3 scenarios where ZTNA can replace VPN

With the proposal of the zero-trust concept, discussions on whether the ZTNA network access product can replace VPN have been ongoing.

This is an inevitable path in the process of marketization after a new technology is proposed.

ZTNA and VPN are two benchmarking technologies in the field of network security, solving problems such as remote access for enterprises and secure connections. When evaluating which is better, it is not that the more advanced technology is better. Returning to the essence, the value of technology is reflected in the actual demand scenarios and implementation processes, focusing on who can improve the current business efficiency more and reduce the implementation cost lower.

Talking about mutual replacement without considering the actual scenario has no practical significance.

About VPN

VPN was initially a tunneling technology that used public inter-networks to virtually create a point-to-point专线 technology, which met the needs of internal employees to access the internal network from outside, and was cheaper than building a physical dedicated network. In the next twenty years of development, VPN has become a common way for remote employees to access company network resources.

Among them, the tunnel protocol is one of the cores of VPN. With the continuous changes in business needs, PPTP VPN, L2TP VPN, SSH, and other types of VPN have emerged one after another. With the participation of more manufacturers, security, access control, and other management functions have also been added, and the role of VPN in network security has gradually increased.

In essence, VPN is a remote access technology. Initially, its core design was mainly to meet the needs of remote access, and there was not much attention to security. The first tunnel protocol, PPTP, has a significant advantage in connection speed, but it is also one of the industry's recognized insecure protocols.

Now with more and more manufacturers participating, VPN has more options in tunnel protocols and has also developed remote access VPN and LAN interconnection VPN according to usage scenarios.

Legacy problems of traditional technology

As mentioned above, VPN is not a purely secure solution from its design, although it can solve the needs for remote access at a low cost, but because of its own architectural design, there are many problems that need to be optimized with other technical solutions.

• Security: The security issues of VPN are reflected in many aspects. VPN undertakes the tunnel between the internal network and the Internet, exposing firewall ports and network servers, becoming the entry point for penetration attacks. Once the VPN is connected, users can access the internal network without restrictions, which has weak data permission control capabilities, and hackers can cause larger-scale attacks through lateral movement.
• Complex configuration: The security of VPN requires complex configuration to compensate, such as opening firewall ports, DDOS attack shielding, and network application attack shielding, which requires a lot of cost. In addition, additional deployment is required for the configuration of internal data access for employees.
• Adaptability and scalability: For modern companies, many systems are also deployed in cloud environments under non-company networks, and these resources cannot be controlled by VPN. In addition, employees have a variety of devices, and enterprise IT will also encounter scalability problems during management.

Therefore, when addressing the needs for remote network access, VPN is a direct tool and also a solution that can quickly realize the implementation of the needs. However, as mentioned in the existing problems, in more complex scenarios, VPN will appear to be unable to bear the load.

About ZTNA

Zero Trust Network Access (ZTNA) also has a relatively long evolution period, but it is still a concept that has been proposed in recent years. The following are several key nodes in its development:

• In 1994, Stephen Paul Marsh first mentioned the term 'Zero Trust' in his doctoral dissertation
• In 2010, John Kindervag, an analyst at Forrester, used the term 'Zero Trust Model' to represent a more stringent corporate internal network security plan and access control. In the following years, Google began to apply these models to its 'BeyondCorp' security plan
• In 2019, Gartner proposed the term Zero Trust Network Access (ZTNA), representing a set of new technologies aimed at secure access to private applications

Since its announcement, ZTNA technology has been designed for modern network environments and modern work styles. On the one hand, it is aimed at the ever-evolving network attacks, and on the other hand, it is aimed at the more diverse and complex enterprise employees and digital assets, making connections between different identity users, business systems, and digital assets

Advantages brought by emerging technology

As a new technology that has emerged in recent years, ZTNA is naturally imbued with the gene of transformation. However, it is not designed to replace VPN, but to meet the more diverse needs of the current era. It shows obvious advantages in the following aspects:

• Security

Reduce system exposure: When accessing applications, it is first necessary to pass the verification of ZTNA, so ZTNA does not expose IP addresses to the network. In addition to the applications within its own authority, other parts of the network are still invisible to the connected devices

Avoid lateral movement: The micro-segmented design can set separate access controls for each application. Attackers cannot obtain access permissions to other micro-segments

Continuous and multi-dimensional security monitoring: The zero trust concept assumes that anyone, device, and network are not trusted, and through continuous and multi-dimensional security monitoring, this is one of the important distinctions from traditional IT concepts

• Management

Unified management of user system devices: Through a unified ZTNA management backend, user, device, policy, and application management can be completed, which greatly improves the management efficiency of IT personnel

Flexible access access strategy: It is not only about verifying the identity of the visitor, but also setting verification strategies for multiple dimensions such as device baseline, network environment, and file integrity. Any risk will trigger the implementation of security policies

Minimize authorization: ZTNA will become a checkpoint before application access, with each visitor corresponding to the lowest application access permissions that match them, which is a management capability that VPN does not have

• Experience

Unrestricted by bandwidth: Cloud-based ZTNA will be able to respond faster to the requests of visitors, even with large-scale application access, without affecting the access experience due to bandwidth bottlenecks

Scalable and easy to deploy: For diverse identities and applications, it can also be rapidly expanded through the background. Based on cloud or lightweight clients, users can also quickly complete deployment.

Full-platform use, seamless experience: ZTNA supports various access methods on desktop and mobile devices, meeting the needs of modern work styles to access anywhere, on any device at any time.

3 scenarios where ZTNA can replace VPN

After understanding the development and characteristics of VPN and ZTNA, we can clearly see the reasons why ZTNA is attracting so much attention. It is a solution that is more suitable for managing network access needs in modern office environments.

As for VPN, we need to look at it from two aspects. On the one hand, for VPN products, ZTNA is a strong competitor, complementing the shortcomings of VPN products while bringing multiple security improvements and becoming a more complete network security access solution. On the other hand, for VPN technology, it will still inspire ZTNA products to continuously improve the network access experience and meet the access needs of enterprises in more scenarios.

Therefore, 'whether ZTNA can replace VPN products' will not be a two-dimensional conclusion of yes or no, but a best judgment based on the current scene and development needs of the enterprise. The following are 3 scenarios where ZTNA is suitable to replace VPN:

• Management for identity

Users with different identities, such as corporate employees, outsourcing, third-party companies, etc., all have the need to access business systems. In the past, there was a lack of management of user permissions with different identities, and granting the same access permissions posed a great risk. ZTNA has flexible minimal authorization functions that can allocate minimal permissions corresponding to user identities, reducing unnecessary risk access.

• Management for business systems

From the perspective of business systems, there have also been significant changes. Now, it is very common for businesses to move to the cloud, and the company's digital assets are often distributed in a multi-cloud environment. Simply managing the internal network is not enough to manage all systems, and ZTNA can unify access strategy control for various networks, achieving unified management of digital assets.

• Management for different login methods

User-owned devices (BYOD) are the entry points for accessing the company's network, and security needs to be given due attention. ZTNA is compatible with traditional C/S application clients, Agentless B/S applications, and lightweight SSH, RDP application proxy scenarios. It meets different device network access issues and supports multi-end adaptation.

For example, in large-scale offensive and defensive exercises, when choosing what kind of technology to ensure network access security, it is necessary to make a comprehensive assessment of the network status in combination with the specific needs of the scene and the current defense weaknesses, so as to select the appropriate technical solution according to the core requirements. According to the needs, ZTNA will be a more suitable technical solution in this scenario.