With the mass migration to cloud computing environments in recent years, and the prolific and growing use of mobile and IoT devices, modern IT ecosystems look increasingly different from traditional network setups. As a result, securing your company’s network perimeter is no longer sufficient to protect your sensitive data and assets.
Additionally, although a shift to people working at home more frequently was inevitable, the process was rapidly accelerated by the COVID-19 pandemic – which forced organisations to quickly accommodate their remote workforce – or potentially go out of business altogether. As a result, organisations worldwide have distributed workforces that no longer sit behind conventional cybersecurity defences.
In light of this, organisations must consider alternative ways to maximise their network security while providing secure remote access to offsite employees. Two of the main methods companies use to provide secure remote access to distributed workforces are zero trust network access (ZTNA) and virtual private networks (VPNs).
With all this in mind, let’s compare ZTNA vs VPN, how they differ from each other, and how each contributes to improving your company’s network security.
ZTNA vs VPNs: how do they differ?
Zero trust is a cybersecurity strategy, or collection of technologies, that provides secure, remote access to applications and services. It’s named as such because it discards the traditional assumption used to secure a company’s network assets and data: that all users and devices inside the network can be trusted and granted access to resources, while threat actors must be outside the network, so security personnel need only focus their efforts on keeping them out.
In light of the challenges of keeping a cloud environment secure, as well as emerging and constantly evolving cyber threats, ZTNA avoids these assumptions and assumes each user is a potential threat until proven otherwise.
Three key principles of zero trust are:
- Assume breach: while traditional network security measures assume that cybercriminals are outside the network perimeter, zero trust, in contrast, assumes they’re already within an organisation’s IT infrastructure and protects assets accordingly.
- Never trust, always verify: ZTNA doesn’t grant access privileges based on a user’s location, i.e., inside or outside the network, but rather on whether they can be verified; in other words – verification = trust. Consequently, users and devices aren’t only verified when a user logs in but throughout their session, each time they attempt to access a network resource.
- Least privilege: the principle of least privilege (PoLP) is the practice of giving users the least amount of access rights possible for them to perform their jobs. This is in contrast to providing access rights ‘just in case’ a user requires them (saving IT personnel from having to grant further access privileges down the line) – which can lead to said privileges being abused.
ZTNA has become increasingly prevalent as greater numbers of organisations migrated to the cloud and, having become more aware of the level of cyber risk they’re exposed to, were forced to re-examine their cybersecurity strategies.
Conversely, a virtual private network (VPN) is a technology that provides a secure connection between remote users and a private network, i.e., between an organisation’s employees and the company’s network. Employees log into the VPN, which provides an encrypted “tunnel” through which data is transmitted, allowing them to access company resources and data as normal – as if they were on their work premises. In doing so, the VPN hides the user’s IP address, location, and traffic contents from public view, which helps prevent attackers from intercepting them.
Consequently, with respect to how they function, ZTNA takes the opposite approach to a VPN. On one hand, a VPN simply reroutes a remote user through a secure gateway and grants them full access rights once they’ve successfully logged into the network. If a malicious actor were to obtain a user’s login credentials, they’d be able to freely roam through the company’s network and steal, delete, alter, or otherwise compromise data and assets.
VPNs are often described as a “castle and moat” security approach, in which the castle, i.e., your IT infrastructure, is surrounded by a moat – the VPN – that’s designed to keep intruders out. However, if malicious actors can get past the moat, they can ransack the castle at will.
ZTNA, in contrast, offers far more comprehensive network security by continuously verifying each user before granting access to a requested application or resource. Just as importantly, it only gives them the minimum access required, which significantly reduces the potential damage an attacker could cause if they were to find their way into your network. Returning to the castle and moat analogy, zero trust is akin to each room in the castle also being surrounded by its own moat.
What are the benefits of ZTNA?
Now that we’ve covered both technologies and how they differ, let’s delve into some of the benefits of zero trust over VPN.
Reduces attack surface
As companies increase their reliance on cloud technology and see more of their employees working remotely, their attack surfaces, i.e., the set of entry points and weaknesses that cybercriminals can target, are growing. ZTNA helps reduce the size of your organisation’s attack surface by requiring users to verify their identity before they are granted access to the data and resources they request. Additionally, because of the principle of least privilege, users are granted the minimum possible access, limiting the potential damage if a security breach occurs.
Enhances visibility into the cloud environment
Implementing a zero trust architecture requires organisations to conduct a comprehensive initial inventory of their data, assets, systems, and all other network resources. This provides greater visibility into their IT ecosystem, which is especially important in a cloud environment, where companies don’t have as much visibility as they do over traditional “on-premises” infrastructure. Additionally, to make accurate “trust” decisions, i.e., whether to grant a user access to a resource, companies must continuously monitor their network through solutions like cloud access security brokers (CASB), cloud-based security information and event management (SIEM) tools, and intrusion detection systems.
Auto-scalability
Because ZTNA is typically delivered as a cloud-native service, it can draw on scalable cloud resources to scale automatically as a company’s user base grows or more employees work remotely. This is in contrast to VPNs, which are typically hosted in a data centre and are often costly and complex to scale in line with an organisation’s growing requirements.
Greater flexibility
A key aspect of any zero trust deployment is network segmentation, or microsegmentation, in which organisations divide their infrastructure into smaller segments. Security teams can then apply granular access controls to grant staff precisely the access privileges they need. Better still, this restricts lateral movement within the network, so malicious actors’ actions are contained if they manage to get past your cybersecurity defences, and the spread of malware infections to critical systems and sensitive data is curbed.
Why aren’t VPNs sustainable?
Let’s continue our comparison of ZTNA vs VPN by examining why virtual private networks aren’t as viable a solution for providing secure remote access as they used to be.
Limited scope
Especially when compared to zero trust, VPNs offer limited functionality and, consequently, provide insufficient network security. VPNs essentially divide users into two groups, those with access credentials and those without, and assume that anyone who can successfully log into the company’s network can be trusted. However, if a malicious actor obtains login credentials, through phishing, for example, the company’s network will be compromised until their presence is detected (if at all). Conversely, zero trust re-verifies users with each access request and requires the network to be divided into segments – both of which make it more secure than a VPN.
Slow performance
VPN solutions were originally intended to connect a small proportion of an organisation’s staff to its network while working offsite for short periods. They were never intended to support entire workforces, as was required through the pandemic and the large, unprecedented shift to remote and hybrid working. Consequently, because a VPN works by rerouting all traffic through a data centre, the bandwidth required to accommodate large numbers of employees can cause it to lag – increasing latency and decreasing performance. Because zero trust is primarily cloud-based, however, with security controls applied inline and in real time, traffic doesn’t have to be backhauled to a data centre, which makes it more performant and efficient. This is especially important as companies increase their usage of real-time applications like Zoom and those that rely on data from IoT devices.
Additionally, VPNs can cause latency issues because they depend on the device’s own processing power to encrypt traffic and redirect it through remote servers. Consequently, some devices, such as lower-spec laptops and mobile devices, aren’t well suited to VPN use.
They can be inefficient
Beyond the resources a device needs to connect to a remote network with a VPN, maintaining a virtual private network, including keeping it updated, can be costly in terms of both manpower and budget. Worse, when attempting to scale their VPN setup, companies may deploy additional infrastructure, such as VPN concentrators, which only increases complexity and the resulting costs. ZTNA, in comparison, allows companies to scale easily and automatically, based on their requirements in real time, without any changes to the underlying network architecture.
What is an SDP?
Our comparison of ZTNA vs VPN wouldn’t be complete without briefly covering software-defined perimeters (SDP).
An SDP is a type of private overlay network, i.e., a virtual layer that sits on top of your existing network topology and protects it from unauthorised access. Like zero trust and VPN, an SDP is designed to connect remote users and devices over the internet to an organisation’s network. By assigning each user a private IP address and concealing their true location, a software-defined perimeter essentially functions as an invisibility cloak that hides network resources from public view and reduces a company’s attack surface and exposure to cyber risk.
Let’s briefly look at how SDPs compare to both zero trust and VPNs.
SDP vs ZTNA
Note, as touched upon earlier, that zero trust isn’t a specific type of technology but rather a collection of technologies – or an overarching cybersecurity methodology – that adheres to certain principles to improve network security. Consequently, rather than being an alternative to ZTNA, as a VPN is, an SDP is actually one method of implementing a zero trust architecture.
As with ZTNA, SDP assumes all users are untrusted by default until their identity can be authenticated. However, SDP places emphasis on the security posture of the user’s device, including:
- Whether malware has been detected on the device
- Whether it contains apps with known vulnerabilities (and whether that software has been updated recently)
- Whether it has particular software installed, such as an anti-malware solution
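To make the difference between the two access models concrete, here is a small Python sketch added for this article (it is not code from the original post or from any product). It contrasts a VPN-style gate, which grants the whole network to anyone holding valid credentials, with a ZTNA/SDP-style policy decision point that, on every request, re-checks how fresh the identity verification is, evaluates the three device posture checks listed above, and applies a least-privilege segment grant. The resource names, roles, segments, thresholds and device states are all constructed for the example, and the posture rules are one plausible policy, not a standard.

```python
"""Toy policy decision point contrasting VPN-style and ZTNA/SDP-style access.
Roles, resources, segments, thresholds and device states are constructed for
this illustration; they are not taken from any real product or standard."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Device:
    malware_detected: bool        # has the endpoint agent flagged malware?
    vulnerable_apps: int          # installed apps with known vulnerabilities
    days_since_update: int        # how recently the software was patched
    antimalware_installed: bool   # is an anti-malware solution present?


@dataclass
class Session:
    user: str
    role: str
    device: Device
    authenticated: bool           # credentials (and MFA, if any) were accepted
    last_verified: datetime       # when identity was last re-checked


# Constructed inventory: each resource lives in one network segment, and each
# role is granted only the segments its job needs (least privilege).
RESOURCE_SEGMENT = {"crm": "sales", "payroll": "finance", "git": "eng", "file-share": "general"}
ROLE_SEGMENTS = {
    "sales": {"sales", "general"},
    "accountant": {"finance", "general"},
    "developer": {"eng", "general"},
}
REVERIFY_AFTER = timedelta(minutes=15)   # "always verify": re-check within a session
MAX_DAYS_SINCE_UPDATE = 7                # constructed posture threshold


def device_posture_ok(device: Device) -> bool:
    """SDP-style posture check: malware, vulnerable apps, recent updates, AV present."""
    if device.malware_detected or not device.antimalware_installed:
        return False
    # Apps with known vulnerabilities are tolerated only if recently patched.
    if device.vulnerable_apps > 0 and device.days_since_update > MAX_DAYS_SINCE_UPDATE:
        return False
    return True


def vpn_decision(session: Session, resource: str, now: datetime):
    """Castle and moat: one successful login grants every resource behind the gateway."""
    if session.authenticated:
        return "allow", []
    return "deny", ["no valid credentials"]


def ztna_decision(session: Session, resource: str, now: datetime):
    """Assume breach, never trust, least privilege: evaluate every request afresh."""
    if not session.authenticated:
        return "deny", ["identity not verified"]
    reasons = []
    if now - session.last_verified > REVERIFY_AFTER:
        reasons.append("identity verification is stale; re-authentication required")
    if not device_posture_ok(session.device):
        reasons.append("device posture check failed")
    segment = RESOURCE_SEGMENT.get(resource)
    if segment is None:
        reasons.append(f"unknown resource {resource!r}")
    elif segment not in ROLE_SEGMENTS.get(session.role, set()):
        reasons.append(f"role {session.role!r} has no grant for segment {segment!r}")
    return ("deny", reasons) if reasons else ("allow", [])


def reachable(decide, session: Session, now: datetime) -> list:
    """Every resource the given model would let this session reach."""
    return sorted(r for r in RESOURCE_SEGMENT if decide(session, r, now)[0] == "allow")


# Constructed scenarios.
NOW = datetime(2024, 1, 1, 9, 0)
HEALTHY_DEVICE = Device(False, 0, 3, True)
COMPROMISED_DEVICE = Device(True, 2, 60, False)
# Alice's genuine, fresh session on a managed laptop.
ALICE = Session("alice", "sales", HEALTHY_DEVICE, True, NOW - timedelta(minutes=5))
# Alice's stolen credentials replayed from an unmanaged, infected machine.
STOLEN = Session("alice", "sales", COMPROMISED_DEVICE, True, NOW - timedelta(minutes=5))
# Alice's own session, but not re-verified for half an hour.
STALE = Session("alice", "sales", HEALTHY_DEVICE, True, NOW - timedelta(minutes=30))


def demo() -> dict:
    """Reachable resources per model for each scenario."""
    return {
        name: {"vpn": reachable(vpn_decision, s, NOW), "ztna": reachable(ztna_decision, s, NOW)}
        for name, s in (("genuine", ALICE), ("stolen", STOLEN), ("stale", STALE))
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:8s} vpn={result['vpn']}  ztna={result['ztna']}")
    print(ztna_decision(STOLEN, "payroll", NOW))
```

Running the script shows the point of the article in one table: the VPN model lets all three sessions reach every resource, because the only question it asks is whether the credentials were accepted. The ZTNA model lets Alice’s genuine session reach only the sales and general segments, denies the stolen-credential session everything (and returns both the posture and the segment reasons for a request to payroll, which is what a detection team wants logged), and denies the stale session until identity is re-verified.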
SDP vs VPN
Because an SDP falls under the zero trust umbrella, comparing SDP vs VPN is similar to weighing up ZTNA vs VPN. As with ZTNA, once a user and device are verified, they’ll only be granted the minimum access to resources necessary – as opposed to VPNs, which provide unrestricted network access as long as a user has valid login credentials. Much like ZTNA, SDP sits at the opposite end of the cybersecurity spectrum to VPN, which makes it a more secure, performant, and scalable alternative to corporate virtual private networks.
Strengthen your organisation’s network security posture with RiskXchange
We’ll help you weigh up the pros and cons of ZTNA vs VPN for providing your staff with secure and performant remote access. We can also help you navigate the oft-complicated journey of deploying a zero trust architecture, including implementing the right tools and solutions to maximise visibility throughout your cloud environment.
Contact us to get the ball rolling with a free trial of our award-winning platform.