ZTNA vs. VPN: Which Solution Offers Better Network Security and Access?

With hybrid and remote work now normal practice, securing remote access to organizational resources is one of the biggest challenges in security today. Organizations have used VPNs for many years to let remote workers connect into the corporate network. However, increasingly advanced cyber threats demand ever finer-grained access control, and ZTNA has emerged as a very viable alternative. This paper examines the key differences between ZTNA and VPN solutions to determine which provides superior network security and access in a typical modern IT environment.

Shifting Security Paradigms: The Evolution from VPN to ZTNA

Traditional VPNs have been a trusted method for providing remote access by establishing an encrypted “tunnel” from the user to the organization’s internal network. However, this model is built on the idea of a secure perimeter: once you successfully authenticate to the VPN, you usually receive full access to the internal network. Therefore, a compromised set of user credentials carries substantial risk.

ZTNA was developed under the assumption that we should never implicitly trust someone or something based solely on its physical or virtual location. Instead, ZTNA continually authenticates and authorizes each user and/or device for whatever resource it is trying to use at any given time, regardless of where that user or device is located. As such, ZTNA addresses many of the shortcomings of perimeter-based security models while supporting today’s growing need for a distributed workforce and for organizations moving toward cloud-first models.

Core Principles: How ZTNA and VPNs Operate

A meaningful comparison of ZTNA vs. VPN starts with the fundamentals of how each functions.

A VPN creates an encrypted tunnel that directs the end user’s traffic through a single central gateway. The user’s real IP address is masked from the outside world, and once the connection is established the end user appears as just another endpoint on the local network.

ZTNA functions quite differently, because it is based on a “zero trust” model. Users are granted access to specific applications or services only after both the user’s identity and the device’s posture have been verified. Because ZTNA is application-aware, users can only see and interact with the resources they are explicitly allowed to access.

ZTNA vs. VPN: Security Considerations

When examining ZTNA vs. VPN from a security standpoint, several critical differences emerge:

Degree of Access

Access provided through a VPN is generally network-level. Once an individual has been verified, they have access to all resources reachable over the network, many of which are unrelated to their job function. This creates unwarranted risk to sensitive data.

ZTNA is a completely different story: it offers least-privilege access. Each time a user requests access to a resource, their role determines what they are granted, and ZTNA verifies each request in real time. Together, these two features make it far harder for malicious actors to use compromised credentials or escalate privileges.

Potential For Lateral Movement

Another long-standing concern with VPNs is the potential for lateral movement within your network. If a device connected to your network via VPN is compromised, the actor could move laterally across the network and reach your most important assets.

In comparison, ZTNA uses an application-centric architecture to prevent lateral movement. Users connect only to the specific application(s) you allow, and they cannot see or ping any other resource on your network. As such, lateral movement becomes much less likely, reducing the overall damage a breach can do.

Authenticating Devices/Users

VPNs typically authenticate using user credentials, sometimes combined with MFA. While multi-factor authentication adds a layer of security, VPNs typically do not perform real-time checks on device posture.

ZTNA solutions, on the other hand, continually evaluate both the user’s identity and the health of the device, using signals such as the device’s compliance status, its location, and behavioral analysis. Adaptive authentication allows continuous evaluation of whether a user on a given device should be allowed to keep their access.

Visibility/Monitoring

ZTNA provides logging and visibility into who accessed which applications and when. This level of monitoring helps organizations comply with regulations and respond quickly to incidents.

VPNs provide basic connection logs but do not usually offer granular visibility into application-level access or user behavior.
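To make the contrast in the preceding sections concrete (network-level reach vs. least privilege, lateral movement, per-request user and device checks, and the per-application audit trail), here is a small added Python example. It is not code from this article or from any ZTNA or VPN product; the roles, application names, posture signals, allowed countries and policy table are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class User:
    username: str
    role: str
    mfa_passed: bool  # outcome of the login-time authentication


@dataclass(frozen=True)
class Device:
    device_id: str
    compliant: bool  # assumed posture signal, e.g. disk encryption on and EDR healthy
    country: str     # assumed location signal


# Constructed inventory and policy: which roles may reach which applications.
ALL_APPS: Set[str] = {"git", "ci", "erp", "hr-db", "ssh-bastion"}
ROLE_POLICY: Dict[str, Set[str]] = {
    "developer": {"git", "ci"},
    "finance": {"erp"},
    "admin": {"git", "ci", "erp", "ssh-bastion"},
}
ALLOWED_COUNTRIES: Set[str] = {"US", "DE"}

# Per-application audit trail (the visibility a VPN's connection log lacks).
AUDIT_LOG: List[dict] = []


def vpn_reachable_apps(user: User) -> Set[str]:
    """VPN model: one successful login places the device on the network,
    so every application is reachable regardless of the user's role."""
    return set(ALL_APPS) if user.mfa_passed else set()


def ztna_decide(user: User, device: Device, app: str) -> Tuple[bool, str]:
    """ZTNA model: evaluate identity, device posture, location and role for
    each individual request; the first failing check denies the request."""
    if not user.mfa_passed:
        return False, "mfa_failed"
    if not device.compliant:
        return False, "device_noncompliant"
    if device.country not in ALLOWED_COUNTRIES:
        return False, "location_denied"
    if app not in ROLE_POLICY.get(user.role, set()):
        return False, "not_in_role"
    return True, "allowed"


def ztna_visible_apps(user: User, device: Device) -> Set[str]:
    """Applications this user/device pair can even see. Everything else is
    invisible to them, which is what limits lateral movement."""
    return {app for app in ALL_APPS if ztna_decide(user, device, app)[0]}


def ztna_request(user: User, device: Device, app: str,
                 now: Optional[datetime] = None) -> bool:
    """Evaluate one access request and record who, which device, which app,
    when, and why it was allowed or denied."""
    allowed, reason = ztna_decide(user, device, app)
    ts = (now or datetime.now(timezone.utc)).isoformat()
    AUDIT_LOG.append({"ts": ts, "user": user.username, "device": device.device_id,
                      "app": app, "allowed": allowed, "reason": reason})
    return allowed


def denied_requests() -> List[dict]:
    """Denied entries are the ones an incident responder reviews first."""
    return [entry for entry in AUDIT_LOG if not entry["allowed"]]


if __name__ == "__main__":
    alice = User("alice", "developer", mfa_passed=True)
    laptop = Device("LT-001", compliant=True, country="US")
    # Constructed: same valid credentials, but a device that fails the posture check.
    unmanaged = Device("LT-999", compliant=False, country="US")

    print("VPN reach after login:", sorted(vpn_reachable_apps(alice)))
    print("ZTNA visible apps:    ", sorted(ztna_visible_apps(alice, laptop)))
    ztna_request(alice, laptop, "git")       # allowed: in role, healthy device
    ztna_request(alice, laptop, "hr-db")     # denied: outside the developer role
    ztna_request(alice, unmanaged, "git")    # denied: non-compliant device
    for entry in AUDIT_LOG:
        print(entry)
```

The point of the example is the shape of the two decision functions: the VPN path makes a single decision at login and returns the whole network, while the ZTNA path re-evaluates role, posture and location on every request and leaves a per-application record of the outcome. A real ZTNA broker would source the posture and location signals from an endpoint agent and an identity provider rather than from hard-coded fields.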

Performance and User Experience

Network performance and user experience are key factors when deciding between ZTNA and VPN.

VPNs introduce latency because all traffic has to be routed through a central location (a data center or gateway), which can slow users’ experience with cloud-based applications. The extra hop can also cause network congestion and poor application performance due to bottlenecks during peak usage periods.

In general, ZTNA enables direct connections from users to applications. The user connects only to the apps they need, usually through cloud-hosted gateways positioned near the end user. This architecture avoids unnecessary routing of data, improving overall performance and user experience.

Scalability and Modern IT Environments

As organizations adopt ever more cloud technology, SaaS applications and hybrid work models, scaling has become a major issue. VPN infrastructure can quickly become overburdened by growing demand from remote workers, and scaling it is both expensive and slow, since it typically involves purchasing additional equipment or upgrading bandwidth.

ZTNA is more scalable than traditional VPN solutions, especially when delivered through a cloud-based model. Because ZTNA does not rely on local appliances, it can easily expand to include more users, devices and applications. This ability to scale with changing user needs is extremely beneficial for organizations with dynamic and geographically dispersed workforces.

Real-World Applications: When to Use ZTNA vs. VPN

The choice between ZTNA (Zero Trust Network Access) and VPN (Virtual Private Network) should depend on your company’s needs and the specific use case you want to implement.

A Virtual Private Network will continue to be useful for those who need complete network access (for example, an IT administrator who needs to manage servers directly), and for companies with older applications that cannot easily be integrated into a zero-trust environment.

Organizations that require very fine-grained control over user access, and that want to protect their SaaS (Software as a Service) and cloud applications from internal threats, would benefit from Zero Trust Network Access. These solutions are also particularly well suited to highly regulated industries such as healthcare, finance and government.

Many organizations may find value in a Hybrid Approach — maintaining their current VPN Infrastructure for some uses, while beginning to move toward ZTNA for the majority of their employees’ work activities, as well as to support increased cloud-based services.

Implementation Challenges and Considerations

While ZTNA has significant benefits over VPNs, implementing it raises several issues. The transition from VPN to ZTNA will likely require an organizational culture shift as well as a review of your current access policies. You will also likely need to invest in a new tool or platform, and integrating ZTNA with your existing IAM (identity and access management) and other legacy systems can be complex.

ZTNA is NOT a magic solution. It should be one piece of your overall comprehensive cybersecurity strategy which includes continued education/training for employees, robust endpoint protection and continuous review of policies.

While VPNs have been around for years and remain very common, they still require constant monitoring and management. A misconfigured VPN is an easy attack vector for malicious actors, so keeping VPN servers fully patched is very important.

Industry Trends and Future Outlook

ZTNA adoption is growing because of the increased use of cloud computing, remote work, and increasingly sophisticated cyber threats. According to Gartner, by 2025 at least seventy percent (70%) of new remote access implementations will use ZTNA rather than VPNs. This growth is driven by companies moving away from traditional perimeter-based security toward Zero Trust Architecture, and by the need for greater adaptability and awareness in their access control systems.

Conclusion: Making an Informed Choice

Choosing between ZTNA (Zero Trust Network Access) and VPN (Virtual Private Network) is not simply a question of swapping old for new. Organizations need to determine what is right for them in terms of specific requirements, the level of risk they are willing to accept, and longer-term IT plans.

While VPNs have long been an established way to provide general access into larger networks, their limited ability to fine-tune access per application or service, together with their limits on scalability, has made this architecture obsolete in many cases.

ZTNA offers a future-focused approach by embracing modern security best practices and the reality of cloud-first and remote work. With application-based access control, continuous verification and user experience improvements, ZTNA is a solid alternative for organizations looking to improve their overall security posture. In some cases, the best solution will use VPN and ZTNA together to leverage the strengths of each, with well-defined policies governing how each product is used and continued oversight of all access.