May 19, 2024

Zero Trust Network Access (ZTNA) vs Virtual Private Networking (VPN)



Published June 1, 2023, 9:20 p.m. by Monica Louis


Zero Trust Network Access (ZTNA) has several advantages over a traditional virtual private network (VPN) for remote employees. Although a ZTNA license typically costs a little more than a VPN license, its overall cost profile is lower because it removes the VPN hardware, its ongoing maintenance and the trained staff needed to install and upgrade it; it is easier to administer from a single platform; and it improves the user's experience by routing traffic to data-center and cloud resources more directly instead of hairpinning it through one or two data centers. Further, because access is granted per application from a default-deny starting point, limiting what users can reach at the application level reduces the need for complex micro-segmentation in your network.

Learn more about ZTNA - https://youtu.be/9BNQRuLYJsg

Feel free to reach out to continue the conversation: smurphy(at)myarg(dot)com.

We can do better providing employees access to their critical work resources no matter where they are. If you're still using a traditional VPN, we can do better. Let's discuss zero trust network access and talk about how that can replace the traditional VPN.

Hi, I'm Steve Murphy. I'm a vice president at ARG, and while I work for ARG, this video is my own and does not represent the views or opinions of my employer. This channel is dedicated to helping technology leaders make great business decisions, and traditional networking methods that rely on hardware-based VPNs are not a great business decision in this day and age. VPNs just aren't as practical for securing today's network environment. VPNs are nearly 30 years old, invented when internet access was in its infancy and security and access to workloads were very different.

Back then, through until just a few years ago, the old hub-and-spoke approach and data centers were fine; VPN was more or less fine as well. People were still going to work at their offices five days a week, and all the corporate resources were on company-managed servers in some computer closet. If you had a remote employee, they were typically the exception, and they understood that getting back to corporate resources was a bit of a challenge. You were generally just coming to the data center and not seeking internet access over that VPN as well; internet access was generally done outside the VPN, at least that's been my experience.

But the cloud, in combination with a truly mobile workforce as well as a heightened concern around cyber security, has changed all of that, and IT managers have to organize and accommodate not only on-prem corporate resources but cloud-based services such as Salesforce, Office 365 and so forth.

To deal with this evolution and the mobile workforce that we have, we've developed two basic solutions. The first is to use that legacy VPN to connect to the business network and then jump to internet resources from there. It's not a great experience for IT, since this usually requires manual configuration at the router level and latency complaints that can be hard to solve from the end user. Speaking of the end user, it's not that great of an environment when more and more people are working remotely, and that's not likely to change even though we're getting back to the office and in-person meetings. A full 90% of companies surveyed still plan on sticking with some remote or hybrid work model. In short, the remote revolution is here to stay.

So let's take a look at the second option, zero trust network access or ZTNA, and see how that compares to an on-prem hardware solution.

Now, if you're not familiar with ZTNA, it starts from a position of denying access to everything for everyone, and then you open up the resources based upon the rules that you create. I like to use a hypothetical exclusive hotel analogy. Imagine the most exclusive hotel possible, a place where the famous go and don't want to be seen or see anyone else. Now I know this analogy isn't perfect, but just work with me on this. If you have a better way of explaining it, please share in the comments; I'd love to get a new way of sharing how ZTNA works with people who aren't familiar with the concept. But anyway, I've also got some deeper dives on my channel. I'm going to put a link to one of those videos in the description of this video, in the notes of this video, so if you want to get some more information on ZTNA you'll have a resource. I'm not going to go into the details too much in this video.

So ZTNA is like staying in this exclusive hotel. Your identity is confirmed before you even enter the property. You go straight through the lobby without seeing a soul. You get on the elevator, and the only floor button that's presented is yours; you can't even see the other floors as options. And as you're walking down the hallway to your room, you can't even see that there might be other rooms nearby. The only door you can see is yours. You use your key that only allows you access to your particular room, and you have no idea what other rooms or other guests are at the hotel, nor do they see you or your room. So that's how I explain ZTNA to others not as familiar with the concept.

If a bad actor tries to impersonate our hypothetical celebrity, they may get into the hotel. They may even get access to a room. But the only thing that they can see is that particular room. That limits the attack surface to a very small segment of your environment.

So what are the advantages of ZTNA over the traditional VPN?

Well, first is cost. Zero trust network access reduces configuration and complexity as well as onboarding time. Cloud security services eliminate the need for storage and maintenance. On the VPN side, hardware is still required, and it requires a manual installation and configuration and physical storage space. You need to install and maintain the platform on an ongoing basis, and it requires trained people to make those installations and those upgrades. ZTNA does typically cost a little more than a traditional VPN license, but you get much more, in my view.

For unified management, ZTNA networks and users are easily managed from one single platform. On the VPN side, hardware is individually managed across multiple offices with complex interfaces, unless you have a management platform, which typically is an extra cost and extra configuration on your part.

With regard to network performance, you get faster connections with ZTNA and better network performance overall, with users able to route more directly to their desired resources, whether they be in the data center or in the cloud. For VPNs you generally have one or two data centers for your on-prem platform. It's a non-optimal traffic routing that causes users to experience low performance. So everyone has to be forced through those one or two data centers, through your VPN platform, through your security stack in general, and then they get to go out to the internet, do their work, and that traffic has to come back through the data center, all to ultimately be delivered over the VPN tunnel back to the user. It's referred to as hairpinning. I've got a bunch of videos on hairpinning and why it's not a good idea.

Now let's move on to the next one: user identification. User access with identification and multi-factor authentication is available with ZTNAs. With VPNs, user identities have to be managed across multiple firewalls, and the identity platforms that you can choose from and integrate with may be limited.

With ZTNA, well, you get zero trust application access, as the name would imply. You can provide access to as many or as few applications as the user requires. With a VPN there's no inherent segmentation of application access.

And that gets us to our last item: micro-segmentation. Users access only permitted resources across the networks with ZTNA, but you have to separately segment and manage those segments, or micro-segments, in your network with a traditional VPN, and this can be extremely complex and expensive.

I guess to sum this up, today's mobile corporate worker needs a new solution that allows them to access the internet securely without having to jump through an overly complex network. That's the promise of ZTNA. In fact, using ZTNA will turn the internet itself into your corporate network: no more forcing traffic through headquarters or branch offices that could be hundreds or even thousands of miles away. Instead you hit the cloud services more directly. Now, we'll say you do have to go through most ZTNA providers' networks, and so it's not truly a direct route to those cloud workloads, but if your ZTNA provider has a good PoP density, we'd expect a vastly superior experience to the traditional VPN. So PoP density and locations are one of your more important purchasing considerations when you're looking at ZTNA.

I just wanted to mention that one of the killer features in this model is a device posture check, which takes permission policies right down to each employee's end user device. It sets the requirements for individual devices before they ever gain access to the company resources, and it requires attributes such as the presence of a specific antivirus solution, an operating system update, or specific files or certificates being present on that device. And yes, device posture checks are now available from some VPN platforms, but I've heard mixed reviews there.

We also want ZTNA to address outside contractors and provide them with an agentless access feature. This feature allows you to provide limited access through a web-based portal to third-party contractors and employees who need access from any device. The best part is that all of this can be deployed with a few clicks and finished within minutes or maybe a few hours, depending upon the size of your network.

So that's ZTNA. It used to be super hard to deploy, not gonna lie there, but improvements have been dramatic and it's a mature offering at this stage. If you want to continue the conversation, feel free to reach out; my contact information is in the description of this video. If you got some value, I'd appreciate a like or thumbs up below, and thank you very much for doing that in advance. And if you want to find your way back to this channel in the future, just hit that subscribe button; that will allow you to come back here at your convenience. Thanks very much for watching, and I hope you have a great day.
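The deny-by-default, per-application, posture-gated access model described in the video (the "only your floor button" rule, the impersonator who still only reaches one room, the device posture check, and the agentless contractor portal), as an added example that is not code from the video, from ARG, or from any ZTNA product. The identity directory, application names, group names, posture attributes and version thresholds are all constructed for the illustration:

```python
"""Toy ZTNA policy broker (added example; not the video's or ARG's code).

Deny everything by default, then open individual applications to an identity
that has passed MFA and belongs to an allowed group, on a device that meets
the application's posture requirements (antivirus agent reporting, minimum OS
version, organisation-issued device certificate). The directory, application
names and thresholds below are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed identity directory: user -> groups. A real broker takes this from
# the identity provider's assertion after MFA, not from a table in memory.
DIRECTORY: dict[str, frozenset[str]] = {
    "alice": frozenset({"finance", "staff"}),
    "bob": frozenset({"engineering", "staff"}),
    "contractor1": frozenset({"contractors"}),
}


@dataclass(frozen=True)
class DevicePosture:
    """Facts the endpoint agent (or, for agentless access, the portal) reports."""
    av_agent: Optional[str]       # antivirus product reporting in, or None if absent
    os_version: tuple[int, int]   # (major, minor) of the operating system
    has_device_cert: bool         # organisation-issued device certificate present


@dataclass(frozen=True)
class AppRule:
    """What one application demands. Absent a rule, the application is unreachable."""
    groups: frozenset[str]                 # membership in any one of these is required
    min_os: tuple[int, int] = (0, 0)       # lowest acceptable OS version
    require_av: bool = True
    require_cert: bool = True


# Per-application rules. There is deliberately no wildcard or default entry:
# an application that is not listed cannot be reached by anyone.
APP_RULES: dict[str, AppRule] = {
    "erp": AppRule(groups=frozenset({"finance"}), min_os=(14, 0)),
    "gitlab": AppRule(groups=frozenset({"engineering"}), min_os=(14, 0)),
    # Agentless, browser-only app for contractors: no AV or certificate demanded,
    # but it is the only thing the contractor group can ever see.
    "ticketing": AppRule(groups=frozenset({"contractors", "staff"}),
                         require_av=False, require_cert=False),
}


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


NOT_FOUND = "no such application"


def evaluate(user: str, mfa_verified: bool, posture: DevicePosture, app: str) -> Decision:
    """Decide one access request. Every path that does not explicitly allow denies."""
    rule = APP_RULES.get(app)
    if rule is None:
        return Decision(False, NOT_FOUND)
    if not mfa_verified:
        return Decision(False, "mfa required")
    # An unentitled user gets the same answer as for a non-existent app, so a
    # probe cannot enumerate which applications exist behind the broker.
    if not DIRECTORY.get(user, frozenset()) & rule.groups:
        return Decision(False, NOT_FOUND)
    # Device posture checks run only once identity is established; their
    # reasons are specific because the legitimate user needs to fix the device.
    if rule.require_av and posture.av_agent is None:
        return Decision(False, "device posture: no antivirus agent reporting")
    if posture.os_version < rule.min_os:
        return Decision(False, "device posture: operating system below minimum")
    if rule.require_cert and not posture.has_device_cert:
        return Decision(False, "device posture: device certificate missing")
    return Decision(True, "allowed")


def visible_apps(user: str, mfa_verified: bool, posture: DevicePosture) -> list[str]:
    """The 'only your floor button' view: list just what this request could open."""
    return sorted(app for app in APP_RULES
                  if evaluate(user, mfa_verified, posture, app).allow)


if __name__ == "__main__":
    managed = DevicePosture(av_agent="ExampleAV", os_version=(14, 4), has_device_cert=True)
    unmanaged = DevicePosture(av_agent=None, os_version=(13, 2), has_device_cert=False)
    print(visible_apps("alice", True, managed))          # ['erp', 'ticketing']
    # Stolen credentials that even pass MFA, but from an unmanaged machine:
    print(evaluate("alice", True, unmanaged, "erp"))     # denied: no antivirus agent reporting
    print(visible_apps("contractor1", True, unmanaged))  # ['ticketing']
```

Two design points are worth noting. An entitled user on a device that fails posture gets a denial that names the failing attribute, because that user needs to fix the device; a request for an application the user is not entitled to gets exactly the same answer as a request for an application that does not exist, which is the "can't see the other floors" property from the hotel analogy applied to the API rather than just the portal listing. A real broker would source the group membership and posture facts from the identity provider and endpoint agent after the MFA step rather than from in-memory tables, but the evaluation order (identity first, then posture, then a single explicit allow) is the part that carries over.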
