ZTNA vs. VPN: Which approach is better for enterprise security?

Author: Satta Sarmah Hightower

Critical business decisions about zero trust network access (ZTNA) vs. virtual private network (VPN) approaches to enterprise security are currently driven by the rise of hybrid work and the increasing use of cloud-based services. These important trends mean that organizations can no longer rely on traditional perimeter-based security to effectively combat security threats.

Here is a breakdown of ZTNA vs. VPN, including their differences and how ZTNA interacts with secure access service edge (SASE), to help you decide on the best security approach for your business.

ZTNA vs. VPN: What’s the difference?

Approach to security

ZTNA is an identity-driven security model that combines a range of security automation tools with adaptive security policies to restrict or grant access to an organization's network. It's anchored on the principle of least privilege, which means users only have access to the data and applications they need based on their roles. ZTNA assumes every user or device requesting access is a potential threat and enables context-aware, risk-based security decision-making that allows organizations to effectively protect their networks.

VPN security encompasses an entirely different approach. VPNs allow employees or other authorized users to connect remotely, with firewall protection at each connection point or on the actual device. Data is encrypted and is transmitted through a virtual tunnel to securely connect a user to the internet from their respective location. VPNs use a central entry point to authenticate users and protect the perimeter, whereas ZTNA security is dynamic and based on real-time risks in an organization's environment.
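To make the contrast concrete, here is an added example (not Verizon's code, nor any vendor's product logic) of a toy policy engine: the VPN model authenticates once at a central gateway and then exposes the whole flat network, while the ZTNA model decides access to a single application from identity, role, device posture and a current risk signal, and re-checks that decision after the grant. The application catalogue, role names and risk thresholds are constructed for illustration.

```python
from dataclasses import dataclass, replace
from typing import Set, Tuple

@dataclass
class Request:
    user: str
    role: str
    app: str               # the one application the user is asking for
    device_managed: bool   # device posture signal (constructed)
    mfa: bool              # identity verified with MFA
    risk_score: int        # constructed risk signal, 0 (clean) to 100 (compromised)

# Constructed catalogue: which roles are entitled to each app (least privilege)
# and how much session risk the app tolerates before access is refused.
APPS = {
    "payroll": {"roles": {"finance"},             "max_risk": 20},
    "wiki":    {"roles": {"finance", "engineer"}, "max_risk": 60},
    "git":     {"roles": {"engineer"},            "max_risk": 40},
}

def vpn_decision(req: Request) -> Set[str]:
    """VPN model: one authentication at the gateway, then every app on the
    network is reachable regardless of role, device posture or risk."""
    if not req.mfa:
        return set()
    return set(APPS)

def ztna_decision(req: Request) -> Tuple[bool, str]:
    """ZTNA model: identity, role, device and risk decide access to ONE app.
    Returns (allowed, reason) so the reason can be logged for detection."""
    policy = APPS.get(req.app)
    if policy is None:
        return False, "unknown application"
    if not req.mfa:
        return False, "identity not verified"
    if req.role not in policy["roles"]:
        return False, "role not entitled (least privilege)"
    if not req.device_managed:
        return False, "unmanaged device"
    if req.risk_score > policy["max_risk"]:
        return False, "risk score exceeds app threshold"
    return True, "allowed"

def reevaluate(req: Request, new_risk: int) -> Tuple[bool, str]:
    """ZTNA keeps evaluating after the grant: a session whose risk signal
    rises (e.g. malware detected on the device) loses access to the app."""
    return ztna_decision(replace(req, risk_score=new_risk))
```

Note how the VPN path returns the same network-wide set for a finance user and an engineer, which is exactly the lateral-movement exposure the ZTNA path removes by answering only for the requested app.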

Complexity

Organizations that use VPNs for remote access have to decide where to place VPN gateways for good performance and user experience. But because VPNs rely on appliances, they're infrastructure-centric and limited in the capacity and number of entry points they can provide. VPNs can make sense for on-premises environments and flat networks, but most organizations now operate within a hybrid cloud environment with hundreds, if not thousands, of endpoints connecting to their networks. VPNs also require organizations to adjust routing for new user groups and to create firewall or access control list rules to authorize access to applications. This adds complexity and risk, which in turn requires multilayered security, robust security intelligence and automation, all of which ZTNA technologies encompass.

Performance

Performance is another point of difference when you compare ZTNA vs. VPN. VPNs often have slower connections because they must backhaul traffic to a centralized enterprise data center: the farther a user is from that data center, the slower the connection will be. This can delay user access to data-intensive work-from-home applications, like videoconferencing solutions and digital workspace platforms. In addition, traditional VPNs aren't as scalable as ZTNA solutions, often requiring dedicated hardware (which can increase costs for organizations) that is time-consuming to deploy and does not scale when needs spike. VPN-based security also offers less visibility into connections than zero trust, especially if the connecting device is already infected with malware or other malicious software.

VPNs provide some measure of protection if a user connects through their home network, happens to be on public Wi-Fi or if a company wants to facilitate secure access for employees at different branch offices. However, with the current threat environment and the increased potential for insider threats, the traditional castle-and-moat approach to security may not be the most effective approach for many organizations going forward. The perimeter now extends to employees' homes and to wherever else they choose to work remotely, so there is risk in trusting any user, even after they have been granted access. To strengthen their security posture, organizations will need to restrict access and verify identities.

ZTNA security and SASE

When comparing ZTNA vs. VPN, it's also useful to consider how ZTNA can be used as a critical component of emerging service-based security models, such as SASE.

SASE is a service-based security architecture that, when combined with software-defined wide-area networking (SD-WAN), provides protection closer to the connection point rather than backhauling traffic to a centralized data center. Like ZTNA, SASE is an identity-driven security approach. However, rather than focusing narrowly on controlling access, SASE focuses more broadly on protecting the enterprise overall. ZTNA can keep bad actors from entering the gates and restrict their lateral movement if they do, while SASE integrates ZTNA security into a unified, cloud-delivered, service-based architecture to strengthen network security, optimize how traffic is routed and streamline network management. Together, SASE and ZTNA can strike the right balance between employee access and security to remove friction while effectively protecting the enterprise.

Building a secure enterprise with ZTNA

As companies continue to adopt remote and hybrid work models and digitize their operations, they must ensure their security infrastructure is equipped to support this new way of working. VPNs were more effective during a time when threat actors weren't using sophisticated tools like artificial intelligence and machine learning to gain unauthorized access to systems and quickly move laterally through the network, wreaking havoc in their wake. The risks organizations face are great. ZTNA security is now a vital tool for them to manage a complex digital environment, increase their business agility and secure the enterprise in this new era of remote work.

Learn how Verizon can help provide a better approach to securing your complex digital environment.

The author of this content is a paid contributor for Verizon.
