VPN vs. ZTNA: A security perspective for remote user access

Replacing a VPN with a zero-trust approach can increase network security while also improving the user experience for remote employees.

Chris Crellin, senior director of product management, Barracuda MSP

In 2020, a significant segment of the global workforce found themselves working remotely due to a once-in-a-century pandemic. As a result, many companies scrambled to connect employees to data and applications securely.

In most cases, companies relied on virtual private networks (VPNs), a well-established remote access solution. However, it quickly became clear that when connecting remote workers, VPNs had their limitations and weren’t designed to address modern security challenges. In place of these legacy solutions, Zero Trust Network Access (ZTNA) has emerged as a rapidly growing alternative that provides several key advantages.

Built around explicit access control policies, ZTNA solutions grant access only to the specific applications and services a given user has been authorized for; everything else stays unreachable. So how can you determine whether ZTNA is a good fit for you and your clients?

The Downside of VPNs

VPNs were initially designed to protect the perimeter of a company’s IT infrastructure, in much the same way as a key card system or a security guard could keep unwelcome visitors from getting past the front door of the building. They were not created to be used with hybrid IT infrastructures and globally dispersed employees. 

As such, VPNs carry several design limitations that matter for security:

VPNs are focused on the perimeter. Once a user authenticates at the edge, the VPN typically places their device on the internal network, and anything reachable from that network segment is reachable from the device. An attacker who steals VPN credentials or compromises a VPN-connected laptop inherits the same network-level reach and can move laterally. VPN concentrators also expose continuously listening service ports to the internet, which attackers can scan, fingerprint and probe for weaknesses; a successful exploit of the concentrator itself lands the attacker inside the network.

Trust is based on a user's IP address. Once the tunnel is up, traditional VPNs assign the client an address from an internal pool, and downstream access controls such as firewall rules are keyed on that address. An IP address carries no contextual information about the user or the device, so those controls cannot tell a healthy, managed laptop apart from a compromised machine presenting the same credentials.

Network-level access controls limit visibility. Because VPNs don't provide application-layer controls, user access is inherently overly permissive: the administrator sees and governs traffic to network segments, not to individual applications. This is especially problematic for employees working from home, where a VPN may grant them much more application access than they would have if they were working in the office. At the same time, the VPN-connected device sits on a home network shared with less-secure, often unpatched consumer devices, so an exploit against one of those devices can become a path onto the corporate network.

VPNs have limited cloud support. As organizations shift to cloud or hybrid infrastructures, the utility of the VPN is significantly reduced. VPNs were typically designed to connect a remote user to a single corporate network, not to distributed environments spanning multiple offices, data centers, and multi-cloud deployments.

Furthermore, with a full-tunnel VPN, network traffic to cloud applications is backhauled through the corporate data center before heading back out to the cloud provider, which adds latency that degrades employee productivity.

Generally, VPNs provide security based on an increasingly erroneous assumption: that the user and device connected to the VPN are secure. ZTNA addresses the above limitations head-on and offers a much more reliable security solution, particularly given the expansion of remote work.

Zero-Trust Provides Comprehensive Protection

As described above, ZTNA avoids many of these pitfalls. It is usually delivered as a component of a secure access service edge (SASE) architecture: instead of backhauling traffic through the corporate data center, a cloud-hosted gateway brokers each connection directly to the cloud or on-premises application the user is authorized for. Because this approach does not assume that the end user or end device is trustworthy, it can better protect organizations that rely on remote employee access.

Other key elements that make a ZTNA a better choice than a VPN include:

ZTNA enforces the principle of least privilege for network access, so neither end users nor attackers who compromise them can move laterally across the network at will. In addition, a single packet authorization (SPA) approach keeps the gateway "dark": it drops every packet until it receives a single, cryptographically authenticated packet from an enrolled client, so network resources are invisible to unauthenticated users and port scanners alike. As a result, users only have access to the resources needed to do their jobs, no matter where they log on.

Identity-centric authentication is more secure. Rather than trusting an IP address alone, ZTNA combines the IP address with information from an identity store (who the user is and which groups they belong to) and contextual variables such as device posture, location, and time of day, and it applies that context to each application the user requests rather than to the network as a whole.

The logical access perimeter approach of ZTNA meets the needs of a modern, dispersed organization. Instead of a physical network boundary, the perimeter is defined in software, which enables micro-segmentation and extends security to assets that sit outside the traditional network boundary.

ZTNA solutions offer programmable APIs. These can be easily integrated across different IT and security platforms for better visibility and automation. 

The ZTNA approach can also be easier to implement. Agentless deployments, where users reach web applications through a browser, don't require software on individual user devices; deployments that check device posture or use SPA do install a lightweight client. ZTNA also provides application-layer policy management rather than network-layer rules.

The ZTNA user experience is also better. Without the need for backhauling, latency can be significantly reduced. These solutions also work transparently for the end user, and employees don’t have to go through the hassle of setting up the VPN connection manually.
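To make the least-privilege, SPA-gated and identity-centric behaviour described above concrete, here is an added example that simulates a ZTNA broker in Python. It was written for this article and is not Barracuda's or any vendor's code. The gateway class, the packet layout (JSON body plus HMAC-SHA256 tag), the application policy table, the device posture fields, and the sample key, addresses and user names are all hypothetical constructs for the illustration.

```python
"""Toy ZTNA broker (added illustration, not vendor code).

Two behaviours from the article are modelled:
  1. A "dark" gateway that drops every packet until it sees a valid
     single packet authorization (SPA) datagram from an enrolled device.
  2. Per-application, least-privilege decisions made from identity
     (user, groups) plus device context, not from the source IP alone.
All keys, names, addresses and the policy table are constructed samples.
"""
import hashlib
import hmac
import json
import time
from typing import Dict, List, Tuple

# Hypothetical pre-shared key provisioned to an enrolled client (constructed, not real).
SPA_KEY = b"constructed-demo-key-not-for-production"
SPA_WINDOW_SECONDS = 30  # reject SPA packets whose timestamp is outside this window


def build_spa_packet(device_id: str, key: bytes, now: float, nonce: str) -> bytes:
    """Client side: one authenticated datagram, HMAC-SHA256 over the JSON body."""
    body = json.dumps(
        {"device": device_id, "ts": int(now), "nonce": nonce}, sort_keys=True
    ).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


class DarkGateway:
    """Server side: silent to everyone except sources that pass SPA."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen_nonces = set()        # replay cache for nonces inside the window
        self.authorized: Dict[str, str] = {}  # source_ip -> device_id

    def receive_spa(self, source_ip: str, packet: bytes, now: float) -> bool:
        """Open a session only if the packet is authentic, fresh and unreplayed.
        Every failure is a silent drop, so a port scanner learns nothing."""
        try:
            body, tag = packet.rsplit(b".", 1)
            expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
            if not hmac.compare_digest(tag, expected):
                return False  # forged or keyed with the wrong secret
            fields = json.loads(body)
            ts, nonce, device = int(fields["ts"]), str(fields["nonce"]), str(fields["device"])
        except (ValueError, TypeError, KeyError):
            return False  # malformed: ordinary traffic, not an SPA packet
        if abs(now - ts) > SPA_WINDOW_SECONDS:
            return False  # stale capture replayed later
        if nonce in self.seen_nonces:
            return False  # replay inside the freshness window
        self.seen_nonces.add(nonce)
        self.authorized[source_ip] = device
        return True


# Hypothetical per-application policy (constructed). A real broker would pull
# group membership and posture requirements from an identity store / policy engine.
APP_POLICY = {
    "payroll": {"groups": {"finance"}, "managed": True, "patched": True},
    "wiki":    {"groups": {"finance", "eng"}, "managed": False, "patched": False},
    "prod-db": {"groups": {"eng"}, "managed": True, "patched": True},
}


def authorize_app(gw: DarkGateway, source_ip: str, user: str,
                  groups: List[str], device: dict, app: str) -> Tuple[bool, str]:
    """ZTNA decision for ONE application: (allowed, reason)."""
    if source_ip not in gw.authorized:
        return False, "no SPA session: gateway is dark to this source"
    policy = APP_POLICY.get(app)
    if policy is None:
        return False, "unknown application"
    if not policy["groups"] & set(groups):
        return False, f"{user} is not in a group allowed to reach {app}"
    if policy["managed"] and not device.get("managed"):
        return False, "device is not managed"
    if policy["patched"] and not device.get("patched"):
        return False, "device posture: unpatched"
    return True, "allowed"


def reachable_apps(gw: DarkGateway, source_ip: str, user: str,
                   groups: List[str], device: dict) -> List[str]:
    """Everything this user+device may reach from this source. Contrast with a
    VPN, where one successful authentication exposes the whole address range."""
    return sorted(a for a in APP_POLICY
                  if authorize_app(gw, source_ip, user, groups, device, a)[0])


if __name__ == "__main__":
    gw = DarkGateway(SPA_KEY)
    now = time.time()
    pkt = build_spa_packet("laptop-42", SPA_KEY, now, "nonce-1")
    print("SPA accepted:", gw.receive_spa("203.0.113.5", pkt, now))
    print("replay accepted:", gw.receive_spa("203.0.113.5", pkt, now))
    healthy = {"managed": True, "patched": True}
    print("alice/finance, healthy laptop:",
          reachable_apps(gw, "203.0.113.5", "alice", ["finance"], healthy))
    print("alice/finance, unpatched laptop:",
          reachable_apps(gw, "203.0.113.5", "alice", ["finance"], {"managed": True, "patched": False}))
    print("same user, no SPA session:",
          reachable_apps(gw, "198.51.100.9", "alice", ["finance"], healthy))
```

Running it shows the three properties side by side: the gateway answers nothing to a source that has not completed SPA, a replayed or stale SPA packet is dropped, and the same finance user reaches only the applications their group and device posture allow (losing payroll the moment the laptop reports itself unpatched). The equivalent VPN model would collapse all of that into one decision at connect time and then expose every address the tunnel routes to.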

As more companies adopt remote work policies, offer work-from-home options, and require staff to stay connected while traveling or in the field, the need for secure remote access is expanding. Replacing a VPN with a zero-trust approach can increase network security, while also improving the user experience for remote employees. ZTNA also provides greater flexibility and visibility. 

The transition away from the VPN won’t happen overnight—many companies have invested heavily in these solutions. However, VPNs are beginning to buckle as network environments include more cloud resources and the number of remote employees expands. For most companies, ZTNA is the next evolution of remote access.

Chris Crellin is Senior Director of Product Management for Barracuda MSP, a provider of security and data protection solutions for managed services providers, where he is responsible for leading product strategy and management.