Do-it-yourself approach slows deployment of IP VPN

In the late 1990s, IP-based VPN technology seemed poised to take the world by storm. Here in 2003, however, it is evident that the VPN storm is more like a steady sprinkle – and outsourcing vendors are partly to blame.

VPNs, which allow enterprises to carve secure and reliable “networks” out of the public Internet infrastructure, are increasingly becoming a part of every corporation’s strategic IT plan. But considering the maturity of the technology and the relatively low cost of services, IP VPN deployment is still disappointingly slow. If IP VPNs can help enterprises expand the reach of their networks in a secure and cost-effective manner, why aren’t they more pervasive?

One answer to this question was revealed last week, when industry research firm In-Stat/MDR published the results of its study of the IP VPN market. In a survey of 200 enterprises using IP-based VPNs, In-Stat/MDR found that a surprising 91% were built and operated by internal IT organizations, not outsourcers or third party service providers.

Given the plethora of VPN services available on the market today, the dominance of the “build” over the “buy” model is remarkable. Clearly, the vast majority of enterprise IT managers are uncomfortable with the IP VPN services available so far, and therefore have chosen to roll their own.

In-Stat/MDR postulates that many IT organizations are wary of the security risks associated with third-party VPN services, and there is strong evidence to support this assertion. Enterprises want to set and monitor their own security systems and policies, and historically have been reluctant to turn over those functions to an outsourcer.

These concerns, though completely understandable, prove that IP VPN service providers have not done an effective job of outlining their capabilities. The fact is that most IP VPN services are highly secure, perhaps even more so than their enterprise counterparts because service providers tend to invest more heavily in security infrastructure. And in many cases, providers of external VPN services do enable their users to set and monitor their own security parameters.

On a broader level, the security question points to a simple fact about outsourced VPN services: most IT executives don’t know enough about them. The capabilities of such services, their costs, and the benefits of using them have not been clearly articulated, and therefore most enterprises are choosing to do VPNs themselves.

While the do-it-yourself approach is a viable, occasionally superior alternative, it also is a slow and costly one. Building a VPN internally means acquiring knowledge, technology and services that most enterprises do not have in house, and forces IT shops to invent solutions for problems that many VPN service providers solved years ago. By insisting on building VPNs in-house, enterprises have slowed the overall deployment of VPN technology.

But the market is changing. According to the In-Stat/MDR survey, 21% of enterprises planning an IP VPN in the next two years expect to use an outsourced VPN service. As service providers enhance their VPN services – and as enterprises seek additional ways to cut costs and reduce demands on internal staff – there is a new interest in outsourcing. In many cases, the enterprises that take the time to evaluate these third-party services will discover that they can achieve significant cost and resource savings through a third-party service, and the security risks are minimal.

For IP VPN service providers, however, much remains to be done. A clearer discussion of the “build vs. buy” decision must be painted, and the financial and technical benefits of outsourced VPNs must be more clearly articulated. If service providers don’t do a better job of outlining the benefits of IP VPN services, they should expect enterprises to continue to take the do-it-yourself approach.