environment, some companies are limiting or even preventing resources such as video conferences as a way to conserve bandwidth — which not only inhibits productivity, but also limits personal connection at a time when we need it more than ever.

Maintaining Security

However, there is a better way: Move the same security functions that are needed from the corporate data center to the endpoint and use split tunneling in the VPN client. Internet-destined traffic does not have to go through an organization’s owned data center. Instead, it can route directly to the internet or through a cloud provider’s VPN. This makes the connection to the cloud only as slow as the biggest remaining bottleneck in the network, which is usually the employee’s home internet connection.

Instituting a policy in an organization to use split tunneling allows the conservation of data center bandwidth and enables continued use of bandwidth-intensive applications, such as video collaboration. Explicitly selecting corporate traffic to route through an organization’s data center leaves internet traffic on the internet, and bandwidth bottlenecks are alleviated.

This method also improves employee experience for those who may not have high-speed broadband at home, by sending the traffic in the most direct path possible, minimizing the distance traversed across the internet. Organizations should evaluate risk-based methods when determining what internet traffic is safe to split tunnel.

Other features normally provided by the data center security stack, like content filtering and protection from malware-infected websites, can be deployed through a proxy or endpoint-based technologies.
In the end, the same security can be maintained by simply moving the location where the protection is implemented.
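As an added example (not code from the article or from Burns & McDonnell), the policy described in the two sections above expressed as a small Python evaluator: corporate prefixes always tunnel, internet ranges that passed a risk review go direct, an endpoint-side blocklist takes over the job of the data center’s content filter, and anything unclassified fails closed into the tunnel. The prefixes and the flow sample are constructed placeholders (documentation ranges), and the load calculation shows how much traffic the data center stops carrying once split tunneling is in place.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample policy; these are documentation ranges, not any real
# organization's addresses.
CORPORATE_PREFIXES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "192.168.100.0/24")]
# Internet destinations a risk review approved for direct routing, e.g. a
# video conferencing provider's published range.
APPROVED_DIRECT_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24",)]
# Endpoint-side blocklist standing in for the data center's content filter.
BLOCKED_PREFIXES = [ipaddress.ip_network(p) for p in ("198.51.100.0/24",)]


def _in_any(addr: ipaddress._BaseAddress, nets) -> bool:
    return any(addr in net for net in nets)


def route_decision(dst: str) -> str:
    """Classify a destination IP as 'tunnel', 'direct' or 'block'.

    Precedence: corporate ranges always tunnel; the blocklist beats the
    direct allow-list; anything unclassified tunnels (fail closed), so a
    gap in the allow-list never sends unreviewed traffic outside the VPN.
    """
    addr = ipaddress.ip_address(dst)
    if _in_any(addr, CORPORATE_PREFIXES):
        return "tunnel"
    if _in_any(addr, BLOCKED_PREFIXES):
        return "block"
    if _in_any(addr, APPROVED_DIRECT_PREFIXES):
        return "direct"
    return "tunnel"


def data_center_load(flows: List[Tuple[str, int]]) -> Dict[str, int]:
    """Bytes the data center must carry with full tunneling vs. split tunneling."""
    full = sum(size for _, size in flows)  # full tunnel: everything, even later-blocked traffic
    split = sum(size for dst, size in flows if route_decision(dst) == "tunnel")
    return {"full_tunnel": full, "split_tunnel": split}


# Constructed flows: (destination, bytes) for one employee's session.
SAMPLE_FLOWS = [
    ("10.20.30.40", 5_000_000),     # file share in the corporate data center
    ("203.0.113.25", 800_000_000),  # approved video conference provider
    ("198.51.100.9", 120_000),      # blocked on the endpoint, never leaves
    ("192.0.2.77", 2_000_000),      # unclassified site: tunnels by default
]

if __name__ == "__main__":
    print(data_center_load(SAMPLE_FLOWS))
```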

A New Approach

Using a cloud-based VPN provides a secure and globally accessible connection to the company’s resources, both for a remote and geographically diverse workforce and for internet traffic that doesn’t need to go through the corporate systems. This means that no matter where a company’s resources are accessed from, the access remains secure even when it passes through a provider’s data center.

In an organization with a global workforce, the employee base is no longer concentrated near the data center at the headquarters location. A cloud-based VPN can be scaled regionally to place security and access closer to where employees are working, whether at home or in a global office, and to provide both the security IT professionals expect and the user experience employees expect.

Amid unprecedented challenges, time is of the essence to maintain employee productivity and enable a remote working environment using technology tools that reliably protect and deliver necessary data. With a minimum amount of infrastructure investment, an organization can implement a split tunneling approach.


Implementing this approach at the onset of the pandemic allowed the Burns & McDonnell workforce to transition to a work-from-home delivery without impacting clients.

Jeff Casey, MIET, is a networks, integration and automation strategy and consulting manager at Burns & McDonnell. With more than a decade of experience in the transmission and distribution industry, Casey’s diverse background in substation networks, IEC 61850, distribution substation automation, program management and cybersecurity standards has helped him deliver energy projects for clients worldwide. He leads the development and growth of new and emerging market opportunities within the firm’s Networks, Integration & Automation Group, currently focusing on the private LTE broadband and the fiber-to-the-premise rural broadband business lines.