Ineffective. Obsolete. Unrealistic.
These are just some of the words commonly thrown around by IT admins in response to perimeter-based security approaches that incorporate VPNs.
Trending remote work policies have released an avalanche of new security concerns while highlighting the limitations of old-school network security architecture.
Traditional security approaches depend on a centralized physical perimeter that is poorly suited to securing cloud environments, where both the applications and the users sit outside it. Attackers keep improving their tactics, and IT admins have to counter with controls that match how people actually work.
Two of the most frequently discussed solutions for this challenge are Zero Trust network access (ZTNA or ZTA) and virtual private networks (VPNs).
This article will dive into the differences, similarities, and benefits behind the two approaches. After reading, you will know how to best reduce the attack surfaces of private, public, and hybrid cloud environments with modern network security solutions.
Zero Trust Network Access (ZTNA) Defined
Zero Trust network access (ZTNA), also referred to as Zero Trust access (ZTA), is a security model founded on a simple premise: no user, device, or network location is trusted by default, and every access request is verified.
Zero Trust combines a set of technologies, security policies, and best practices to verify user identities and limit access to organizational resources on an “as needed” basis.
ZTNA frameworks protect organizational applications, data, and services from discovery while restricting access to specific identities.
ZTNA in Action
Fred is the VP of Marketing for a series B-funded tech startup. Monday morning, he receives an urgent message from a colleague requesting input on some campaign metrics.
While waiting for the barista to call his name, Fred opens his laptop and signs into his organizational network from Starbucks. Undetectable to Fred, rapid communication between his device, the coffee shop network, and Fred’s startup network begins to happen.
Fred's device presents his credentials to the organization's identity provider (over a protocol such as LDAP, RADIUS, or SAML, depending on the deployment). Once the identity authority has confirmed that Fred is actually Fred, including a multi-factor authentication (MFA) step, pre-determined policies decide which applications he can reach and which he cannot. Note what Fred does not get: a route onto the corporate network. He gets a brokered connection to the specific application he asked for.
Depending on the startup's ZTNA strategy, the policy engine may re-evaluate each application, environment, or network segment he tries to reach, and may also check the state of his device (is the laptop managed and approved?). Should he request a different department's resources, the request is denied under the ZTNA principle of least privilege (PoLP), and an application he has no rule for is not even discoverable to him.
Of course, the easiest way to manage ZTNA is to use a cloud directory platform. Consolidated device management solutions save admins the hassle of managing disparate directories and single point tools. The JumpCloud directory allows IT managers to oversee network access, device management, single sign-on (SSO), and evolving security policies with just a few clicks in a single pane of glass.
So, how do VPNs fit into the picture? Let’s continue evaluating ZTNA vs. VPNs.
Virtual Private Network (VPN) Defined
A virtual private network (VPN) is an encrypted, private tunnel between two points. It lets a computer or mobile device connect to a destination network so that the traffic between them is protected in transit and the device's own originating IP address is hidden from the destination.
Hosts on the destination network, and on the wider internet, see the VPN server's address rather than the device's. In practice, a VPN carries a user's traffic across a public network, such as coffee-shop Wi-Fi, inside a private, encrypted connection.
Engineers developed VPN technology over two decades ago. The driving motivator was to quite literally bring the office to the user. Not only could employees access network hard drives from their home computers, but they could also print papers in the evening to pick up the next day.
But are VPNs still an admin’s best choice for establishing secure remote access? The short answer is no.
Remote Work Has Changed the Security Landscape
Remote work has been on the rise since 2010. According to the U.S. Census Bureau, only 9.5% of Americans worked remotely at least once per week during the beginning of the 2010s.
Sources estimate the majority of Americans work remotely at least some of the time now. Of course, this shift has catalyzed more sophisticated cybercriminal attacks designed to take advantage of remote security vulnerabilities.
One popular attack against VPN users is vishing, or voice phishing: the attacker calls the target, often over a Voice over Internet Protocol (VoIP) platform, and talks them into handing over credentials, one-time codes, or access to their account.
The ploy is especially effective against new hires. A cybercriminal poses as IT personnel and claims they need login details because of an onboarding error. They may even go to the trouble of standing up a fake VPN login page and asking the employee to sign in there. Because a VPN credential typically unlocks the whole network rather than a single application, this is just one example of the risks VPNs fail to mitigate.
ZTNA vs. VPN
VPNs grant authenticated users access to entire network segments, which significantly increases the attack surface: a compromised credential can reach every host the tunnel routes to. In addition, the technology's clunky nature impedes the flexibility organizations need to keep remote work at the core of their operations.
ZTNA, by contrast, brokers each access request individually, which gives security teams control, flexibility, and per-request visibility. Those access logs can feed behavioral analytics and machine-learning tooling to spot anomalous use and block future attacks.
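To make the Fred walkthrough and the network-level vs. per-application contrast concrete, here is a small policy decision point in Python. It is an added example written for this article, not JumpCloud's code; every user, group, device, application, address, and rule in it is constructed. `ztna_decide` models the broker: deny by default, an explicit rule per application and group, MFA and a managed device on every request, and nothing discoverable without a rule. `vpn_decide` models the tunnel: once the login succeeds, anything inside a routed subnet is reachable, and nothing is re-checked per application. `reachable_apps` shows the blast radius of a single account under each model, and `offboard` shows that deactivating the identity cuts off both.

```python
"""Toy policy decision point: ZTNA per-application rules beside a VPN's
network-level access. Added example for this article, not JumpCloud's code.
Every user, group, device, application and address below is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory: internal application -> address it listens on.
INVENTORY = {
    "campaign-metrics": "10.1.0.10:443",   # marketing dashboard
    "payroll": "10.2.0.20:443",            # finance only
    "build-server": "10.3.0.30:8080",      # engineering only
}

# Constructed directory: group membership, enabled flag, managed devices.
USERS = {
    "fred": {"groups": {"marketing"}, "active": True},
    "dana": {"groups": {"finance"}, "active": True},
}
MANAGED_DEVICES = {"laptop-fred", "laptop-dana"}

# ZTNA policy: deny by default. Each rule grants ONE application to ONE
# group; every grant also requires MFA and a managed device.
ZTNA_RULES = [
    {"app": "campaign-metrics", "group": "marketing"},
    {"app": "payroll", "group": "finance"},
    {"app": "build-server", "group": "engineering"},
]

# VPN model: a successful login installs routes to whole subnets.
VPN_ROUTES = [ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class Request:
    user: str
    app: str
    mfa_passed: bool
    device_id: str


def ztna_decide(req: Request) -> tuple:
    """Evaluate one request against the ZTNA policy; returns (allowed, reason)."""
    identity = USERS.get(req.user)
    if identity is None or not identity["active"]:
        return False, "identity unknown or deactivated"
    if not req.mfa_passed:
        return False, "MFA required for every grant"
    if req.device_id not in MANAGED_DEVICES:
        return False, "unmanaged device"
    for rule in ZTNA_RULES:
        if rule["app"] == req.app:
            if rule["group"] in identity["groups"]:
                return True, f"allowed: {rule['group']} -> {req.app}"
            return False, f"least privilege: {req.user} is not in {rule['group']}"
    # No rule means the broker never connects it, so it is not discoverable.
    return False, "no rule for application"


def vpn_decide(req: Request) -> tuple:
    """Network-level model: authentication opens the tunnel and the tunnel
    reaches every routed host. MFA (if any) happened once at connect time
    and is not part of this per-application decision."""
    identity = USERS.get(req.user)
    if identity is None or not identity["active"]:
        return False, "authentication failed"
    address = INVENTORY.get(req.app)
    if address is None:
        return False, "unknown application"
    host = ip_address(address.split(":")[0])
    if any(host in net for net in VPN_ROUTES):
        return True, f"reachable: {host} is inside a tunnel route"
    return False, "host not routed through the tunnel"


def reachable_apps(user: str, decide, mfa_passed: bool = True,
                   device_id: str = "") -> list:
    """Blast radius of one account: every inventoried app `decide` allows."""
    device_id = device_id or f"laptop-{user}"
    return sorted(app for app in INVENTORY
                  if decide(Request(user, app, mfa_passed, device_id))[0])


def offboard(user: str) -> None:
    """Deactivate an identity; the next request under either model is denied."""
    USERS[user]["active"] = False


if __name__ == "__main__":
    for label, decide in (("ZTNA", ztna_decide), ("VPN", vpn_decide)):
        print(f"{label}: fred can reach {reachable_apps('fred', decide)}")
    print("ZTNA, fred without MFA:", reachable_apps("fred", ztna_decide, mfa_passed=False))
    print("ZTNA, fred asks for payroll:",
          ztna_decide(Request("fred", "payroll", True, "laptop-fred")))
    offboard("fred")
    print("VPN after offboarding:", reachable_apps("fred", vpn_decide))
```

With Fred's password stolen, the VPN model hands the attacker all three inventoried applications, while the ZTNA model yields one, and only if the attacker also clears MFA from a managed device. Real brokers add device posture, session re-evaluation, and logging on top of this same shape.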
Here’s a more thorough assessment of the differences between ZTNA vs. VPN:
Advantages of VPNs
As previously mentioned, VPNs do a solid job securing traditional on-prem networks and user privacy. Despite the necessity for more comprehensive coverage in most modern workplace scenarios, VPNs are still appropriate in some instances. Their primary benefits include:
1. Security Through Anonymity
When using a VPN, a user's traffic appears to originate from the VPN server's location rather than from the user's device. The VPN client carries the traffic in an encrypted tunnel, so anyone observing the local network (on coffee-shop Wi-Fi, for example) sees only encrypted packets bound for the VPN server, and destination hosts see only the VPN server's address.
2. Secure Remote Access
Since more people are working from home now than ever before, company and client information is exposed to interception on networks the organization does not control. With a VPN client, employees can reach the corporate network, or a work computer on it, remotely without exposing that traffic.
3. Cost-Effectiveness
Newer security solutions are sometimes expensive to implement. VPN clients don't match the functionality and effectiveness of the latest tooling and firewalls, but they remove the need for some of those features by keeping a user's traffic encrypted and out of sight on untrusted networks.
4. Functional for Multiple Locations
VPNs are especially useful for hospitals, financial institutions, government departments, and major retail outlets. Basically, any organization that shares data between several branches could benefit from the security provided by a VPN.
Disadvantages of VPNs
In most circumstances, the benefits of upgrading to modern network security solutions far outweigh using VPNs exclusively. But here are some reasons why organizations may want to begin thinking beyond what’s simply working “good enough”:
1. Slow Technology
VPNs are often frustratingly slow for remote workers. A full-tunnel VPN backhauls all traffic, including traffic bound for public cloud applications, through the corporate network before it goes back out to the internet, so the extra hops and the VPN concentrator's limited bandwidth can really slow down what would otherwise be a fast connection. The result?
Poor video call quality, long loading times, and lost productivity are common complaints. In addition, should a remote worker's connection drop, the tunnel drops with it, and any unsaved work on remote file shares or sessions can be lost. Yet another reason why even legacy companies are transitioning to cloud-based applications like Google Workspace.
2. Poor Identity and Access Management (IAM)
Another downfall of VPNs is they aren’t conducive to securing bring your own device (BYOD) workforces, especially smartphones and tablets.
VPNs are also exposed to brute-force and credential-stuffing attacks against their login endpoints, and a compromised account can reach far more than it should. While properly configured and maintained VPNs protect traffic in transit, they are…
3. Tough to Set Up and Enforce Compliance
For time-strapped IT departments, configuring a VPN for numerous end users isn't easy. Client software, certificates or keys, and split-tunnel or full-tunnel settings have to be deployed to every remote workstation, and fixing a broken configuration often means walking the user through it or remoting into the machine.
Skipping this step invites overlapping or conflicting IP address ranges between the home network and the corporate network, which breaks connectivity for workers and can misroute traffic in ways that pose security problems down the line. Routine maintenance often requires end-user hand-holding as well. Admins with remote management of organizational devices can avoid talking users through what to type into which fields, but a VPN's ultimate effectiveness still depends on correct use by workers.
4. Inconvenient Shared-Secret Management
Another shortcoming of many VPN deployments is how they authenticate the client. Alongside a login and password, IPsec and similar VPNs are frequently set up with a pre-shared key (PSK), a secret shared by every device allowed onto the tunnel.
That means every time someone leaves the organization, the IT admin must rotate the key and push the new one to every team member's device, because continuing to use the old key would leave the departed user (or anyone who copied it) able to connect. Per-device certificates avoid the shared secret, but bring their own enrollment and revocation overhead. Either way, talk about an inconvenience!
For the aforementioned reasons, IT experts now recommend supplementing VPNs with additional controls that limit east-west movement inside the network (the lateral movement an attacker attempts once inside). Of course, this is where ZTNA comes into play.
Advantages of ZTNA
Zero Trust is now a necessity for guaranteeing user and organizational security across both on-premises and cloud environments.
Case in point: the U.S. government recently announced an executive order for major agencies to implement Zero Trust security models! The numerous benefits of ZTNA include:
1. Granular Access
Zero Trust is built on strong user authentication and, as mentioned above, the principle of least privilege: a user gets only the applications, network segments, and data needed for a specific task. Microsegmentation, which splits the network into small zones with their own access policies, is another part of the Zero Trust framework and limits how far an intruder can move after gaining a foothold.
2. Cloud Migration
As organizations migrate from the data center to the cloud, ZTNA accelerates the shift and minimizes user impact. It allows IT teams to streamline security policies in line with business policies. Users can work without being concerned about where an application is hosted, how to connect to it, or whether it needs a VPN.
3. Compliance
Traditionally, organizations have relied on VPNs to meet some compliance standards through encryption. However, ZTNA addresses numerous compliance standards with a simple, streamlined user experience, faster onboarding, more thorough offboarding, and the enforcement of application-specific policies.
4. End-User Experience
Unlike a VPN, ZTNA doesn't require complicated client configuration, and it never hands out network-level access: the user gets a connection to the one application they asked for. Since Zero Trust creates those secure connections on demand behind the scenes, users don't even have to know that a ZTNA solution is protecting their information.
Disadvantages of Zero Trust Network Access
Quite frankly, there are no major disadvantages to implementing a Zero Trust security model other than the perceived challenges that come with any new technology approach. The practical ones are worth naming: legacy applications and protocols that were never designed to sit behind an identity-aware broker may still need a VPN or gateway for a while, and the policy set grows with the organization and has to be pruned. A solid migration plan for making the switch is therefore imperative for success, along with an ongoing commitment to policy review from IT leadership.
In addition, access controls must stay updated to ensure the correct users can access the specific information they need from approved devices. For example, if an employee leaves an organization with access credentials intact, they pose a security threat.
ZTNA vs. VPN: Final Thoughts
Neither remote work nor data breach attempts show any signs of slowing down in the near future. IT and security teams must prioritize the replacement or augmentation of their existing network security architectures in response to modern cloud-based demands.
ZTNA provides a comprehensive security solution for both cloud and on-prem challenges. Management can integrate ZTNA building blocks like MFA, microsegmentation, SSO, and more with existing infrastructure gradually over time.
The best place to start? Consolidate your tools with the JumpCloud Cloud Directory. Our centralized platform allows IT admins to secure user access to devices, applications, files, networks, and other resources from a single cloud directory platform.
Learn more about how to implement JumpCloud’s ZTNA solution with a free demo.