Learn more about the latest ThousandEyes innovations at Cisco Live! | June 2-6, 2024


Architecting Remote Access Without Sacrificing Security

By Mike Hicks
| | 11 min read


IT must move security closer to remote workers or the network's edge without compromising digital experience. Here are four best practices on how.

A few "short" years ago in 2020, working from home was seen as a temporary situation. Today, as the world continues to cope with the ongoing pandemic, we're now witnessing the remote workforce model morph rapidly into a hybrid work environment, where users are accessing business-critical apps from their homes and offices—and from anywhere they choose to work for that matter. In many ways, the Internet has become the new network backbone and SaaS has become the new app stack, and so enterprises today must reconsider how their security practices may need to adapt in this new environment to provide the optimal experience for their hybrid workforce.

Addressing Security and Performance

Before the pandemic (if you can remember that far back) remote working was more of an exception or something of a temporary requirement. Then, when governments issued shelter-in-place orders, a seismic shift occurred as entire workforces quickly scrambled to set up home offices. With everyone connecting from disparate locations, placing greater demand on an organization’s remote connectivity infrastructure, the tug-of-war between security and performance became a challenge. VPN controllers could be oversubscribed, and unfamiliar processes sometimes meant that users perceived that connecting was complex and slow. This dynamic led some to attempt to improve performance independently, which they could have avoided if IT had visibility into their remote digital experience.

Read the VPN Monitoring White Paper

From the get-go, enterprise IT quickly scaled and updated VPN access to cope with the increased concurrent remote use. The trouble is enterprises' existing approaches to security weren't optimized for the highly distributed workforce’s new mix of architectures, requirements, and modern applications served from the cloud. As a result, the digital experiences that employees had come to expect often suffered.

Now, enterprises are realizing that and beginning to make adjustments. They’re talking to vendors and evolving their architectures as they pursue remote working solutions that meet their new requirements and are more permanent. They can see the writing on the wall. According to Cisco’s Hybrid Work Index, 81% of employees prefer working three days or more a week from home when it's possible to return to the office.

In technical terms, this means transitioning from a centralized data center architecture, in which IT controls the networks and applications, to a more decentralized architecture in which IT can no longer control every component in the service delivery chain. Also, to provide the best digital experience for the users while satisfying security and applications requirements, IT must move security closer to remote workers or out to the network’s edge. Most importantly, it means having visibility into the gateways, the content delivery networks, the ISPs, the user devices, and everything else beyond the company’s traditional boundaries and control. Without this visibility, IT will be unable to isolate productivity-impacting performance issues to the specific domain that is responsible. 

Best Practices for Architecting Secure Remote Access

The Internet, it seems, is our new corporate WAN. So, as employees become decentralized and work-from-anywhere models proliferate, I’d like to share four best practices from ThousandEyes to architect a secure remote access solution that aims to uphold performance. These best practices will essentially allow you to gain performance insight within a pilot environment before your full-scale rollout. So, when you do deploy, you’ll have a level of certainty about achieving the performance levels you expect. Here, in brief, are the four best practices:

First, establish a performance baseline for the network serving your remote workforce. By creating a baseline, you can assess your current performance, test the availability and responsiveness of your connections, learn where existing bottlenecks are, and determine the most appropriate architecture and approach for your needs. The baseline will also give you an idea about the improvements you could make and the parts of the service delivery model that investment will be the most beneficial. It’s rare, but you could discover that the best solution is to do nothing. You might already be meeting both your security and your performance requirements. But you won’t know until you have a baseline.

Read the See Before You SASE eBook

The next step is to pilot the improvements you have in mind. Following the baseline you establish, you can determine which architecture will best suit your end users’ requirements. Then you use synthetic transactions to test that new architecture, understand its workflow, and see how it executes the functions and processes involved with connecting to, and executing, specific transactions. By doing this, you can observe what performance will be like for your end users. You’ll also be able to discover if performance is improving or declining and if there are opportunities for continuous improvement.

After evaluating your solution’s improvements, it’s time to identify new performance bottlenecks in your remote access environment. Once you pinpoint the parts of your end-to-end service delivery chain that adversely impact employee productivity, you can begin remediation activities. You can also establish KPIs that affect your business—such as authentication and loading times for applications—which will assist in assessing tangible and ongoing improvements. You’ll learn about each network component, its performance characteristics, and the cause of any bottlenecks. Then you can determine the best way to achieve peak performance, identify areas that can be optimized, and pave the way for continuous business improvement. As you’ve probably guessed, this capability is equally valuable during the “try-before-you-buy” phase as well as after your deployment.

Our final best practice is to monitor both the overlay and the underlay. IT generally has visibility only into the network overlay—the connection from the user to service. With ThousandEyes, you gain visibility into the underlay path, including every gateway, node, and connection. For example, you can automatically detect and visualize the SD-WAN underlay and overlay paths to identify performance bottlenecks during production. You can proactively monitor your remediated remote access environment as well. Most importantly, you’ll finally be able to roll out your solution to full deployment with greater confidence.

Capitalizing on Multiple Vantage Points

So, how does ThousandEyes provide the visibility necessary to make all this possible?

Monitoring from distributed vantage points is the short answer. A more thorough explanation is that, by leveraging multiple globally distributed vantage points, you can view situations from every possible perspective so that you can more easily and more confidently architect your remote access solution. That includes taking both an "outside-in" view of an application’s performance as well as gaining an "inside-out," real-time view of each end user’s experience. 

View the Remote Workforce VPN Monitoring Tutorial

ThousandEyes helps you do both by capitalizing on multiple vantage points to provide end-to-end network visibility. Our Enterprise Agents monitor network activity from the inside to help you better understand connectivity and traffic from the data center to the public cloud and VPN gateway. Our Cloud Agents monitor emulated transactions from outside your organization, so you can determine if performance issues originate from within your infrastructure, assets you control, or from assets beyond your control, such as SaaS applications or the Internet itself. Lastly, our Endpoint Agents, installed on employee laptops and desktops, monitor activity from the end user vantage point. That way, you can view the digital experience from their perspective.

Comprehensive Visibility

The result is a global view of performance—from your data center’s business-critical apps, across the broader Internet, and in the multitude of remote offices connected to your enterprise. This comprehensive visibility lets you see how workers log in, visualize the traffic path and connections, and ascertain your network’s tangible performance metrics.

Hybrid work may be our new normal, but it's very clear that we’re never going back to the way we were. The distributed workforce is here to stay. Implementing a modern, secure network that still delivers the experience employees expect is well within your reach. Numerous Global 2000 companies, Fortune 500 companies, and top SaaS companies are already teaming up with ThousandEyes to minimize downtime and achieve greater productivity.

The visibility you need to make the most informed decisions possible in designing your secure remote access solution is a conversation away. Request your ThousandEyes demo today.

Subscribe to the ThousandEyes Blog

Stay connected with blog updates and outage reports delivered while they're still fresh.

Upgrade your browser to view our website properly.

Please download the latest version of Chrome, Firefox or Microsoft Edge.

More detail