We live in a world where remote and hybrid work has become normalized within the last couple of years. The move to remote and cloud applications has spurred a shift in how employees connect to their corporate environments, with Virtual Private Networks (VPNs) being the de facto standard for secure remote connections. The ability to connect securely over an encrypted tunnel has served companies well for many years. However, the rising popularity of Zero Trust Network Architecture (ZTNA) is changing the mindset of many companies, which are re-evaluating their reliance on VPNs. This article reviews why VPNs are slowly being replaced by ZTNA solutions, along with the pros and cons of each.
Why Traditional VPNs are no longer enough
VPNs have served as a secure way of connecting to the corporate environment for decades; at the same time, they come with limitations that reduce their effectiveness in modern networks and turn them into bottlenecks for modern security controls. Let us take a look at a few of the key issues with VPNs:
- Perimeter Approach: VPNs rely on user authentication to grant access to a network, typically with a password and a multi-factor authentication mechanism. However, once the user has been granted access, that access is not re-evaluated against what the user actually needs. A user can have full access to the network and move laterally to other resources within it, violating the principle of least privilege and giving attackers free rein if they compromise the account.
- Complexity: VPNs can be quite complex to maintain, requiring an investment in infrastructure and expertise to support a corporate environment. With a surge in remote working, companies can struggle to scale the VPN infrastructure to accommodate an increasingly remote workforce.
- Performance: VPNs encrypt and decrypt all traffic passing through the tunnel, and this overhead can degrade application performance and, with it, user productivity.
The Rise of Zero Trust Networks
Zero Trust Network Architecture (ZTNA) has grown in popularity within the last few years. It is a new security and network architecture approach that replaces the “Trust but Verify” principle with “Never trust, always verify.” In a ZTNA network, no implicit trust is assumed, and every user request is authenticated regardless of whether it originates from a remote or a local user. Some of the key features of a ZTNA are:
- Focus on Identity: Instead of focusing on network location, ZTNA focuses on the user’s identity to assess whether access should be allowed. This is not a one-time activity but a continuous one that considers multiple contextual factors. In a ZTNA environment, lateral movement is much harder for an attacker, even after a user account is compromised, because every access is continually reassessed.
- Micro-segmentation approach: ZTNA applies the principle of least privilege to network architecture through micro-segmentation. Instead of placing sensitive workloads in their own subnet, micro-segmentation secures individual workloads with intelligent, dynamic policies that can change at runtime. This means the network architecture can change dynamically in response to a security breach.
- Access from anywhere approach: In a ZTNA approach, there is no need for VPN infrastructure for remote connections. The “never trust, always verify” approach means that users are subject to the same level of scrutiny regardless of where they connect from. This has led companies like Google to remove the need for VPNs for their employees entirely and move to a ZTNA approach.
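The difference between the two models in the features above can be shown as a small policy engine. This is an added illustration, not code from the article or from any ZTNA product: the resource names, roles, risk levels and the idea of an MFA age limit are constructed assumptions, and the device-posture and risk inputs are assumed to come from an endpoint agent and an identity provider respectively.

```python
from dataclasses import dataclass

# Constructed risk ordering used to compare a user's current risk against a resource's limit.
RISK_ORDER = {"low": 0, "medium": 1, "high": 2}

# Constructed per-resource policies: permitted roles, maximum acceptable user risk,
# and how recent the last MFA must be (minutes). Anything not listed is denied by default.
POLICY = {
    "hr-payroll": {"roles": {"hr"}, "max_risk": "low", "max_mfa_age": 15},
    "wiki": {"roles": {"hr", "eng"}, "max_risk": "medium", "max_mfa_age": 480},
}


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    resource: str
    device_compliant: bool  # device posture, assumed to come from an endpoint agent
    risk_level: str         # "low" | "medium" | "high", assumed from an identity provider
    mfa_age_minutes: int    # minutes since the user last completed MFA


def vpn_style_decision(authenticated: bool) -> bool:
    """Perimeter model: one successful login grants the whole network, for every resource."""
    return authenticated


def ztna_decision(req: Request) -> tuple:
    """Zero Trust model: evaluate each request against the target resource's own policy.

    Returns (allowed, reason) so the reason can be logged for detection and audit.
    """
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, "unknown resource: default deny"
    if not req.roles & rule["roles"]:
        return False, "role not permitted for resource"
    if not req.device_compliant:
        return False, "device posture check failed"
    if RISK_ORDER[req.risk_level] > RISK_ORDER[rule["max_risk"]]:
        return False, "user risk level too high for resource"
    if req.mfa_age_minutes > rule["max_mfa_age"]:
        return False, "MFA too old; step-up required"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed case: a valid HR login replayed from a non-compliant device with a raised risk score.
    stolen = Request("alice", frozenset({"hr"}), "hr-payroll", False, "high", 5)
    print("VPN model:", vpn_style_decision(True))   # the login succeeded, so payroll is reachable
    print("ZTNA model:", ztna_decision(stolen))     # the same session is denied per request
```

In the perimeter model the decision is made once at the tunnel, so the stolen session keeps its reach; in the ZTNA model the same identity is re-evaluated per resource and the denial reason becomes a detection signal.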
Adopting Zero Trust brings numerous benefits, such as:
- Improved security, as the ZTNA environment continually assesses the security posture of each request instead of relying on the perimeter approach. This is done by evaluating multiple contextual factors such as the user’s risk level and device posture.
- Improved support for Cloud: If the company plans to adopt a cloud methodology, then a move to Zero Trust makes a lot of sense because the two approaches align well. ZTNA was designed to accommodate cloud approaches, as it does not rely on a user’s or device’s location when assessing security.
- Future-proofing the network: Zero Trust is the approach for future-proofing your environment against new and upcoming threats. This can be seen in the Executive Order issued by the US Government, which has directed federal agencies to adopt a ZTNA approach for their security.
How to move to a Zero Trust Network approach
Adopting a Zero Trust model does not mean implementing a product or applying for a certification; rather, it is a change in mindset that takes time to implement. Zero Trust has certain principles that must be applied across an environment, and the adoption should be treated as a proper project with its own resources and timelines. Not all network components will comply with a ZTNA approach, and most companies will adopt a hybrid system that transitions to a fully ZTNA-compliant environment over time. Proper training, change management, and a phased strategy are essential to adopting Zero Trust.
Gartner has predicted that at least 70% of new remote access deployments will rely on a ZTNA approach instead of VPNs by 2025. While companies will continue to use VPNs, their effectiveness as a security control has diminished recently with the rise of remote working and cloud-first approaches. A move towards Zero Trust is inevitable for modern enterprises due to its increased security and flexibility. Companies should strategically adopt Zero Trust and start working on their roadmaps to move away from VPNs.
Frequently Asked Questions
What are the limitations of traditional VPNs?
Traditional VPNs have certain limitations, such as a perimeter approach that grants users access to the entire network without re-evaluation. This compromises the principle of least privilege and allows lateral movement within the network if user accounts are compromised. VPNs can also be complex to maintain, and the encryption and decryption overhead of the tunnel can reduce performance and productivity.
What is Zero Trust Network Architecture (ZTNA)?
Zero Trust Network Architecture is a security and network approach that replaces the traditional “Trust but Verify” principle with “Never trust, always verify.” ZTNA focuses on continuous user authentication and identity-based access control, regardless of the user’s location. It employs micro-segmentation and dynamic policies to enhance security and supports access from anywhere without relying on VPN infrastructure.
What are the benefits of adopting a Zero Trust approach?
Adopting Zero Trust brings numerous benefits, including improved security by continually assessing the security posture of user requests. It also aligns well with cloud methodologies, supports future-proofing the network against new threats, and offers enhanced flexibility in remote work environments. The US Government has even directed federal agencies to adopt a Zero Trust approach for their security.
How can an organization transition to a Zero Trust Network approach?
Transitioning to a Zero Trust model requires a change in mindset and should be treated as a proper project with its own resources and timelines. It involves applying Zero Trust principles, proper training, change management, and a phased approach that gradually brings the network into full compliance with ZTNA. Most organizations adopt a hybrid approach initially before fully transitioning to Zero Trust.