Jan 04 2024

Should Higher Education Consider Cloud-Based VPNs?

If colleges and universities want to grant remote access to campus networks, they need to be willing to hand cloud-based VPN vendors the “keys to the kingdom.”

While virtual private network technology has been around in one form or another for over a quarter century, many people’s first encounters with VPNs were during the pandemic, when the ability to remotely access secure campus networks became a necessity for people working and studying from home. Post-pandemic, the need for remote access has slowed from its frantic 2020 pace, but hasn’t stopped.

In higher education, institutions must decide whether to host and manage on-premises VPNs on their own networks or farm them out to a vendor that provides cloud-based VPN services. To make that decision, CIOs and other higher ed IT executives need to weigh the advantages and disadvantages of these implementations.

Advantages to Cloud VPNs: Scaling, Cost, Expertise, User Experience

With cloud VPNs, users log on to a third-party provider’s servers to access an enterprise’s secure cloud resources or a firewalled on-campus network. One of the biggest considerations with cloud VPNs is that cloud vendors can provide expertise that an institution’s IT department may lack, often with lower start-up costs.

“I think most of those conversations are happening for institutions that, perhaps prior to the pandemic, had no investment in a VPN solution,” says Joseph Potchanant, director of the cybersecurity and privacy program at EDUCAUSE. “It was easier for them to find a vendor to do so than it was to spin up their own because they were trying to do it rather quickly.”

According to Potchanant, the lower costs of ramping up a VPN solution without needing to build on-premises infrastructure to support it also appeal to many college and university IT executives he’s spoken to.

However, expertise and cost are just a few of the things that make cloud VPNs attractive to colleges and universities. Two factors that are of utmost importance to college administrators are the ability to scale quickly and support a user base that is geographically dispersed.

“If today I have 50,000 users, am I able to double the size of my population without my team taking four, five, six months to do it? That is the type of thing that I’m looking for,” says Marcel Mutsindashyaka, CIO of Oberlin College in Ohio and one of EdTech’s higher education IT influencers.

Those users could potentially be spread all over the United States or perhaps internationally. Because of that, there may be less of a desire from institutions to have users log in to an on-premises VPN due to their distance from the campus infrastructure.

“Applications are no longer in the data center alone. They’re in the cloud, in multiple clouds, in Software as a Service applications — they’re everywhere,” says Anand Oswal, senior vice president of network security at Palo Alto Networks. “The old construct of me taking the connectivity for my laptop, backhauling it to a central demilitarized zone and applying some processing on it leads to a very poor experience for the user.”

With a more decentralized infrastructure, a cloud VPN solution allows users to log in to either the application that’s being accessed or the campus network itself at an access point that’s closer to their geographic location.

But the end-user experience doesn’t stop with the need for speed. What Mutsindashyaka has found is that, for users, connecting to the VPN in three clicks or less is the usability sweet spot.

“It has also to be something that is familiar to them,” he says. “They have to use the existing single sign-on that they use. They don’t have to use different multifactor authentication — they have to use exactly the same thing they are used to.”

IT Executives Need to Scrutinize Vendors' Track Records

The biggest advantage of an on-premises VPN is that the institution owns and controls all of the equipment, and they can open up or lock down access in any way they choose. With a cloud VPN solution, however, the vendor an institution chooses must be one that can be trusted with access to the campus network.

“You’re going to have to let a third party into, essentially, the rules of your firewall,” says Potchanant. “If the idea is adding IP address space that is shared with the campus, you’re going to have to share some of the keys to the kingdom with those third-party solutions in order to get that.”

There are ways to minimize that access; for example, limiting the IP addresses given to VPN users. Still, it’s an IT executive’s job to adequately vet the vendor they work with to ensure it’s serious about both security and privacy.

“There are a lot of things that we check,” says Mutsindashyaka. “There’s the security practice of the company itself, because you can’t expect somebody to protect you if they can’t even protect themselves. We go through a lot of due diligence to understand if this company really takes security seriously, or if they just want to make money.”

Vendors anticipate those security and privacy needs, says Oswal, who uses the layers of the Open Systems Interconnection model in describing the security Palo Alto Networks’ solutions can provide.

“If I’m a research lab, I really want to have that data access very limited,” he says, adding that Palo Alto provides a Layer 7 solution to assist. Layer 7 — OSI’s application layer and the highest level of the OSI model — allows administrators to “do security constructs, threats, ransomware, tell which applications have policies on who can access data, what type of access they can have, whether read only or write, and so on,” says Oswal.

While much of that can be done by the institution on the network and application level, every little bit helps, says Mutsindashyaka.

“If the vendor is capable of containing the attack, that is wonderful because not only will it help you deal with the attack, but you will also get time to analyze and see what’s going on before it spreads,” he says.

How a vendor deals with privacy — especially regarding regulations and laws that can vary from state to state and region to region — is also an important consideration, says Potchanant.

“Are you doing institutional research on human subjects? Are there things that you’re doing where the anonymity of the student or the human subject is extremely important to protect?”

What it comes down to for IT executives is finding a vendor that can work with them to provide a solution that fits their needs, especially in an environment where people may need to access the campus network or cloud resources via mobile devices as well as laptops and desktops.

“I think the whole idea, really, is that we have to protect any user on any device when accessing any application consistently,” says Oswal, “with best in class security, best operational experience, lowering the cost of ownership for the customer. That’s where we are.”
