Transforming Network Security Through Zero Trust Network Access
Zero Trust Network Access (ZTNA) is a pivotal component of digital transformation. It sits squarely at the intersection of more efficient workflows that enable businesses to transform and grow, and the stronger cybersecurity needed to protect organizations in a highly connected, “always on” world.
In this article, we will examine some key benefits of a zero trust approach and focus in on a surprising illustration of what ZTNA makes possible when it comes to remote access: phasing out virtual private networks (VPNs) within your organization. This is a critical component of zero trust adoption — and digital transformation, as well. Then we’ll explore how this is accomplished, and how it reduces friction while improving security.
Why ZTNA and Why Now
For stakeholders undertaking security modernization, ease of use is paramount. Users need a seamless experience with less friction, fewer logins, and easier authentication requests. This experience is the opposite of what most users expect when it comes to reinforcing organizational security, but zero trust actually makes it possible to enhance security without impacting productivity. This ability to make businesses more resilient in the face of an ever more sophisticated and active threat landscape —without making users work harder to achieve it — is one of the driving forces behind the acceleration in ZTNA adoption.
Another driving factor is the ascension of cloud computing, big data, and remote access as important business enablers that are essential to staying competitive, despite the disappearance of traditional network perimeters. The world’s hybrid workforce model requires 24/7/365 access to resources from anywhere and on any device. This new age of productivity and mobility has, in turn, led to an unintended consequence of business transformation: an explosion in the attack surface area for many organizations. With more devices connecting to enterprise resources than ever before, it’s nearly impossible to comprehensively catalog and control all exposure points because the environment has become so dynamic.
The need for both higher performance and higher security levels necessitates a new approach to secure access — one that legacy security solutions are unable to deliver. One of those outdated technologies that can unintentionally sabotage business transformation initiatives remains a mainstay in many organizations struggling to support the shift to hybrid work models: the VPN.
How Do VPNs Create Network Security Vulnerabilities?
Virtual private network use exploded during the pandemic as part of the effort to enable business continuity as organizations shifted to a remote and hybrid workforce, and it remains a key component of the more flexible workplace many organizations have adopted. However, the traditional VPN (or perimeter defense) approach requires full trust in both the user and device, which has proven to be problematic because:
- VPNs grant access to the network, and once access is granted, threat actors can exploit vulnerabilities and try to access other resources within the network.
- Access control is based on static authentication methods that lack sufficient barriers to keep external adversaries out.
- Backhauling traffic degrades the user experience for application connectivity quality.
These drawbacks, coupled with the knowledge that over 80% of hacking-related breaches are caused by credential abuse, solidify the growing realization that traditional VPN technologies can leave organizations exposed. ZTNA greatly mitigates the risk from VPN usage. It allows you to treat every user and device as potentially hostile, unless and until they prove they are trustworthy.
This is a key reason driving some organizations to consider phasing out VPN usage. But what will this transition mean for the user experience, and how can organizations implement such an approach?
How Does ZTNA Empower the Shift Away From VPN Usage?
When considering VPN replacement, delivering an improved user experience — despite the prevalence of bring your own device (BYOD) and work from home (WFH) policies — should be top-of-mind.
VPNs route all traffic through a corporate data center to take advantage of the largely defunct notion of a secure perimeter. But this effectively creates a traffic jam, degrading the quality of application performance to the end-user. By enabling direct connectivity to on-premises and cloud-based applications, such as Microsoft® Office 365®, rather than delivering global network access to all authenticated users, organizations can promote secure access without the need for backhauling traffic. This results in crystal-clear teleconferencing apps, and enhanced access to data that keeps businesses moving globally.
By micro-segmenting applications, a shift from VPN can be implemented without compromising security or performance. Micro-segmentation hides applications from public visibility and enables direct connectivity to private apps and services via identity-based authentication. This process ensures these users are never placed directly on the network. The attack surface is subsequently reduced, preventing issues like denial-of-service attacks, and effectively eliminating lateral movement.
By continuously authorizing every user, every device, and every resource request, organizations are empowered to grant “just-in-time” and “just-enough” access to only the applications and data they require. By handling this in the cloud, multiple hardware stacks can be eliminated, and costs decreased.
At the same time, this approach reduces risk by giving organizations much-needed application‐layer visibility, to understand who is accessing what, when, and how.
Without a zero trust approach to remote access, inspecting network traffic via VPNs is difficult. Often administrators are only provided with high-level data, such as how long a user has been connected to the VPN. The encryption blind spots can be significant.
Getting Started With ZTNA
Any ZTNA journey requires a strategy deeply rooted in security while balancing workforce flexibility and risk. Here are 3 steps to get your organization started on the road to VPN replacement through zero trust network access.
- Consider offloading VPN use cases that may cause network congestion due to your growing remote workforce. Ease into a transformation journey by piloting a ZTNA project with select applications that require access by partners, contractors, or even specific groups of full-time remote employees. These groups can help a business understand what it may look like to roll out a program more broadly to support WFH and BYOD programs.
- Upon completion of the first step, begin to phase out VPN access for the highest-risk use cases, or for users who do not require full network access, replacing it with ZTNA. Doing so will also begin to reduce the need to maintain VPN clients, and administrators can start to enable access more broadly to support workforce flexibility.
- Finally, choose a solution provider that offers the full breadth of zero trust solutions, including deep endpoint protection and network‐based access control. Doing so will offer a notable and more holistic impact on outcomes — instead of bolting together products from multiple vendors, which may leave gaps in your organization’s security posture.
To learn more about transforming network security through ZTNA, click here.