5 reasons to make the switch from corporate VPNs to zero trust network access solutions

David Haadsma, 9 Feb 2021

Find out how ZTNA technology benefits both users and security teams

For businesses needing secure access to their privately hosted applications, remote access VPNs have been the traditional solution – but they are slow, not user friendly, and most importantly, present security gaps. That’s where zero trust network access can fill a pressing need.

Traditionally, when organizations wanted to secure remote access to business resources, the corporate virtual private network (VPN) was the method of choice. A VPN creates an encrypted tunnel between an offsite worker and on-premises business systems, such as a CRM server. But remote access VPNs are often slow, because they backhaul all of the user's traffic through a corporate gateway that might be thousands of miles away from the user, and once the tunnel is up the user's device is effectively on the corporate network.

With most organizations now following cloud-first or hybrid models, and many workers collaborating remotely, mission-critical resources – and those accessing them – are distributed across corporate networks, public clouds, and private clouds. Defining and securing a perimeter based on the network a user connects from is no longer fit for today's needs. Zero trust network access solutions, which focus on authenticated user access to applications rather than on connecting devices to a network, are a better fit for modern connectivity. Instead of punching holes in the firewall and letting users (and bad actors) inside the network, ZTNA connects each authenticated user directly, and only, to the specific applications they are authorized to use.

What are zero trust network access solutions?

Zero trust network access (ZTNA) technology is based on the Software Defined Perimeter (SDP) and Software Defined Network (SDN) models. Under these models, access is granted by connecting an authenticated user only to the applications they need to do their job. Compare this with the traditional VPN flow: the user logs in to the VPN, is placed inside the network, and then connects to the needed application with a second login. Between those two logins the device can reach whatever else is routable on that network segment.

With ZTNA, the new security perimeter is the brokered connection between a remote user and the specific (allowed) areas of an application. The distinguishing feature of this model is that trust is based on the authenticated user (and, typically, the device they are using), and access is configured granularly, down to particular areas of the app. The software, rather than the network, defines the micro perimeter that is protected.

Why are ZTNA solutions better than corporate VPNs?

Relative to using remote access VPNs to secure access to applications, ZTNA solutions have several advantages for companies. To understand why they continue to increase in popularity, let’s explore what makes ZTNA so different from the traditional corporate VPN.

1. Reduced attack surface, limited damage

Regardless of whether users are connecting remotely or from within the business, ZTNA solutions are designed to give them access to specific applications (or parts of them). They follow a "zero trust" and "need to know" model: nothing is reachable unless a policy explicitly allows it, so administrators can be strict in the access policies they configure.

Configurations tend to be granular. Administrators can grant or restrict access to certain functionalities of an application – a practice that would be practically impossible to achieve with remote access VPNs, which grant users access to a network segment where an application is hosted rather than just to the application itself. The security objective of this is simple: to reduce the potential attack surface in the event of a successful security breach. 

Consider, for instance, a user who accesses critical on-premises business systems through a corporate VPN from an infected endpoint. Because the VPN places the endpoint on a routed network segment, the malware can use the tunnel to scan for and attack other hosts on that segment, potentially infecting many systems. Even a modest payload could do enormous harm to the company.

In contrast, if the same company were using a ZTNA solution, the compromised endpoint would be brokered only to the application (or part of an application) that user is allowed to reach, with no route to anything else. The malware could still abuse the permitted application with the user's own privileges, so ZTNA is not a substitute for endpoint protection, but the blast radius is limited to that one application rather than the whole network.

ZTNA also reduces the external attack surface. Unlike remote access VPNs, a ZTNA deployment does not require firewall changes for inbound listening ports, nor a public IP address or DNS record for the VPN gateway. Instead, lightweight ZTNA connectors next to the application open outbound TLS connections to the cloud-based brokering service, so there is nothing for an attacker to scan for or brute-force from the internet.

2. Cloud-first solutions

ZTNA solutions are a much more logical choice for organizations that have already transitioned most business systems to the cloud. 

Given that virtually all cloud-hosted applications are already protected by TLS encryption, transport security is no longer the problem a VPN tunnel has to solve; the harder question is who may reach which application, from which device. Much has changed since corporate VPNs were first introduced, and companies are looking for systems whose native architecture reflects that.

Instead, trusted users and devices can be authenticated and authorized on a per-application basis, irrespective of where they are connecting from. For instance, a ZTNA solution could allow access from enrolled (allow-listed) devices to the company CRM, but not to a different business system like the ERM. With remote access VPNs, expressing such gradations in access policy is cumbersome, because the VPN's unit of access is a network segment rather than an application.

For cloud-first organizations, ZTNA solutions also fit much more congruously with the type of workflows that administrators need to secure. Plus, authentication is location and network agnostic. Remote workers can be authenticated with applications wherever they are connecting from – no VPN client is required.
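The per-application, per-path, per-device authorization described in the "Reduced attack surface" and "Cloud-first" sections above can be made concrete with a small policy decision point. The code below is an added illustration written for this page; it is not code from the original article or from any Avast product. The company, users, groups, device IDs, application names and IP ranges are all constructed. It contrasts a ZTNA-style decision (identity, device and requested path, default deny, most specific rule wins) with a VPN-style check that only asks whether the client holds an address in the VPN pool, and it normalizes the request path so that `..` segments or doubled slashes cannot be used to slip past a more restrictive rule.

```python
import posixpath
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Identity:
    """What the ZTNA broker knows after authentication: the user, group
    claims from the identity provider, the device that connected, and
    whether MFA was completed in this session. All values are constructed."""
    user: str
    groups: frozenset
    device_id: str
    mfa_passed: bool


@dataclass(frozen=True)
class Rule:
    """One allow rule: these groups may reach this application at or below
    this path. Anything not matched by a rule is denied (default deny)."""
    app: str
    path_prefix: str          # normalized; no trailing slash except "/"
    groups: frozenset
    require_mfa: bool = True


# Constructed policy for a fictitious company (hypothetical names).
ENROLLED_DEVICES = frozenset({"laptop-0042", "laptop-0077"})
POLICY = (
    Rule("crm", "/",      frozenset({"sales", "sales-admins"})),
    Rule("crm", "/admin", frozenset({"sales-admins"})),
    Rule("erm", "/",      frozenset({"finance"})),
)


def normalize(path: str) -> str:
    """Collapse '..' segments and leading double slashes before matching,
    so '/admin/../x' or '//admin/users' cannot match the wrong rule."""
    return "/" + posixpath.normpath("/" + path).lstrip("/")


def _under(path: str, prefix: str) -> bool:
    """True if path is the prefix itself or lies below it."""
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")


def ztna_decide(identity: Identity, app: str, path: str):
    """ZTNA-style per-request authorization. The answer depends on who the
    user is, which device they are on and which application path they asked
    for, not on which network they sit in. Returns (allowed, reason)."""
    if identity.device_id not in ENROLLED_DEVICES:
        return False, "device not enrolled"
    path = normalize(path)
    candidates = [r for r in POLICY if r.app == app and _under(path, r.path_prefix)]
    if not candidates:
        return False, "no rule covers this application/path (default deny)"
    # The most specific prefix wins, so '/admin' is not overridden by '/'.
    longest = max(len(r.path_prefix) for r in candidates)
    for rule in candidates:
        if len(rule.path_prefix) != longest or not (identity.groups & rule.groups):
            continue
        if rule.require_mfa and not identity.mfa_passed:
            return False, "MFA required for this path"
        return True, f"{rule.app}{rule.path_prefix} allowed for {identity.user}"
    return False, "identity is not in a group permitted for this path"


# VPN-style contrast: constructed client pool and routed corporate segment.
VPN_CLIENT_POOL = ip_network("10.200.0.0/16")
CORP_SEGMENT = {"crm-app": "10.10.1.20", "erm-app": "10.10.1.30", "db-server": "10.10.1.40"}


def vpn_reachable(client_ip: str, host: str) -> bool:
    """Once a client holds a pool address it can reach every host on the
    routed segment, whatever its user actually needs."""
    return ip_address(client_ip) in VPN_CLIENT_POOL and host in CORP_SEGMENT


if __name__ == "__main__":
    alice = Identity("alice", frozenset({"sales"}), "laptop-0042", mfa_passed=True)
    bob = Identity("bob", frozenset({"sales-admins"}), "laptop-0077", mfa_passed=True)
    for who, app, path in [(alice, "crm", "/contacts"),
                           (alice, "crm", "/admin/users"),
                           (alice, "crm", "/admin/../contacts"),
                           (alice, "erm", "/reports"),
                           (bob, "crm", "/admin/users")]:
        print(who.user, app, path, ztna_decide(who, app, path))
    # The same laptop on a VPN: the pool address alone makes db-server reachable.
    print("vpn db-server:", vpn_reachable("10.200.3.7", "db-server"))
```

The point of the contrast is the unit of access: `vpn_reachable` can only say "this address is on the inside", so an infected laptop in the pool reaches the database server it has no business talking to, whereas `ztna_decide` never sees a network at all and answers per application path. The path normalization matters in practice because a real ZTNA broker sits in front of HTTP applications, and a prefix rule that is matched against the raw request path can be bypassed with `..` or doubled slashes that the backend later collapses.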

3. Better user experience

Accessing applications protected by a ZTNA solution is much easier for users than going through a corporate VPN. For web applications it is as simple as opening a browser. Users don't need to remember whether they are reaching an internal or an external application, and they don't need to install a VPN client or keep a separate set of VPN credentials and MFA prompts on top of the application login: authentication happens once, against the organization's identity provider, and is reused per application. For companies this means less friction, and cybersecurity teams no longer need to battle colleagues over VPN compliance.

ZTNA solutions also tend to deliver faster connections than VPNs, because traffic goes to the application rather than being backhauled through a distant VPN concentrator first. Users get a more seamless experience and spend more time on their work, rather than waiting for applications to load.

4. Less infrastructure for IT to manage

Deploying a corporate VPN for securing network access is a complicated technical endeavor that requires significant resources. Network administrators need to provision servers on-premises and often need to replicate the gateway at each of their data center locations.

In contrast, deploying a cloud-hosted ZTNA solution eliminates the VPN concentrators and the public-facing gateway infrastructure. What remains on the organization's side is the lightweight connector software next to each application, which needs only outbound connectivity.

5. Cost savings

Several features of ZTNA solutions can make them less expensive to operate than remote access VPNs:

  • They are easily scalable and quick to deploy, meaning less time spent on rollout and user training
  • There is no complex VPN infrastructure to maintain
  • A better user experience makes employees more productive

As a side benefit, this security model works well with 'bring your own device' (BYOD) policies, since access is tied to an authenticated user and an enrolled device rather than to a corporate-managed network. Organizations may therefore find that they have reduced hardware costs in terms of issuing computers to employees.

ZTNA solutions are a win-win 

So, why is ZTNA technology better than a corporate VPN? Because it offers a win-win: the access model is both easier for users and more powerful for security teams, who get per-application policy and a smaller attack surface instead of a network-wide tunnel.

Discover Secure Private Access

Offering a 100% cloud-delivered zero trust network access solution, the Avast Business Secure Private Access tool is built with end-users and IT admins in mind. Using lightweight software, Secure Private Access connects users and applications in the cloud, for happier, more productive users who connect anytime, anywhere to secure networks.