Companies have learned two important IT truths as the COVID-19 pandemic forces more employees to work remotely.
First, simply creating a video link to remote workers isn't enough to make them productive; they need full application access. Second, a VPN alone is often ineffective in providing secure, scalable application access.
Instead, companies should build cloud computing front ends to keep up with the work-from-home (WFH) rush while still avoiding exposure of core business applications and data. With a cloud front end, you don't move a critical application to the cloud, you use the cloud to mediate access in a scalable and resilient way. This makes it an important tool to protect worker productivity when the workplace itself isn't safe or accessible.
Review limitations of corporate VPNs
VPNs extend remote access to applications. Nearly all enterprises use corporate VPNs to separate their employees, applications and data from the rest of the internet. VPN clients are installed on employees' PCs to provide the same level of access they would receive at the office -- in theory.
VPNs are a proven strategy to support remote workers, but enterprises have had mixed experiences with VPN access at total WFH scale. For example, worker authentication mechanisms based on local office IP addresses won't always work remotely, which makes security and compliance practices ineffective. Also, most VPNs route a worker's entire traffic, including internet traffic. This creates potential network overloads and increases the risk of admitting malware onto the corporate network.
Solve remote work issues with front-end cloud computing
For years, companies have built cloud front ends into traditional IT applications. Customers, partners and some workers use the cloud for an enhanced user interface to access these core applications. The front-end component has a public URL, which is secured by enforcing some form of user identification and authentication. It's this secure and compliant access that has propelled the cloud front-end model to the forefront of enterprise public cloud adoption.
Other benefits include scalability under load and resilience in case of failures. Cloud front-end components won't overload like remote-access VPNs that rely on a server on-ramp. And with a large percentage of workers at home, companies can't afford to have anything break or slow down and reduce productivity further.
However, existing cloud front ends aren't a complete WFH fix. Remote access is usually offered through specific portals that support a limited number of applications -- a restriction that's commonplace in corporate VPNs, too.
Organizations that already utilize a cloud front end will have to evaluate whether their existing architecture should be enhanced for WFH or if they need to develop a different approach. This depends on how many applications are currently supported by the cloud front end and the flexibility of the support.
Cloud front end composition
Cloud front ends provide a "pinhole," or NAT firewall mapping, between a web address and a company VPN address. This ensures resources aren't directly exposed to the internet, which is valuable when a remote worker or role needs to access many applications.
And by utilizing static public IP addresses accessible from the internet, organizations can use sophisticated front-end features, such as address mapping, that work as a retrofit to existing front ends or as a new set. Still, it's important to follow some structural rules to maximize the utility of this setup for remote work.
A cloud front end has three main components:
- A user authentication component that verifies users as they attempt to connect to the cloud.
- A "storefront design pattern" for users to obtain role-based lists of applications they're allowed to access.
- An application-specific GUI that presents an optimized interface to those applications.
These pieces are also typically found in cloud-based portals offered to users and partners, so IT teams can often tweak the current cloud software to support the company's broader WFH mission.
Those unfamiliar with cloud computing will need to adjust to the concept of role-based application access. A "role" is a broad job classification that implies the right to access information necessary to do a specific job or task. When a remote employee connects to a cloud front end, the user identity should be assigned a role, which then determines the applications the user can access. Every remote worker should have a specific role, and those roles should be defined as narrowly as possible for security and compliance reasons.
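The sketch below is an added example, not code from the article: it shows how the authentication result, the role-based storefront list and the pinhole mapping fit together with deny-by-default access validation. All role names, application names, user IDs and internal addresses are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample data: role -> applications that role may open.
ROLE_APPS = {
    "ap-clerk": {"invoicing"},
    "hr-generalist": {"hr-records", "payroll-view"},
}

# Constructed pinhole table: application -> internal (VPN-side) address.
# These targets are used by the front end only and never listed to users.
PINHOLES = {
    "invoicing": "10.20.0.15:8443",
    "hr-records": "10.20.1.7:8443",
    "payroll-view": "10.20.1.9:8443",
}

# Constructed identity store: verified user ID -> exactly one narrow role.
USER_ROLE = {"alice": "ap-clerk", "bob": "hr-generalist"}


@dataclass(frozen=True)
class Session:
    user: str
    role: str


def open_session(user: str, authenticated: bool) -> Session | None:
    """Assign a role only after the authentication component verified the user."""
    role = USER_ROLE.get(user)
    if not authenticated or role is None:
        return None  # unverified users and users without a role get nothing
    return Session(user, role)


def storefront(session: Session) -> list[str]:
    """Role-based list of applications presented to the user."""
    return sorted(ROLE_APPS.get(session.role, set()))


def resolve(session: Session | None, app: str) -> str | None:
    """Access validation: map to the internal target only if the role allows it."""
    if session is None or app not in ROLE_APPS.get(session.role, set()):
        return None  # deny by default, even if the application name is guessed
    return PINHOLES.get(app)
```

The check in `resolve` is repeated on every request rather than trusted from the storefront listing, so hiding an application from the list is never the only control.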
Access control via IP address, a key element of application security, is obviously not appropriate for cloud front end use. Basic password/ID mechanisms can be considered if that approach has already passed internal audit and practices are in place to secure access credentials within a home. Still, companies preparing for a large-scale WFH scenario should consider some biometric user authentication procedures. These offer more positive credentialing of employees, so they're not responsible for protecting their IDs and passwords.
An application's UI should be similar to how it looks in the office, to reduce the impact on productivity when you shift to WFH. Some adapting may be useful if there are variations in how a user interacts with an application, depending on their role. However, if a role is used to formulate an application's UI, it might be necessary to make that role a parameter in the access validation stage, because controlling the details of the GUI based on role would otherwise complicate the GUI implementation.
Finally, cloud front ends work best for remote employees when they facilitate browser input. Nearly all WFH setups require a PC rather than a phone or tablet. That PC can also run a collaborative application if remote work is supported via browser and cloud front end. This could include a video or voice call, or even a web meeting, in parallel with the applications. Application GUIs may have to be slimmed down to take less screen space to allow for screen-sharing with parallel collaborative applications.