Zero Trust Network Access: The Evolution of VPN
The recent rise in remote working has put a spotlight on the limitations of virtual private networks (VPNs). For years, VPNs have been the de facto method of accessing corporate networks, but they have some drawbacks in light of today’s more complex ecosystems.
The biggest issue for complex network deployments is that a VPN takes a perimeter-based approach to security. Users authenticate through the VPN client, but once they are inside the perimeter, unless additional controls such as internal segmentation are in place, they can have broad access to the network, which exposes it to threats. Every time a device or user is implicitly trusted in this way, it places an organization's data, applications, and intellectual property at risk.
A VPN tunnel by itself has no insight into the content it carries. Because most home offices sit on largely unsecured home networks, remote workers have become a primary target for cybercriminals looking for an easily exploited point of access into the corporate network. Part of the challenge is that remote users often are not subject to the same application access controls that would apply if they were connecting from the corporate network. In addition, because they are no longer protected by enterprise-grade security solutions, they are easier targets for social engineering and malware. They are also increasingly exposed to older exploits against unpatched devices that commonly share the home network, such as gaming consoles, entertainment systems, or home security systems.
Another challenge is the result of networks being highly distributed. Critical resources and applications are now spread across data centers, distributed branch and home offices, and multi-cloud environments. Many VPN solutions weren't designed to manage this level of complexity, and a single VPN connection can struggle to provide access to everything a remote worker might need. Additionally, backhauling all traffic through a central concentrator for inspection is resource-intensive and complicated. Split tunneling creates its own set of challenges, because traffic sent directly to the cloud bypasses the corporate firewall and its inspection entirely.
Even if you manage to set up separate VPN concentrators and perform security inspections at every possible connection point, the next challenge is consistency. Ensuring that every VPN connection provides the exact same access controls, including device and user validation, and enforces the same policy used elsewhere is challenging.
Because networks now have many edges, it’s difficult to create a single defensible boundary. Secure access and consistent policy enforcement are essential for today’s digital organizations. However, because the traditional network perimeter is dissolving, it is now far more difficult to tell who and what can be trusted, especially based on location. Because so many people are now accessing critical resources and applications from outside the network perimeter, security experts have been promoting the need to shift away from the paradigm of an open network built around inherent trust to a zero-trust model.
Unlike a traditional VPN-based approach, which assumes that anyone or anything that passes network perimeter controls can be trusted, the zero-trust model takes the opposite approach: no user or device can be trusted to access anything until proven otherwise.
Even if a user has been granted access to one area of the network or to one application, that grant implies nothing about access to other areas. This concept is easier said than done, however. To implement a comprehensive zero-trust strategy in a highly distributed environment, network admins need to control who can access which applications no matter where those users or applications are located. This "least privilege" approach requires rigorous access controls that span the distributed network so that users, devices and endpoints, cloud and SaaS applications, and the underlying infrastructure are all protected.
Fortunately, solutions exist that allow organizations to implement an effective zero-trust strategy without extensive retooling of the network. A zero-trust network access (ZTNA) solution allows organizations to extend the zero-trust model beyond the network. Unlike a VPN, which focuses exclusively on the network, ZTNA goes up a layer, effectively providing application security that is independent of the network.
ZTNA is also seamless to the user, which can significantly improve the user experience. For many people, the experience of using a VPN isn't great. To set up a VPN tunnel they need to launch the VPN client, select a location to connect to, and wait. As a result, using a VPN can be slow, and depending on the type of connection, the added overhead can affect productivity.
ZTNA improves the user experience because it works transparently in the background. You click on the app you want to access and behind the scenes the client does all the heavy lifting. Secure connections are made and security protocols and inspection are applied to ensure an optimal experience. Users don’t have to worry about setting up a connection or where an application is located.
On the IT security side, each user and device is verified and validated before it is given access to an app or resource. This process includes a posture check that confirms the endpoint is running an approved firmware or OS version and a healthy endpoint protection agent before it is allowed to connect to the application. The verification is granular and per session, using the same access policy whether the user is reaching resources on premises, in a private cloud, or in a public cloud. The same policy also controls who can access that app based on the profile of the authenticating user and device.
Because ZTNA focuses on application access, it also doesn’t matter what network the user is on. It simply delivers automatic secure connections to applications no matter where the user may be located by verifying the user and device posture for every application session, even when users are in the office.
ZTNA also reduces the attack surface by hiding business-critical applications from the internet. And unlike the multi-step process of a VPN, connecting securely is seamless. You click the application and immediately get a secure connection without having to have the application link publicly exposed.
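To make the per-session, per-application evaluation described above concrete, here is a small policy evaluator written as an added illustration for this article; it is not Fortinet code and does not reflect any vendor's implementation. The application names, groups, posture attributes, and version thresholds are constructed for the example. It encodes the three points the text makes: default deny, a device posture check on every request, and a decision that ignores where the user is connecting from. A short legacy-VPN contrast function at the end shows the "authenticate once, reach everything" behaviour the zero-trust model replaces.

```python
"""Per-session ZTNA policy evaluation (added example; constructed sample data)."""
from dataclasses import dataclass, field, replace


@dataclass(frozen=True)
class DevicePosture:
    device_id: str
    managed: bool          # enrolled in the organization's device management
    os_version: tuple      # e.g. (14, 2) for a 14.2 OS/firmware build
    edr_running: bool      # endpoint protection agent present and healthy
    disk_encrypted: bool


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    device: DevicePosture
    app: str
    location: str          # "office", "home", "cafe": deliberately never consulted
    mfa_verified: bool


@dataclass(frozen=True)
class AppPolicy:
    allowed_groups: frozenset
    min_os_version: tuple
    require_edr: bool = True
    require_mfa: bool = True
    require_managed: bool = True


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)   # empty when allowed


# One policy per application (hypothetical apps). Access to one app implies
# nothing about another: each request is evaluated against its own policy.
APP_POLICIES = {
    "hr-portal":  AppPolicy(frozenset({"hr"}), (14, 0)),
    "wiki":       AppPolicy(frozenset({"staff", "hr"}), (13, 0), require_mfa=False),
    "prod-admin": AppPolicy(frozenset({"sre"}), (14, 2)),
}


def check_posture(device: DevicePosture, policy: AppPolicy) -> list:
    """Return the list of posture requirements the device fails (empty if healthy)."""
    reasons = []
    if policy.require_managed and not device.managed:
        reasons.append("device not managed")
    if device.os_version < policy.min_os_version:
        reasons.append(f"os {device.os_version} below minimum {policy.min_os_version}")
    if policy.require_edr and not device.edr_running:
        reasons.append("endpoint protection not running")
    if not device.disk_encrypted:
        reasons.append("disk not encrypted")
    return reasons


def authorize(req: AccessRequest) -> Decision:
    """Evaluate a single session request. Default deny; every check must pass.

    req.location is intentionally ignored: a user in the office gets exactly
    the same evaluation as one at home, which is the zero-trust point.
    """
    policy = APP_POLICIES.get(req.app)
    if policy is None:
        return Decision(False, ["unknown application: default deny"])
    reasons = []
    if not (req.groups & policy.allowed_groups):
        reasons.append(f"user not in an allowed group for {req.app}")
    if policy.require_mfa and not req.mfa_verified:
        reasons.append("mfa not verified")
    reasons.extend(check_posture(req.device, policy))
    return Decision(not reasons, reasons)


def legacy_vpn_reachable(credentials_valid: bool) -> set:
    """Perimeter model for contrast: one credential check, then every app is
    reachable on the network with no per-app, per-session, or posture check."""
    return set(APP_POLICIES) if credentials_valid else set()


def sample_decisions() -> dict:
    """Run constructed requests through the evaluator and return the decisions."""
    alice_dev = DevicePosture("lt-0042", True, (14, 2), True, True)
    bob_dev = DevicePosture("lt-0107", True, (13, 5), False, True)   # EDR stopped
    alice_home = AccessRequest("alice", frozenset({"staff", "hr"}), alice_dev,
                               "hr-portal", "home", True)
    bob_cafe = AccessRequest("bob", frozenset({"staff"}), bob_dev,
                             "wiki", "cafe", False)
    return {
        "alice_hr_home":   authorize(alice_home),
        "alice_hr_office": authorize(replace(alice_home, location="office")),
        "alice_prod":      authorize(replace(alice_home, app="prod-admin")),
        "alice_unknown":   authorize(replace(alice_home, app="payroll-legacy")),
        "bob_wiki":        authorize(bob_cafe),
        "bob_hr":          authorize(replace(bob_cafe, app="hr-portal")),
    }


if __name__ == "__main__":
    for name, decision in sample_decisions().items():
        print(f"{name:16} {'ALLOW' if decision.allow else 'DENY '} {decision.reasons}")
    print("legacy VPN after login:", sorted(legacy_vpn_reachable(True)))
```

Note that alice's successful session to hr-portal carries no weight when she requests prod-admin in the next session, and that the decision for the office request is identical to the home request. A real ZTNA broker would also bind the decision to a short-lived session and re-evaluate posture on a timer, which this snippet does not attempt.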
Even after the pandemic ends, CISOs are going to need a strategy for supporting telework because it’s likely that many employees will continue to work remotely at least part of the time. In fact, 54% of employed adults with job responsibilities that can mostly be done from home say that they want to work from home all or most of the time once the coronavirus outbreak is over. And they are likely to get their wish, as about two-thirds of businesses that have adopted remote work policies as a result of COVID-19 plan to keep at least some of those policies in place long-term or permanently.
Although traditional VPNs have been a mainstay for decades, many organizations are now looking for alternatives that better meet their plans and objectives. With better security, more granular control, and a better user experience, ZTNA can be a smarter choice for securely connecting your remote workforce.
Learn more about Zero Trust solutions from Fortinet that enable organizations to see and control all devices, users, and applications across the entire network.
Copyright © 2021 IDG Communications, Inc.