VPN to ZTNA – A Paradigm Shift in Secure Remote Access

Before this year’s Gartner Security & Risk Management Summit even started, I had a sense that, given the extraordinary events that occurred across the world this year, security techniques related to secure remote access, cloud-based access control and endpoint security would be on Gartner’s lists of top security projects or strategies. It turned out to be true.

It is obvious that the prolonged shelter-in-place orders due to the COVID-19 pandemic and the slow economic reopening have, in some respects, permanently changed how companies and organizations conduct business and, in many cases, permanently shifted how employees will work in the future.

At the top of Gartner’s list of security projects through 2021 is “securing the remote workforce”. According to Gartner, companies “turned on” remote capabilities in March, willingly or unwillingly, and are now facing requirements gathering and needs assessment: security teams need to know whether they opened up too much access for their employees.

More than half of 2020 has passed, and many corporate workers are still working from home, meeting and discussing over Zoom or other virtual meeting tools, and logging into corporate networks remotely to access resources in corporate datacenters. This is most likely to remain the case for the rest of the year or even longer. Many companies now even offer their employees the option to work from home permanently.

The massive exodus from the office to working remotely from home opens up new opportunities for both corporations and their employees. Although many of these are positive, it also introduces new problems and challenges, both cultural and technical, that we have not met before. Specifically, one of the critical tasks is how to provide efficient remote access that maintains or improves productivity and user experience while at the same time ensuring that the access is secure and shields the organization from the threats that come with an increased attack surface. That is why securing the remote workforce is on Gartner’s list of top security projects going into 2021.

Remote access VPN, or SSL VPN, has been the most common remote connectivity option in use today. Typically, the user downloads and installs a VPN client on a laptop or mobile device. When the user wants to access the corporate network remotely, for example on a business trip or, in this case, when working from home, he is first authenticated using various forms of passcodes or other verification techniques. Once authenticated, a secure VPN tunnel is created between the user’s device and the corporate network gateway over the wide area network, and data sent over this tunnel is encrypted. The connection over this secure tunnel allows the user to communicate back to the corporate network without requiring private or dedicated lines.

Remote access VPN has been providing secure communications between user devices and corporate networks for a long time, and it is very mature in terms of technology and deployment. SSL VPN has many benefits, but it also has limitations and disadvantages, notably the following:

  • Scaling and performance. VPN tunnels are usually terminated at the corporate gateway (usually a next-generation firewall or security gateway device). Encrypted traffic is decrypted there and forwarded to the destination. Though system performance has improved drastically over the years, it is often outpaced by the ever-growing number of VPN connections, and working from home during the pandemic makes it even worse. Additional capacity needs to be added to handle large numbers of concurrent VPN connections.

  • User experience. From novice to experienced users, it is often cumbersome to install and upgrade client software, maintain passcodes and fobs, select or switch the site to connect to, or chain multiple connections in order to reach different resources. Network latency or unstable network connections can also make for an infuriating user experience.

  • Security. The other important aspect is security. Once the user is authenticated and logged in, the network border vanishes: the user is effectively opened to the entire corporate network. This introduces new security threats. If the user’s credentials or device are compromised, or the communication channel is tampered with through a man-in-the-middle (MITM) or other backdoor attack, “Pandora’s Box” is opened. Trojans, worms or other malware can then penetrate the security defenses at the network perimeter without being noticed.

Nowadays, more and more organizations are moving their business from on-premises corporate datacenters to the cloud and providing cloud-based services, and they are moving at rapid speed. In fact, Gartner projects the cloud services industry to grow exponentially through 2022, with the market size and growth of the cloud services industry at nearly three times the growth of overall IT services.

Cloud migrations and cloud services are shaking up the entire industry, from infrastructure, platform and networking to applications. Network borders are blurred and extended; access control needs to be more stringent yet more user friendly; cloud resource management needs to be more dynamic and adaptive; application controls need to be more fine-grained; east-west traffic inside cloud networks needs to be more visible; and so on. On top of all these changes, end-to-end security is one of the crucial factors across the entire spectrum of today’s cloud service migrations. As a result, we are seeing more emerging remote access architectures and technologies, and Zero Trust Network Access (ZTNA) is a promising one among them.

Zero Trust Network Access (ZTNA) is also known as the software-defined perimeter (SDP). It is a model and a set of associated technologies that offer a dynamic and adaptive trust model, implicitly starting from the “least trusted user” and “least access privileges”. Access to applications, data and other cloud services is restricted through a trusted broker, which authenticates the applicants. Granular security policies are associated with individual applications or groups of applications, allowing finer control. Only allowed applications and services are visible and accessible to the applicants. The ZTNA architecture establishes a clear boundary around applications and their users.

The ZTNA architecture reverses the philosophy of legacy approaches to network and application security, where users and applications were trusted to be secure just because they had been authenticated at the network perimeter.

ZTNA is not a single technology or an individual add-on feature on top of today’s existing secure access technology. It is rather a new strategy that includes several different aspects of networking and security technologies and services.

At the heart of ZTNA is user and device identity security. In the ZTNA model, a user’s identity, credentials and behavior are continuously monitored, and the trust placed in them is adapted to govern authentication and access privileges. Multiple technologies, including machine learning, have been developed to enable stronger user and device identity security, for example using multi-factor authentication combined with user behavior to grant least access privileges and then adaptively and dynamically adjust them at run time.

The other important aspect of the ZTNA model is micro-segmentation. Users, applications and data can be segmented at finer granularity, and each can have its own security policy to control access, visibility and user-visible behavior. Users can only “see” and access what they are allowed to. This is a significant contrast to the “all or nothing” access of remote access VPNs.

The third important element in ZTNA is comprehensive visibility at all levels, including users, devices, applications, data and east-west traffic. Only with continuous and consistent visibility into the user, his behavior, and the data or applications he is trying to use or access can security controls and enforcement be applied precisely, with the boundary around users and their applications extended as little as possible.
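To make the three elements concrete, here is an added example (not code from the original post or from any ZTNA product) of a minimal ZTNA-style broker in Python: per-application policies stand in for micro-segmentation, the session’s risk score is assumed to come from behaviour analytics, every decision is written to an audit list for visibility, and a legacy VPN-style check is included for contrast. All users, groups, apps and policies are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass
class Session:
    user: str
    groups: Set[str]
    mfa_verified: bool
    device_managed: bool
    risk_score: int  # 0-100; assumed to be fed by behaviour analytics

@dataclass
class AppPolicy:
    app: str
    allowed_groups: Set[str]
    require_mfa: bool = True
    require_managed_device: bool = False
    max_risk: int = 50  # deny once the session's risk score exceeds this

# Constructed per-application policies (micro-segmentation: one policy per app)
POLICIES: Dict[str, AppPolicy] = {
    "wiki": AppPolicy("wiki", {"staff"}, require_mfa=False),
    "payroll": AppPolicy("payroll", {"finance"}, require_managed_device=True, max_risk=20),
    "git": AppPolicy("git", {"engineering"}, require_managed_device=True),
}
AUDIT: List[Tuple[str, str, bool, str]] = []  # (user, app, allowed, reason)

def visible_apps(s: Session) -> Set[str]:
    """ZTNA broker: only apps the subject is entitled to are discoverable at all."""
    return {p.app for p in POLICIES.values() if s.groups & p.allowed_groups}

def broker_decision(s: Session, app: str) -> Tuple[bool, str]:
    """Default-deny, per-app decision that can be re-evaluated at any point in a session."""
    p = POLICIES.get(app)
    if p is None or not (s.groups & p.allowed_groups):
        verdict = (False, "not entitled")         # app is invisible, not merely blocked
    elif p.require_mfa and not s.mfa_verified:
        verdict = (False, "mfa required")
    elif p.require_managed_device and not s.device_managed:
        verdict = (False, "unmanaged device")
    elif s.risk_score > p.max_risk:
        verdict = (False, "risk score too high")  # adaptive: a live session can lose access
    else:
        verdict = (True, "allowed")
    AUDIT.append((s.user, app, verdict[0], verdict[1]))  # visibility: every decision is logged
    return verdict

def vpn_reachable(s: Session) -> Set[str]:
    """Legacy remote-access VPN: one authentication exposes every app on the network."""
    return set(POLICIES) if s.mfa_verified else set()
```

Re-running `broker_decision` for the same user with a raised risk score shows the adaptive side: an app that was allowed a moment ago is denied, while the VPN-style check still returns the whole network.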

According to Gartner’s prediction, by 2022, 80% of new digital business applications opened up to ecosystem partners will be accessed through zero trust network access (ZTNA). By 2023, 60% of enterprises will phase out most of their remote access VPNs in favor of ZTNA.

ZTNA solutions are typically cloud-based, so they are elastic and scale well as demand or subscriptions increase. With ZTNA, unlike remote access VPNs, users are not trusted by default: they only see what they are supposed to see and do what security policies allow them to do, which greatly reduces the attack surface and minimizes security risk. Moving from traditional remote access VPNs to ZTNA is a great leap forward in safely and securely enabling organizations to migrate their digital business to cloud-based services.