It's Not Too Late To Ditch Your VPN: Why ZPA Is The Superior Secure Access Solution - Part 2

OMAR GANI, GANESH VELLALA UMAPATHY
May 16, 2025 - 8 min read

In the previous blog, we examined the weaknesses and limitations of VPNs and how Zscaler's purpose-built architecture for private access addresses them.

In this post, we will dive deeper into how Zscaler Private Access (ZPA) aligns with the core principles of Zero Trust and walk through ZPA's key components and advantages, demonstrating why it is the industry's leading modern secure access solution.

The ZPA architecture is deeply rooted in the Zero Trust model, which shifts from the outdated assumption that everything inside a corporate network is inherently safe. 

Zero Trust relies on the following guiding principles:

  1. Never Trust, Always Verify: Explicitly validate the security status of the user's identity, their endpoint, and the network.
  2. Enforce Least Privilege Access: Grant access to applications strictly on a need-to-know basis.
  3. Continuously Monitor and Validate: Users and endpoints are not permanently trusted after initial verification; as the access context changes, trust is reassessed.

At the most fundamental level, ZPA consists of three components:

  1. Client Connector: A lightweight agent installed on the user’s device enabling secure, zero-trust access to private applications, SaaS, and the internet.

  2. Service Edge: A globally distributed platform acting as a secure switchboard, ensuring connections between users and applications are processed dynamically and securely.

  3. App Connector: A lightweight virtual machine or container deployed in a data center or cloud environment that securely connects users to hosted private applications.

ZPA integrates seamlessly with popular Identity Providers (IdPs), eliminating the need for ZPA to store user credentials by utilizing trusted third-party systems.

Unlike traditional VPN gateways, ZPA connections are outbound-only to the Service Edge using source NAT, eliminating the need for static exposed IP addresses. The Service Edge acts as a "switchboard" to facilitate secure and policy-based access between Client Connector (users) and their App Connectors (target applications).

[Figure: Switchboard]

This architecture simplifies operations, reduces risk, and lays the groundwork for a Zero Trust-driven network transformation.

Advantage 1: The Darkening of Data Centers

ZPA connections are inside-out. ZPA does not require any incoming connections to the data center; there is no public IP with a listening port, which eliminates the public attack surface commonly exploited in VPNs. With no exposed ports, the data center is essentially darkened, making it invisible and inaccessible to attackers. Attackers cannot attack what they cannot see.

Advantage 2: Identity-Centric Zero Trust Access

Identity is the cornerstone of Zero Trust, and ZPA leverages Identity Providers (IdPs) to enforce identity-based access policies. For example, by following the "Never Trust, Always Verify" principle, ZPA evaluates every aspect of an access request:

  • Confirm the user's identity with strong multi-factor authentication (MFA).
  • Check the device's compliance through posture assessments.
  • Avoid placing trust in low-assurance factors like network location.

ZPA supports Security Assertion Markup Language (SAML), a standard for IdP authentication and authorization. ZPA also supports System for Cross-domain Identity Management (SCIM), a standard for automating the exchange of user identity information.

[Figure: Identity-centric policies]

With ZPA, authentication is handled by the IdP. When users access the ZPA service, they are redirected to the IdP for authentication and then returned to ZPA once verified. This separation of the authentication process from ZPA provides multiple advantages.

The use of IdP allows users to experience seamless and secure authentication while enabling organizations to take advantage of innovative features like strong multi-factor authentication (MFA) and protections against MFA fatigue, such as number matching and additional location context. Even if the user credentials are stolen, strong MFA would prevent threat actors from gaining access.

ZPA does not store any user credentials; instead, it relies on a trusted relationship with the IdP, which is purpose-built to manage user identities and credentials. Some VPN gateways are configured with LDAP accounts, and if compromised, attackers can extract those credentials to gain access to Active Directory. This is simply not possible with ZPA.

While VPNs and firewalls typically rely on traditional IP-based policies (e.g., allowing one IP address to communicate with another), which require complex firewall rules, ZPA enables administrators to configure business policies based on user groups or attributes. For instance, only Finance group members can access finance applications, while access to engineering applications is restricted to Engineering group members. This approach facilitates the Zero Trust journey.

The IdP synchronizes the user's identity to ZPA. ZPA receives user attributes such as username, groups, and department from the IdP, which serve as key criteria for Zero Trust least-privilege access. Having user attribute information synchronized using SCIM greatly facilitates the Zero Trust journey based on the least privilege principle.

Additionally, ZPA’s support for multiple IdPs simplifies the integration process for mergers, acquisitions, and divestitures. When organizations go through mergers, the access integration is streamlined by configuring both IdPs and deploying App Connectors on each side of the network. 

The core Zero Trust principle of explicit verification goes beyond just confirming a user's identity using IdP. ZPA also verifies device compliance through multiple posture checks, ensuring not only that the user is legitimate but also that they are using an approved, organization-provided device.

Advantage 3: Prevent Lateral Movement with Application Segmentation

In traditional network-centric application access, the client sends a DNS request, and the DNS server responds with the application's IP address, allowing the client to establish a connection to the server. This process is identical whether the user is in the office on the corporate network, or connected over VPN from a coffee shop - the user is on the network.

ZPA's approach is fundamentally different from that of traditional VPNs. The Client Connector intercepts the client's DNS request and responds with a synthetic IP address. Users never see the actual server IP; instead, they interact with a locally unique synthetic IP address assigned to the hostname, which is used to access the application.

The Client Connector sets up a virtual interface to intercept traffic directed to synthetic IP addresses. If the application's TCP or UDP service port matches the Application Segment configuration, the traffic is sent to the ZPA Service Edge for access policy evaluation. If only the hostname matches but not the service port, the traffic is blocked at the client level.

The Client Connector on the user's device acts as a local proxy. When the user sends traffic to a server, the Client Connector extracts the TCP/UDP data payload and sends it to the Zero Trust Exchange (ZTE) through the TLS tunnel, without the original TCP/IP header. The data is then passed to the App Connector, which recreates the traffic and sends it to the server. The return traffic from the server to the client follows the same process in reverse.

ZPA's proxy approach ensures that each session is verified against the access policy criteria and also allows the enforcement of ZPA Adaptive Access Policy, which can terminate active sessions if the context, such as user risk or device posture, changes.
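The DNS interception and local filtering described above, as an added toy model rather than Zscaler's own code: the hostname is mapped to a locally unique synthetic IP, traffic to that IP is forwarded only when both hostname and port match a configured Application Segment, and a constructed group-based policy stands in for the Service Edge evaluation. The segment table, policy table and the 100.64.0.0/16 synthetic range are constructed assumptions.

```python
import ipaddress

# Constructed sample Application Segment configuration (assumption: a real
# ZPA segment has more fields; only hostname and service ports are modelled).
SEGMENTS = {
    "finance.corp.example": {"tcp": {443}, "udp": set()},
    "git.corp.example": {"tcp": {22, 443}, "udp": set()},
}

# Constructed access policy keyed by hostname: which user groups may connect.
POLICY = {
    "finance.corp.example": {"Finance"},
    "git.corp.example": {"Engineering"},
}

class ClientConnectorSim:
    """Toy model of the Client Connector's DNS interception and local filter."""

    def __init__(self, synthetic_range="100.64.0.0/16"):   # range is an assumption
        self._pool = ipaddress.ip_network(synthetic_range).hosts()
        self.host_to_ip = {}
        self.ip_to_host = {}

    def resolve(self, hostname):
        """Intercept a DNS query: return a locally unique synthetic IP for a
        hostname in a configured segment, or None when it is not intercepted."""
        if hostname not in SEGMENTS:
            return None
        if hostname not in self.host_to_ip:
            ip = str(next(self._pool))          # stable per hostname, never the real IP
            self.host_to_ip[hostname] = ip
            self.ip_to_host[ip] = hostname
        return self.host_to_ip[hostname]

    def handle(self, dst_ip, proto, port, user_groups):
        """Decide what happens to a packet destined for dst_ip on proto/port."""
        host = self.ip_to_host.get(dst_ip)
        if host is None:
            return "not-intercepted"            # not a synthetic IP, outside the segments
        if port not in SEGMENTS[host][proto]:
            return "blocked-at-client"          # hostname matches, service port does not
        # Hostname and port match: hand the payload to the Service Edge, which
        # evaluates the access policy (group membership in this toy model).
        if POLICY[host] & set(user_groups):
            return "forwarded-to-app-connector"
        return "denied-by-policy"
```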

[Figure: No lateral movement]

This approach using synthetic IP addresses provides several important advantages:

  • ZPA permits application segmentation without needing network segmentation. A user's access is restricted to only the applications they are allowed to access. Users are no longer able to reach servers directly via their real IP addresses unless this is intentionally configured.
  • ZPA limits user visibility to only the applications they're authorized to access, preventing DNS reconnaissance attacks.
  • ZPA connects users to the applications without bringing them onto the network, preventing lateral movement.
  • ZPA Adaptive Access Policy can terminate active sessions when the context changes.
  • In the event an attacker manages to steal the user's credentials and successfully manipulates the user into approving the MFA request, they will not be able to execute the additional tactics that normally follow access to an internal network, such as performing reconnaissance to map the network topology.
  • It greatly simplifies application migration from on-premises data centers to cloud data centers. The client gets a locally unique synthetic IP address regardless of where the server is located, with no need to worry about the complex routing and firewall changes involved in an IP address change.
  • It greatly facilitates the merger & acquisition integration process, as ZPA supports overlapping IP addresses.

These advantages accelerate an organization's digital transformation while enhancing security and providing flexibility.

Advantage 4: Simple and Flexible Deployment

ZPA deployment is straightforward: App Connectors are deployed where the applications are hosted, whether in on-premises or cloud data centers.

The only networking requirement is that the App Connector must be able to resolve and access the applications and establish outbound connections to the Zero Trust Exchange (ZTE).

Complexity is the enemy of security. The App Connector provides access to applications without the need for complex routing or firewall configurations, which significantly reduces operational complexity and infrastructure cost.

Compared to VPN gateways, which often become bottlenecks, ZPA's flexible architecture delivers better performance by distributing App Connectors across multiple data centers. Furthermore, meeting bandwidth demands is as simple as deploying additional App Connectors, a better approach than the traditional forklift replacement. Zscaler offers APIs that enable automated ZPA deployment through orchestration tools.

Ultimately, this flexible architecture supports organizations' efforts in network transformation.

Zscaler Private Access combines security, flexibility, and performance to provide a transformative, future-ready cybersecurity solution. By darkening data centers, enforcing identity-based access, blocking lateral movement, and simplifying deployment, ZPA supports organizations in their transition towards Zero Trust.

Check out the final blog post, where we will explore the benefits of advanced capabilities, such as AI-Powered Segmentation, that establish ZPA as a true pioneer in this space. 

Ready to start a conversation with us? Schedule a demo to see how ZPA can help your organization.
