ZTNA vs. VPN: Examining the differences between two models of network security at the WAN edge
By John Hopping, Sales Engineering Manager Asia Pacific, Cradlepoint
Saturday, 01 October, 2022
As the world’s dependence on Internet-based applications continues to climb, so does the rate of cybercrime. Cybersecurity Ventures expects global cybercrime costs to reach $10.5 trillion USD annually by 2025, up from $3 trillion USD in 2015 (Cybersecurity Ventures, 2020). In Australia during Financial Year 2020, over $81 million AUD was lost due to business email compromise alone (ACSC Annual Cyber Threat Report 2020-21). With credentials and personal information being the most sought-after data in security breaches, it’s more important than ever that companies assume the presence of a threat and take the necessary steps to protect themselves from it.
For decades, most enterprises have relied on virtual private networks (VPNs). When describing a traditional VPN deployment, we often use the analogy that network security acts like a moat surrounding a castle: once the moat is crossed, nearly everything within its perimeter is accessible. Outside of network security, some of the earliest evidence of moats has been uncovered around ancient Egyptian castles. While a fantastic innovation for its time, countries today use more advanced technologies to protect areas, such as aerial drones and satellite monitoring. By the same token, enterprises looking to truly secure their network in today’s distributed working environment should consider additional options.
Through adaptive, context-aware policies that limit access and the potential impact of compromised credentials, Zero Trust Network Access (ZTNA) is a model that provides access to private enterprise network applications in a way that is significantly more secure than a VPN. But there are trade-offs in moving to ZTNA that have to be considered.
Before we look at ZTNA vs. VPN, let’s first dive a bit deeper into definitions.
What is ZTNA?
As the name implies, ZTNA is a security concept built on the assumption that anyone attempting to access a network or application is a malicious actor whose use must be restricted through ongoing verification. To enforce its levels of security, ZTNA utilises an adaptive verification policy on a per-session basis that can take into account a combination of the user’s identity, location, device, time and date of request, and previously observed usage patterns.
Once verified, the Zero Trust Network creates a secure tunnel from the user’s device to the requested application. This authenticated tunnel prohibits public discovery or lateral movement to other applications on the network, and ultimately decreases the likelihood of cyberattacks.
Comparing and contrasting ZTNA vs. VPN
Remote access VPNs have been the corporate security standard for decades, but their functionality has not evolved as rapidly as the cunning of modern-day hackers. Although companies may employ both security solutions, ZTNA has several advantages when compared to a VPN.
ZTNA security limits the expanse of user access
Returning to our earlier moat analogy: the most significant damage to a castle occurs once a perpetrator has crossed the moat. In network security terms, a data breach occurs when a hacker crosses a corporate firewall through a perimeter-based VPN and is then given free rein to move throughout the company’s secure applications without much resistance. A perimeter-based security network that grants large swaths of access creates more opportunities for a data breach and no longer fits the needs of modern enterprise businesses.
ZTNA does not consider any part of the enterprise network to be an implicit trust zone. Instead, it applies microsegmentation and prescriptive security policies to the enterprise edge architecture to create tunnels that let users reach specific applications and nothing else. At most, a user can access only what exists behind the single microsegment they have been granted.
Adaptive ZTNA security policies constantly mitigate risk
While a VPN utilises one-time authentication to give users access to an enterprise network, ZTNA uses an adaptive policy that constantly evaluates security for the duration of a user’s session. These security evaluations consider whether a user has changed locations, when they last attempted to access an application, if they’re using a new device, and if they exhibit abnormal behaviour such as rapidly altering or deleting data. The security monitoring capabilities of ZTNA are not possible with VPN alone.
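The per-session, per-request policy evaluation described above (identity, device, location, time and observed behaviour, each gating a single application microsegment) can be sketched as a small policy decision point. This is an added illustration, not Cradlepoint code; `APP_POLICY`, the `Request`/`Session` fields and the deletion-rate threshold are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical per-app policy (constructed): allowed groups, device requirement, permitted hours.
APP_POLICY = {
    "payroll": {"groups": {"finance"}, "managed_device": True, "hours": (8, 18)},
    "wiki": {"groups": {"finance", "eng"}, "managed_device": False, "hours": (0, 24)},
}

@dataclass
class Request:
    user: str
    groups: set
    device_id: str
    managed_device: bool
    country: str
    when: datetime
    app: str
    action: str  # "read" or "delete"

@dataclass
class Session:
    device_id: str  # device and location observed at initial verification
    country: str
    deletes: list = field(default_factory=list)  # timestamps of recent deletes
    revoked: bool = False

def evaluate(req: Request, session: Session, max_deletes_per_minute: int = 5) -> str:
    """Decide ONE request ('allow' or a deny reason); unlike a VPN's one-time login this runs every time."""
    if session.revoked:
        return "deny: session revoked"
    policy = APP_POLICY.get(req.app)
    if policy is None or not (req.groups & policy["groups"]):
        return "deny: no microsegment grants %s access to %s" % (req.user, req.app)
    if policy["managed_device"] and not req.managed_device:
        return "deny: unmanaged device"
    start, end = policy["hours"]
    if not start <= req.when.hour < end:
        return "deny: outside permitted hours"
    # Context drift: a new device or location mid-session forces re-verification.
    if (req.device_id, req.country) != (session.device_id, session.country):
        session.revoked = True
        return "deny: context changed, re-authentication required"
    if req.action == "delete":  # behavioural check: rapid deletion is treated as abnormal
        session.deletes = [t for t in session.deletes if req.when - t < timedelta(minutes=1)]
        session.deletes.append(req.when)
        if len(session.deletes) > max_deletes_per_minute:
            session.revoked = True
            return "deny: abnormal deletion rate"
    return "allow"
```

Each deny reason maps to one of the context signals the article lists, and a revoked session stays closed until the user re-verifies.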
Direct-to-app connections create a better user experience
Zero Trust Networks eliminate the concept of a perimeter and force all user traffic to a cloud inspection point anytime information is transmitted. By moving this inspection to the cloud — particularly on a 5G network — the authentication process is completed with such low latency that it’s virtually imperceptible to the end user. A VPN, however, can be bogged down by limited bandwidth and backend performance limitations. Additionally, because ZTNA is network and location agnostic, employees can spend more time on their work and less time waiting for applications to load while working remotely.
Businesses save money with ZTNA
Deploying a corporate VPN network is cost and labour intensive. Aside from hardware purchases, including authentication tokens and software provisions on laptops, cell phones and other devices, VPN infrastructure in data centres can be cumbersome, and the dedication of IT resources to manage that infrastructure and ensure VPN policy adherence is expensive.
Alternatively, ZTNA is agile, quick to deploy and highly scalable. Without a complicated infrastructure to maintain, fewer IT resources need to be dedicated to training and security management, making ZTNA solutions more economical when compared to a VPN. Enterprise businesses may also experience hardware savings by allowing employees to use their own devices — a policy that often is incompatible with VPN.
ZTNA is becoming essential to enterprise networks
While ZTNA does offer significant advantages, it is not always the best option for all applications. Today’s network will probably include a mix of ZTNA and traditional VPN, and understanding the trade-offs is important.
However, as enterprise work becomes increasingly remote and workforce diversity expands to include contractors along with part-time and temporary workers, the security, flexibility and scalability of cloud-delivered ZTNA will make it an essential part of any enterprise’s network.
For more information, visit: www.cradlepoint.com/au.