With the rise of employees now working more often from home, there has been a lot of conversation about securing the remote workforce. Traditionally, IT organizations have leveraged VPN (Virtual Private Network) connections to enable users to access the corporate network remotely. But, with the tremendous surge of today’s remote workers, many businesses found that the capacity in those VPN connections have prevented simultaneous access for all employees. This has driven a rapid move to address the issue.
Now, even though stay at home restrictions are being relaxed, we’re still seeing the need to support remote workers more than ever. This is increasing conversations about how to properly deploy and secure remote worker connectivity. For the long term, will VPNs deliver the needed access remote workers require? Or is it time to consider emerging technologies such as ZTNA (Zero Trust Network Access) options? Consider the following decision factors.
Using a Remote Access VPN
The remote access VPN is the most common remote connectivity option in use today. To use a VPN, users will typically need to install a software client on their workstations which creates an encrypted connection over the Internet to a device (typically a firewall or VPN concentrator) back at the corporate data center. This connection then allows communication back to that data center to occur securely without requiring a physically private line.
VPNs have been in use for decades, so they are a well-known quantity. The ability to create a remote access VPN is table stakes for firewalls these days, and every firewall vendor supports them. However, there are downsides to VPNs. Here are some of the most notable:
- Simultaneous VPN Connections Are Limited. Each firewall or VPN concentrator can only accept a certain number of simultaneous VPN connections. To get more requires a “rip and replace” of the VPN hardware.
- VPNs May Introduce Security Risk. Internal networks may be exposed to security risks by users connecting via VPN from personal devices because they enable full network access. If a user’s personal device has malware, for example, it can expose the corporate network when it accesses internal systems via a VPN.
- VPNs Can Limit Location Connections, Impacting User Experience. Usually, a VPN will only connect users to one location at a time. If the user needs to access another data center, a cloud-based application, or data in a cloud infrastructure, all that communication must hairpin through that one location. This can cause severe user experience and reliability issues.
- VPNs May Expose Networks to Backdoor Attacks. Often, because of the complexity of VPN connections, organizations will configure them to be selectively bypassed for certain traffic, such as web browsing or accessing SaaS applications. Doing this, though, leaves the organization open to backdoor attacks through the users’ machines as they connect simultaneously to internal and external networks.
- Slow VPN Performance and Poor Experience Frustrate Users. VPN clients are notoriously cumbersome for users to operate. They need to start up a piece of software, tell it to connect to something they may not fully understand, authenticate, and make sure it connects. Only then can user do the things that are just automatic on the corporate network like connecting network drives, accessing internal web sites, or running internal software.
The Network Access Advancements of ZTNA
ZTNA is an emerging technology that was designed to solve many of the challenges posed by VPNs. Using a ZTNA solution still typically requires a client on the workstation, but otherwise differs from VPN connections substantially.
There are many different ZTNA products from various manufacturers, each with their own strengths and weaknesses. Here are some general ZTNA considerations that contrast with the VPN points we covered above:
- ZTNA Connections Support Dynamic Scalability. ZTNA solutions are typically cloud-based, which means that no hardware replacement is needed to scale. By increasing or decreasing subscription quantities, organizations can scale up or down to match their remote access requirements.
- ZTNA Technology Minimizes the Attack Surface. With a ZTNA connection, users are not treated as trusted users by default (thus the Zero Trust part.) They are given access only to the things they need to do their job, reducing the attack surface greatly and minimizing security risk.
- ZTNA Connections can be Point to Multi-Point. Users are connected directly to the services they need over a secure connection no matter where those services are, be that on-premises, in a cloud infrastructure, or provided as a software as a service (SaaS) option. This improves both performance and security.
- ZTNA Clients Remain Connected. Since they are so much less likely to interrupt a user’s workflow, ZTNA clients can stay connected all the time, making them much more difficult and less necessary to bypass. This greatly reduces security vulnerabilities and backdoor attack risk.
- ZTNA Connections Expand the Security Boundary. Many ZTNA connections are integrated with cloud based secure web gateways or similar security services. This allows users to connect directly to web sites or SAAS applications outside of the organization, while still protecting them from malware.
- ZTNA Enhances User Experience. Because ZTNA clients stay connected all the time, working on a ZTNA connection feels a lot more like working in the office. This lowers help desk call volume, improves the user experience, and enhances workforce productivity.
Remote Access VPNs and ZTNA Connections Won’t Solve It All
Certainly, there are some remote worker scenarios that remote access VPNs and ZTNA connections won’t solve. These include providing easy access for multiple people at the same site or connecting devices that can’t support a client (like office phones or card readers). There are great solutions for these that can further extend an organization’s wired and wireless connectivity to any location securely.
Here is where a conversation about SASE (Security Access Service Edge) solutions can be valuable. We’ll cover this topic in an upcoming blog, but in the meantime, read more about Veristor networking solutions here then contact us for a consultation. You’ll find that our solution architects can provide the field-proven insights you need to deliver the best remote experience for your users.