Lisa Phifer

Today, many enterprises offer remote access to corporate resources to increase business productivity for workers on-the-go. However, as the workforce expands and needs become more diverse, administrative complexity and cost grow. To drive down costs while making access more readily available, a growing number of enterprises are now turning to browser-based managed services.

Evolution of enterprise remote access
Emerging network technologies and business dynamics continue to change the remote access landscape. Enterprise globalization, growth in high-speed Internet access, and the rise of teleworking are all building demand for anytime/anywhere access to company networks. However, to realize business benefits like increased availability and productivity, companies must also address security and cost concerns.

Early enterprise remote access was limited to private dialup by business travelers. This was workable when sessions were short and users were few, but it didn't take long for telecommunication costs to become prohibitive. By the late '90s, many companies started leveraging the public Internet to eliminate 800 number and long distance toll charges. All-you-can-eat Internet dialup accounts had become ubiquitous and inexpensive, so it made economic sense to shift remote access onto the Internet.

Transporting private data over a public network introduced security concerns. To ensure the privacy and integrity of business data, virtual private networks (VPNs) based on PPTP and IPsec were deployed. VPN clients were installed on company-owned laptops, tunneling data to VPN gateways installed at the edge of the company network. VPNs quickly gained favor because they reduced costs associated with traveler remote access. However, as the workforce continued to grow, so did VPN administration costs.

With the advent of residential broadband, the number of workers requiring remote access grew significantly. By the end of 2003, 27% of U.S. workers telecommuted at least one day per week. Many more work occasionally from home at nights and on weekends. For most companies, issuing a laptop with VPN software to every single employee is simply untenable. Some have tried administering VPN clients on personal home PCs with less-than-spectacular success, due to concerns about both security and cost.

Complicating matters, many mobile professionals have started using public PCs with high-speed Internet access, readily available today in many airports and cafes. But installing a VPN client on a public PC is not an option, and public PCs do not warrant the same level trust and network access as a company-administered laptop.

Over time, it has become increasingly clear that these user communities have distinct requirements for remote access:

• Full-time teleworkers require the same computing environment, whether working at the office or from home; anything less reduces business efficiency.
• Many day extender needs can be satisfied through secure remote access to business applications and files from the worker's own home PC.
• Travelers require dependable access from anywhere -- hospitality LANs, wireless hotspots, and business partner networks -- unimpeded by network topology.
• Mobile professional needs vary by job function and platform, but can range from high-speed public PCs to low-bandwidth, handheld wireless devices.

To satisfy this increasingly large and diverse workforce, a one-size-fits-all approach to remote access may not be sufficient or cost-effective.

Meeting needs while cutting costs
To better satisfy business needs, many companies are seeking innovative solutions that support a wider variety of remote access environments while reducing total cost.

Browser-based remote access services offer both cost and ease-of-use advantages. Web browsers are already present on nearly every computing device, public or private, large or small. Web-based solutions use this browser and dynamically downloaded code to avoid installing and configuring VPN client software on the worker's device. This approach facilitates remote access from just about anywhere and can significantly reduce per-user VPN administration costs. Savings are even greater for companies that eliminate corporate laptops by leveraging existing desktops for Web-based remote access.

Managed services are attractive because they free up capital, reduce ongoing operational costs, and decrease the need for security expertise. In-house VPNs require capital investment in customer premises equipment and lengthy setup, but network-based managed services do not. These savings continue after installation because in-house administration is usually more expensive than monthly managed service fees. Providers can offer managed services at lower cost by realizing economies of scale, and customers can leverage the provider's infrastructure and staff to offload most administrative tasks.

Alternative secure access methods can often meet workforce needs without the complexity of traditional VPNs. For example, day extenders that need only infrequent access to corporate e-mail may be satisfied with an SSL-based Web interface like Microsoft Outlook Web Access. Teleworkers that require convenient full-time access to the business applications and files already on their own office PC should consider a secure desktop remote access service like GoToMyPC Corporate. When traditional VPNs offer broader network access than workers actually need, alternative methods can often leverage existing IT assets to deliver a simpler, more cost-effective solution.

