Remote access technologies that enable employees to work from home have been around for decades but have taken on great importance as organizations shift employees to remote work as part of their COVID-19 response. But work from home is likely the new normal, even after employees can safely return to their offices.

This shift gives businesses an opportunity to redefine themselves, promote flexible workstyles, and emphasize skills-based hiring. Leaders can make bold choices that support a great employee experience and productivity, without compromising security or performance, and organizations that are strategic about remote work now will be the most successful in reaping benefits in the long term.

The zero trust security model has been the focus of conversation in response to myriad global phishing attacks, hacking attempts, data theft, and denial-of-service attacks. There is a pressing need to evolve the approach to remote app and data access and replace legacy security architectures that had VPN at their core. But as businesses have rushed to enable remote work quickly in response to COVID-19, many have responded tactically rather than strategically, expecting work from home to be a temporary situation and overlooking the security concerns around VPN.

This tactical approach to enabling remote access has led to the resurgence of VPN, which was rightly nearing its demise in the enterprise world. But a one-size-fits-all VPN approach is not a panacea, in the short term or the long term. As anyone in the IT security space knows, the larger the attack surface, the higher the risk of compromise. In this post, I’ll focus on what you should consider before expanding your use of VPN and on helping you get closer to a zero trust security model.

Considerations Before Choosing VPN

Citrix provides remote access for businesses by defining a secure digital perimeter around company apps and data. Citrix Virtual Apps and Desktops can offer the appropriate remote access solution based on user segmentation and workload type. Citrix ADC provides conditional access control with nFactor authentication, while offering a consistent user experience, even if VPN is appropriate for a small subset of users. This decision tree can help you make the right choice for enabling remote access based on user segmentation and workload analysis.

Most Citrix customers are familiar with our various delivery methods, and the decision tree can help fine-tune based on organization-specific requirements and user segmentation. You don’t need a dedicated VPN solution if you follow this decision tree because Citrix ADC can conditionally verify users’ and devices’ security postures before automatically creating an SSL VPN tunnel with strong ciphers and nFactor authentication. Let’s look at conditions you’ll need to verify before choosing VPN as a remote access solution for small segments of your users (and only after trust has been verified).


Clipboard and Peripheral Blocking: If clipboard and peripheral blocking aren’t enforced, users can easily copy and paste data onto the local device once a VPN tunnel is established. If you need to prevent users from printing or taking data off the device with a USB drive, for example, VPN is not a secure remote access strategy for you.

Managed Device with Remote Wipe: If important company data is stored on the local device where the VPN tunnel was established, you need this capability to wipe the device clean and ensure company data doesn’t fall into the wrong hands if the device is lost or stolen.

Up-to-Date Endpoint Protection: A device can get infected from a variety of sources, even when split tunneling is disabled within a VPN tunnel. It’s important to make sure endpoint protection software is installed and kept updated so there isn’t any cross-contamination that may have an impact on company networks and data. Once the VPN tunnel is established, an infection can make its way into the company’s network and potentially result in data theft or corruption, so it’s critical to protect the device from infection.

HDD Encryption: With hard disk drive (HDD) encryption, data stored on the drive is converted into a secure, unreadable, coded form. Drive-encrypting software makes it difficult for any unauthorized entity to access encrypted data without the right password. This is a security best practice and should be verified using an Endpoint Analysis (EPA) scan before establishing a VPN tunnel.

Trusted Group Membership Verification: VPN access should be restricted to users who belong to a trusted group to ensure access to resources can be limited based on group membership (and after identity verification). It’s important to determine which IP address to assign to the device connecting to the VPN tunnel to restrict admittance to only the resources the users are trusted to access.

Secure Network Definition with ACLs: When a VPN connection is established, the device receives an IP address that belongs to the company network and grants access. That IP address should belong to a network unique to the user’s group so access is restricted to the apps and data that group needs. If proper routes and ACLs aren’t defined, users may get unauthorized access to company resources. If you have users who require SaaS access, you may have to adjust your split tunneling configuration and whitelist those apps to avoid hairpinning traffic back to the data center.

Network Sizing Appropriate to Workloads: When VPN use is scaled up to a larger group of users, firewalls, routers, NAT devices, VPN concentrators, bandwidth, and more must be appropriately sized based on the workloads accessible to the end users. Performance is highly interdependent when multiple users are connected simultaneously through the same network equipment: bandwidth and resource contention arises at the hardware delivering remote access and continues all the way to the infrastructure hosting the company resources. Consider a network sized to provide 1 Gbps throughput over VPN. If 5 percent of users download large files over the VPN tunnel, they will have a negative impact on the other 95 percent of users. Some VPN solutions allow rate limiting to prevent this performance deterioration, but the network should be sized in advance to handle this overhead capacity based on the workloads accessible to the end users. Only then is VPN a viable solution for a small subset of end users. It’s also important that the network is sized appropriately for when software updates and patches need to be pushed out to devices. If it isn’t, deteriorated performance during the update will have a negative impact on user experience and productivity.

KMS Allowed via VPN: Most enterprise customers have a password expiration policy. If KMS is not allowed within a VPN tunnel, expect a higher volume of help desk calls when users’ passwords expire. Even if KMS is allowed, old passwords may still be accepted on the domain-joined device if AlwaysOn VPN is not enforced. Why? They’re cached locally, and new passwords would only work after the VPN tunnel is established. Users may have to manually update their passwords on the device after the domain password has expired.

Remote Control and Help Desk: When users are working from home, expect that they’ll need more assistance than usual if they’re using VPN because there will be inconsistencies in terms of software updates and patches pushed out by IT across devices. This makes it difficult for IT to troubleshoot issues on user devices without remote control and remote assistance tools.
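The posture checks, trusted-group verification, and per-group address pool with ACLs described above can be expressed as a single pre-tunnel access decision. The following is an added example, not Citrix code or configuration; the policy table, group names, pools, and ACL networks are constructed for illustration, and the contractors group is deliberately left without an ACL to show the misconfiguration the text warns about.

```python
import ipaddress

# Endpoint conditions the checklist above requires before a tunnel is created.
POSTURE_CHECKS = (
    "clipboard_blocked",          # clipboard and peripheral blocking enforced
    "managed_remote_wipe",        # managed device with remote wipe capability
    "endpoint_protection_current",  # endpoint protection installed and updated
    "disk_encrypted",             # HDD encryption verified by the EPA scan
)

# Constructed sample policy (hypothetical): each trusted group gets its own
# address pool, and an ACL lists the only destinations that pool may reach.
GROUP_POLICY = {
    "finance":     {"pool": "10.50.1.0/24", "acl": ["10.10.5.0/24"]},
    "engineering": {"pool": "10.50.2.0/24", "acl": ["10.10.20.0/24", "10.10.21.0/24"]},
    "contractors": {"pool": "10.50.3.0/24", "acl": []},  # misconfigured: no ACL
}


def evaluate_vpn_access(user_groups, posture):
    """Decide whether a VPN tunnel may be created.

    Returns (allowed, reason, pool). Any failed posture check or the absence of
    a trusted group denies access; a group whose pool has no ACL is also denied,
    because an unrestricted pool would reach the whole company network.
    """
    failed = [check for check in POSTURE_CHECKS if not posture.get(check, False)]
    if failed:
        return False, "posture failed: " + ", ".join(failed), None
    trusted = [g for g in user_groups if g in GROUP_POLICY]
    if not trusted:
        return False, "no trusted group membership", None
    group = trusted[0]  # first trusted group wins; refine as your policy requires
    if not GROUP_POLICY[group]["acl"]:
        return False, f"group {group} has no ACL defined for its pool", None
    return True, f"trusted group {group}", GROUP_POLICY[group]["pool"]


def acl_permits(pool, destination):
    """Check whether the ACL bound to a pool permits traffic to a destination."""
    dst = ipaddress.ip_address(destination)
    for policy in GROUP_POLICY.values():
        if policy["pool"] == pool:
            return any(dst in ipaddress.ip_network(net) for net in policy["acl"])
    return False  # unknown pool: deny by default
```

Running the evaluator against a device that fails any single check, or a user whose group lacks an ACL, yields a denial before any address is handed out.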


The Challenges and Risks of VPN

VPN might seem easy to deploy, but as you can see from the points above, there’s a lot to consider before you scale it out to enable remote access. Yes, it’s simple and you can deploy it quickly if your only concern is adding licenses and scaling up your VPN concentrator. But there’s significant operational overhead (software updates, patching, secure network definition, route changes, ACLs, firewall changes, help desk, remote control, and more) that often gets overlooked.

It is also important to consider the cost of enabling VPN broadly, given the layers of solutions (MDM, endpoint protection, HDD encryption, network resizing, and more) required to ensure security isn’t compromised when it’s rolled out.

With VPN, IT relinquishes control over many factors that can have a negative impact on your end users’ remote access experience. You must consider these before deploying VPN at scale within your organization. For example, VPN performance has high variance based on changing network conditions (bandwidth, latency, packet loss, etc.), and most VPN solutions have no ability to report on the impact bad network conditions have on the user experience.

By comparison, Citrix Virtual Apps and Desktops solutions delivered with Citrix ADC use significantly less bandwidth, auto-adjust to changes in network conditions, provide continuous feedback to the end user when network conditions deteriorate, and report to IT on client network conditions that have an impact on performance.

Don’t overlook security and performance as you scale up remote access. And remember the considerations (and compromises) you’ll have to make and the risks you’ll have to take when you choose VPN. They’ll affect your organization’s security and your users’ experience, not just in the short term.

Citrix can help you replace your legacy security architecture with a zero trust security model. Learn more about zero trust, the Citrix way and zero trust security and Citrix Workspace. Thanks for reading, and I hope this post and the decision tree will help to guide you in your journey toward choosing a long-term remote access strategy.