Ditch your legacy VPN hardware and automate your network security with ZTNA. Secure remote access from anywhere with just a few clicks. Onboard your entire organization in minutes, not days. Learn why Perimeter 81 is one of TechRadar's choices for the best ZTNA security providers.
ZTNA services are designed to ensure that only authorized users can access specific applications, based on business policies. Unlike VPNs, ZTNA never places users on the network and never exposes applications to the internet, which leaves no externally reachable attack surface and protects businesses from cyber threats such as the recent wave of malware and successful VPN attacks.
Zscaler's report also found that 61 percent of organizations are concerned about partners with weak security practices who access their internal applications. Additionally, 53 percent of respondents believe that their current security technology can mitigate risk even though legacy technologies directly connect users to the network, thereby expanding the attack surface.
Zero trust can replace or complement VPNs. After screening the network entry point through MFA or biometric authentication, as Cyolo does, zero trust also authenticates every attempt to access systems, apps and assets. With zero trust, the network is hidden from an attacker and access to systems is denied unless it has been explicitly granted.
Scaling with zero trust is like scaling with SaaS. All that needs to be done is to add a user or device to the policy. Cyolo even enables this through a web-based UI. As a result, scaling becomes a non-issue for security teams and IT.
Zero trust implements security in any network and between networks. The network that employees connect from does not matter: they can connect to the office from the public internet, and zero trust will still secure all assets. This makes it an ideal solution for remote work.
While VPNs can be a good solution in some business cases, relying solely on them for secure connectivity and agile work is bound to cause grievances. Zero trust is a security model designed for modern businesses that meets all of the following needs: security, agility, performance, remote work, cost-effectiveness, third-party access, and more.
With so many now reliant on a remote workforce, the use of virtual private networks, or VPNs, is at an all-time high as businesses look to keep proprietary information and sensitive communications secure. But some security experts express concern over what they consider an outdated technology and are turning to a Zero Trust model for corporate network access.
Scott Gordon, CISSP and chief marketing officer at Pulse Secure, said Zero Trust differs from the traditional VPN model of security in the way it continually authenticates all users or devices that attempt to access the network, whereas VPN uses a one-time authentication process and assumes all is well if the user is within the network.
A recent report by Pulse Secure and Enterprise Management Associates (EMA) revealed that 60% of organizations have accelerated Zero Trust projects in response to COVID-19. The report also indicated that enterprise businesses were positive about their Zero Trust networking, with 50% saying they were successful and 44% reporting they were somewhat successful.
Tarun Desikan, COO of Banyan Security, said VPN is an outdated technology that was developed over 20 years ago to expand trusted networks, with the goal of connecting corporate offices into a unified network. VPN technology was later expanded to support a relatively small percentage of users that had specific remote access needs.
Since we exist in a world with hyper-connected networks, network trust is critical for establishing Zero Trust, said Nigel Thompson, vice president of product marketing at BlackBerry. Rules-based perimeter definitions are no longer good enough to maintain secure networks with so many companies moving to the cloud and using mobile and Wi-Fi networks. The network itself should be viewed as a dynamic and ever-evolving entity.
The growth will continue as organizations become familiar with ZTNA and elect to deploy it for office workers as well. Gartner predicts that the transition from virtual private networks (VPNs) to zero-trust network access will continue, so that by 2025 at least 70% of new remote access deployments will rely on ZTNA rather than VPN services.
With the rise in remote work and the continuing threat of cyber attacks, companies are constantly searching for better security frameworks. A zero-trust network is a blanket term that simply means that a business (especially those that house sensitive information like data centers) adopts a stringent, multi-tiered approach to network security that assumes no user is automatically trustworthy.
Companies have been using VPNs for over two decades. The tool allows employees, contractors and other parties to access an organization's internal data, assets and applications. Unfortunately, VPNs are ill-equipped to adapt to changes in technology and security needs. They no longer keep company resources safe and secure, which is their primary function. By contrast, organizations that use zero-trust models are better equipped to handle security risks.
VPNs grant immense trust to authenticated users, allowing them to access information and resources they do not need. VPNs also often suffer performance problems from routing traffic through centralized data centers, and backhauling bandwidth-intensive cloud applications this way is quite costly. Lastly, and most concerning, VPNs are ill-equipped to defend against many security threats. For instance, if an infected user, or an attacker with stolen credentials, connects to your internal network through a VPN, there is a risk that viruses, ransomware and data breaches spread throughout the network. VPNs were ideal before the cloud, when the legacy security model was a fixed perimeter based on a castle-and-moat architecture.
Zero trust is simple: There is no such thing as a trusted user. Instead, when users are authenticated, they are placed within a security bubble, or software-defined perimeter. Here, users only get access to authorized resources rather than everything. Even if the user's computer is compromised by a remote agent, the user is unable to directly access other users or resources. In addition, URLs are obfuscated, and sensitive data is hidden from view.
In a zero-trust model, each user is continuously monitored using identity-aware proxies -- technologies that can scrutinize user behavior patterns and detect erratic behavior in real time. The zero-trust model enables more security checks, and it generates logs that are not possible with traditional VPNs, such as a record of the user's location and application-use history for each access.
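As an added example that is not from any of the articles excerpted here, the following Python sketches the contrast these paragraphs draw: a VPN-style check that authenticates once and then trusts the session for anything reachable, beside an identity-aware proxy that re-evaluates every request against per-application policy and device posture and logs each decision with the user's location and application. The users, groups, applications and thresholds are constructed for illustration.

```python
import json
from dataclasses import dataclass


@dataclass
class Request:
    user: str
    app: str
    device_managed: bool   # device enrolled in management / posture known
    mfa_age_min: int       # minutes since the user last completed MFA
    location: str          # where the request originates (for the access log)


# Constructed per-application policy: who may reach the app and what posture
# must hold on *every* request, not just at connection time.
POLICY = {
    "payroll":  {"groups": {"finance"}, "managed_only": True, "max_mfa_age": 60},
    "wiki":     {"groups": {"finance", "eng", "contractors"}, "managed_only": False, "max_mfa_age": 480},
    "jumphost": {"groups": {"eng"}, "managed_only": True, "max_mfa_age": 15},
}
GROUPS = {"alice": {"finance"}, "bob": {"eng"}, "carol": {"contractors"}}


def vpn_model(session_authenticated: bool, req: Request) -> bool:
    """Legacy VPN: one-time authentication at connect time. Once the user is
    on the internal subnet, any reachable application is implicitly allowed,
    so the request's app and device posture are never consulted."""
    return session_authenticated


def zero_trust_model(req: Request, access_log: list) -> bool:
    """Identity-aware proxy: decide per request and per application, and
    record who asked for what, from where, and why it was allowed or denied."""
    rule = POLICY.get(req.app)
    reasons = []
    if rule is None:
        reasons.append("unknown-app")            # unpublished apps are unreachable
    else:
        if not (GROUPS.get(req.user, set()) & rule["groups"]):
            reasons.append("not-authorized-for-app")
        if rule["managed_only"] and not req.device_managed:
            reasons.append("unmanaged-device")
        if req.mfa_age_min > rule["max_mfa_age"]:
            reasons.append("mfa-stale")          # re-authentication required
    allowed = not reasons
    access_log.append(json.dumps({"user": req.user, "app": req.app,
                                  "location": req.location,
                                  "allowed": allowed, "reasons": reasons}))
    return allowed
```

A contractor on an unmanaged laptop who has a valid VPN session reaches payroll under the first model; under the second the request is denied for two logged reasons, and the denial itself becomes a detection signal.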
When legacy VPNs were first adopted, cloud-based applications and many current scaling problems were nonexistent. Outside contracting, cloud expansion and remote work exceed the original system's capabilities. When you add outliers -- like a pandemic -- VPNs show their age. Additionally, networks cannot be segregated with legacy VPNs in the same way they can with zero-trust architectures. It is important to note that these two technologies are not necessarily exclusive. VPNs can be re-architected to work within a zero-trust architecture, which may please administrators who find this system familiar.
Part of the issue with legacy VPNs is the nature of trust itself. In the traditional VPN model, users are restricted by access control lists maintained as lines of configuration. Large access lists are notoriously hard to manage and prone to error. Additionally, users are placed in an internal VPN subnet, which potentially gives them access to the whole internal network. Traditional VPNs also require an inbound connection to your network, which is a threat if your VPN credentials are stolen. For example, VPN credentials were stolen during the Colonial Pipeline attack.
To protect data and resources, many companies may turn to zero trust. However, there are drawbacks for well-established companies to consider when embracing zero-trust protocols. Companies that use older legacy applications may have trouble implementing them on zero-trust networks. Other companies that have made significant investments in architecture might find additional expenses less appealing. Other issues involve data control, what that implicitly means for liability and whether it can be safely allowed outside the traditional security perimeter.
Despite these concerns, zero-trust models have many strengths. While zero trust does not guarantee safety, it improves breach detection and can shut down connections faster than a traditional VPN. It also compartmentalizes resources, which helps to limit the damage a breach can do. Zero trust leaves companies better equipped to handle today's emergencies and minimizes the impact of tomorrow's challenges. Since zero trust is implemented with cloud-based computing in mind, it also enables greater scalability and reduces the capital investment needed for implementation.
Zero trust mitigates security risks by removing implicit trust and reducing inbound connections to protect data, assets and applications. Too often, companies merely react to security threats after an attack. By then, attackers may already have accessed business-critical assets and data. Implementing zero-trust models enables organizations to re-architect their systems and discover efficiencies they previously missed when using older, traditional VPN structures.
If zero trust is a security concept rather than a product, what is needed to implement the technology? There are of course many vendors providing zero trust network access solutions, like Microsoft, Palo Alto, and ScaleFT. But as Petri is a site mainly dedicated to Microsoft technologies, I want to look in more detail at the Microsoft solutions needed to implement zero trust.
Azure Active Directory (Azure AD) is the primary product around which zero trust is based at Microsoft. Azure AD is an identity management service for cloud-born applications. Azure AD has a feature called Application Proxy that lets users access corporate web applications, and apps hosted behind a Remote Desktop Gateway, using a remote client.