Securing The Remote Worker: VPN or ZTNA?
Organizations are dealing with a reality that users no longer live and work from the corporate office. Users are now doing their jobs from their home, local coffee shops, hotels and many other places along the way. This shift in the workplace requires a different approach to an organization's security architecture to ensure that security follows the user, the data and the application. Several organizations are currently evaluating real-estate contracts and commitments to reduce their physical footprint. Organizations are asking the question: should we keep our VPN solution in place or should we move to ZTNA for secure remote access?
Understanding the associated risks and benefits of VPN and ZTNA is a critical step in the evaluation process. VPNs have been used for many years to connect remote users to company resources from outside of the corporate network. Implementing a large-scale VPN solution introduces considerable complexity and does not address the current risk driven by cloud adoption and remote work. Managing a VPN solution at scale can be complex and cumbersome, and many organizations are evaluating VPN alternatives because of these challenges. Organizations have many elements to consider when building out a VPN architecture: software license levels, concurrent user counts, hardware selection and security services, to name a few. There is also an ongoing demand for greater scale, better performance and a better user experience. This reality is reinforced by several companies who are seeing their annual remote access numbers grow from 20% to over 80%. This type of growth introduces new risk and more attack vectors, and comes at a significant cost. Traditional VPN solutions do not provide the appropriate technical measures and architecture to protect an organization against modern cyber-attacks.
Expands the attack surface
Every VPN into the datacenter extends the scope of the corporate network and becomes another point of entry that has to be secured. Most enterprise networks are still trying to solve the segmentation problem. These networks are still flat in design with broad network ranges. This type of architecture increases the risk of attacks with broad access to resources far beyond the required access level. This level of broad trust should be seen as a vulnerability that can be exploited by cyber criminals.
Operational and management complexity
When deploying or extending a VPN solution there are several nuances to account for, such as the number of remote users, the endpoint devices, the security policies, the management of the endpoint devices, the protocols and so on. This may result in some endpoints with fat clients while other endpoints are clientless. Engineering teams today have to write scripts, configure GPOs, deploy agents, issue certificates and secure endpoints just to extend a static network path that doesn't address the core issue of secure access.
Insufficient routing and performance
Many applications can be accessed via the cloud in a SaaS model today and do not require a next hop to the corporate datacenter. A traditional VPN architecture may require that all internet-based traffic be backhauled to the datacenter. This approach can have a negative impact on performance and user experience. Organizations that decide to offer split tunneling must evaluate the cyber risk and cyber maturity of their users. Users can't be patched, and phishing attacks remain a successful method of circumventing many organizations' security controls.
Static vs. dynamic assessment of risk
The traditional VPN only checks user authentication and authorization at the time of login. The risk level of a user can drastically change throughout the course of a day. A VPN provides very little value in understanding the user's identity. Insufficient monitoring can provide attackers with an easy way to harvest VPN credentials as the entry point.
Lack of context
VPN solutions don't provide a dynamic way to understand changes in user behavior or device state. Context matters in the event a device is jailbroken, or a user wants to access a privileged system. Whether a user should have access to that system at an odd time from an unfamiliar location is an unanswered question when users are connecting over a VPN. UEBA (User & Entity Behavior Analytics) is not a part of the VPN architecture, so there is no way to understand the user's behavior. More data input sources are now required to provide organizations with enough data to evaluate risk levels properly.
Navigating the architectural challenges within the VPN hardware is a major constraint. VPNs are typically a challenge to architect and deploy because engineering has to forecast what they think they will need for performance, throughput, user counts for the next several years. This can create significant problems around elasticity and scale. Legacy hardware can result in protocol limitation across IPSec, SSL, IKE and TLS protocol versions, etc.
If the VPN architecture is not designed to support the required user traffic, the organization may be forced to turn off critical security services to meet the performance requirements. In many of these cases there have been a number of unforeseen performance issues, so the more advanced security services such as anti-virus scanning, IPS, content filtering and DLP are not always turned on because the hardware is unable to meet the scale and performance demand.
VPNs typically don't provide a logical way to review which remote users have too much access or excessive privilege. Organizations must have visibility into what users have access to what systems and when that access is no longer needed. Remote access should be monitored and evaluated on a continuous basis to ensure a least privilege model.
Over the years there have been a number of CVEs exploiting various VPN vulnerabilities to allow unauthorized access to restricted data. In some cases there are patches available for distribution. In other cases the industry has experienced a number of Zero Day vulnerabilities. These types of systems now are being utilized more to support a large number of remote workers.
Traditional VPN solutions can be a challenge to many employees who are not technically savvy which can result in a lack of adoption, drop in productivity and an increase in help desk support calls. VPNs require a lot more interaction from the user. From the login process to the user being authenticated VPNs require more steps when compared to ZTNA. The user experience can make a difference in adoption and security in the end.
Several organizations are replacing their traditional VPN solutions with ZTNA solutions because of some immediate benefits. Most of the ZTNA solution providers are cloud-based, meaning they have built their solutions on top of existing cloud service provider networks such as AWS or GCP. Others have taken a similar approach where the ZTNA providers are investing in their own cloud architecture with various Points of Presence (PoPs) across the globe. These environments have several Points of Presence to ensure the best performance and compliance. ZTNA takes a much different approach to securing remote access. Most ZTNA providers are focused on removing the network as a requirement to access a resource such as an application. From a Zero Trust perspective the ZTNA cloud handles all the routing, security and the binding of remote users to corporate applications. Listed below are some of the major benefits of moving to a ZTNA solution versus a legacy VPN solution.
Reduce the attack surface
The traditional VPN focuses more on remote connectivity of a user to the internal network. This means the user is still within the network perimeter. VPN architectures provide a virtual connection to onboard users to a specific remote network (i.e. 192.168.x.x/24). Zero Trust is focused on abstracting the network away as a requirement and trust factor. ZTNA is less focused on the network the user is coming from because the Zero Trust cloud becomes the PEP (Policy Enforcement Point). The PEP is focused on building a comprehensive view of the session to better understand things like user identity, device identity, device state, location, end-to-end encryption, etc.
Addresses scale and performance
All legacy VPN solutions require some level of scoping to ensure the physical and virtual appliances can account for the number of concurrent users. ZTNA gives organizations the benefit of cloud elasticity providing a much better way to address immediate scale needs for a large number of users. If the organization acquires another company access can be turned on much faster with ZTNA based on the premium networks and PoPs in place.
Engineers have done performance testing for years with various protocol stacks and traffic types to validate VPN architectures. Even with all the performance testing, security still falls short within the VPN architecture. As a result many organizations may have an inconsistent approach to security depending on where the VPN terminates. ZTNA takes a different approach. The ZTNA cloud manages the security services centrally to ensure that every transaction that is put on the wire is encrypted and inspected using advanced security services such as advanced DLP, IPS, AV and UEBA.
Knowing the identity of the user, the device or the service is a critical capability of ZTNA. Zero Trust uses the concept of a Trust Database or Trust Algorithm. Identity is part of that database to provide administrators with a higher level of confidence about the session. ZTNA solution providers focus on building an open architecture with open APIs to integrate with key systems like an IdP. Identity is used as a data input source, just like the end user device. Traditional VPNs are not as open, so the focus is more on MFA than on creating a trust database.
Least privilege access and segmentation are native components of Zero Trust. A ZTNA configuration takes an identity-based approach: users are granted access to applications, not networks. This approach is starkly different from how VPN access is configured. This technical function can significantly lower an organization's risk and exposure because of the difference in architecture.
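The sections above on static versus dynamic risk, lack of context, the PEP's session view and identity-based access to applications describe one decision process. The following is an added illustration written for this page, not code from the article or from any ZTNA vendor: a minimal policy decision that entitles users to named applications rather than network ranges, scores contextual risk from device state, location and time of day, and re-evaluates the same session whenever a new context snapshot arrives (a login-time-only VPN check would run only the first evaluation). The application catalogue, the identity groups, the field names and the risk thresholds are all constructed assumptions for the example.

```python
"""
Added illustration (not part of the original article): a minimal Zero Trust
policy decision that grants access per application, not per network, and
re-evaluates the same session when context changes. The application
catalogue, user groups, field names and thresholds are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed application catalogue: each app lists the identity groups that
# are entitled to it and whether it is privileged (needs MFA and a managed,
# healthy device). Nothing here refers to a network range.
APPS: Dict[str, dict] = {
    "wiki":    {"groups": {"staff"},       "privileged": False},
    "payroll": {"groups": {"finance"},     "privileged": True},
    "git":     {"groups": {"engineering"}, "privileged": False},
}

# Constructed "trust database" input: group membership an IdP would supply.
USERS: Dict[str, Set[str]] = {
    "alice": {"staff", "finance"},
    "bob":   {"staff", "engineering"},
}


@dataclass
class Context:
    """Signals the PEP collects for one request (assumed field names)."""
    user: str
    mfa: bool                  # did the IdP report a completed MFA challenge
    device_managed: bool       # device enrolled in endpoint management
    device_jailbroken: bool    # device posture reported by the agent
    country: str               # geolocation of the request
    usual_countries: Set[str]  # countries this user normally connects from
    hour_utc: int              # hour of the request, 0-23, in UTC


def risk_score(ctx: Context) -> int:
    """Score contextual risk 0..100 from device state, location and time."""
    score = 0
    if ctx.device_jailbroken:
        score += 60
    if not ctx.device_managed:
        score += 20
    if ctx.country not in ctx.usual_countries:
        score += 25          # unfamiliar location
    if ctx.hour_utc < 6 or ctx.hour_utc > 22:
        score += 10          # outside typical working hours
    return min(score, 100)


def decide(app: str, ctx: Context) -> dict:
    """Allow/deny one request for one application, with the reasons."""
    spec = APPS.get(app)
    if spec is None:
        return {"allow": False, "risk": 100, "reasons": ["unknown application"]}
    reasons: List[str] = []
    # Entitlement is identity-based: the user must hold an allowed group.
    if not USERS.get(ctx.user, set()) & spec["groups"]:
        reasons.append("identity not entitled to application")
    score = risk_score(ctx)
    if spec["privileged"]:
        if not ctx.mfa:
            reasons.append("privileged app requires MFA")
        if not ctx.device_managed or ctx.device_jailbroken:
            reasons.append("privileged app requires a managed, healthy device")
        if score >= 30:
            reasons.append(f"risk score {score} too high for privileged app")
    elif score >= 60:
        reasons.append(f"risk score {score} too high")
    return {"allow": not reasons, "risk": score, "reasons": reasons}


def evaluate_session(app: str, snapshots: List[Context]) -> List[bool]:
    """Re-run the decision for every context snapshot seen during a session,
    so a device that becomes jailbroken mid-session loses access."""
    return [decide(app, c)["allow"] for c in snapshots]


if __name__ == "__main__":
    healthy = Context("alice", True, True, False, "US", {"US"}, 10)
    jailbroken = Context("alice", True, True, True, "US", {"US"}, 11)
    print(decide("payroll", healthy))
    print(evaluate_session("payroll", [healthy, jailbroken]))
```

The point of `evaluate_session` is the contrast with the login-time check: the same user with the same credentials is allowed at the first snapshot and denied at the second because the device posture changed, and the unprivileged wiki tolerates an unfamiliar location at an odd hour while payroll does not.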
Visibility and analytics
Every organization is trying to solve the visibility problem. Trying to get insight into VPN traffic and who has access to which applications is difficult because the architecture was not built to connect applications to users. The architecture was built to extend private network access to a remote user. Many of the ZTNA solutions give administrators visibility into things like failed login attempts, bulk downloads and location variance within the click of a button. ZTNA will utilize automation in the more mature implementations, so visibility will be required to operate this modern architecture.
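The three signals named above (failed login attempts, bulk downloads and location variance) are straightforward to derive once access events are tied to a user and an application instead of a network path. As an added example, not from the article or any product, the following analyzer runs those three checks over a few constructed access events. The event format, the constructed log lines and the thresholds are assumptions chosen for the illustration.

```python
"""
Added illustration, not from the original article: a small analyzer over
constructed ZTNA-style access events that surfaces failed-login bursts,
bulk downloads and location variance. Log format and thresholds are assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample events: timestamp user action app country bytes
SAMPLE_LOG = """\
2024-05-01T08:00:00Z alice login_failed wiki US 0
2024-05-01T08:00:20Z alice login_failed wiki US 0
2024-05-01T08:00:45Z alice login_failed wiki US 0
2024-05-01T08:01:10Z alice login_failed wiki US 0
2024-05-01T08:01:30Z alice login_failed wiki US 0
2024-05-01T08:02:00Z alice login_ok wiki US 0
2024-05-01T09:00:00Z bob login_ok git US 0
2024-05-01T09:05:00Z bob download git US 300000000
2024-05-01T09:20:00Z bob download git US 900000000
2024-05-01T09:40:00Z bob login_ok git BR 0
2024-05-01T10:00:00Z carol login_ok payroll DE 0
"""


def parse(log: str) -> List[dict]:
    """Turn the whitespace-separated constructed format into event dicts."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, action, app, country, nbytes = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "action": action, "app": app,
                       "country": country, "bytes": int(nbytes)})
    return sorted(events, key=lambda e: e["ts"])


def failed_login_bursts(events, threshold=5,
                        window=timedelta(minutes=5)) -> Dict[str, int]:
    """Users with at least `threshold` failed logins inside any window."""
    per_user = defaultdict(list)
    for e in events:
        if e["action"] == "login_failed":
            per_user[e["user"]].append(e["ts"])
    flagged: Dict[str, int] = {}
    for user, times in per_user.items():
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def bulk_downloads(events, limit_bytes=1_000_000_000,
                   window=timedelta(hours=1)) -> Dict[str, int]:
    """Users whose download volume inside any window exceeds limit_bytes."""
    per_user = defaultdict(list)
    for e in events:
        if e["action"] == "download":
            per_user[e["user"]].append((e["ts"], e["bytes"]))
    flagged: Dict[str, int] = {}
    for user, items in per_user.items():
        start, total = 0, 0
        for ts, size in items:
            total += size
            while ts - items[start][0] > window:   # drop events outside window
                total -= items[start][1]
                start += 1
            if total > limit_bytes:
                flagged[user] = max(flagged.get(user, 0), total)
    return flagged


def location_variance(events, max_gap=timedelta(hours=2)) -> List[Tuple]:
    """Successful logins from two countries closer together than max_gap."""
    last: Dict[str, Tuple[datetime, str]] = {}
    findings = []
    for e in events:
        if e["action"] != "login_ok":
            continue
        prev = last.get(e["user"])
        if prev and prev[1] != e["country"] and e["ts"] - prev[0] <= max_gap:
            findings.append((e["user"], prev[1], e["country"], e["ts"] - prev[0]))
        last[e["user"]] = (e["ts"], e["country"])
    return findings


def report(log: str = SAMPLE_LOG) -> dict:
    """Run all three checks and return the findings keyed by signal."""
    ev = parse(log)
    return {"failed_logins": failed_login_bursts(ev),
            "bulk_downloads": bulk_downloads(ev),
            "location_variance": location_variance(ev)}


if __name__ == "__main__":
    print(report())
```

On the constructed log, alice trips the failed-login threshold (five failures in ninety seconds before a success), bob's two downloads add up to 1.2 GB inside one hour, and bob's successful logins from US and then BR forty minutes apart are reported as a location variance; carol produces nothing. The same checks work unchanged on any event stream that carries user, application, country and byte counts per event.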
Many organizations are evaluating the risks and benefits of the status quo. WWT has a unique vantage point that spans many industries and many technology providers. The Security Practice has dedicated resources who take a consultative approach to help our clients understand the benefits of modernizing their security architecture. More information on Zero Trust solutions can be found on the WWT Zero Trust compare page.