How ZTNA and SDP are becoming the gold standard in secure remote access
VPN services still use concepts based on software from the mid-1990s. However, zero-trust network access (ZTNA) reflects modern security sensibilities. A network designed to conform to ZTNA standards represents a complete rethinking of how network security functions. Unlike a VPN, ZTNA networks treat all users, internal or external, the same.
When computers first started working their way onto corporate desktops, they triggered a productivity revolution. Suddenly, employees gained the ability to multitask and handle ever-larger workloads, having been freed from countless processes that used to be done by hand. The biggest problem at the time was the fact that it was impossible to give employees the same type of access to corporate systems and software while traveling that they had in the office.
In the mid-1990s, that all changed.
That’s when Gurdeep Singh-Pall spearheaded the development of the PPTP protocol while working for Microsoft. It represented the first practical use of VPN technology as we know it today, and it allowed businesses to provide real, secure remote network access for employees at scale for the first time.
In the years since, VPN technology has evolved to the point that it has even become a vital online security tool for individuals, too. Today, it’s easy (and inexpensive) to use a commercial VPN service to provide encrypted internet access while using unfamiliar or untrusted networks, and that’s spawned an enormous industry of providers for every conceivable use case.
Meanwhile, though, corporate and business users are starting to outgrow VPN services as they exist today. They’re now being replaced by what’s known as zero-trust network access (ZTNA) models that allow for much stricter access controls than traditional VPN can accommodate. Here’s how they work, and how they’re changing corporate remote access systems forever.
What is the ZTNA model?
Put simply, a network designed to conform to ZTNA standards represents a complete rethinking of how network security functions. In a classic network design, users inside the network’s perimeter (LAN side, behind external firewalls) have wide access to network resources, controlled only by a single authentication with one set of credentials. In the beginning, this made the most sense when networks were small and access rights easy to manage. Within today’s sprawling business networks, though, it has led to some spectacular security failures.
That design makes it possible for determined outsiders to gain entry to business networks by stealing the credentials of a trusted insider, which then give them that insider’s privileged access to company systems and data. The logic is the same for a VPN solution: the idea of a VPN is to provide a hardened doorway through which external users reach internal resources. The problem is that once through the door, VPN users are treated the same as internal users, which makes their credentials an attractive target for attackers.
ZTNA networks, by contrast, treat all users, internal or external, the same. In the model, no user has access to any more resources than policy permits, and the network is micro-segmented to limit lateral movement by authenticated users. For remote access, users authenticate via what’s known as a software-defined perimeter (SDP), which grants ephemeral, on-demand access to only the resources the user is authorized to reach. That access is revoked the moment the user disconnects. In other words, it leaves no standing doorway for an attacker to try to exploit – vastly lowering the network’s attack surface.
The benefits of SDP over VPN
The security benefits of an SDP setup should be obvious, in that it allows for far more granular control of resources for authenticated users. The bigger advantage, though, is that an SDP can control access to hybrid resources that consist of on-premises hardware and cloud services. Since there’s no physical gateway, such resources may be grouped together by system administrators as they see fit, and all access control happens at the software level.
That kind of control is a much better fit for today’s blended network deployments. It also centralizes security control and allows for more ready inspection of user activity, which is a key component of a modern cyber threat defense. Most importantly, however, it can help organizations to eliminate the kind of insider credential abuse that is responsible for so many of today’s data breaches.
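The following is an added illustration, not code from the original article or from any particular ZTNA product. It is a toy model of the two designs described above: a perimeter-style VPN where one credential check exposes the whole LAN, and an SDP where grants are scoped per resource by policy, span on-premises and cloud resources in one logical group, carry a short lifetime, and are torn down on disconnect. All users (alice, bob), resources, micro-segment labels and policy rules are constructed for the example.

```python
"""Added example (not from the original article): a toy model contrasting
perimeter-style VPN access with ZTNA/SDP per-resource, ephemeral access.
Every user, resource, segment and policy rule here is constructed."""
from dataclasses import dataclass
import time


@dataclass(frozen=True)
class Resource:
    name: str
    location: str  # "on-prem" or "cloud"; the SDP ignores this when grouping
    segment: str   # micro-segment label used by policy


# Constructed hybrid inventory: on-prem hosts and cloud services side by side.
RESOURCES = (
    Resource("hr-db", "on-prem", "hr"),
    Resource("payroll-api", "cloud", "hr"),
    Resource("git-server", "on-prem", "eng"),
    Resource("ci-runner", "cloud", "eng"),
    Resource("file-share", "on-prem", "shared"),
)

# Constructed policy: which micro-segments each identity may reach.
POLICY = {
    "alice": frozenset({"hr", "shared"}),
    "bob": frozenset({"eng", "shared"}),
}


class PerimeterVpn:
    """Classic design: one credential check, then the whole LAN is reachable."""

    def __init__(self):
        self.connected = set()

    def connect(self, user, credentials_ok):
        if credentials_ok:
            self.connected.add(user)
        return self.reachable(user)

    def reachable(self, user):
        # Once inside the perimeter, every resource is visible, regardless of role.
        return {r.name for r in RESOURCES} if user in self.connected else set()


class SoftwareDefinedPerimeter:
    """ZTNA design: grants are per resource, policy-scoped, short-lived,
    and torn down the moment the client disconnects."""

    def __init__(self, policy, ttl_seconds=300):
        self.policy = policy
        self.ttl = ttl_seconds
        self.sessions = {}  # user -> (granted resource names, expiry timestamp)

    def connect(self, user, credentials_ok, device_compliant, now=None):
        now = time.time() if now is None else now
        # Identity AND device posture are checked; either failing yields nothing.
        if not (credentials_ok and device_compliant):
            return set()
        allowed_segments = self.policy.get(user, frozenset())
        granted = {r.name for r in RESOURCES if r.segment in allowed_segments}
        self.sessions[user] = (frozenset(granted), now + self.ttl)
        return granted

    def reachable(self, user, now=None):
        now = time.time() if now is None else now
        session = self.sessions.get(user)
        if session is None or now >= session[1]:
            self.sessions.pop(user, None)  # expired grants are discarded
            return set()
        return set(session[0])

    def disconnect(self, user):
        # Revocation on disconnect: no standing doorway is left behind.
        self.sessions.pop(user, None)


def hybrid_group(segment):
    """Locations covered by one policy group: on-prem and cloud alike."""
    return {r.location for r in RESOURCES if r.segment == segment}


if __name__ == "__main__":
    vpn = PerimeterVpn()
    print("VPN, alice:", sorted(vpn.connect("alice", True)))
    sdp = SoftwareDefinedPerimeter(POLICY, ttl_seconds=60)
    print("SDP, alice:", sorted(sdp.connect("alice", True, True)))
    sdp.disconnect("alice")
    print("SDP after disconnect:", sdp.reachable("alice"))
```

The contrast to watch is the `reachable` result for the same identity under each class: the VPN model returns every resource after a single password check, while the SDP returns only the "hr" and "shared" segments for alice, refuses a non-compliant device outright, and returns nothing once the session expires or is disconnected. Grouping by `segment` rather than `location` is what lets the policy span on-premises and cloud resources as one unit.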
Next-generation remote access
It’s pretty clear that the 90s-era technologies that led to the VPNs we know today are starting to show their age. They were designed at a time when networks consisted of simpler topologies and when the concept of credentials and trust didn’t have to account for the wave of cyber-theft that’s happened in recent years. For that reason, ZTNA networks that provide SDP access for remote users look like they’re going to become the new standard for business computing resource access as we move further into the 21st century. VPNs will still have their uses, of course, but it is likely those uses will be limited to consumer-facing deployments where access control isn’t the primary concern.
On the whole, that’s a good thing. It should allow businesses far more flexibility in their remote access offerings, while dramatically cutting down on the risk of a network intrusion by an attacker. Also, as a software solution, it should cut costs and make it possible for more companies to support mobile workforces (like PPTP did thirty-odd years ago). If past is prologue, the new technology should set off a whole new productivity boom, which is good for everyone involved.