ZTNA vs VPN: Secure Remote Work & Access – SASE Part 2


While VPNs served their purpose in a strictly on-prem world, the accelerated migration to the cloud has revealed its limitations and new technologies are being ushered in. Amongst those, ZTNA is largely considered the evolution of VPN remote access due to several factors:

Reducing the attack surface
VPNs extend the network fabric across multiple differently located sites, which now includes notoriously insecure home offices. This expands the organization’s attack surface by connecting secure and unsecured networks together, including home networks.

So, while a remote employee may be only accessing legitimate work apps, other users/devices could spread malware through an unsecured machine connected to the VPN. Considering that 82% of data breaches involved a human element, the more devices and users with access to an organization’s entire network, the higher the cyber risk.

On the other hand, ZTNA allows more granular control over who can access what. It operates on the principle of least privilege, thereby only establishing specific application-to-user connections—creating a more defined perimeter for the attack surface.

Furthermore, unlike a VPN, which exposes an application’s backend to the connected user, ZTNA continuously verifies the trust of users and devices, and only grants access to the web-portal frontend. Thus, even if a user is compromised, the cybercriminal won’t have access needed to leapfrog their attack across the attack surface.

Minimizes cyber risk
VPNs approach authentication as “one and done”, meaning after a user is granted access to the network, they can remain connected for a long (or indefinite) amount of time so long as your credentials are valid. In theory, someone could steal your laptop and have immediate access to the organization’s network.

ZTNA goes beyond just confirming credentials by:

  • Validating access at a point-in-time by checking that patches are installed, the app is domain-connected, etc.
  • Authenticating the user’s identity via multi-factor authentication (MFA)
  • Checking what they’re authorized to use and other user behavior markers like: what time do they usually work between, what location do they usually work from, etc.

After the connection is granted, ZTNA continuously assesses the risk by running user identity checks as well as monitoring the health of the device in line with configured security policies. For example, if a device used by an account is suddenly dumping memory files using PowerShell, the risk score will increase, and the connection will be severed. Similarly, if malware if detected and there’s a change in the device’s security posture, access will be terminated instantly.

Improved scalability
Since VPNs provide a user with access to everything, businesses needed a certain bandwidth to function without impacting workflows. Legacy VPN technology that connects traffic to an on-premises VPN firewall or concentrator aren’t equipped to scale or deliver the user experience needed in an increasingly agile business world.

With ZTNA, the specific application-to-user connection doesn’t require the bandwidth that VPNs do. It is designed for rapid scale while maintaining high-performance availability and consistent delivery needed for modern security solutions without negatively impacting user experience.

Tips for evaluating ZTNA technology

Swapping out VPN for ZTNA can seem overwhelming, especially considering the sheer number of apps, devices, and users that businesses must contend with. Here are three tips for evaluating ZTNA technology:

VPN replacement is a journey
We strongly advise against the rip-and-replace approach. Think of updating your remote access solution as a journey, like that of migrating apps from on-prem to the cloud. Start by migrating low-risk apps to the ZTNA solution to identify any issues and then ramping up (at rate your business can handle) until the VPN can be retired.

Leverage automation
Manual configuration can seem like a Herculean task for security teams of any size given each app needs to be inputted. Look for a ZTNA solution that leverages automatic app discovery, which can look at network traffic and identify where the app is hosted and how it can be accessed. It can also surface any pesky shadow IT that may have gone unnoticed while using a VPN.

Check the bottom line
Lastly, beware of “hidden” costs that can spiral out of control. Many ZTNA suppliers have adopted the same pricing model as the VPN but worse; not only do you have to pay for each user, but also for each app, and if you’re working in the cloud, you’re charged a transfer fee as well. Look for a vendor with consumption-based billing that only charges for the identity, regardless of if a user is connecting with multiple devices.

Modernizing the SOC with ZTNA

Part of SOC modernization is the ability to provide insights into what’s happening across the IT infrastructure. Since VPNs grant access to everything, the lack of context around risky user, device, and application behavior leads to poor quality, unactionable information.

A ZTNA solution can serve up more granular information because it’s directly connected to the endpoint and the app and continuously inspecting all traffic. This helps security operations teams establish a baseline for risk, further minimizing any potential damage from unauthorized access.

Next steps

Convergence is key for stronger security. While ZTNA can run independently, it’s stronger when applied to the SASE architecture. Integrating ZTNA with secure web gateways (SWG) and cloud access security brokers (CASB) leads to more streamlined, powerful security across the attack surface.

For more information on SASE and cyber risk management, check out the following resources:

Read More HERE