FOR YEARS, the virtual private network (VPN) has been the gold standard of secure technologies for accessing networks remotely. With evidence mounting that VPNs are more vulnerable than previously realized, however, experts are beginning to recommend zero-trust network access (ZTNA) solutions as an alternative.
VPNs make a remote client look like part of the internal network, and that is a large part of the security problem, says Gerry Gebel, vice president of business development at access control provider Axiomatics. “This harkens back to early network configuration principles where outsiders were not trusted, but insiders were implicitly trusted.” If an intruder gains access via VPN, they have “access to penetrate the critical internal resources of the enterprise,” he explains.
Patrick Tiquet sees many of the same issues—and more. “VPNs do nothing to protect access to cloud services,” says the director of security and architecture at password management security provider Keeper Security. Resources like VoIP servers, collaboration portals, and more are part of the modern network, and “VPN can do little to protect resources hosted outside of the network perimeter,” Tiquet says.
A Software-Defined Perimeter
Implementing controls over users inside the network, whether they’re using a desktop physically tied to the company network or a laptop routed over a VPN, has become a more attractive option, according to Gebel. “Governed by the principles of least-privilege access, multifactor authentication, and micro-segmentation, zero-trust network access is a software-defined perimeter that governs strict identity verification for every person and device trying to access resources on a private network,” he says. Consider this the next step beyond traditional network access security, which only protects the perimeter.
Tiquet adds, “Zero-trust network access does not allow access simply because the user is connected to the network. Access to resources can be protected whether those services are hosted on an internal network or in the cloud.” Perimeter-based security gives way to a single rule: “No user or device is trusted by default.”
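To make the contrast concrete, the following is an added example (not code from the article or from either company quoted in it) of a per-request access decision in the style the two experts describe. The policy table, the device-posture fields and the resource names are constructed for illustration; a real ZTNA broker would pull identity from an IdP and posture from an endpoint agent. The point it shows is that network location plays no part in the decision, while a missing MFA step, a non-compliant device, or a missing least-privilege grant each deny access on its own.

```python
"""Perimeter (VPN-style) decision versus per-request ZTNA decision.

Added example for illustration only; the policy, resources and sample
requests below are constructed, not taken from any vendor product.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset            # group memberships asserted by the IdP (assumed)
    mfa_verified: bool           # second factor completed for this session
    device_managed: bool         # device enrolled in management (posture, assumed)
    device_patched: bool         # device meets patch baseline (posture, assumed)
    on_corporate_network: bool   # only the perimeter model cares about this
    resource: str
    action: str


# Constructed least-privilege policy: resource -> set of (group, action) grants.
# Each resource is its own segment; membership in "staff" buys nothing elsewhere.
POLICY = {
    "hr-portal":  {("hr", "read"), ("hr", "write")},
    "voip-admin": {("netops", "write")},
    "wiki":       {("staff", "read")},
}


def perimeter_decision(req: Request) -> bool:
    """VPN/perimeter model: anyone who reached the internal network is trusted."""
    return req.on_corporate_network


def ztna_decision(req: Request) -> tuple[bool, str]:
    """Evaluate identity, device posture and policy for every request.

    Returns (allowed, reason). Network location is deliberately ignored.
    """
    if not req.mfa_verified:
        return False, "identity not strongly verified (no MFA)"
    if not (req.device_managed and req.device_patched):
        return False, "device posture check failed"
    grants = POLICY.get(req.resource, set())
    if not any((group, req.action) in grants for group in req.groups):
        return False, "no least-privilege grant for this resource/action"
    return True, "allowed"


# Constructed sample requests.
# 1. Intruder who obtained VPN credentials: on the network, but no MFA, unmanaged box.
INTRUDER_ON_VPN = Request("alice", frozenset({"staff"}), False, False, False,
                          True, "hr-portal", "read")
# 2. HR employee working from home on a compliant laptop, hitting a cloud-hosted portal.
HR_FROM_HOME = Request("bob", frozenset({"staff", "hr"}), True, True, True,
                       False, "hr-portal", "write")
# 3. Same HR employee, fully verified, asking for a segment they have no grant for.
HR_WRONG_SEGMENT = Request("bob", frozenset({"staff", "hr"}), True, True, True,
                           False, "voip-admin", "write")


if __name__ == "__main__":
    for name, req in [("intruder", INTRUDER_ON_VPN), ("hr-home", HR_FROM_HOME),
                      ("hr-wrong-segment", HR_WRONG_SEGMENT)]:
        print(f"{name:17} perimeter={perimeter_decision(req)!s:5} "
              f"ztna={ztna_decision(req)}")
```

Run as a script it prints one line per request: the perimeter model admits the intruder and turns away the legitimate remote worker, while the ZTNA decision does the opposite and still refuses the verified user access to a segment they have no grant for.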
Gebel believes ZTNA will change the remote access game fairly quickly. Users and customers demand access from anywhere at any time to any service, and ZTNA provides the granularity needed for access with control. “With ZTNA, enterprises can implement a more precise methodology for enabling access, rather than relying on a blunt instrument like a VPN.”
Of course, ZTNA is only as secure as its underlying technologies, says Tiquet. “For example, ZTNA that makes use of TLS [transport layer security] is still at risk of experiencing a man-in-the-middle attack, or it may be subject to surveillance.” Inadequate provisioning processes, such as resources onboarded without a policy attached, would likewise leave those resources unprotected.