Zero trust access, VPN, both? The changing face of remote network access [Q&A]
Virtual private network (VPN), software defined perimeter (SDP), zero trust network access (ZTNA), there are plenty of technologies around for protecting remote access to enterprise networks.
This is an area that's been thrown into sharper focus this year, but what's the best option for keeping remote access secure? We spoke to Scott Gordon, CISSP for Pulse Secure to discuss the value of the different options available.
BN: What's changed over the last one or two years to reinvigorate the remote access market?
SG: One of the biggest changes over time has been remote and branch offices, which previously accessed resources and applications in the data center, now needing access to resources in the cloud. Additionally, users themselves are more mobile and engaged digitally with resources in the cloud and SaaS-based apps. Those users have three or five devices on average, including a mix of both corporate and personal. Because of this change, the user is now accessing the web from various networks, both public and private. Furthermore, there is an influx of IoT devices with adoption continuing to rise. Threats are also increasingly becoming more sophisticated, targeting the remote end user identity and their devices.
These dynamics increase a company's attack surface and potential data breach exposures, introducing less intrusive ways to get to sensitive corporate resources and information. This has driven the need to progress requirements like converged secure access and zero trust.
BN: So what is converged secure access and how does zero trust apply?
SG: Applications and information are moving at an accelerated pace towards the cloud, meanwhile, companies are migrating infrastructure and legacy applications from on-premises to multi-cloud and hybrid IT environments. This requires organizations to reassess how they can advance access visibility and governance. Enterprises also need to ensure data protection obligations are managed across the cloud. Unfortunately, companies have fragmented policies and tools across their hybrid IT infrastructure due to a variety of disjointed implementations. With islands of intelligence and control, it's both harder to monitor, audit, respond to threats and diagnose issues, and challenging to ensure the organizations have active, appropriate and more unified access to policy and data protection mechanisms.
Enterprises also need easier ways to consume and provision access security; to understand where they need it, when they need it and how to implement it in a way that is scalable. As there has been an increase in data breaches, companies are looking at preventative and responsive security measures. This has driven the adoption of the zero trust security model. As it relates to converged secure access, it is about coordinating controls that verify the user, device, and overall security posture prior to granting access. Beyond ensuring identity and endpoint authentication prior to securing data in flight and at rest, the approach also requires adaptive risk assessment in that the security posture is continually monitored to determine if conditions have changed or there's risk which would require access to be limited or blocked. Examples of zero trust security include ensuring VPN tunnel modes are always active, endpoint security is compliant, and the segregation of network resources and applications.
BN: We often hear about accessing resources at any time, from any place, and any device. How do new secure access solutions meet this need?
SG: Organizations have often made an investment in VPN technology, with processes built around the use of a VPN to satisfy remote access needs for their employees or devices. However, a new architecture has been developed called software defined perimeter (SDP), otherwise known as zero trust network access (ZTNA), which provides users direct trusted access between their device and applications no matter where they exist. ZTNA verifies user identity through multi-factor authentication (MFA) and ensures the device configuration meets company security standards. ZTNA takes these and other attributes into account to determine what applications a user is allowed to access.
ZTNA has three components. A centralized manager called the Controller that manages policies, gateways and clients, and orchestrates secure access. A Gateway that serves as a proxy in front of applications whether they are on-premises or in the cloud. And a Client that operates on a device or via web connection to a device. The client would request access to the Controller. The Controller would determine application access based initiating user, device and security state verification according to policy and, if met, establish a direct, trusted connection between the Client and the Gateway.
From a usability perspective, ZTNA delivers a simpler user experience as the user does not need to know how or where they will be securely accessing applications. ZTNA also provides a more scalable, manageable solution by separating the control plane and data plane, and enabling a direct connection directly between the device and gateway server in front of the application. From a security perspective, since an endpoint can only see applications made visible by the Controller, ZTNA negates malware and threat actors from being able to have unwarranted exposure to resources -- as you can attack what you can see. Beyond security elements, ZTNA has advantages for administration, it's easier to set up and provision users, application and access mapping, manage policies, monitor transactions and respond to issues.
BN: What other innovations can ZTNA provide to enterprises?
SG: As I've said, the Controller engages with the Client and Gateways to orchestrate authenticated and appropriate application access using least privilege. The Controller obtains all access data, from user and the endpoint, as well as the gateway. Armed with this big data, the Controller can apply analytics to present a unified view into all access, providing visuals, trends, reports and audit details to the operator and other systems. By applying machine learning, the Controller can also understand access norms of users and roles, and compare that baseline to live access requests, denies and transactions in order to apply risk scoring, as well as to identify malicious and anomalous activity. Through continuous monitoring, adaptive access control can be applied based on state change and risk assessment.
BN: Are enterprises replacing VPNs with ZTNA/SDP solutions and should they be doing so?
SG: VPNs are a well understood solution for many organizations and modern VPNs deliver many usability, endpoint, user and device authentication, adaptive access, data protection and application support features desired by enterprises. ZTNA offers significant advantages in terms of usability, performance and security. There are caveats and considerations though. Does the organization want to invoke access as a service? Are there any data protection and sovereignty issues? ZNTA may not support all application types such as VDI, HTML5, VOIP,P2P and TCP/IP and legacy apps, and workarounds may be required. Since ZTNA delivers a direct, trusted connection between the user device and the application, this requires established user to application mapping -- which for many enterprises is not well defined across all combinations of corporate and divisional user types and applications. Lastly, there are implementation considerations including efforts to configure and maintain connectors to support hybrid IT.
As the majority of enterprises are at various stages of their hybrid IT implementation to support their digital business transformation, it's more likely that organizations will rely on both VPN and ZTNA technology for some time. Many organizations have decided that they will implement ZTNA according to a business need, division or region to support that set of users and applications. This introduces the complications of managing two or more separate secure access systems, which contradicts the benefits and economies of IT consolidation. Ultimately, organizations should progress their investment and initiatives for secure access and zero trust where they can incorporate the best of both modern VPN and ZTNA technologies with a more integrated, platform approach. By doing so, enterprises can realize greater access oversight, policy unification, deployment flexibility, resource optimization, and cost-savings while also gaining enhanced user experience and security.