For nearly three decades, the world of secure remote access has been dominated by the remote access VPN. But, with applications migrating to cloud and the number of remote users growing exponentially, the VPN has lost its footing. The VPN simply wasn’t built for the security, scalability, or visibility needs of today. A new approach is displacing the VPN. Defined by Gartner as zero trust network access (ZTNA) and also known as the software-defined perimeter (SDP), it enables enterprises to extend nimble, secure, precision access—access that’s just what users need, just when they need it, nothing more.
ZTNA is quickly becoming the choice of enterprises looking to switch from legacy solutions and decouple network access from private applications, like SAP or Oracle, running in hybrid and multi-cloud environments. To understand why these software-defined solutions continue to increase in popularity, let’s explore what makes ZTNA so different from the traditional VPN.
1. User experience
With the IT world moving to cloud, users have been conditioned to expect a cloud-like connectivity experience when accessing internal apps. Remote access VPNs are inconvenient to use, requiring users to log in and out repeatedly, and they’re slow. User traffic is backhauled to data centers that are often hundreds of miles away—or more—creating latency and increased user frustration.
ZTNA technology was built for the age of cloud for an enhanced user experience. Whether your users are in the office, at Starbucks, or flying cross-country, their access to your private apps is always simple and secure, and they’re empowered to access apps from the device or location of their choosing. Users no longer have to deal with the constant disruption of entering their VPN credentials or having to think about whether the app is located in the data center or the cloud. And with ZTNA and SDP solutions, users are no longer bogged down with latency—faster connections mean happier users.
ZTNA allows organizations to shift away from a network-centric approach to security and move to a user- and app-centric security strategy. By decoupling application access from network access, users are no longer placed on the network (no FW policies or ACLs!). The internet can become the new secure network via encrypted tunnels that keep private apps private—without a VPN.
ZTNA technologies can actually make private applications invisible by using inside-out connections, so IPs are never exposed to the internet—and there’s no VPN concentrator sitting at the edge of your network listening for inbound pings. Since they use a micro-segmentation strategy, not network segmentation, ZTNA creates a secure segment of one between an authorized user and a named application, minus the overhead of managing network segments.
A good way to think of this is that VPNs are like a castle-and-moat approach to network security, creating a (not so) tough perimeter on the outside but leaving the interior vulnerable to anyone within the castle. That makes it difficult to minimize security risk. ZTNA and SDPs create a secure, isolated environment around each private application, and provide least-privilege access only to specific authorized users.
3. Visibility and control
With the increase in mobility, IT requires a higher level of visibility and control over networks, applications, and users. Security teams need to have the ability to easily monitor, identify, and diagnose any security threats that are aimed at the enterprise.
With a VPN, information accessible to security teams is limited to a device’s IP address, port data, and protocols. So, you can see who has logged in and from what IP address, but you don’t have visibility into what the user was actually doing while on the network.
ZTNA solutions empower administrators with comprehensive information about all activity between users and apps. Not only is each transaction tracked in real time, but beyond just listing the IP and port data, ZTNA-based solutions capture data around the user identity, named application, latency, locations, and more. So, it’s easy for admins to consume and analyze the information. The data can then be automatically streamed to a SIEM provider in real time.
Some solutions can also discover previously unknown private applications running in the environment, display them in the GUI, and allow security teams to enforce granular controls.
That’s three reasons to adopt ZTNA. There are more.
Gartner points out although virtual private network replacement is a common driver for the adoption of ZTNA, it also offers more flexible and secure ways to connect and collaborate with partners, suppliers, contractors, retail locations, and others—without a VPN or DMZ. You can extend access to an acquired organization without having to configure site-to-site VPN and firewall rules. You can authenticate users on personal devices, which simplifies BYOD.
You’ve probably been reading a lot about the software-defined perimeter, which is a security model based on the idea that application access should be decoupled from network access. Instead of a static perimeter at the edge of a network boundary, a software-defined perimeter is a dynamic boundary that applies a context-based assessment to the user and device. Zero trust network access is the same concept with a different name.
No matter what you call it—or whether you’re exploring it for VPN replacement or to enable an M&A—the technology provides seamless, flexible, secure user access to applications. So you and your users can get back to business.
Read how software-defined technology is redefining secure remote access: Definitive Guide to Secure Remote Access.