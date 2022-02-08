The recent increase in remote working has cast a spotlight on the limitations of ageing VPN technology. While some organisations continue to extract every bit of mileage they can from VPN, many are looking for a better alternative – something that addresses the challenges with remote access VPN.

Several organisations have already started to fully embrace the next generation of remote access technology: ZTNA or zero trust network access. ZTNA offers better security, more granular control, increased visibility, and a transparent user experience compared to traditional remote access VPN.

Challenges with remote access VPN

Remote access VPN has been a staple of most networks for decades, providing a secure way to reach systems and resources on the network from outside. However, it was developed in an era when the corporate network resembled a medieval fortification – the proverbial castle wall and moat forming a secure perimeter around the resources within. VPN provided the equivalent of a secure gatehouse through which authorised users entered that perimeter, but once inside, they typically had access to everything within it, with only routing tables and firewall rules, if any, to limit them.

Figure 1. Traditional remote access VPN.

Of course, networks have evolved substantially and are more distributed than ever. Applications and data now live in the cloud, users work remotely, and networks are under constant probing by attackers looking for any weakness to exploit.

“Administering a remote access solution based on traditional VPN (IPsec/SSL) in any kind of modern environment can be extremely painful. You have to contend with IP management, traffic flows and routing, firewall access rules, as well as client and certificate deployment and configuration. Anything beyond a handful of nodes and a few dozen users turns this into an unnecessary full-time job – just to keep this running. If that wasn't enough, security becomes an absolute nightmare to monitor and control,” says Ross Anderson, Sophos Product Development Manager at Duxbury Networking.

In summary, traditional remote-access VPN has a number of limitations and challenges:

Implicit trust – once authenticated, the client is placed on the network and trusted by default;

Potential threat vector – a compromised client carries its foothold onto the network along with it;

Inefficient backhauling – traffic to cloud-hosted applications is hairpinned through the corporate network;

Lack of visibility – the VPN sees IP flows, not which applications users are actually reaching;

User experience – manual connection and re-authentication, and the performance cost of backhauling; and

Administration, deployment and enrolment – IP management, routing, firewall rules, and client and certificate distribution.

What is ZTNA and how it works

ZTNA, or zero trust network access, was designed from the outset to address the challenges and limitations of remote access VPN. It lets users anywhere connect securely to the applications and data they need to do their jobs, and nothing more. A few fundamental differences set ZTNA apart from remote access VPN.

Zero trust essentially eliminates the concept of the old castle wall and moat perimeter in favour of making every user, every device and every networked application their own perimeter and only interconnecting them after validating credentials, verifying device health and checking access policy. This dramatically improves security, segmentation and control.

Another key difference is that users are not simply dropped onto the network with complete freedom of movement. Instead, an individual tunnel is established between the user and the gateway fronting the specific application they are authorised to access, and nothing more, which gives a much finer level of micro-segmentation. This brings benefits for security, control, visibility, efficiency and performance. For example, a remote access VPN sees only IP flows and gives little insight into which applications users are actually using, whereas ZTNA can provide real-time status and activity for every published application, which is invaluable for identifying potential issues and performing licensing audits.

The micro-segmentation that ZTNA provides sharply limits lateral movement between resources on the network: a compromised device or account can reach only the applications its policy names, not the hosts behind them. Each user, device and application or resource is effectively its own secure perimeter, and there is no longer any concept of implicit trust.
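To make the decision sequence described above concrete, here is an added illustration of how a ZTNA policy decision point evaluates a request (identity first, then device health, then an explicit per-application policy, with deny as the default) and how that differs from a VPN placing the client on a routed subnet. This is example code written for this article, not Sophos ZTNA code or any vendor's implementation; the class names, policy table, health thresholds, internal address range and sample users are all assumptions.

```python
"""Toy ZTNA policy decision point (illustrative only, not vendor code).

Decision order: identity (fresh MFA) -> device health -> explicit app policy.
Anything not explicitly allowed is denied, and a grant is scoped to a single
application, never to a network range.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass
class Identity:
    user: str
    groups: frozenset
    mfa_verified_at: Optional[datetime]  # None = MFA never completed


@dataclass
class DevicePosture:
    managed: bool
    disk_encrypted: bool
    endpoint_protection_running: bool
    os_patch_age_days: int
    threats_detected: bool


@dataclass
class AccessRequest:
    identity: Identity
    device: DevicePosture
    application: str
    now: datetime


# Assumed policy table: application -> groups permitted. Unlisted apps are denied.
APP_POLICY = {
    "intranet-wiki": {"staff"},
    "finance-erp": {"finance"},
    "git-server": {"engineering"},
}
MFA_MAX_AGE = timedelta(hours=8)      # assumed re-authentication interval
MAX_PATCH_AGE_DAYS = 30               # assumed compliance threshold


def device_health_failures(d: DevicePosture) -> List[str]:
    """Return the failed health checks; an empty list means the device is compliant."""
    failures = []
    if not d.managed:
        failures.append("unmanaged device")
    if not d.disk_encrypted:
        failures.append("disk not encrypted")
    if not d.endpoint_protection_running:
        failures.append("endpoint protection not running")
    if d.os_patch_age_days > MAX_PATCH_AGE_DAYS:
        failures.append("OS patches older than %d days" % MAX_PATCH_AGE_DAYS)
    if d.threats_detected:
        failures.append("active threat detected")
    return failures


def decide(req: AccessRequest) -> Tuple[bool, str]:
    """Evaluate one request for one application. Default outcome is deny."""
    ident = req.identity
    # 1. Identity: MFA must have been completed recently; stale sessions are re-challenged.
    if ident.mfa_verified_at is None:
        return False, "deny: MFA not completed"
    if req.now - ident.mfa_verified_at > MFA_MAX_AGE:
        return False, "deny: MFA older than %s, re-authenticate" % MFA_MAX_AGE
    # 2. Device health: any failed check excludes the device, whoever the user is.
    failures = device_health_failures(req.device)
    if failures:
        return False, "deny: device posture - " + "; ".join(failures)
    # 3. Explicit application policy: unknown application or no matching group -> deny.
    allowed_groups = APP_POLICY.get(req.application)
    if allowed_groups is None:
        return False, "deny: no policy for application %r" % req.application
    if not (ident.groups & allowed_groups):
        return False, "deny: %s not in %s" % (ident.user, sorted(allowed_groups))
    # The grant is a tunnel to this one application's gateway, not a route to a subnet.
    return True, "allow: %s -> %s (tunnel to application gateway only)" % (ident.user, req.application)


def reachable_apps(identity: Identity, device: DevicePosture, now: datetime) -> List[str]:
    """Everything a user can reach, evaluated per application (the ZTNA view)."""
    return sorted(app for app in APP_POLICY
                  if decide(AccessRequest(identity, device, app, now))[0])


def legacy_vpn_grant(identity: Identity) -> Optional[str]:
    """Contrast: a traditional remote-access VPN checks credentials once and then
    routes the client onto the internal network, so every host becomes reachable."""
    if identity.mfa_verified_at is None:
        return None
    return "10.0.0.0/8"  # assumed internal range, granted wholesale


# Constructed sample data for the demonstration (not real users or devices).
SAMPLE_NOW = datetime(2022, 2, 8, 9, 0, tzinfo=timezone.utc)
HEALTHY = DevicePosture(True, True, True, 5, False)
INFECTED = DevicePosture(True, True, True, 5, True)
ALICE = Identity("alice", frozenset({"staff", "finance"}), SAMPLE_NOW - timedelta(hours=1))
BOB = Identity("bob", frozenset({"staff", "engineering"}), SAMPLE_NOW - timedelta(hours=9))

if __name__ == "__main__":
    for ident, dev in ((ALICE, HEALTHY), (ALICE, INFECTED), (BOB, HEALTHY)):
        for app in list(APP_POLICY) + ["unknown-app"]:
            print(decide(AccessRequest(ident, dev, app, SAMPLE_NOW))[1])
        print("ZTNA reachable:", reachable_apps(ident, dev, SAMPLE_NOW),
              "| VPN grant:", legacy_vpn_grant(ident))
```

Running it shows the point of the section: the same user with an infected device can reach nothing, a stale MFA is re-challenged rather than silently honoured, and a healthy, authenticated user is granted exactly the applications their groups name, whereas the VPN path hands the whole internal range to anyone who passes the initial login.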

Figure 2. Zero trust network access.

“ZTNA is also inherently more dynamic and transparent by nature, working in the background without requiring interaction from the user beyond the initial identity validation. This experience can be so smooth and frictionless that users won’t even realise they are connecting to applications via secure encrypted tunnels,” says Anderson.

Advantages of ZTNA

Zero trust network access offers enormous benefits in many ways but is primarily being adopted for one or more of these reasons:

Working from home: ZTNA makes managing remote access for staff working from home much easier. Deployment and enrolment are simpler and more flexible, turning what may have been a full-time job with VPN into something far less resource intensive, and the experience is more transparent for the staff themselves.

Application micro-segmentation: ZTNA provides much better application security through micro-segmentation, the integration of device health into access policies, continuous verification of identity, and the elimination of the implicit trust and lateral movement that come with VPN.

Stopping ransomware: ZTNA removes a common vector for ransomware and other network intrusions. Because ZTNA users are never placed ‘on the network’, a threat that would otherwise gain a foothold through VPN has nowhere to go beyond the specific applications the compromised user was permitted to reach.

Onboard new applications and users quickly: ZTNA enables better security and more agility in quickly changing environments with users coming and going. Stand up new applications quickly and securely, enrol or decommission users and devices easily, and get insights into application status and usage.

In summary, the advantages of ZTNA over traditional remote-access VPN solutions include:

Zero trust – ZTNA is founded on the principle of zero trust, or ‘trust nothing, verify everything’. This provides significantly better security and micro-segmentation by treating each user and device as its own perimeter and continually assessing identity and device health before granting access to corporate applications and data. Users have access only to the applications and data their policies explicitly define, reducing lateral movement and the risks that come with it.

Device health – ZTNA integrates device compliance and health into access policies, giving administrators the option to exclude non-compliant, infected or compromised systems from accessing corporate applications and data, closing an important threat vector and reducing the risk of data theft or leakage.

Works anywhere – ZTNA is network-agnostic, able to function equally well and securely from any network, be it home, hotel, café or office. Connection management is secure and transparent regardless of where the user and device are located, making it a seamless experience no matter where the user is working.

More transparent – ZTNA provides a frictionless end-user experience by automatically establishing secure connections on demand behind the scenes as they are needed. Most users will not even be aware of the ZTNA solution that is helping protect their data.

Better visibility – ZTNA can offer increased visibility into application activity, which is important for monitoring application status, capacity planning, and licensing management and auditing.

Easier administration – ZTNA solutions are often much leaner and cleaner, and therefore easier to deploy and manage. They can also be more agile in quickly changing environments with users coming and going, making day-to-day administration a quick and painless task rather than a full-time job.

What to look for in a ZTNA solution

While looking at the obvious checklist of supported platforms for clients, gateways and identity providers, be sure to consider these important capabilities when comparing ZTNA solutions from different vendors:

Cloud-delivered, cloud-managed;

Integration with your other cyber security solutions; and

User and management experience.

“Sophos ZTNA has been designed to make zero trust network access easy, integrated and secure. Sophos ZTNA is cloud-delivered and cloud-managed, integrated into Sophos Central, the world’s most trusted cyber security cloud management and reporting platform. From Sophos Central, you can not only manage ZTNA, but also your Sophos Firewalls, endpoints, server protection, mobile devices, cloud security, e-mail protection and so much more,” says Anderson.

