As corporate networks have grown more complex, many organizations are turning to Zero Trust Network Access (ZTNA) to strengthen their security and to replace or supplement older technologies such as the VPN.
We spoke to Kurt Glazemakers, CTO at secure access specialist Appgate, who believes there is a strong business case for ZTNA as well as a security one.
BN: Does the VPN still have its place today, with more and more services and systems moving to the cloud?
KG: That’s a good question. In fact, VPN is still probably the most used technology, especially since COVID, because it was, I think, the only thing available at the time. People were already used to it and then made decisions to see if they could extend it.
The biggest risk with VPN in general is that it is essentially an extension of your corporate network, right down to the device. This means that it can often be an entry point into the network. This is the reason why we are moving away from it a bit and moving to a ZTNA approach where connectivity and authentication are aligned, not only for network access, but also for access to the application.
BN: So is ZTNA in direct competition with VPN?
KG: Yeah, I think the most common use case we’re seeing is VPN replacement. It is increasingly taking control of these VPN services. We need to move away from corporate networks all the way to the endpoint and take a more granular approach where only the applications you need are accessible along the way.
I think we’ll see the end of the VPN, especially on the user side, but you also have the site-to-site VPN that connects multiple parts of the network securely. It is where the user needs to connect to the corporate network that we see the most activity right now, and this is where we see a fundamental change in moving from a VPN solution that allows access to the network to a ZTNA approach.
With more and more systems migrating to the cloud, that means you have entry points into the network and then we have to spread all kinds of activity across different locations. This is where ZTNA offers a completely different approach as it effectively separates those activities outside of the corporate network and treats them as individuals. This leads to an improvement in the volume of security, but it also reduces interconnectivity costs and reduces complexity, which also benefits the business.
BN: What effect has the switch to telework had over the past year and a half?
KG: VPNs weren’t designed for such high volumes of remote traffic; they were meant for maybe 25% max. VPNs are always very device-centric, so you have delays in scaling them. But scale also becomes an issue – let’s take a simple example of Zoom calls – if you want to capture all network traffic to your VPN, because of the bandwidth involved.
Since ZTNA can be used both indoors and outdoors, you only have one access profile to manage, so for a user there is no difference between working from the office or outside.
BN: We are seeing more and more security breaches, both in corporate networks and in the cloud, due to misconfigurations. How does ZTNA help fight them?
KG: That’s a very good question. It’s about trying to make access to the network a little smarter. In a conventional scenario, you need all of the corporate device policies, such as proper endpoint protection, etc., installed and patched. But the endpoint is just one thing that identifies the user.
What we do differently with ZTNA is that we can now also create descriptive policies, so you can say, “Give me all the assets that are marked for engineering”, in a different location or in the cloud, and then our solution will find them and create individual network access to each of them. This means that if you launch new assets in the cloud or in-house for the engineering department, they will automatically become part of your network. If these assets are deleted, they will disappear. This helps to deal with more complex structures where an app does not always have a long lifespan: where apps are launched automatically and set for an audience, they automatically get the right controls, and that is certainly a big step forward compared to VPN.
BN: So it makes it easier when employees leave or change roles?
KG: If your role changes, your network access will change as well. This helps reduce the attack surface as the policy automatically adapts, reducing the chances of human error, especially with applications or containers that sometimes run for a very short period of time. Removing the human factor is where agility and security go hand in hand.
In addition, ZTNA provides huge cost savings, because all of your metrics that need to be interconnected in a corporate network and received in a solution can in fact establish an internet connection to your cloud and your data center at the same time. You don’t need additional connectivity between the two. We’re seeing tremendous savings by reducing firewalls, security stacks, MPLS connections, and site-to-site VPNs, because you can reduce the number of hours spent creating and maintaining rule sets.