From VPN to ZTNA – The Evolution of Secure Remote Work

By Mor Ahuvia, Product Marketing Manager

Is your VPN getting in the way of productivity? If so, you’re not alone.

When it comes to remote network access, you  have difficult choices to make. But essentially, they all boil down to two things:

  • You need to make access for legitimate users as easy as possible
  • You need to make access for anyone else as hard as possible

Until now, many organizations have relied on a traditional network security model centered on perimeter security, using virtual private networks, or VPNs.

The basic model of the VPN is that the network is surrounded by a virtual perimeter, or “fence”, to keep out intruders. But in today’s decentralized climate, that model is becoming increasingly hard to manage. Not everybody accessing your network needs to have or should have the same level of access permissions, for example third party users such as consultants, administrators are not likely to require access to the same applications, or require the same level of permissions (e.g. read, write, manage permissions etc.) .

The relevance of VPNs is tested to the limit as organizations move applications off the corporate network, especially into the cloud, and with more and more employees working from remote locations at least part of the time. Not only can all these changes render your VPN far less effective, but they can also interfere with productivity.

Let’s explore some of the ways your traditional VPN may be letting you down. Then, we’ll look at an emerging security model that’s simpler to manage and offers you more granular control to take back the reins of your network security.

The Limitations of VPNs for Remote Network Access

As many organizations have already realized, traditional VPN and perimeter-based access controls aren’t sufficient. Why not?

As mentioned, corporate networks are becoming decentralized. Work from home (WFH) and third-party access (e.g. by consultants and partners) mean that remote network access requests are coming in from everywhere. Performance can be compromised and latency increased due to an on-premises, perimeter-centric security architecture that forces all traffic to be routed through the datacenter.

Inability to support BYOD unmanaged devices

Enabling access from these unmanaged, non-corporate sourced devices means your network and assets are being accessed from unknown endpoints, whose risk posture is unknown and which may or may not be infected with malware. In this climate, you can’t always recognize or control the endpoints to make sure they’re patched and healthy. An intruder could easily piggyback into your network via a compromised endpoint.

No secure access to cloud workloads

VPNs also lack the flexibility you need in today’s IT environments. They don’t transition well to cloud and usually have limited capability to support secure access to cloud workloads and IaaS (e.g. AWS, GCP, Azure).

Overly permissive third party access

And when it comes to supporting third party users, VPN use may not be permitted at all, due to regulations that prohibit the installation of clients on non-employee devices. Alternatively, where such regulations do not exist, excessive permissions may be given to external parties by enabling them to install a client and thus receive an unnecessarily high level of implicit trust, which may also allow easy access to sensitive company assets and information.

No granular network or in-app controls

Plus, by attempting to simplify security with a perimeter model, VPNs disempower you and your security team. With a VPN, you lack granular control over a few key areas, creating multiple problems:

  • Overly broad network-level authorization and access controls
  • Implicit risk of lateral movement and discoverability of sensitive assets
  • No single place to manage controls for different applications
  • No in-app controls over what users can do within each app (read, write, edit, )

Considering VPN Alternatives

VPNs were great for their time—when most users were on-site, and when most apps were on local servers.

But today, we’re seeing serious data breaches happening because hackers know that if they can get through a corporate firewall, chances are good that they won’t meet with much resistance from internal systems. Indeed, VPNs and firewalls can all make us overconfident in the state of our network security.

For all these reasons, Gartner has estimated that by 2023, up to 60% of enterprises will phase out VPNs in favor of a different architecture–Zero Trust Network Access or ZTNA.

The Rise of Zero Trust and ZTNA

Some of the problems with VPNs have helped create awareness of the need for a security model that doesn’t simply allow trusted users to roam freely within the corporate network. Into this vacuum has emerged the Zero Trust security model, a concept originally coined by Forrester.

