With 69% of office workers reportedly using their personal laptops for work and experts’ projection that 50-80 million in-office jobs will be performed remotely by 2030, securing remote access to organizations’ resources has become essential. Remote employees often access company resources from public networks or from devices that may already carry malware, contributing to the 81% of businesses that have suffered malware-based endpoint attacks, with consequences such as data breaches and sensitive data leaks.
Two of the most common secure access approaches are VPN (virtual private network) and ZTNA (zero trust network access). VPN is a centralized approach that authenticates users before transferring data through a central server into the network. ZTNA provides direct, secure access to specific resources within the network a user is authorized to access.
What is a VPN?
A VPN is a technology designed to create a secure, encrypted connection over the internet between a user’s device and a network. VPN data security is based on creating encrypted tunnels for the data being transferred across devices and networks.
Originally, VPNs were developed in the 1990s by Microsoft when it introduced PPTP (Point-to-Point Tunneling Protocol). With the evolution of the internet and the increased sophistication of cyberattacks, the use of VPNs has increased among organizations and individuals alike. VPNs are an integral solution in various corporate applications, including granting secure remote access to internal resources, connecting branch offices to headquarters, and enhancing privacy during business travel.
How Does a VPN Work?
VPNs start by authenticating users to verify their identity, typically using a password or two-factor authentication. Then, the VPN client and the server perform a handshake, a process that confirms the data encryption and decryption method, using a VPN protocol like L2TP, IKEv2, or OpenVPN. During the session, the data packets are encapsulated and securely transferred across potentially insecure networks.
There are two main types of VPNs: remote-access and site-to-site. Remote-access VPNs are used by individuals to connect to remote networks. Site-to-site VPNs are used to connect entire networks together by creating a secure, encrypted connection between multiple locations.
VPNs grant network-wide access to authenticated users. This approach has its drawbacks since it increases the attack surface for threat actors to exploit, which has led many organizations to seek a more restrictive solution to provide secure access to their networks.
What is ZTNA?
ZTNA is a modern solution to secure network access based on the principle of zero trust. In a ZTNA network, a connected device isn’t trusted by default. It cannot see other resources, such as applications and servers, except those it is authorized to connect to. User access in ZTNA is granted after assessing the security status of each device based on identity, device posture, and compliance.
With its increasing popularity, ZTNA has been adopted by organizations as a robust solution for managing secure access in cloud-based environments. Its conditional access that doesn’t route data through a central network has made it a favorable solution for organizations with distributed teams.
How Does ZTNA Work?
The security model of ZTNA is built on assuming no trust within or outside the network perimeter. It verifies each user and device individually before allowing access to specific resources. This process involves authenticating the user's identity and assessing the device’s security posture so that access is granted only to compliant and authorized devices.
ZTNA constantly applies contextual security checks with each access, such as assessing location, device health, and other risk indicators. User verification utilizes multiple technologies, including MFA (multi-factor authentication) and IAM (identity and access management). It further assesses device security through various methods, such as checking for malware, confirming recent security updates, and ensuring that endpoint protection is active.
By employing the principle of least privilege, ZTNA grants access only to the resources necessary for each session. This contrasts with VPNs that grant access to entire network segments, potentially exposing non-essential applications and data to users.
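The per-request evaluation described above, as an added illustration that is not part of the original article or any vendor's product: a small policy decision function that checks identity (MFA), context (location), device posture (malware, patch age, endpoint protection) and least-privilege entitlement for the one application requested, beside a VPN-style function that returns reachability to everything after a single authentication. All roles, application names, countries and thresholds are constructed sample values.

```python
from dataclasses import dataclass, field

# Constructed sample entitlements: which applications each role may reach.
ALLOWED_APPS = {
    "finance": {"erp", "payroll"},
    "engineering": {"git", "ci"},
}
TRUSTED_COUNTRIES = {"US", "DE"}   # hypothetical location policy
MAX_PATCH_AGE_DAYS = 30            # hypothetical compliance threshold

@dataclass
class DevicePosture:
    malware_found: bool
    patched_within_days: int       # days since the last security update
    endpoint_protection_on: bool

@dataclass
class AccessRequest:
    user: str
    role: str
    mfa_passed: bool
    country: str
    posture: DevicePosture
    app: str                       # the single resource being requested

@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)   # why access was denied

def vpn_decide(user_authenticated: bool) -> set:
    """VPN model: one authentication, then every application is reachable."""
    return set().union(*ALLOWED_APPS.values()) if user_authenticated else set()

def ztna_decide(req: AccessRequest) -> Decision:
    """ZTNA model: each request is re-evaluated against identity, context and
    device posture, and only the requested application can be granted."""
    reasons = []
    if not req.mfa_passed:
        reasons.append("mfa_required")
    if req.country not in TRUSTED_COUNTRIES:
        reasons.append("untrusted_location")
    if req.posture.malware_found:
        reasons.append("malware_detected")
    if req.posture.patched_within_days > MAX_PATCH_AGE_DAYS:
        reasons.append("patches_out_of_date")
    if not req.posture.endpoint_protection_on:
        reasons.append("endpoint_protection_off")
    if req.app not in ALLOWED_APPS.get(req.role, set()):
        reasons.append("not_authorized_for_app")   # least privilege
    return Decision(allowed=not reasons, reasons=reasons)
```

Because every signal is re-checked on each call, a device that later fails a posture check is denied on its next request rather than keeping the access it was given at login.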
Advantages of ZTNA Solutions
Security Benefits
ZTNA reduces the attack surface by granting access only to the necessary resources. In case of a security breach, its policies limit the lateral movement an adversary can have.
Improved User Experience
Users access applications securely over ZTNA from their own devices with minimal configuration and without the need to rely on specific software. Besides the security advantages of ZTNA’s contextual security checks, it doesn’t require users to re-authenticate to each application individually.
Scalability
ZTNA is designed to be well-suited for cloud and hybrid environments, making it easier for admins to add or remove applications and modify users’ access privileges.
Performance
Users connect to applications directly without routing to a central server, resulting in lower latency and better performance. This approach avoids bottlenecks that occasionally happen with VPN solutions with high network traffic.
Enhanced Control
The granular access control over each user’s connections determines precisely which resources each user can access.
ZTNA vs VPN: Comparison
Security Model
- VPN: Users are authenticated only once, then a network-wide trust is established.
- ZTNA: Each session requires verification, focusing on continuous, contextual authentication of users and devices.
Granular Access Control
- VPN: Connection grants access to the entire network after authenticating users, increasing the attack surface and the risk of data breaches.
- ZTNA: Provides granular access to specific applications or resources based on contextual security policies.
Performance and Scalability
- VPN: Users may experience slower performance during large data transfers and when the number of simultaneously connected users grows. It routes data through multiple servers to a central point in a data center, making it harder to scale with cloud environments.
- ZTNA: Its direct-to-application approach eliminates the need for a centralized connection and offers better performance, making it a more suitable solution to scale in cloud environments.
User Experience
- VPN: Requires the end users to install client software on their local machines. Installing and configuring VPN clients can be challenging for many users. Also, slower connection speeds during high network traffic times can lead to frustration and lower productivity.
- ZTNA: Most of its complexity is related to the initial setup, which is handled by IT and cloud professionals. On the user level, the connection becomes a smooth experience once the end user is authenticated, providing faster and seamless access to the necessary applications.
Remote Workforce Adaptability
- VPN: The broad access to the company resources may not be suitable for a dynamic, expandable remote workforce that connects to the company’s networks from multiple locations.
- ZTNA: Well suited to securing remote employees' access: no client application needs to be installed, and access is enabled only to the necessary resources.
Key Considerations for Businesses
Scalability
Business environments with a constant need for scalability, such as SaaS, Fintech, and AI services, may find ZTNA more suitable due to its ability to scale with cloud environments. VPNs can add challenges in these environments since they require continuous maintenance and the availability of experts with diverse skill sets to manage them.
Security
Since ZTNA minimizes lateral movement within a network, it is the preferred solution to strengthen BYOD policies and for systems that enable third-party access. However, due to the novelty of ZTNA solutions, they might lack support for legacy systems. In such cases, VPNs are more beneficial to secure access to legacy applications.
Performance
ZTNA can be a favorable solution for organizations with distributed teams across various geographical locations. In the Zero Trust Network Access vs VPN comparison, ZTNA’s decentralized direct-access model results in lower latency and no bottlenecks.
Existing Infrastructure
Some organizations invest heavily in on-premises infrastructure, due to specific compliance requirements or their business model. Such investment makes adopting a VPN solution easier since the infrastructure required to operate and maintain a VPN will be present and internally controlled by the organization.
Conclusion
The rapid increase of the remote workforce and distributed teams has led organizations to consider improving their remote access security. ZTNA (zero-trust network access) and VPNs are the two most popular remote secure access solutions. By knowing your organization’s needs and how each solution works, you can make an informed decision on which to incorporate within your organization.
MetaDefender IT Access™ is the Secure Access module of the MetaDefender® Access Platform that ensures access security from any device to both cloud and legacy applications. With Secure Cloud Access with SAML IdP Integration and Software Defined Perimeter (SDP), your network can adhere to regulatory compliance, leverage the least privileged model, and decrease the network attack surface. Find out how MetaDefender IT Access can enhance visibility and prevent unauthorized network access.