The recent increase in remote working has cast a spotlight on the limitations of aging VPN technology. While some organisations continue to extract every bit of mileage they can from VPN, many are looking for a better alternative – something that addresses the challenges with remote access VPN.
Several organisations have already started to fully embrace the next generation of remote access technology: ZTNA, or zero trust network access. ZTNA offers better security, more granular control, increased visibility, and a transparent user experience compared to traditional remote access VPN.
Challenges with remote access VPN
Remote access VPN has been a staple of most networks for decades, providing a secure method to remotely access systems and resources on the network. However, it was developed during an era when the corporate network resembled a medieval fortification – the proverbial castle wall and moat that formed a secure perimeter around network resources within. VPN provided the equivalent of a secure gatehouse for authorised users to enter the safe perimeter, but once they were in, they had full access to everything within the perimeter.
Figure 1. Traditional remote access VPN
Of course, networks have evolved substantially, being more distributed than ever. Applications and data now live in the cloud, users are working remotely, and networks are under siege by attackers and hackers looking for any weakness to exploit.
“Administering a remote access solution based on traditional VPN (IPSec/SSL) in any kind of modern environment can be extremely painful. You have to contend with IP management, traffic flows and routing, firewall access rules, as well as client and certificate deployment and configuration. Anything beyond a handful of nodes and a few dozen users turns this into an unnecessary full-time job – just to keep this running. If that wasn't enough, security becomes an absolute nightmare to monitor and control,” says Ross Anderson, Sophos Product Development Manager at Duxbury Networking.
In summary, traditional remote-access VPN has a number of unnecessary limitations and challenges:
1. Implicit trust.
2. Potential threat vector.
3. Inefficient backhauling.
4. Lack of visibility.
5. User experience.
6. Administration, deployment and enrolment.
What is ZTNA and how it works
ZTNA, or zero trust network access, has been designed from the start to address the challenges and limitations of remote access VPN, offering a better solution for users anywhere to connect securely to the applications and data they need to do their jobs, but nothing more. There are a few fundamental differences that set ZTNA apart from remote access VPN.
Zero trust essentially eliminates the concept of the old castle wall and moat perimeter in favour of making every user, every device, and every networked application their own perimeter and only interconnecting them after validating credentials, verifying device health, and checking access policy. This dramatically improves security, segmentation, and control.
Another key difference in how ZTNA works is that users are not just dropped on the network with complete freedom of movement. Instead, individual tunnels are established between the user and the specific gateway for the application they are authorised to access, and nothing more – providing a much more secure level of micro-segmentation. This has a number of benefits for security, control, visibility, efficiency and performance. For example, remote access VPN provides zero insight into which applications users are accessing, while ZTNA can provide real-time status and activity for all your applications, proving invaluable in identifying potential issues and performing licensing audits.
The added micro-segmentation that ZTNA provides ensures there is no lateral movement of device or user access between resources on the network. Each user, device, and application or resource is literally its own secure perimeter, and there is no longer any concept of implicit trust.
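To make that difference concrete, here is a small added example (not code from the article, and not Sophos's own implementation) that models the two decision rules in Python: a VPN gatehouse that grants implicit trust to everything inside once the user has authenticated, and a ZTNA broker that decides per application from identity, device health and an explicit policy, denying by default. The user, device and policy-table names are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    authenticated: bool          # identity validated by the identity provider
    groups: set = field(default_factory=set)


@dataclass
class Device:
    device_id: str
    compliant: bool              # device-health check (e.g. endpoint protection active)


# Constructed policy table: application -> groups explicitly allowed to reach it.
# Anything not listed has no policy and is therefore unreachable under ZTNA.
APP_POLICY = {
    "hr-portal": {"hr"},
    "git": {"engineering"},
    "finance-db": {"finance"},
}
ALL_APPS = sorted(APP_POLICY)


def vpn_access(user: User, device: Device, app: str) -> bool:
    """Castle-and-moat model: one check at the gatehouse, then implicit trust
    for every resource inside the perimeter. Device health is never consulted."""
    return user.authenticated


def ztna_access(user: User, device: Device, app: str) -> bool:
    """Per-application decision, evaluated on every request (continuous
    verification): identity, device health and an explicit policy. Default deny."""
    if not user.authenticated:
        return False
    if not device.compliant:
        return False
    allowed = APP_POLICY.get(app)
    if allowed is None:           # no policy for this app means no access
        return False
    return bool(user.groups & allowed)


def reachable_apps(model, user: User, device: Device) -> list:
    """Applications a user could reach under the given model; the length of
    this list is the lateral-movement surface after a foothold on the device."""
    return [app for app in ALL_APPS if model(user, device, app)]
```

Running `reachable_apps` for an authenticated engineer shows every application under `vpn_access` but only `git` under `ztna_access`, and nothing at all once the device fails its health check.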
Figure 2. Zero trust network access
“ZTNA is also inherently more dynamic and transparent by nature, working in the background without requiring interaction from the user beyond the initial identity validation. This experience can be so smooth and frictionless that users won’t even realise they are connecting to applications via secure encrypted tunnels,” says Anderson.
Advantages of ZTNA
Zero Trust Network Access offers enormous benefits in many ways but is primarily being adopted for one or more of these reasons:
· Working from home: ZTNA solutions are a much easier solution for managing remote access for staff working from home. They make deployment and enrolment easier and more flexible, turning what may have been a full-time job with VPN into something much less resource intensive. It's also more transparent and simpler for your staff working remotely.
· Application micro-segmentation: ZTNA solutions provide much better application security with micro-segmentation, the integration of device health into access policies, continuous authentication verification and the elimination of implicit trust and the lateral movement that comes along with VPN.
· Stopping ransomware: ZTNA solutions eliminate a common vector of attack for ransomware and other network infiltration attacks. Since ZTNA users are no longer ‘on the network’, threats that might otherwise get a foothold through VPN have nowhere to go with ZTNA.
· On-board new applications and users quickly: ZTNA enables better security and more agility in quickly changing environments with users coming and going. Stand up new applications quickly and securely, easily enrol or decommission users and devices, and get insights into application status and usage.
In summary, the advantages of ZTNA over traditional remote-access VPN solutions include:
1. Zero Trust – ZTNA is founded on the principle of zero trust, or ‘trust nothing, verify everything’. This provides significantly better security and micro-segmentation by effectively treating each user and device as their own perimeter and constantly assessing and verifying identity and health before granting access to corporate applications and data. Users only have access to applications and data defined explicitly by their policies, reducing lateral movement and the risks that come with it.
2. Device Health – ZTNA integrates device compliance and health into access policies, giving you the option to exclude non-compliant, infected, or compromised systems from accessing corporate applications and data, eliminating an important threat vector and reducing the risk of data theft or leakage.
3. Works anywhere – ZTNA is network-agnostic, able to function equally well and securely from any network, be it home, hotel, café, or office. Connection management is secure and transparent regardless of where the user and device are located, making it a seamless experience no matter where the user is working.
4. More transparent – ZTNA provides a frictionless, seamless end-user experience by automatically establishing secure connections on demand, behind the scenes, as they are needed. Most users will not even be aware of the ZTNA solution that is helping protect their data.
5. Better visibility – ZTNA can offer increased visibility into application activity, which can be important for monitoring application status, capacity planning, and licensing management and auditing.
6. Easier administration – ZTNA solutions are often much leaner, cleaner, and therefore easier to deploy and manage. They can also be more agile in quickly changing environments with users coming and going – making day-to-day administration a quick and painless task and not a full-time job.
What to look for in a ZTNA solution
While looking at the obvious checklist of supported platforms for clients, gateways, and identity providers, be sure to consider these important capabilities when comparing ZTNA solutions from different vendors:
· Cloud-delivered, cloud-managed
· Integration with your other cybersecurity solutions
· User and management experience.
“Sophos ZTNA has been designed to make zero trust network access easy, integrated, and secure. Sophos ZTNA is cloud-delivered and cloud-managed, integrated into Sophos Central, the world’s most trusted cybersecurity cloud management and reporting platform. From Sophos Central, you can not only manage ZTNA, but also your Sophos Firewalls, endpoints, server protection, mobile devices, cloud security, email protection, and so much more,” says Anderson.