Virtual private network (VPN) usage soared in March 2020 as employers sought to connect a growing number of homebound employees to company resources.
But limitations of VPNs—namely, drawbacks in security and scalability—have left an opening for a technology area known as “zero-trust network access” (ZTNA), according to industry consultants.
VPN’d
While a VPN provides an encrypted tunnel to a network, its benefits don’t always impress IT pros.
- Scalability: The road gets crowded—and network performance potentially degraded—when a whole work-from-home workforce bottlenecks to the same destination. “If you’re going to scale big and you’re going to want lots of people coming in remotely, there are much more cost-effective approaches,” said Dan Lohrmann, field CISO at the IT services provider Presidio.
- Security: A tunneled device is not within your direct control, said Paddy Harrington, senior analyst at Forrester. “Sure, business traffic goes down the VPN, but internet traffic heads out my home network,” Harrington told IT Brew. “Well, what else on that home network could jump onto my device and then go on across the business network?”
Gartner sees a growing interest in the area of technologies known as ZTNA.
“Most organizations adopting ZTNA services are looking beyond VPN approaches due to the spike in remote working, combined with unmanaged device usage,” the consultancy said in a report updated in April 2022.
ZTNA: not a warrior princess
‘Zero trust,’ according to Forrester, is an information security model that denies access to applications and data by default, where “Threat prevention is achieved by only granting access to networks and workloads utilizing policy informed by continuous, contextual, risk-based verification across users and their associated devices.”
In other words: User access is limited to explicitly authorized applications.
If a VPN is the tunnel that hides your car, zero trust sends a few boxes from the trunk rather than the whole Buick—directly to the person on the other side, while checking along the way to make sure that what’s said to be in the boxes is really in the boxes, said Harrington, who considers ZTNA to be a “really good” replacement for traditional VPNs.
“It’s connecting at an application level, versus at a device level,” Harrington told IT Brew. “So, it’s not just saying ‘you can only get to web apps,’…it’s saying, ‘If I’m going to set up a connection from your endpoint to the business network, it’s going to be restricted to this particular application, talking to this set of application servers in this set of data in this location.”
Gartner estimates that by 2025, at least 70% of new remote-access deployments will be served predominantly by ZTNA as opposed to VPN services, up from less than 10% at the end of 2021.
Many technology options support a zero trust model, including software-defined wide area networks (SD-WANs), secure web gateways (SWGs), and cloud access security brokers (CASBs), said Lohrmann, but identity is central to the concept: “Who are you? What can you access? What are you authorized to access? What are you accessing? And then monitoring all around that.”
A VPN isn’t really following zero-trust principles at all, said Lohrmann: “It’s just giving you a point-to-point secure encrypted connection.”