Examining the differences between two models of network security at the WAN edge
As the world’s dependence on Internet-based applications continues to climb, so does the rate of cybercrime. In 2021 alone, global cybercrime damages are estimated to amount to $6 trillion per year, $500 billion per month, $115.4 billion per week, $16.4 billion per day, $684.9 million per hour, $11.4 million per minute, and $190,000 per second (Cybersecurity Ventures, 2020). With credentials and personal information being the most sought-after data in security breaches, it’s more important than ever that companies assume the presence of a threat and take the necessary steps to protect themselves from it.
Through adaptive, context-aware policies that limit access and the potential impact of compromised credentials, Zero Trust Network Access (ZTNA) is a model that provides access to private enterprise network applications in a way that is significantly more secure than a virtual private network (VPN). But moving to ZTNA involves tradeoffs that have to be considered before making the move.
Before we look at ZTNA vs. VPN, let’s first dive a bit deeper into definitions.
What is ZTNA?
As the name implies, ZTNA is a security concept built on the assumption that anyone attempting to access a network or application is a malicious actor whose use must be restricted through ongoing verification. To enforce its levels of security, ZTNA utilizes an adaptive verification policy on a per-session basis that can take into account a combination of the user’s identity, location, device, time and date of request, and previously observed usage patterns.
Once verified, the Zero Trust Network creates a secure tunnel from the user’s device to the requested application. This authenticated tunnel prohibits public discovery or lateral movement to other applications on the network, and ultimately decreases the likelihood of cyberattacks.
Comparing and contrasting ZTNA vs. VPN
Remote access VPNs have been the corporate security standard for decades, but their functionality has not evolved as rapidly as the cunning of modern-day hackers. Although companies may employ both security solutions, ZTNA has several advantages when compared to a VPN.
ZTNA security limits the expanse of user access
In a traditional VPN setting, network security acts like a moat surrounding a castle. Once the moat is crossed, nearly everything within its perimeter is accessible. Similarly, the most significant data breaches occur when a hacker crosses a corporate firewall through a perimeter-based VPN and is then given free rein to move throughout the company’s secure applications without much resistance. A perimeter-based security network that allows large swaths of access creates more opportunities for a breach of data and no longer fits the needs of modern enterprise businesses.
ZTNA does not consider any part of the enterprise network to be an implicit trust zone. Instead, it applies microsegmentation and prescriptive security policies to enterprise edge architecture to create tunnels for users to access specific applications and nothing else. At most, a user can reach only what exists behind the specific microsegments they have been granted access to.
Adaptive ZTNA security policies constantly mitigate risk
While a VPN utilizes one-time authentication to give users access to an enterprise network, ZTNA uses an adaptive policy that constantly evaluates security for the duration of a user’s session. These security evaluations consider whether a user has changed locations, when they last attempted to access an application, if they’re using a new device, and if they exhibit abnormal behavior such as rapidly altering or deleting data. The security monitoring capabilities of ZTNA are not possible with VPN alone.
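The per-request, context-aware evaluation described above (identity, location, device, time of request and behaviour such as rapid deletion), together with the microsegmentation rule from the earlier section (a user can reach only the applications they are entitled to), is sketched below as an added example in Python. It is not code from the original article or from any ZTNA product; the entitlement tables, device lists, allowed countries, business-hours window, deletion threshold and all scenarios are constructed for illustration. A one-line `vpn_reachable` foil shows the contrasting perimeter model, where a single successful login makes every internal application reachable.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed policy data for this example (not from any real deployment).
# Microsegmentation: each user is entitled to a specific set of applications;
# anything else is not even visible to them.
ENTITLEMENTS = {"alice": {"payroll", "wiki"}, "bob": {"wiki"}}
KNOWN_DEVICES = {"alice": {"laptop-a1"}, "bob": {"laptop-b7"}}
ALLOWED_COUNTRIES = {"US", "CA"}
BUSINESS_HOURS = range(7, 20)      # 07:00 to 19:59 local time
MAX_DELETES_PER_MINUTE = 20        # behavioural anomaly threshold


@dataclass
class Session:
    user: str
    device_id: str
    country: str                   # country seen when the session started
    started: datetime
    delete_timestamps: list = field(default_factory=list)


@dataclass
class Request:
    app: str
    country: str
    device_id: str
    at: datetime
    action: str = "read"           # "read", "write" or "delete"


def evaluate(session: Session, req: Request):
    """Adaptive check run on EVERY request, not only at session start.

    Returns (decision, reasons) where decision is 'allow', 'step_up'
    (re-verify the user before continuing) or 'deny'."""
    reasons = []

    # 1. Microsegmentation: the app must be in the user's entitlements.
    if req.app not in ENTITLEMENTS.get(session.user, set()):
        return "deny", ["app not in user's entitlements"]

    # 2. Location: disallowed region is a hard stop; a mid-session
    #    country change asks for re-verification.
    if req.country not in ALLOWED_COUNTRIES:
        return "deny", ["request from disallowed country"]
    if req.country != session.country:
        reasons.append("location changed during session")

    # 3. Device: a device not previously seen for this user.
    if req.device_id not in KNOWN_DEVICES.get(session.user, set()):
        reasons.append("unrecognised device")

    # 4. Time of request.
    if req.at.hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")

    # 5. Behaviour: rapid deletion within a sliding one-minute window.
    if req.action == "delete":
        window_start = req.at - timedelta(minutes=1)
        session.delete_timestamps = [
            t for t in session.delete_timestamps if t > window_start]
        session.delete_timestamps.append(req.at)
        if len(session.delete_timestamps) > MAX_DELETES_PER_MINUTE:
            return "deny", ["rapid deletion pattern"]

    return ("step_up", reasons) if reasons else ("allow", [])


def vpn_reachable(authenticated: bool, app: str) -> bool:
    """Perimeter-VPN model for contrast: one authentication event, after
    which every internal app is reachable regardless of entitlement or
    any later change in context."""
    return authenticated


def run_scenarios():
    """Constructed scenarios; returns {name: decision} for checking."""
    t0 = datetime(2021, 6, 1, 10, 0)
    s = Session("alice", "laptop-a1", "US", t0)
    out = {
        "entitled_app": evaluate(s, Request("payroll", "US", "laptop-a1", t0))[0],
        "unentitled_app": evaluate(Session("bob", "laptop-b7", "US", t0),
                                   Request("payroll", "US", "laptop-b7", t0))[0],
        "new_device": evaluate(s, Request("wiki", "US", "tablet-x9", t0))[0],
        "moved_midsession": evaluate(s, Request("wiki", "CA", "laptop-a1", t0))[0],
        "after_hours": evaluate(s, Request("wiki", "US", "laptop-a1",
                                           t0.replace(hour=23)))[0],
        "vpn_after_login": vpn_reachable(True, "payroll"),
    }
    # 21 deletes inside one minute: the 21st trips the rate check.
    s2 = Session("alice", "laptop-a1", "US", t0)
    decision = None
    for i in range(MAX_DELETES_PER_MINUTE + 1):
        decision = evaluate(s2, Request("wiki", "US", "laptop-a1",
                                        t0 + timedelta(seconds=i), "delete"))[0]
    out["rapid_deletes"] = decision
    return out


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:18s} -> {decision}")
```

The point of the design is that `evaluate` is invoked on every request and can change its answer as the session's context drifts, whereas `vpn_reachable` answers once and never looks again; a real control plane would also log each `step_up` and `deny` with its reasons so detection tooling can correlate them.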
Direct-to-app connections create a better user experience
Zero Trust Networks eliminate the concept of a perimeter and force all user traffic to a cloud inspection point anytime information is transmitted. By moving this inspection to the cloud – particularly on a 5G network – the authentication process is completed with such low latency that it’s virtually imperceptible to the end user. A VPN, however, can be bogged down by limited bandwidth and backend performance limitations. Additionally, because ZTNA is network and location agnostic, employees can spend more time on their work and less time waiting for applications to load while working remotely.
Businesses save money with ZTNA
Deploying a corporate VPN network is cost and labor intensive. Aside from hardware purchases, including authentication tokens and software provisions on laptops, cell phones and other devices, VPN infrastructure in data centers can be cumbersome, and the dedication of IT resources to manage that infrastructure and ensure VPN policy adherence is expensive.
Alternatively, ZTNA is agile, quick to deploy and highly scalable. Without a complicated infrastructure to maintain, fewer IT resources need to be dedicated to training and security management, making ZTNA solutions more economical when compared to a VPN. Enterprise businesses may also experience hardware savings by allowing employees to use their own devices – a policy that often is incompatible with VPN.
ZTNA is becoming essential to enterprise networks
While ZTNA does offer significant advantages, it is not always the best option for all applications. Today's network will probably include a mix of ZTNA and traditional VPNs, and understanding the tradeoffs is important.
However, as enterprise work becomes increasingly remote and workforce diversity expands to include contractors along with part-time and temporary workers, the security, flexibility and scalability of cloud-delivered Zero Trust Network Access will make it an essential part of any enterprise’s network.
Learn more about zero-trust strategies on our Software-Defined Perimeter webpage.