ZscalerZero TrustSecurity Transformation
Partner Contribution4 minute read

VPN vs ZTNA: Five Lessons Learned by Making the Switch from VPN to Zero Trust Network Access

Implementing zero trust is a continuum of paring back access over time to get to your goal of minimum trust and least-privileged access. Learn how one large healthcare company realized they needed to rethink their traditional VPN strategy.

In this article

This article was created and contributed by Zscaler.

In the late 1990s, VPN technology took the corporate world by storm. The network could be extended into every household and users could work from home as if they were in the office. But just like dial-up modems, pagers, and VCRs, corporate VPNs are a relic of another era and fail to meet the needs of today's cloud- and mobile-first world. 

One large healthcare company realized they needed to rethink their traditional VPN strategy when the pandemic hit and mass remote work became imperative overnight. Secure was no longer sufficient when it came to remote access—it needed to be secure and usable. They sought to strike a balance and they turned to zero trust network access (ZTNA). 

In a recent conversation with the company's head of information security architecture, he shared five important lessons learned from switching from legacy VPN to ZTNA.

 User satisfaction skyrocketed with ZTNA compared to VPN. 

Unlike VPN, which requires backhauling user traffic through a corporate data center and slows down internet performance, ZTNA connects users directly to private applications. The company learned that while everyone tolerated VPN, no one actually loved VPN. With ZPA, user satisfaction shot through the roof thanks to faster and easier access to their applications. Users gave rave reviews with an average rating of 4.8 out of 5.0, compared to 3.0 for VPN.

 Supporting zero trust is different than supporting traditional VPN.

With a traditional VPN, users are authenticated once then placed on the network. It's just like they're sitting in the office where they can access everything. But with zero trust, users and devices are continuously validated and only granted access to specific, authorized applications. To get to this concept of minimum necessary access, you need to build profiles for everyone so they can get to only the applications they need to do their job. That means a mobile developer is different than a web app developer, and a finance user is different than an IT user.

 How much risk are you willing to accept?

Zero trust is a balancing act between the amount of risk you are willing to accept and the effort needed to build and enforce policies. You need to ask yourselves hard questions and think deeply about the answers. 

  • How much access is sufficient?
  • What policies do you need for HR? Finance? Legal? Marketing? IT?
  • How many different policies do you need for each group's different access needs?
  • How much risk can you tolerate? How much management overhead are you willing to take on to achieve that level of risk?

 Zero trust doesn't happen overnight. It's a journey.

Implementing zero trust is a continuum of paring back access over time to get to your goal of minimum trust and least-privileged access. This company gave its first zero trust users greater access than they would have liked, but when they compared the level of risk, even then, to that of using VPN, they were still way better off. Initially, they allowed access to *.company.com, for instance. Then they used Zscaler's application analytics capabilities to see who was using which applications and which were the chattiest. With this information in hand, they then narrowed user access and continued to refine policies over time.

 Zero trust goes beyond secure remote access.

Improving the security and user experience of your remote workforce can be the driver for implementing zero trust, but, ideally, you want to instill a zero trust mindset across your entire enterprise. Remote access is an essential component of zero trust, but you should also think about what zero trust means for ALL access. What does it mean in your cloud environments? What does it mean for on-prem access? Ultimately, you want to reduce the attack surface and protect data across your entire organization and every single user, no matter where they reside.

In short, rethink the risk and reward of trying to stretch your existing network-centric controls into today's cloud and mobile use cases where they don't serve well. If you were designing an architecture from scratch to meet your needs, not just today, but in the future, would you use yesterday's technology? Like many of our customers, you're likely to find opportunities to move away from legacy controls and expand into a more modern approach that can simplify your zero trust journey.

Get hands-on access to the Zscaler Zero Trust lab in the ATC.

Technologies