
VPNs do not equal security: How ZTNA fixes the problem

Mark Guntrip | September 19, 2021

Late March and early April 2020 were tough times for IT teams around the world as mandatory shelter-in-place policies forced users out of corporate offices with hardened data centers to home offices, kids’ rooms, and dining tables. IT leaders scrambled to prop up overloaded remote access and virtual private network (VPN) environments that were designed to support no more than a small percentage of the workforce. Suddenly, 100 percent of users were working from home, and everyone required access to the tools and information they needed to keep the business up and running.

For quite some time, enterprises have known that legacy hub-and-spoke network architectures would eventually need to be retired. VPN appliances simply aren’t scalable to meet the needs of today’s digital, agile organizations and their users, who need to reliably access applications and data wherever business takes them. VPNs also suffered from security and latency issues that had to be addressed. Because a VPN provides access to an organization’s entire network, it introduces a huge security gap that can be exploited if a threat actor gains access to user credentials. If that happens, the attacker can search and traverse the network without constraints.

IT teams thought they had years to figure out how to scale secure access to their VPNs, but COVID-19 accelerated the timeline to weeks.

Many organizations responded by deploying Zero Trust Network Access (ZTNA) tools as a way to replace or augment existing VPN environments. Based in the cloud, these ZTNA solutions served as highly scalable connections between applications and a highly distributed workforce. However, while IT teams focused on solving the scalability and accessibility issues with VPNs, they were forced to kick the can down the road in terms of security.

The bare-bones ZTNA solutions gave distributed users access to specific applications, but, like VPNs, they did not provide policy enforcement or monitoring capabilities. Once a user (or in unfortunate cases, a threat actor) was authorized to access an application, they could essentially behave in any way they wanted—preventing the organization from identifying abnormal behavior such as making admin or configuration changes or exfiltrating data.

ZTNA solutions provided a crucial band-aid fix to apply in unprecedented times. Now that the dust has settled, it’s time to really fix the VPN problem and apply the necessary stitches.

More than a VPN in the cloud

ZTNA solutions are a critical part of the Secure Access Service Edge (SASE) framework that provides secure access to internal applications regardless of the underlying infrastructure or connection. But simply using ZTNA as a cloud-based VPN is like taking a sports car out for a spin around the block. The unique architecture of ZTNA in the cloud makes it a critical building block for securing digital and cloud transformations, but you have to release the throttle and take advantage of everything ZTNA has to offer.

Here are three things you should look for when evaluating a ZTNA solution as a replacement for or augmentation of VPNs:

1. Policy enforcement

Today, the goal is to provide remote and hybrid users with the same application experience they would have if they were logging in from the office. This includes accessibility, performance, and security. The cloud-based ZTNA architecture ensures accessibility and performance, but IT teams also need a way to enforce security policies on all traffic between users and applications, extending protection beyond the data center. Look for a ZTNA solution that can serve as a central access point for policy management, ensuring that data center security policies are applied to all network traffic—regardless of physical location, underlying infrastructure, or connection type. This type of ZTNA solution closes the critical security gaps in VPN infrastructure that threat actors freely exploited during the early days of the pandemic. It’s important that visibility and control go in both directions—preventing unauthorized user behavior as well as the exfiltration of data from these critical applications.

2. Agentless architecture

Most ZTNA solutions require an agent on the endpoint. This provides reliable application access but requires IT teams to deploy, configure, patch, and maintain the agent—adding more responsibilities and operational costs to an already overextended IT organization. When evaluating a ZTNA solution, organizations should be able to improve their security posture without adding network bloat or operational costs. That’s not to say that agent-based solutions don’t have their place: some applications may require an agent on the endpoint because of their specific requirements. But a client-based architecture should not be the default. Organizations should look for a ZTNA solution that is built on an agentless architecture and has the ability to deploy agents when applications require it.

3. Integration into the full security stack

Your ZTNA solution should not be a stand-alone tool. Instead, it should integrate seamlessly with your existing security stack—including your secure web gateway (SWG), firewall, data loss prevention (DLP), cloud access security broker (CASB), security operations center (SOC), and isolation capabilities. This integration ensures complete control and visibility into network security in today’s decentralized and mobile world, while giving IT teams a consolidated view to monitor and manage it all. No more opening up dozens of control planes to figure out how to implement or fix something. Everything is located in one centralized platform.
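To make the gap between network-wide VPN access and per-application ZTNA policy enforcement concrete (the point made in the opening section and under "Policy enforcement" above), here is an added illustration that is not Menlo's code: a hypothetical, default-deny policy model in which each published application states who may reach it, from what kind of device, which actions they may perform, and how much data may leave. The application names, roles, limits and sample requests are all constructed.

```python
# Added illustration, not Menlo's code: a hypothetical policy model contrasting
# a VPN-style network grant with ZTNA-style per-app, per-action checks.
# App names, roles and limits are constructed.
from dataclasses import dataclass

@dataclass
class Request:
    user: str
    role: str
    device_managed: bool
    app: str
    action: str          # "read", "configure" or "download"
    bytes_out: int = 0   # data leaving the app, for the exfiltration check
# VPN model: one credential check unlocks the whole network; after that,
# every application and every action is reachable without further checks.
def vpn_authorize(req: Request, valid_users: set) -> bool:
    return req.user in valid_users

# ZTNA model: default deny. Each published application carries its own rule
# for who, from which device, may perform which action, and how much may leave.
POLICY = {
    "hr-portal": {"roles": {"hr", "admin"}, "managed_only": True,
                  "actions": {"read", "download"}, "max_bytes_out": 5_000_000},
    "ci-admin":  {"roles": {"admin"}, "managed_only": True,
                  "actions": {"read", "configure"}, "max_bytes_out": 0},
}

def ztna_authorize(req: Request, policy=POLICY):
    rule = policy.get(req.app)
    if rule is None:
        return False, "unpublished app"      # not even reachable
    if req.role not in rule["roles"]:
        return False, "role not entitled"
    if rule["managed_only"] and not req.device_managed:
        return False, "unmanaged device"
    if req.action not in rule["actions"]:
        return False, "action not allowed"    # e.g. a config change by a reader
    if req.bytes_out > rule["max_bytes_out"]:
        return False, "exfiltration limit"
    return True, "allowed"
# Decide each request under both models; where they differ is the gap described above.
def audit(reqs, valid_users):
    return [{"user": r.user, "app": r.app, "action": r.action,
             "vpn": vpn_authorize(r, valid_users), "ztna": ztna_authorize(r)}
            for r in reqs]

# Constructed sample: valid credential on an unmanaged laptop, then an over-limit HR download.
SAMPLE = [Request("alice", "contractor", False, "ci-admin", "configure"),
          Request("bob", "hr", True, "hr-portal", "download", 50_000_000),
          Request("bob", "hr", True, "hr-portal", "read")]
```

Running `audit(SAMPLE, {"alice", "bob"})` shows every request passing the VPN model while the ZTNA model blocks the configuration change and the bulk download and allows only the ordinary read.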

Enabling digital transformation

Work-from-home policies laid bare the challenges of traditional VPN networks for dynamic, agile businesses. At the beginning of the pandemic crisis, IT teams scrambled to empower a distributed workforce virtually overnight with reliable application access that could scale effortlessly through the cloud. Now it’s time to address the inherent security issues by taking the next step in ZTNA deployments. Organizations need a next-gen ZTNA solution that provides reliable availability and performance without ignoring critical security gaps or increasing operational costs.
