Virtual Private Networks for the Enterprise
Enterprises with a large remote user community and/or plans for significant Web-based trading partner/customer services will experience significant benefits if they deploy a Virtual Private Network (VPN). VPNs allow companies to securely share sensitive information. Dedicated and leased-line WAN expenses can be sharply reduced. Further, Web commerce will grow even faster once users and corporate security officers perceive Internet security to be adequate.
Traditional VPNs provide wide-area, server-to-server encryption over TCP/IP networks (be that over the Internet, leased or dedicated lines). However, the need for privacy is not limited to server-to-server. VPNs should ensure private communication between fixed points defined by business conditions, including the user desktop, firewalls, Web servers and VPN servers.
A VPN service that pays for itself is more than encryption. It should include certificate-based user authentication at remote access and Web servers, digital signature and user-specific managed/controlled access to internal applications, services and sensitive data.
In addition, when the user community reaches large numbers, the VPN system must include low-cost administrative support. A common user profile should support remote access, Web-based services and internal security privileges.
Secure Remote Connectivity
VPN benefits come from two primary sources, reduced wide-area communication expenses and improved security that enables Internet commerce. In the short term, WAN costs can be reduced by 60 to 90 percent. Consider the fact that dedicated lines cost $2,000 per month. While an "800 service" with its per minute charge looks appealing, many people create and hold a connection all day: Fortune 500 enterprises frequently spend more than $100,000 per month for secure, WAN-user connectivity alone. Control Data found that its average cost per remote user exceeded $3,000.
In the longer term, VPNs will enable Internet commerce. The Internet offers businesses and consumers unique capabilities to transact business and share information. The Internet is suitable for mass marketing and retail sales to the public.
However, product catalogs and buying systems typically do not involve highly sensitive personal data or large per-buy financial liabilities. In short, the Web alone does not secure the dissemination of high-value, sensitive or personal data, or access to internal production applications by remote employees, customers and partners.
Governments around the world have mandated regulations pertaining to data privacy. For instance, the U.S. Government’s Health Care Financing Administration, which sets regulations for the healthcare industry, imposes stringent requirements for user authentication, encryption and system access management. Specifically, personal healthcare information cannot be shared over public networks.
Business Scenario Descriptions
VPNs are designed to support secure business communication. Every enterprise shares a variety of information with a unique mix of customers, trading partners and remote and/or distributed employees. The sensitivity of exchanged information, the geographic dispersion of users and the informational interests of the users bound the VPN service design. Based upon Control Data Systems’ clients, six fundamentally different business scenarios have emerged. These "business scenarios" and "typical examples" of each are summarized in Table 1.
Table 1 breaks the VPN need into three categories based upon the user community or "clientele" involved. Each clientele has unique "information exchanged." First, "internal" scenarios are represented by large, geographically distributed businesses sharing production system updates, reports and extracts, and decision support information. Much of that information may be sensitive and must be secured between the firewalls of the various divisions and between remote, or traveling, employees and their business center or headquarters.
Second, "business-to-business" scenarios support communities of interest in which peer companies share information among themselves in the delivery of a combined service. For example, all companies involved in a manufacture, distribution and product delivery supply chain represent a community of interest, as do all service providers in a national healthcare industry, be they providers, facilities, insurance clearinghouses or government agencies. Much of the information shared represents high transaction value and legal liabilities in which selected persons from each peer company act as an agent of their firm.
In contrast, a single company interacting with its trading partners is another business-to-business scenario in which a single business may establish strategic relationships with hundreds of partners on which it depends for defined services. For example, a health insurance carrier will have thousands of physicians and medical facilities in its service network. That is, the business acts as the hub and each partner is a spoke. Despite the data exchanged between a hub and its spokes being primarily informational in nature, its authenticity, privacy and timeliness must be ensured.
Third, "business-to-customer" scenarios support the interaction between a business (or government unit) and its customers (or citizens). The information exchanged varies significantly with whether there is an established and recurring relationship. Web-based retail sales offer Internet shoppers access to low-cost, mass-market buying services.
With the exception of credit card data, the information exchange in a retail sale is not inherently sensitive. A financial services provider has an established and recurring clientele for whom they provide investment, banking or insurance services. Personal financial queries and data are perceived by all of us to be extremely sensitive and private. Similarly, government bodies regard data about citizens to be very sensitive; its exchange must be protected.
Incentives for Investment
Employees, consumers and trading partners are demanding transaction confidentiality and integrity. While the benefits of electronic information exchange have been recognized, the perception (and reality) that the public Internet is insecure has led businesses to high-cost, dedicated communication network services.
Significant short-run WAN expenses can be largely eliminated with a VPN. The expenses eliminated include communication services (dedicated/leased lines, VAN charges); communication hardware and software (RAS servers and modem banks); and technical support staff (service origination support, technical operations and support).
Moreover, VPN connectivity enables significant business benefits. These fall into two groups: internal productivity, with its associated reduction in labor expenses, and the value of business activities. Productivity gains flow from:
• User administration. Replace internal staff to maintain user-specific profiles and credentials with user self-maintenance.
• Order processing. Labor cost/elapsed time to receive and enter orders.
• Self-service/general ledger. Labor and elapsed time to process business partner queries and accounting system transactions replaced with self-service.
• Customer support productivity. Labor cost to respond to customer queries performed directly by users.
Business activities that benefit from the information shared via a VPN include:
• Reduced inventory/logistics control expense. Carrying and distribution cost of product reduced with integrated systems.
• Stronger business relationships. Sales volume and/or volume discounting enhanced with a robust and recurring business partnership.
• Extended market reach. Sales volume associated with potential worldwide, Web-based customers drives more revenue.
• Customer retention. Sales volume associated with customers retained by easy access to secure electronic services of interest to them.
• Customer penetration. Sales volume associated with cross-selling additional products and services to existing customers whose needs and interests are known.
The ability to convert savings varies with business scenario as described in Table 2. Note that the "benefit drivers" vary significantly with the "Business Scenario."
Managing the Process
Use of VPNs by employees, customers or partners leads to user-specific authentication, encryption and access management. Once a user has linked their physical identity to electronic credentials, rights to internal corporate data, applications and services are first approved, then enforced, during use.
The process occurs in three time slices:
• Subscribe – register for access to internal systems; maintain/revise user profile.
• Administer – define and enforce security policy by approving (or denying) user identity and system access rights; monitor security data quality.
• Use – invoke VPN or Web-user sessions based upon strong authentication (password protected certificate) and access based upon credentials.
This process flow addresses the integration of the VPN administration along with other Web-based applications. Note that the entire process is subject to corporate security policy. Each process activity requires a companion policy and/or practice statement.
The heart of the process is "approve/deny." Every process activity interacts with it and a common user profile supports both VPN and Web sessions.
Ideally, the process flow for subscription, administration and use should be designed for all user-centric access management. The range of process support could span remote Web access, intranet Web applications, VPN access, single sign on and other enterprise solutions that require user-specific secure and managed access.
Target VPN Architecture
The business scenarios and processes converge on three "technical architecture options" as defined in Table 3. The technical differences between the three options are driven by the technology required.
The firewall-to-firewall (FW-to-FW) option provides encryption services between firewalls via Internet gateways. Shared secrets or X.509 certificates are maintained at each FW server.
The WWW-to-Web server option provides encryption over the Internet between the user’s desktop and the corporate Web server using session-generated or browser-selected third party certificates.
Managed tunnels (ISP-to-VPN server) enable any remote user with TCP/IP access (such as the public Internet) not only to establish an encrypted link based upon user-specific X.509 certificates, but also to use strong authentication to confirm identity and to control access to internal production applications. COIN (community of interest) networks rely upon the same technical design but require third party impartiality to certify the "bind" between the user and certificate.
Corresponding Administrative Design
Just as the technology designs differ, so do the administrative designs. The relatively low number of firewall servers participating in an IPSec network allows a more casual administrative environment. Each server must know the encryption mechanism, and the shared secret or certificate, used by every firewall it communicates with. As the number of networked services increases, the administrative support increases geometrically. Certainly, when the number of networked services grows to 10 or more, a systemic solution to manage certificates is required.
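The scaling described above, as an added illustration that is not from the article: a model of what an administrator must configure in an IPSec firewall mesh under pairwise shared secrets versus CA-issued certificates. Firewall names and keys are constructed, and the rotation-after-compromise count goes beyond what the text states.

```python
"""Added example: administrative burden of a firewall mesh with pairwise
pre-shared keys (PSK) versus CA-issued certificates. All names are constructed."""
import secrets
from itertools import combinations


def build_psk_mesh(firewalls):
    """Shared-secret design: every pair of firewalls holds one pre-shared key.
    Returns {firewall: {peer: key}}; each key appears on exactly two nodes."""
    mesh = {fw: {} for fw in firewalls}
    for a, b in combinations(firewalls, 2):
        key = secrets.token_hex(16)  # constructed stand-in for a real PSK
        mesh[a][b] = key
        mesh[b][a] = key
    return mesh


def add_psk_firewall(mesh, new_fw):
    """Adding a firewall to the PSK mesh touches every existing node's config.
    Returns how many firewall configurations changed (new node + all peers)."""
    mesh[new_fw] = {}
    for peer in [fw for fw in mesh if fw != new_fw]:
        key = secrets.token_hex(16)
        mesh[new_fw][peer] = key
        mesh[peer][new_fw] = key
    return len(mesh)


def psk_rotations_after_compromise(mesh, compromised_fw):
    """If one firewall is compromised, every key it held must be rotated, and
    each rotation is also a config change on the matching peer.
    Returns the number of peer configurations that must be touched."""
    return len(mesh[compromised_fw])


def build_ca_mesh(firewalls):
    """Certificate design: each firewall holds only its own certificate and the
    CA trust anchor; peers are verified against the CA, not a stored secret."""
    return {fw: {"cert": f"cert:{fw}", "trust": "INTERNAL-CA"} for fw in firewalls}


def add_ca_firewall(mesh, new_fw):
    """Adding a firewall enrolls one certificate; no existing node is touched.
    Returns the number of firewall configurations changed."""
    mesh[new_fw] = {"cert": f"cert:{new_fw}", "trust": "INTERNAL-CA"}
    return 1


def items_to_administer(n):
    """Objects the administrator must track for n firewalls:
    n(n-1)/2 pairwise secrets versus n certificates."""
    return {"psk": n * (n - 1) // 2, "ca": n}
```

At the article's threshold of 10 firewalls the PSK design already carries 45 pairwise secrets, and every new or compromised node forces a change on all of its peers.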
Browser companies retain third parties to provide the certificates that form the backbone of Web credibility. Users place their trust in the certificate providers whenever they accept the browser notice that the messages will be encrypted. Generally, users are not aware of the quality of transaction security. For low-liability transactions, current Web shoppers deem SSL security adequate.
The remote user VPN architecture must enable businesses to externalize the huge cost of administration as the volume of remote users grows. Once the customer base of a Fortune 500 company becomes electronically engaged, the volume of potential users grows from a few thousand to millions. Each user will require a user-specific profile and certificate linked to that profile. Otherwise, personal identity, privacy and access rights cannot be individually managed. Self-maintenance is a prerequisite.
In addition, the remote user VPN architecture must be flexible with respect to PKI administration. PKI product and services will be driven by business need. A flexible and scalable architecture will support four PKI scenarios: 1) near zero per user cost to internally generate certificates for captive users; 2) very low per user cost to integrate certificates provided by external users for which they remain responsible for the authenticity and validity of the certificates; 3) higher per user cost to provide cross-certified third-party certificates; and 4) high per user cost to internally generate certificates capable of being integrated into a cross-certified PKI network.
Cash Flow Differences
Table 3 also summarizes "Key factors" that drive the scale of the investment and recurring cost. For inter-firewall services, the investment will be driven by the selection of products that have adopted the IPSec "standard" in a compatible manner. As the size of the network grows, the administrative and policy maintenance complexity expands geometrically. Lastly, the selection of the WAN backbone (be it the public Internet or dedicated TCP/IP network) may be the single most significant recurring cost factor.
Web/SSL-based services require a relatively low-cost investment for integrating security services. However, there can be a significant maintenance activity associated with service descriptions and/or electronic catalogs.
VPN services trade off an initial investment in a suite of technical capabilities in order to minimize the recurring cost of user administration, security policy/PKI administration, offering maintenance, help desk services and WAN costs. Such capabilities require tools for certificate generation, protection and cross-certification. COIN networks may dictate client tools (smart cards and readers) that significantly change the investment dynamics as the number of potential users increases. If the investment is large and/or the rate of growth of subscription of new users is uncertain, many businesses will find outsourcing an attractive alternative to ownership. Again, the selection of the WAN backbone may be the single most significant recurring factor.
Integrated Target WAN Architecture
The technical and administrative differences, plus investment and recurring cost drivers, lead to an integrated target WAN architecture. The common thread shared by all Table 3 architectural alternatives is the use of the TCP/IP connectivity (via public Internet or telecommunication services) as the WAN backbone. Most remote users connect via their own ISP as individual users, each having their own user profile that they maintain.
However, when business relationships dictate, dedicated lines could be employed to ensure quality of service. Encrypted tunnels would be drilled between the user desktop and the VPN server with strong authentication and access management managed by the VPN server. Multiple businesses could be networked together by providing VPN connectivity between individual employees and the VPN servers controlled by the businesses with which they need access.
Lastly, associating a user profile with each device can enable communication among internal firewalls and simplify internal maintenance and administration functions.
Minimum VPN Functionality, Investment and Recurring Costs
Table 4 summarizes components and functionality required for remote connectivity by the functional "Layer of the Target VPN Architecture." In the "System Components/Cost Factors" portion of Table 4, items in normal text are VPN requirements (note that some components already exist). Items in bold italics are components whose costs and functionality are largely eliminated with a VPN. Note that communication and administration costs can be greatly reduced as well.
Implementing a Security Policy
Security policy requirements or needs are of immediate interest to the design of a VPN service and its directory support. The process "Create Policy" is integral to process success. Policy and associated practice requirements follow the process lifecycle for user and related credentials; that is, there is a need for policies dealing with subscription, with administration and with use.
The nine security policy areas and associated practices may be embodied in one policy or separate policies. Regardless, the policy/practice requirements do not change. The life cycle policy objectives and coverage include:
• Service Offerings. Bundling of services by user type (user, security officer, administrator, employee, contractor, partner, customer) for simplified administration.
• Credentialing. Generation of unique, user-specific data for use in identification and access management to internal services; to include protection of credentials and their use by user type.
• Subscription/Revision. Request for access to internal services; business/information requirements to describe a unique user profile including user type.
• Activation. Certification requirements for proof of identity by user type.
• Service Authorization. Parties who can grant access rights to internal services and to what degree; may include auto-authorization.
• Monitor. Continual review of completeness and currency of profiles and credentials.
• Use. Application of security credentials and access rights; and cross-certification if required.
• Help Desk. End user support services.
• Archive. Retention and disposal of out-of-date credentials.
The policy must clarify the directory information requirement summarized in Table 5.
For businesses with large WAN budgets or aggressive e-commerce plans, the business case for deploying a VPN is compelling. Not only can communication costs be reduced significantly, the security of WAN communications can be strengthened.
Further, the service can be deployed with minimal additional administrative burden despite adding potentially large numbers of users. If user perceptions of Internet security or lack thereof are real, and surveys still suggest they are, then a VPN service can be a critical component in a larger e-business strategy.
About the Authors: Mark E. Becker is Vice President of Consulting Services at Control Data Systems Inc. (Arden Hills, Minn.). He can be reached at Mark.E.Becker@cdc.com.
Gregory L. Machler is a Management Consultant at Control Data Systems Inc. He can be reached via e-mail at Gregory.L.Machler@cdc.com.