Examining the differences between two network security models at the WAN edge
As the global reliance on internet applications continues to rise, the rate of cybercrime is also rising. Cybersecurity Ventures expects the global costs of cybercrime to reach US$10.5 trillion per year by 2025, up from US$3 trillion in 2015 (Cybersecurity Ventures, 2020). In Australia, in fiscal year 2020, over A$81 million was lost due to business email compromise alone (ACSC Annual Cyber Threat Report 2020-21). With credentials and personal information being the data most sought after in security breaches, it is more important than ever for organizations to assume the presence of a threat and take the necessary steps to protect against it.
For decades, most businesses have relied on Virtual Private Networks (VPNs). When describing a traditional VPN deployment, we often use the analogy that network security acts like a moat surrounding a castle: once the moat is crossed, almost everything within the perimeter is accessible. Outside of network security, some of the earliest evidence of moats has been found around ancient Egyptian castles. Although a fantastic innovation for its time, countries now use more advanced technologies to protect areas, such as aerial drones and satellite surveillance. Likewise, companies looking to truly secure their network in today’s distributed work environment should consider additional options.
With adaptive, context-aware policies that limit access and the potential impact of compromised credentials, Zero Trust Network Access (ZTNA) is a model that provides access to private enterprise applications in a way that is considerably more secure than a VPN. But there are trade-offs in moving to ZTNA that need to be considered.
Before we look at ZTNA vs. VPN, let’s dive a little deeper into the definitions first.
What is ZTNA?
As its name suggests, ZTNA is a security concept based on the assumption that anyone attempting to access a network or application may be a malicious actor, so their access should be restricted and continuously verified. To enforce its security levels, ZTNA applies an adaptive verification policy on a per-session basis that can consider a combination of identity, location, device, the time and date of the request, and previously observed usage patterns.
Once verified, the Zero Trust Network creates a secure tunnel between the user’s device and the requested application. This authenticated tunnel prohibits public discovery or lateral movement to other applications on the network, and ultimately decreases the likelihood of cyberattacks.
Compare and Contrast Between ZTNA and VPN
Remote access VPNs have been the standard for enterprise security for decades, but their functionality hasn’t evolved as quickly as the cunning of modern hackers. Although businesses can use both security solutions, ZTNA has several advantages over a VPN.
ZTNA security limits scope of user access
Going back to our moat analogy, the greatest damage to the castle occurs once a perpetrator has crossed the moat. In network security terms, data breaches occur when an attacker crosses the corporate firewall via a perimeter-based VPN and then has free rein to roam among internal corporate applications without much resistance. A perimeter-based security model that grants such wide spans of access creates more opportunities for data breaches and no longer meets the needs of modern businesses.
ZTNA does not consider any part of the corporate network to be an implicit trusted zone. Instead, it applies prescriptive microsegmentation and security policies to the enterprise edge architecture to create tunnels that allow users to access specific applications and nothing else. At most, a user can only access what exists behind the unique microsegments they have access to.
ZTNA Adaptive Security Policies Consistently Mitigate Risk
While a VPN authenticates a user once, at sign-on, and then grants access to the corporate network, ZTNA uses an adaptive policy that continuously reassesses security for the duration of a user’s session. These assessments examine whether the user has changed location, when they last attempted to access an application, whether they are using a new device, and whether they are exhibiting abnormal behavior such as rapid modification or deletion of data. ZTNA’s security monitoring capabilities are not possible with a VPN alone.
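A toy policy engine, added here as an illustration and not Cradlepoint's code, that ties together the per-session checks described above (identity, device, location, time, abnormal deletion) with the microsegment scoping from the previous section; the role-to-application map, the permitted hours and the deletion threshold are constructed values.

```python
# Toy ZTNA policy engine (constructed illustration): every request is re-checked
# against the session's current context, and a session is scoped to one application.
from dataclasses import dataclass

# Constructed microsegment map: the only applications each role can reach.
MICROSEGMENTS = {"finance": {"erp", "payroll"}, "engineer": {"git", "ci"}}
BULK_DELETE_LIMIT = 20      # constructed threshold for "fast data deletion"
WORK_HOURS = range(6, 23)   # constructed: requests allowed 06:00-22:59


@dataclass
class Context:
    """Signals observed on a request: identity, device, location, time."""
    user: str
    role: str
    device_id: str
    country: str
    hour: int


class Session:
    """A tunnel to one application; the policy is applied on every request."""

    def __init__(self, app, ctx, known_devices):
        self.app, self.known_devices = app, set(known_devices)
        self.start_ctx, self.deletes = ctx, 0
        ok, self.log = self.evaluate(ctx, "open")
        self.revoked = not ok

    def evaluate(self, ctx, action):
        """Deny by default: collect every failing check, allow only if none fail."""
        reasons = []
        if self.app not in MICROSEGMENTS.get(ctx.role, set()):
            reasons.append("app outside the user's microsegment")
        if ctx.device_id not in self.known_devices:
            reasons.append("unrecognised device")
        if ctx.hour not in WORK_HOURS:
            reasons.append("outside permitted hours")
        if ctx.country != self.start_ctx.country:
            reasons.append("location changed during session")
        if action == "delete" and self.deletes > BULK_DELETE_LIMIT:
            reasons.append("bulk deletion rate exceeded")
        return (not reasons, reasons)

    def request(self, ctx, action):
        """Re-verify on each request; once revoked, the session stays closed."""
        if self.revoked:
            return False
        if action == "delete":
            self.deletes += 1
        ok, self.log = self.evaluate(ctx, action)
        self.revoked = not ok
        return ok
```

A real deployment would feed these checks from an identity provider, device posture agent and behavioural analytics rather than from hard-coded signals, but the deny-by-default, re-evaluate-every-request shape is the same.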
Direct app connections create a better user experience
Zero Trust networks eliminate the concept of a perimeter and route all user traffic through a cloud inspection point every time information is transmitted. By moving this inspection to the cloud, especially on a 5G network, the authentication process completes with such low latency that it is virtually imperceptible to the end user. A VPN, however, can be bogged down by limited bandwidth and backend performance limitations. Additionally, since ZTNA is network and location independent, remote employees can spend more time on their jobs and less time waiting for applications to load.
Businesses save money with ZTNA
Deploying a corporate VPN network is expensive and labor intensive. In addition to hardware purchases, including authentication tokens and software provisions on laptops, cell phones, and other devices, VPN infrastructure in data centers can be cumbersome, and the dedication of IT resources to manage this infrastructure and ensure compliance with the VPN policy is costly.
Alternatively, ZTNA is agile, quick to deploy, and highly scalable. Without a complicated infrastructure to maintain, fewer IT resources need to be dedicated to training and security management, making ZTNA solutions more cost-effective compared to a VPN. Businesses can also realize hardware savings by allowing employees to use their own devices – a policy that is often incompatible with VPN.
ZTNA becomes essential for enterprise networks
Although ZTNA offers significant advantages, it is not always the best option for all applications. Today’s network will likely include a mix of ZTNA and traditional VPN, and it’s important to understand the trade-offs.
However, as corporate work becomes increasingly remote and the workforce expands to include contractors as well as part-time and temporary workers, the security, flexibility and scalability of cloud-delivered ZTNA will make it an essential part of any business network.
For more information visit: www.cradlepoint.com/au.