Making the business case
Of course, every company and workforce is different, so the most cost-effective solution can vary. Before adopting any alternative secure remote access solution, existing and proposed costs should be analyzed to verify positive return on investment.

Like most complex equations, quantifying total cost of ownership requires breaking the problem down into individual components. By examining one-time and recurring cost factors, we can more easily see where to plug in the variables that reflect each company's needs and remote user population.

When estimating one-time remote access setup costs, consider the following factors:

• Installing Internet access can include purchasing modems or routers and broadband service activation. Although part of total setup cost, this factor can often be ignored when comparing Internet-based alternatives, since it is common to all.
• Capital equipment purchases are necessary for customer-premise IPsec and SSL VPNs, but not for network-based managed services. To estimate VPN gateway prices, consider the number of users and high-availability requirements for larger workforces.
• Software licenses can be included in the price of an IPsec VPN gateway or purchased separately. Most enterprise-class IPsec gateways include VPN client licenses, but a separate purchase may be required for small office gateways and less common client devices like PDAs.
• Managed service activation fees cover the provider's cost of installation, configuration, and (for SSL VPNs) custom application development. To estimate activation fees, consider the number of users and required business applications.
• Administrative setup costs include VPN gateway installation, configuration, and firewall/server integration. There are no comparable costs for fully-managed services, since account setup is the provider's responsibility.
• Administrator training is required for all remote access solutions, but managed services usually require less extensive training. To estimate training costs, consider the number of administrators, which in turn reflects the size of the workforce.

To estimate recurring monthly costs, consider the following factors:

• Monthly Internet access fees for dialup, DSL, cable, wireless, and global roaming play a significant role in total cost but are common across Internet-based alternatives.
• Annual hardware and software fees for in-house VPNs include maintenance contracts for patches, upgrades, tech support, and (for IPsec) VPN client upgrades. There are no comparable costs for network-based managed services.
• Annual PC leasing fees reflect the fact that companies using IPsec VPNs often lease laptops for remote users. When comparing a browser-based solution to IPsec, factor in potential savings associated with leasing desktops in lieu of laptops.
• Managed service fees are typically based on number of users or seats, with annual contracts and volume discounts. There are no managed service fees for in-house VPNs, but there may be on-going fees for custom SSL VPN "plug-ins" that may be necessary to support less common applications.
• Monthly administrative costs for in-house VPN gateways include updating firewall rules, troubleshooting problems, and monitoring VPN logs and usage reports. Companies with existing VPNs can base this on first-hand experience. Others can use vendor estimates for overall VPN administration. For example, Cisco estimates that an in-house IPsec VPN administrative runs $30 per month per user.
• New user adds can be spread over the calendar year to reflect phased roll-out. For IPsec VPNs, new user costs include client installation, configuration, and end-user training. For browser-based alternatives, there is no client to install, but new accounts must be added and users must learn how to use the service and (in some cases) webified applications.

In a recent study for Citrix Online, I developed a general-purpose calculator to compare costs associated with in-house VPNs and GoToMyPC Corporate, a browser-based managed secure remote access service. I used nearly two dozen industry analyst reports, VPN vendor research, and customer interviews to derive customizable defaults for each cost factor. Given existing and proposed user counts, this calculator can estimate initial outlay, monthly costs/savings, and potential return on investment.

Using this calculator to examine three case studies, it became easy to see that capital equipment and ongoing administration dominate in-house VPN costs. In these cases, managed service fees were consistently lower than VPNs of comparable size. Although every company is different, this same methodology can be used to estimate your own company's remote access costs.

Companies just getting started with remote access may find browser-based managed services are a convenient, cost-effective alternative to traditional VPNs. Companies with existing VPNs may still save money by selectively offloading high-cost users. So, do your homework, crunch the numbers, and see for yourself whether adopting browser-based managed services can help your company deliver more convenient and cost-effective remote access to diverse user communities.

• Lisa Phifer is a SearchMobileComputing.com Expert, answering reader questions on wireless LANs, emerging standards and more.
• View Lisa's recent webcast, Deploying Wi-Fi Protected Access.