As requested by the CIO, Help Desk is consolidating the feedback and comments from the various support teams who have helped end users with their VPN issues. We will also look at our support ticket volume. Note that branch office support teams may not have logged every VPN issue they handled, so lower ticket counts in the branches do not necessarily mean the branches have had fewer issues. Device-centric SSL VPN worked very well when everyone was on Windows XP / Windows 7 and Mac users were still a minority. Once users upgraded to Windows 8 or migrated to Mac, the usability issues started pouring in.
Device Centric SSL VPN
From a usability point of view, as I have suggested before, users carrying their personal devices (iOS, Android, Mac, Chromebook, and so on) just need to use their day-to-day company apps. They do not care how or why their device must establish a network-level VPN connection with the company. Connecting a personal (unmanaged) device to the company VPN is a workflow-intensive, and therefore unfriendly, experience for most users. Even if it works this time, it may not work the next time, because something in between may have changed. We have witnessed the compatibility and supportability issues with the latest OS releases (Win 8.1 / Mavericks) and Java. Device-centric SSL VPN depends on these device-level components (the OS network stack, the browser and its Java plugin, the host checker) to establish a connection, while those components are changing and updating on the device every day; each update is a chance for the tunnel to stop working.
Apps Follow Me
Users only want their company apps, and they want those apps to follow them onto any device they use or upgrade to, without the hassle of re-installing and re-confirming that everything still works on the new device. Users may carry their iPad on a short trip but a full-fledged PC or Mac on a longer one. They may even borrow a laptop from a family member while their own laptop is under repair. They want the company apps to just follow them. This is called Work Shifting. What all of this means: we need to engineer a solution that is device independent and offers a seamless experience no matter which device the user is on.
Admit or Not
The virtue of device-centric SSL VPN is relevant only when we want to establish a secure tunnel between the device itself (at the OS layer) and the company's internal network. That is worthwhile when we want the device "wrapped" inside the company governance domain, essentially extending the company's security perimeter onto that device (Internet proxy, group policies, security patches, push notifications, etc.). This is exactly what we do for company-liable laptops, which we trust and grant the most access: such a laptop is essentially part of the company network. We trust it because we control it with a defined set of policies that users cannot tamper with.
The Visionary Path
Any device other than a company laptop (even today, we call these "untrusted" computers) should only be given access to an Application Portal or App Center (whatever we choose to call it). We no longer need a tunnel established at the device's OS level, which is the cumbersome part. We just need transport encryption (HTTPS over TLS, with an AES-256 cipher suite) between the device and the gateway, exactly like a normal secure web browser session. The applications could be Outlook, Excel, Word, or even a VDI session streamed to the device through the App Center.
A Side Note
One other concern we have seen: device-centric SSL VPN cannot recognize an Android or iOS device. It treats them as Mac OS. I am not blaming it for that, because device-centric SSL VPN in its own right is not an MDM platform. But if a user has been added to the MacUser group and then connects from his Android, he gets the access level of a Mac user (whatever that is). I am not sure what the exposure is to the company if an Android device is connected at that level.
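As an added illustration (not code from the original post, and not how any particular VPN product works), the following Python reproduces one plausible mechanism behind the misclassification described above: a gateway that decides the client platform from the browser User-Agent string and only knows about Windows and Mac. The sample User-Agent strings, the access matrix and the function names are all constructed for this example; the page does not say how the actual product identifies platforms. The point a practitioner should take away is the last function: the User-Agent is chosen by the client, so even the corrected classifier is a convenience, not a security control.

```python
"""Constructed example: platform classification from User-Agent and the
access level it unlocks. Nothing here is product code; the UAs below are
made-up samples in the format browsers of the Win 8.1 / Mavericks era used."""

# Constructed sample User-Agent strings (not captured from real traffic).
SAMPLE_UAS = {
    "windows": "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "mac":     "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.71 "
               "(KHTML, like Gecko) Version/7.0.1 Safari/537.71",
    # Note the "like Mac OS X" token in every iOS Safari UA.
    "ios":     "Mozilla/5.0 (iPhone; CPU iPhone OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 "
               "(KHTML, like Gecko) Version/7.0 Mobile/11B554a Safari/9537.53",
    "android": "Mozilla/5.0 (Linux; Android 4.4; Nexus 5 Build/KRT16M) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/31.0.1650.59 Mobile Safari/537.36",
}

# Hypothetical access matrix, keyed on the platform the gateway believes it sees.
# The "mac" row is what the post calls the MacUser access level.
ACCESS_BY_PLATFORM = {
    "windows": {"rdp", "smb", "intranet"},
    "mac":     {"rdp", "smb", "intranet"},
    "ios":     {"intranet"},
    "android": {"intranet"},
    "unknown": set(),
}


def classify_naive(ua: str) -> str:
    """A classifier written when the fleet was Windows XP/7 plus a few Macs:
    anything that is not Windows must be a Mac. iOS and Android both fall
    into the Mac bucket, which is exactly the behaviour described above."""
    if "Windows" in ua:
        return "windows"
    return "mac"


def classify_mobile_first(ua: str) -> str:
    """Check the most specific tokens first. iOS UAs contain 'like Mac OS X'
    and Android UAs contain 'Linux', so mobile tokens must be tested before
    the desktop ones or they are swallowed by the desktop branches."""
    if any(tok in ua for tok in ("iPhone", "iPad", "iPod")):
        return "ios"
    if "Android" in ua:
        return "android"
    if "Windows" in ua:
        return "windows"
    if "Macintosh" in ua:
        return "mac"
    return "unknown"


def effective_access(ua: str, classifier) -> set:
    """Access the gateway would grant for this UA under the given classifier."""
    return set(ACCESS_BY_PLATFORM.get(classifier(ua), set()))


def misclassified(classifier) -> list:
    """Which sample platforms the classifier gets wrong, in SAMPLE_UAS order."""
    return [name for name, ua in SAMPLE_UAS.items() if classifier(ua) != name]


def spoofed_access(classifier) -> set:
    """The caveat: an Android client that simply sends a Mac User-Agent gets
    Mac-level access under either classifier, because the UA header is
    chosen by the client. Only an MDM / device attestation check, not UA
    parsing, can tell a managed Mac from a rooted phone claiming to be one."""
    android_sending_mac_ua = SAMPLE_UAS["mac"]
    return effective_access(android_sending_mac_ua, classifier)


if __name__ == "__main__":
    for name, ua in SAMPLE_UAS.items():
        print(f"{name:8s} naive={classify_naive(ua):8s} "
              f"mobile_first={classify_mobile_first(ua):8s} "
              f"naive access={sorted(effective_access(ua, classify_naive))}")
    print("misclassified by naive:", misclassified(classify_naive))
    print("spoofed Android under corrected classifier:",
          sorted(spoofed_access(classify_mobile_first)))
```

Run as a script it prints the platform each classifier assigns and the resulting access. The naive version hands RDP and SMB to both phones; the corrected version restricts them to the intranet row, but the final function shows why that is still not a compliance check.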
Tactically, we can stay on device-centric SSL VPN and continue to turn a blind eye to the wide variety of user devices that establish an SSL VPN tunnel with the company to do what they need to do (e.g. RDP, file access, Intranet browsing). Those devices are never flagged as non-compliant, because the platform cannot tell whether they are rooted or jailbroken. Strategically, we need a fundamental upgrade of our remote access platform so that we can deliver true BYOD convenience and benefits, and a seamless "My Apps Follow Me" or "My Desktop Follows Me" experience.