What is secure remote access?
Secure remote access describes the ability to securely access networks, devices, and applications from a “remote” location, which means “off the network.”
There was a time when all of a company’s employees were on the company’s network and all applications resided in the company’s data center connected by that same network. Gradually, employees began to work remotely—at home or traveling. To provide those users with access to internal applications, IT professionals have been relying on virtual private networks (VPNs) to deliver secure remote access, which, in essence, extends the network to the remote user.
This is the way that secure remote access has been handled for nearly 30 years—even as more and more users have begun working off the network, and more applications and infrastructure have moved to the cloud.
This changing environment raises a question: With so many users off the network and so many applications in the cloud, does it even make sense to connect remote users to the internal network?
In fact, tethering security to the network is the crux of the myriad problems surrounding the old model for remote access. Beyond the latency that gives VPN users a poor experience, enterprises relying on legacy VPN technology face increased risk in two key areas:
1. Trust is inherent and often excessive for those inside the network
2. There is an increased risk of external access to the network
Unlike a zero trust approach, the castle-and-moat architectures of the past, which relied heavily on VPN, often delivered excessive trust. This flawed philosophy essentially depends on IP addresses, endpoint-based controls, and other factors to determine trust and accessibility within a corporate network. The result is a “flat” network: once a user was in, that user could move around the entire corporate network.
VPNs work by extending the internal network to external users so they can access resources on the network. Opening the network in this way enables it to be “found” by your remote users, but it also means it can be found by adversaries. They can (and do) exploit the VPN attack surface to infiltrate the network, deliver malware such as ransomware, launch denial-of-service attacks, and exfiltrate critical business data.
In contrast, the zero trust approach treats all traffic, including traffic already inside the perimeter, as hostile. Unless workloads have been identified by a set of attributes—a workload fingerprint or identity—they are untrusted and blocked from communicating.
As we explore below, secure remote access has evolved to meet today’s cloud-first world's demands.
72% of organizations are looking to adopt or already are adopting zero trust.
Redefining secure remote access with zero trust network access
In response to today’s needs, IT teams leverage zero trust network access (ZTNA) as a new framework for enabling secure remote access for off-network users. ZTNA is a term defined by Gartner, and the technology is also known as a software-defined perimeter (SDP). ZTNA provides secure access to your private enterprise applications, whether they’re hosted in public clouds, private clouds, or the data center, without the need for a VPN. ZTNA is based on an adaptive trust model, where trust is never implicit, and access is granted on a “need-to-know,” least-privileged basis defined by granular policies. Because they are 100 percent software-defined, ZTNA solutions require no physical appliances and can be deployed in any environment to support all REST-API applications.
To actually be considered zero trust network access, a solution must adhere to these four tenets:
- ZTNA completely isolates the act of providing application access from network access. This isolation reduces risks to your network, such as infection by compromised devices, and grants application access only to authorized users.
- Inside-out connections from app to user ensure that both network and application infrastructure are made invisible to unauthorized users. IPs are never exposed to the internet, creating a “darknet” and making the network impossible to find.
- Application segmentation ensures that once users are authorized, application access is granted on a one-to-one basis, so that authorized users have access only to specific applications rather than full access to the network.
- ZTNA takes a user-to-application approach rather than a network-centric approach to security. The network becomes deemphasized, and the internet becomes the new corporate network, leveraging end-to-end encrypted TLS micro-tunnels instead of MPLS.
Why a ZTNA approach to secure remote access is more effective than VPN
When it comes to secure remote access, digital transformation has changed everything. As noted above, VPNs are no longer adequate for keeping up with today’s advanced threats and the volume of users connecting to private applications off-network. This can lead to some serious headaches when it comes to user experiences, connectivity, security, and management.
I remember I was sitting at home when WannaCry hit. Everything went down, computers were encrypted, and the network was breached. At that time, I was connecting to internal applications with SDP when a thought hit me: if I had been using my VPN and someone at the office had the malware, I too would have been at risk of infection. However, with SDP I was still able to securely access my internal applications because I was never connected to the network. I was safer at home on my home network than I would have been at the office; that’s when I realized we have been doing private application access all wrong.
In contrast, zero trust network access improves user experiences, connectivity, and management. Here’s how:
ZTNA delivers a better experience for remote users. There’s no need to log into a cumbersome VPN. Instead, access is continuous regardless of changes to network connectivity. Moreover, ZTNA reduces access latency for faster experiences—regardless of location.
When it comes to connectivity, inside-out connectivity keeps the location of the network secret while enabling access to individual applications within the network. This approach optimizes connectivity and minimizes latency. In contrast, with a VPN, connections are inbound: from the VPN client, to the VPN concentrator, and directly onto the network. Additionally, ZTNA optimizes the traffic path from each user to each application using micro-tunnels. These tunnels are created on a per-session, on-demand basis. If a user is looking to access another private application simultaneously, or even from another device, ZTNA spins up separate micro-tunnels. VPNs use a single tunnel per user through which all apps run.
ZTNA improves your security posture by drastically reducing your attack surface. Application access is decoupled from network access. ZTNA moves away from network-centric security and instead focuses on securing the connection between user and application. Access is granted on a one-to-one basis, allowing only authorized users to access specific applications. Lateral movement is impossible, and the attack surface is reduced. Network and applications are cloaked to unauthorized users, and IPs are never exposed, reducing the threat of internet-based attacks.
Unlike VPN, ZTNA tools are effortless to manage. ZTNA is 100% software-based and easy to deploy. There’s no need to install, configure, and manage appliances. ZTNA is not IP-address-centric, so there’s no need to manage ACLs, firewall policies, or translations. Moreover, granular policies can be applied at the application and user level, enabling hyper-focused security for applications and least-privileged access for users.
Choosing a secure remote access service for today’s needs
Although ZTNA solutions are all based on the idea of adaptive trust, ZTNA is available in two forms: ZTNA as a standalone offering and ZTNA as a service.
ZTNA as a standalone offering requires customers to deploy and manage all elements of the product. In addition, several IaaS cloud providers offer ZTNA capabilities for their customers. The ZTNA sits at the edge of your environment, whether that’s in the data center or cloud, and brokers a secure connection between user and application.
- The customer has direct control and management of their ZTNA infrastructure, which can be required for compliance needs
- IoT services that are hosted on-premises can benefit from optimized speeds
- Performance speeds can increase if local users do not have to connect out to the internet to access apps that are hosted on-premises
The other option is ZTNA as a service, such as Zscaler Private Access. This is a cloud-hosted service, where customers leverage a vendor’s cloud infrastructure for policy enforcement. The enterprise simply purchases user licenses and deploys lightweight connectors that front-end applications in all environments; the vendor delivers the connectivity, capacity, and infrastructure needs. Access is established through brokered inside-out connections between user and application, effectively decoupling application access from network access while never exposing IPs to the internet.
- Easier deployment since there is no need to deploy ZTNA gateways
- Simplified management since services are not hosted on-premises
- Optimal pathway always selected for global coverage for all remote and local users
Why ZPA is a perfect fit for today’s secure remote access challenges
Looking more closely, the Zscaler Private Access (ZPA) service provides secure remote access to internal applications in the cloud without placing users on the corporate network. The cloud service requires no complex remote access VPN gateway appliances and uses cloud-hosted policies to authenticate access and route user traffic to the application location closest to the user. ZPA is a true software-defined solution that can work in conjunction with direct access technology. It directly connects customer data centers with cloud service provider data centers.