ZTNA vs VPN: secure work and remote access

ZTNA versus VPN

While VPNs served their purpose in a strictly on-premises world, the accelerated migration to the cloud has revealed their limitations, and new technologies are being introduced. Of these, ZTNA is widely regarded as the evolution of VPN remote access, for several reasons:

Reduces the attack surface
VPNs extend the corporate network across multiple, geographically dispersed sites, which now include notoriously insecure home offices. This expands the organization’s attack surface by joining unsecured networks, home networks included, to the corporate one.

So even while a remote employee is only accessing legitimate work apps, other users and devices on the same home network can spread malware through that unsecured machine and into the VPN. Given that 82% of data breaches involved a human element, the more devices and users with access to an organization’s entire network, the greater the cyber risk.

ZTNA, by contrast, allows more granular control over who can access what. It operates on the principle of least privilege, establishing only specific connections between a user and an application, which gives the attack surface a much narrower perimeter.

Also, unlike a VPN, which exposes an application’s backend to any logged-in user, ZTNA continuously checks the trust of users and devices and only grants access to the application’s frontend (the web portal). Thus, even if a user account is compromised, the attacker will not have the access needed to carry the attack further across the attack surface.

Minimizes cyber risk
VPNs approach authentication as “one and done”: once a user has gained access to the network, they can stay connected for a long time (or indefinitely) as long as their credentials remain valid. In theory, someone could steal that user’s laptop and gain immediate access to the organization’s network.

ZTNA goes beyond just confirming credentials by:

  • Validating access at a given moment by verifying that patches are installed, that the device is joined to the domain, and so on.
  • Authenticating user identity via Multi-Factor Authentication (MFA).
  • Checking what the user is allowed to use, along with behavioral markers such as when they usually work and where they usually work from.

Once access is granted, ZTNA continuously assesses risk by running user identity checks and monitoring device health in accordance with the configured security policies. For example, if a device used by an account suddenly starts dumping process memory via PowerShell, the risk score will increase and the connection will be terminated. Likewise, if malware is detected and the security posture of the device changes, access is terminated instantly.
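To make the two-stage model concrete (point-in-time admission checks, then continuous re-scoring of an established per-application session), here is an added, illustrative policy engine in Python. It is not code from any ZTNA product; the weights, thresholds, event names and the `AccessContext`/`Session` types are all constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed weights for an illustrative policy; a real ZTNA product tunes its own.
TERMINATE_AT = 70   # risk score at which the brokered connection is torn down
EVENT_WEIGHTS = {"powershell_memory_dump": 60, "malware_detected": 100}  # post-login telemetry

@dataclass
class AccessContext:    # what the broker knows at login time
    user: str
    app: str            # access is brokered per application, never to the network
    mfa_passed: bool
    patches_current: bool
    domain_joined: bool
    usual_hours: tuple  # baseline working window from behaviour history, e.g. (8, 18)
    usual_country: str
    login_hour: int
    login_country: str

@dataclass
class Session:
    user: str
    app: str
    score: int = 0
    reasons: list = field(default_factory=list)
    active: bool = True

def evaluate_admission(ctx: AccessContext) -> Session:
    """Point-in-time checks run before a connection to one application is brokered."""
    s = Session(ctx.user, ctx.app)
    start, end = ctx.usual_hours
    for failed, weight, reason in (
        (not ctx.mfa_passed, 100, "mfa failed"),
        (not ctx.patches_current, 30, "patches missing"),
        (not ctx.domain_joined, 30, "not domain joined"),
        (not start <= ctx.login_hour < end, 20, "outside usual hours"),
        (ctx.login_country != ctx.usual_country, 25, "unusual location"),
    ):
        if failed:
            s.score += weight
            s.reasons.append(reason)
    s.active = s.score < TERMINATE_AT
    return s

def ingest_event(s: Session, event: str) -> bool:
    """Continuous assessment: a signal raises the score; crossing the threshold ends
    only this application's connection. Returns whether the session is still active."""
    if s.active and event in EVENT_WEIGHTS:
        s.score += EVENT_WEIGHTS[event]
        s.reasons.append(event)
        s.active = s.score < TERMINATE_AT
    return s.active
```

Note that a session admitted with an elevated score (unusual hours or location) is terminated by the first suspicious telemetry event, while a clean session survives one such event with a raised score, which is the accumulation behaviour a risk-scored policy is meant to show.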

Improves scalability
Since VPNs give a user access to everything, businesses have needed a certain amount of bandwidth just to keep workflows unaffected. Legacy VPN technology that funnels traffic through an on-premises firewall or VPN concentrator is not equipped to scale, or to provide the user experience needed, in an increasingly agile business world.

With ZTNA, the application-specific connection to the user does not require the bandwidth of a VPN. It is designed for rapid scaling while maintaining the high performance, availability and consistent delivery needed for modern security solutions, without negatively impacting user experience.

Tips for Evaluating ZTNA Technology

Swapping a VPN for ZTNA can seem overwhelming, especially given the sheer number of apps, devices, and users businesses have to deal with. Here are three tips for evaluating ZTNA technology:

VPN replacement is a journey
We strongly advise against the rip-and-replace approach. Think of updating your remote access solution as a journey, like migrating from on-premises applications to the cloud. Start by migrating low-risk applications to the ZTNA solution to identify issues, then accelerate (at the pace your business can manage) until the VPN can be retired.

Take advantage of automation
Manual configuration can seem like a Herculean task for security teams of any size, given that every application must be entered by hand. Look for a ZTNA solution that leverages automatic application discovery, which examines network traffic to identify where each application is hosted and how it is accessed. It can also surface shadow IT that may have gone unnoticed while using a VPN.

Check the bottom line
Finally, beware of “hidden” costs that can spiral out of control. Many ZTNA providers have adopted the same pricing model as VPNs, only worse: not only do you pay for each user, but also for each application, and if you work in the cloud you are charged transfer fees on top. Look for a provider with consumption-based billing that charges per identity, regardless of how many devices a user signs in from.

Modernizing the SOC with ZTNA

Part of modernizing the SOC is the ability to provide insight into what is happening in the IT infrastructure. Since VPNs provide access to everything, the lack of context around risky user, device and app behavior leaves the SOC with poor, unusable information.

A ZTNA solution can provide more granular insights because it is directly connected to the endpoint and the application and continuously inspects all traffic. This helps security operations teams establish a baseline for risk, further minimizing any potential harm from unauthorized access.

Next steps

Convergence is the key to stronger security. Although ZTNA can work independently, it is more powerful when applied within a SASE architecture. ZTNA’s integration with Secure Web Gateways (SWGs) and Cloud Access Security Brokers (CASBs) leads to more streamlined and powerful security across the entire attack surface.

For more information about SASE and cyber risk management, see the following resources:
