Corvus Insights Blog | Smart Cyber Insurance

Zero Trust Network Access (ZTNA) vs. Virtual Private Networks (VPN)

Written by Danial Ahmed | 11.16.22

VPNs and Traditional Remote Access Methods

Traditional VPN solutions provide users remote access to an organization's private resources over an encrypted channel. VPNs gained popularity because they allowed employees to work from anywhere, and that flexibility led to their rapid adoption. However, the growth in user devices, remote work, and cloud-hosted applications has highlighted that traditional remote access technologies are becoming difficult to manage and introduce security risks.

Risks Associated with Traditional VPNs:

Broad Access - All or Nothing

  • Remote access VPNs are often configured to provide full network access to any user with valid credentials which increases the impact of unauthorized activity in the environment.

Limited Security Visibility

  • There is limited visibility into user movement once they are inside the network which can make detecting unauthorized activity more of a challenge.

Ignores Device Posture

  • Most solutions are not configured to validate that a device is authorized or to confirm device health (e.g., whether it contains malware or is running EDR).
    • This can allow for unauthorized devices to connect to the environment.

Vulnerabilities in VPN Solutions

  • Unpatched VPN solutions are targeted by attackers and used as a point of entry. Because VPN devices sit at the edge of the network, a vulnerability in one of them can lead to total compromise of the environment.

VPNs gave organizations a remote access solution at a time when alternatives to remote desktop were needed. Zero Trust Network Access (ZTNA) builds on the foundations of remote access that VPNs established, and overcomes the fundamental challenges above by incorporating key concepts of zero trust.

What is Zero Trust Network Access (ZTNA)?

ZTNA is a category of security technologies that provides secure remote access to applications and services. Access is established after a user has been authenticated to the ZTNA service, which acts as an access broker. The ZTNA service then provides access to permitted applications on the user’s behalf through a secure, encrypted tunnel. Users are then only allowed access to certain applications and areas of a network that have been authorized for their user account. 

ZTNA operates under one simple principle: never trust, always verify. At a high level, the zero trust security model requires that a user should only have access and permissions to systems, applications and data required to fulfill their role. This is known as the principle of least privilege, and a ZTNA solution will automatically default access to the lowest level for all users.

Elements In a Typical ZTNA Solution:

Verify and Validate

  • Strict verification of users and devices, and continuous examination of device posture and user behavior throughout the session.
    • Only allow the users and devices that are confirmed to be legitimate.

Least Privileged Access

  • Limits the information each user and device can access based on identity and context to mitigate the risk of data exfiltration and unauthorized access.
    • Only allow approved users and devices to access applications they are approved to access.

Monitor

  • Logging of user activity and authentication requests to provide deep visibility into risky user behavior.
    • Full visibility for security teams to rapidly investigate suspicious activity.

Micro-segmentation

  • Isolates applications and data within the network to shrink the blast radius of any potential attacks.

Key Advantages of ZTNA over VPN

Network-level Access vs App-level Access

  • VPNs permit full network access to any user with valid credentials. ZTNA restricts user access to specific apps, limiting data exposure and lateral movement of attackers.

Shrinks External Attack Surface

  • Users authenticate to the ZTNA service, which sits in front of the protected resources. This hides their IP addresses and removes the assets from public view.
    • Keeping assets out of public view reduces your external footprint and makes reconnaissance harder for an attacker.

Deep Visibility Into User Activity

  • VPNs lack app-level controls and have no visibility into user movement once inside a private network.
  • ZTNAs log every user action and provide deeper visibility into user behavior and risks to enforce informed, data-centric controls for securing sensitive content within applications.
    • This also allows for quick investigations that lead to swift containment, and reduces the blast radius of an attack on the organization or of a compromised user credential.

Endpoint Posture Assessment

  • VPN connections don't take into account the risks posed by end-user devices. A compromised or infected device can easily connect to internal resources.
  • ZTNAs perform continuous assessment of connected devices by validating their security posture and enable adaptive access to resources based on the device being used.
    • Device connections are immediately terminated when a risk is detected. ZTNAs can also be integrated with an endpoint security solution to allow adaptive access based on a continuous assessment of a device's security posture.
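As an added illustration of the elements above (verify and validate, least privileged access, monitor) and of the app-level access and endpoint posture advantages, here is a toy access broker written for this post. It is not code from any ZTNA product or from Corvus; the user names, device fields, entitlement table and "network" contents are all constructed. It contrasts the VPN decision (valid credentials give the whole network) with a per-request decision that checks identity, device posture and an explicit per-app entitlement, records every decision in an audit log, and tears down an open session when the device's posture degrades.

```python
"""Toy ZTNA-style access broker (added example, not a vendor's code)."""
from dataclasses import dataclass, field


@dataclass
class Device:
    device_id: str
    enrolled: bool              # managed/known device
    edr_running: bool
    malware_detected: bool = False


@dataclass
class AccessRequest:
    user: str
    mfa_passed: bool            # identity verification already performed upstream
    device: Device
    app: str


# Constructed entitlement table: which users may reach which applications.
APP_ENTITLEMENTS = {
    "alice": {"hr-portal", "wiki"},
    "bob": {"wiki"},
}

# Constructed flat network: everything a full-tunnel VPN would expose.
NETWORK_APPS = {"hr-portal", "wiki", "finance-db", "build-server"}


def vpn_decision(user: str, mfa_passed: bool) -> set:
    """Traditional remote-access VPN: valid credentials => the whole network."""
    return set(NETWORK_APPS) if mfa_passed else set()


def device_posture_ok(device: Device) -> bool:
    """Device health check: enrolled, EDR running, no malware findings."""
    return device.enrolled and device.edr_running and not device.malware_detected


@dataclass
class ZtnaBroker:
    audit_log: list = field(default_factory=list)
    sessions: dict = field(default_factory=dict)   # (user, device_id) -> apps

    def _record(self, user, device_id, app, decision, reason):
        self.audit_log.append({"user": user, "device": device_id, "app": app,
                               "decision": decision, "reason": reason})

    def evaluate(self, req: AccessRequest) -> bool:
        """Per-application decision: identity, then posture, then entitlement."""
        key = (req.user, req.device.device_id)
        if not req.mfa_passed:
            self._record(req.user, req.device.device_id, req.app, "deny", "authentication failed")
            return False
        if not device_posture_ok(req.device):
            self._record(req.user, req.device.device_id, req.app, "deny", "device posture")
            return False
        if req.app not in APP_ENTITLEMENTS.get(req.user, set()):
            # Default is the lowest level: no entitlement means no access.
            self._record(req.user, req.device.device_id, req.app, "deny", "not entitled")
            return False
        self.sessions.setdefault(key, set()).add(req.app)
        self._record(req.user, req.device.device_id, req.app, "allow", "ok")
        return True

    def reassess(self, user: str, device: Device) -> set:
        """Continuous assessment: terminate sessions when posture degrades.
        Returns the set of app connections that were torn down."""
        key = (user, device.device_id)
        if key in self.sessions and not device_posture_ok(device):
            apps = self.sessions.pop(key)
            for app in apps:
                self._record(user, device.device_id, app, "terminate", "posture degraded")
            return apps
        return set()

    def denied_events(self) -> list:
        """What a security team would review: every non-allow decision."""
        return [e for e in self.audit_log if e["decision"] != "allow"]


if __name__ == "__main__":
    laptop = Device("lt-01", enrolled=True, edr_running=True)
    broker = ZtnaBroker()
    print("VPN grants bob:", sorted(vpn_decision("bob", True)))
    print("ZTNA bob->wiki:", broker.evaluate(AccessRequest("bob", True, laptop, "wiki")))
    print("ZTNA bob->finance-db:", broker.evaluate(AccessRequest("bob", True, laptop, "finance-db")))
    laptop.malware_detected = True
    print("terminated after malware finding:", broker.reassess("bob", laptop))
    print("events to investigate:", len(broker.denied_events()))
```

The three ordered checks in `evaluate` are the practical meaning of "never trust, always verify": a valid login alone never yields access, an unhealthy or unenrolled device is refused before entitlements are consulted, and an app absent from the entitlement table is denied by default rather than reachable because the user is "on the network". The audit log is what gives the monitoring element its value; a flat VPN produces only a "connected" event and nothing per application.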
