Since the 90s, providing remote employees with access to IT resources has been defined by the VPN. Stacks of expensive, proprietary VPN appliances filled data centers and allowed users to tunnel into the network to access everything from email to ERP systems. These tunnels provided a simple way to give employees access to the tools they needed, but often at the cost of weak visibility and complex configuration. As applications migrated to the cloud and the number of remote users grew at an exponential rate, VPN failed to keep up with customer demands.
When it was created, VPN was an answer to the IT architectures and business challenges of the time. Centralized data centers hosting enterprise applications needed to be used by employees when they were 'off-site.' These connections needed to be encrypted and had to work over any internet connection that was available. And while VPNs were able to handle these tasks for decades, the landscape they serve has changed.
The fact is, VPN wasn't built to secure cloud applications. It wasn't designed to be elastically scalable. And it was never intended to give complete visibility into user activity and traffic. It was a connectivity solution, not a security solution.
Technology for modern times
As this year’s tidal shift to remote work swept across the globe, the cracks in the veneer of VPN became gaping holes with real productivity and security risks to the business. As these gaps were exposed, Zero Trust Network Access (ZTNA) emerged as the best way to provide the same functionality of VPN but with a greatly improved security posture that can be applied consistently across modern IT ecosystems.
ZTNA (also sometimes referred to as “software-defined perimeter” or “SDP”) is a networking approach that enables enterprises to provide access to all the applications and services an employee needs regardless of their physical location. It does this by providing micro-segmented network access to individual applications instead of access to the wider corporate network. ZTNA bases all connectivity on a user’s identity and the context around a user's request.
This networking approach is not concerned with whether an employee is on-premises or remote. It applies the principle of least-privileged access to all users to ensure that they get access to the applications they need, but nothing more. Unlike a VPN, ZTNA treats every attempt to access an application as hostile and requires authentication before the connection is made. Beyond password authentication through integration with the organization's identity provider, additional steps such as MFA are commonly required to provide an extra layer of protection.
In addition to user authentication, ZTNA also ensures that the device requesting access meets certain requirements. Policies such as time and geolocation can further restrict access and reduce the attack surface of the network.
From a visibility and control perspective, ZTNA offers a number of advantages. Because each session creates a tailored network segment, granular access logs can show user activity. This logging can be used for compliance purposes or be streamed to third-party security tools such as SIEM (security information and event management) solutions for additional monitoring. These session-based network segments also prevent lateral network access, minimizing the blast radius of a breach should a security event occur.
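To make the per-request model concrete, here is an added example (not code from the original post or from any ZTNA product) of a minimal access broker: each request names one user, one application and the surrounding context (MFA state, device posture, geolocation, time of day), every application has its own policy, anything not explicitly allowed is denied, and each decision is written as a structured log line of the kind that would be streamed to a SIEM. All users, groups, applications, policies and device attributes are constructed for the example; the `reachable_apps` helper shows the micro-segmentation point by listing which applications one identity-plus-context would actually be granted, one decision per application.

```python
"""Added example: per-request, context-based access decisions in the ZTNA style.
Illustrative only; every user, group, device attribute, application and
policy here is constructed for the example."""
from dataclasses import dataclass, replace
from datetime import datetime, timezone
import json


@dataclass(frozen=True)
class AccessRequest:
    """Everything the broker knows about one attempt to reach one application."""
    user: str
    groups: frozenset          # group memberships from the identity provider
    app: str                   # the single application being requested
    mfa_verified: bool         # second factor completed for this request
    device_managed: bool       # device posture: enrolled in device management
    device_patched: bool       # device posture: OS at the required patch level
    country: str               # geolocation of the client, e.g. "US"
    hour_utc: int              # hour of day (0-23) at which the request arrives


@dataclass(frozen=True)
class AppPolicy:
    """Per-application rule set; a request must satisfy every clause."""
    allowed_groups: frozenset
    require_mfa: bool = True
    require_managed_device: bool = True
    allowed_countries: frozenset = frozenset()   # empty means no geo restriction
    allowed_hours_utc: range = range(0, 24)


# Constructed policies for three internal applications (hypothetical names).
POLICIES = {
    "erp": AppPolicy(allowed_groups=frozenset({"finance"}),
                     allowed_countries=frozenset({"US", "CA"}),
                     allowed_hours_utc=range(6, 22)),
    "wiki": AppPolicy(allowed_groups=frozenset({"staff"}),
                      require_managed_device=False),
    "prod-ssh": AppPolicy(allowed_groups=frozenset({"sre"})),
}


def decide(req: AccessRequest, policies=POLICIES) -> tuple:
    """Return (allowed, reason). Unknown applications and any failed clause deny."""
    policy = policies.get(req.app)
    if policy is None:
        return False, "no policy for application (deny by default)"
    if not (req.groups & policy.allowed_groups):
        return False, "identity not entitled to application"
    if policy.require_mfa and not req.mfa_verified:
        return False, "mfa required"
    if policy.require_managed_device and not (req.device_managed and req.device_patched):
        return False, "device posture check failed"
    if policy.allowed_countries and req.country not in policy.allowed_countries:
        return False, "geolocation outside allowed countries"
    if req.hour_utc not in policy.allowed_hours_utc:
        return False, "outside allowed access window"
    return True, "allowed"


def reachable_apps(req: AccessRequest, policies=POLICIES) -> set:
    """Applications this identity and context would be granted, evaluated one
    application at a time. A VPN that authenticated the same user once would
    expose every application on the network; here each sits behind its own
    decision, so a compromised session cannot move laterally to the others."""
    return {app for app in policies if decide(replace(req, app=app), policies)[0]}


def audit_record(req: AccessRequest, allowed: bool, reason: str, now=None) -> str:
    """One structured log line per access decision, ready to stream to a SIEM."""
    now = now or datetime.now(timezone.utc)
    return json.dumps({
        "ts": now.isoformat(),
        "user": req.user,
        "app": req.app,
        "decision": "allow" if allowed else "deny",
        "reason": reason,
        "mfa": req.mfa_verified,
        "device_managed": req.device_managed,
        "country": req.country,
    }, sort_keys=True)


if __name__ == "__main__":
    # Constructed request: a finance employee on a patched, managed laptop.
    alice = AccessRequest("alice", frozenset({"staff", "finance"}), "erp",
                          mfa_verified=True, device_managed=True, device_patched=True,
                          country="US", hour_utc=14)
    for app in ("erp", "wiki", "prod-ssh", "hr-portal"):
        req = replace(alice, app=app)
        ok, why = decide(req)
        print(audit_record(req, ok, why))
    print("reachable:", sorted(reachable_apps(alice)))
```

The clause order matters for what the log reveals: identity entitlement is checked before MFA, device posture and context, so a user who is not entitled to an application is denied without ever being prompted for a second factor, and the log reason tells the SOC which control fired.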
With ZTNA, users get an enhanced and seamless experience, whether they are accessing the public cloud, SSH, RDP, a custom private application, or a web-based app. And administrators get enhanced control and visibility over their entire IT environment regardless of who the user is or where they are located.
And while its initial adoption was wildly accelerated with the events of 2020, ZTNA is not just a fad. Gartner has publicly stated that “By 2023, 60% of enterprises will phase out most of their remote access virtual private networks (VPNs) in favor of ZTNA.” As those of us who have spent a career in IT know, this type of adoption rate is reserved for technologies that show a massive improvement in outcomes.
VPN served its purpose well, but just as the cloud transformed the way that applications and services were delivered, ZTNA is now transforming the definition of remote access solutions.