Zero Trust—endorsed by heavy hitters such as the U.S. Department of Defense—focuses on a reality in which we must “never trust, always verify.” In this way, Zero Trust makes it easier to ensure only the right people get least privileged access to the right application, in the right role at each and every access attempt, ideally with in-app controls and visibility available into what they do post-login..

In fact, Zero Trust is more a state of mind or paradigm shift than a single tool—there is no “zero trust in a box.” The Zero Trust model:

  • Relies on the principle of limited access on an application-by-application basis
  • Relies on authentication of every single device and user no matter where they are located
  • Acknowledges the complex reality of today’s networks and makes zero assumptions

Zero Trust can be difficult to implement, and certainly, most organizations will want to shift gradually. A U.S. Department of Defense document explains that “Zero Trust can be applied incrementally, group by group, or application by application, although end-user experience should definitely be a consideration.”

Choosing tools to simplify the shift will help transition your entire operation to a Zero Trust architecture far more easily than you might think.

Analyst firm Gartner has taken the zero trust notion a step further, specifically defining an architecture called Zero Trust Network Access. To quote its ZTNA glossary definition:

“Zero trust network access (ZTNA) is a product or service that creates an identity- and context- based, logical access boundary around an application or set of applications.”

Or put simply, ZTNA services replace network-layer permissions with application-specific permissions, taking into account identity-based access controls and contextual authentication, e.g. user group or role, multi-factor authentication, IP address, location and day or time restrictions.

“The applications are hidden from discovery, and access is restricted via a trust broker to a set of named entities.”

In practice, this may work with a cloud-based ZTNA-as-a-service that hides the network from view via the public internet, essentially serving as a DMZ-as-a-service that “darkens” the datacenter. The broker authorizes or forbids access to specific applications on a case-by-case basis.

“The broker verifies the identity, context and policy adherence of the specified participants before allowing access and prohibits lateral movement elsewhere in the network. “

By authorizing access only to the requested resource, the risk of lateral movement is eliminated, as users only see applications they are allowed to access. All other applications are hidden from view (for example, using a personalized portal that only shows apps authorized for access by a particular user).

“This removes application assets from public visibility and significantly reduces the surface area for attack.”

Moving from Network to Application-layer Access

One tool that can make shifting to Zero Trust and a modern network environment easy is Harmony Connect Remote Access. Part of Check Point Harmony Connect, Check Point’s a SASE (secure access service edge) solution, Check Point Harmony Connect Remote Access addresses the limitations of current infrastructures providing a viable VPN replacementalternative that enables you to:

  • Move from a physical to logical access perimeter: Instead of vetting users once at the entrance to your IT perimeter, shift access control decisions to business-driven policies that take into account devices, users, contextual attributed and requested
  • Authenticate and authorize each access attempt: Use multi-factor authentication to eliminate the risk of unauthorized access arising from credential theft, integrating with your current identity provider as
  • Support BYOD and third party users: With a clientless architecture, you no longer need to install any VPN client on user devices, meaning that consultants and partners get simple access to resources, and that users can easily connect and work from mobile devices
  • Darken your data center and network: Reduce the risk of lateral movement by hiding your network and every unauthorized resource with a cloud-based trust broker, thereby also reducing the risk of DDoS attacks
  • Define and enforce in-app permissions: Manage policies not only at the app level, but also at the query and command level, including permissions such as read, write, administer permissions etc..
  • Get granular visibility into user session activity: A centralized SIEM-friendly audit trail ensures you know who accessed which app, what actions they took within it, and optional session recordings.

Learn More about our ZTNA-as-a-Service

There are many reasons to begin the transition to Zero Trust sooner.

You may already be experiencing growing pains with your VPN as you scale and expand into hybrid and cloud-based environments, especially as work from home has become business as usual. Perhaps you’re also looking to the Zero Trust future for security or compliance reasons, to ensure that your organization’s assets are as well-defended as possible.

Discover how Check Point Harmony Connect Remote Access keeps your business running at its best. Here are a few resources to get you started: