Engineering
October 11, 2023
10 min read

Zero Trust Network Access (ZTNA) vs VPNs

Kong

In today’s digital environment, more organizations rely on remote work than ever before. While this shift has given companies unprecedented flexibility in deploying their workforce, it has also made it harder to protect devices, operations, and personnel, and it has widened the exposed surface of internal applications and APIs. Without proper access controls on the remote-access path, an attacker who compromises one account or device can reach your organization’s internal servers.

Virtual Private Networks (VPNs) have long been the traditional solution for companies to establish remote access to their networks. Still, the perimeter-based nature of the VPN security model has brought about the need for an alternative — which is where Zero Trust Network Access (ZTNA), a cloud native security solution, comes in.

How do you decide which option is right for your business? Read on to learn about the key attributes of VPNs and ZTNA solutions and their differences.

What are Virtual Private Networks (VPNs)?

A Virtual Private Network (VPN) establishes an encrypted tunnel across a public network (the internet) to a private network. It authenticates the user or device and encrypts everything inside the tunnel, so third parties on the path see only ciphertext and the corporate network is not exposed directly to the internet. A VPN client is installed on each device, such as a computer, phone, or tablet, and is either started on demand or configured to connect automatically whenever the device goes online.

When a user signs into the VPN, typically with a username and password (and, ideally, a second factor), the client establishes an encrypted tunnel between the user’s device and a VPN gateway on the corporate network. Traffic destined for the corporate network (or, in a full-tunnel configuration, all of the device’s traffic) is routed through that gateway, so the user is placed on the internal network as though they were using a device on the premises.

Breaking modern tunnel encryption is not practical, even for well-resourced attackers, so an observer on the public network cannot read or tamper with the traffic in transit. Note that the tunnel ends at the VPN gateway: the operator of the gateway (and whatever logging it performs) can see the decrypted traffic, which is why only network admins can monitor user activity within the VPN.

Common VPN Use Cases

Secure shared network

Using a VPN ensures that business communication and collaboration are protected with encryption to keep your network safe from cyber attacks. 

Safe browsing

With a full-tunnel VPN, web traffic from any device and location exits through the company’s network, so it is hidden from the local network and subject to the company’s egress filtering.

Flexible remote workforce

Every employee working on a VPN can securely log into the shared company network, allowing you to expand your workforce outside the office.

Access control

If you don’t want every VPN user to reach all of your company’s systems, you can layer additional authorization on top of the tunnel, such as firewall rules per user group or per-application logins, before access to specific resources is granted.

Easy public Wi-Fi use

On untrusted Wi-Fi, such as in a café or airport, the VPN tunnel keeps traffic confidential from other users of the same network, so employees can work on the go.

Bypass blocks

If you’re in a country that blocks parts of the internet, such as social media channels or collaboration tools, you may be unable to work efficiently. A VPN that terminates in your home location routes around those blocks.

Protected financial transactions

Encryption of the tunnel protects financial transactions from interception on untrusted networks. It does not protect against a compromised endpoint or server, so authorization controls on the transaction systems themselves are still required.

VPN Benefits and Challenges 

Benefits

  • Flexibility: A VPN extends access to many employees and remote workers at the same time, and adding users is mostly a matter of provisioning accounts and gateway capacity rather than changing the applications.
  • Secured network: The VPN’s ability to keep remote traffic private is what cemented its popularity. It prevents an on-path attacker (for example, on public Wi-Fi) from reading or tampering with traffic between the device and the gateway, and it keeps internal services off the public internet.
  • Protected private information: Attackers are often after confidential information such as bank details and sensitive documents. Because the tunnel is encrypted, data intercepted in transit is unreadable to them.

Challenges

  • Perimeter-based security model: A VPN grants an authenticated user a position on the corporate network, so an attacker with stolen credentials (and, where MFA and device checks are absent, nothing more) gets the same position and can reach sensitive information.
  • Lack of cloud-based resources: A VPN gateway sits at the edge of a corporate network. Applications hosted in public clouds or delivered as SaaS are outside that perimeter, so their traffic is either backhauled through the gateway or bypasses the VPN entirely.
  • Network access control: VPN access control works at the network level (IP addresses and ports), not the application level. Once on the network, a user, or malware on the user’s device, can reach any host the firewall rules permit, which enables lateral movement across applications.

What is Zero Trust Network Access (ZTNA)?

Zero Trust Network Access is a secure remote access model built on Zero Trust principles: no network, device, or user is trusted by default, regardless of where it connects from. Remote workers are granted resource-specific permissions on a per-request basis, with contextual factors such as location, role, source IP address, and device health taken into account.

The Zero Trust model is the inverse of a VPN’s, which trusts anything that reaches the inside of the network perimeter. ZTNA creates a context-based perimeter around each resource: the resource is not exposed on the network (its address is not routable from the client), and access is brokered on a least-privilege basis. A user reaches a resource only after the ZTNA broker has authenticated their identity, evaluated the context of the request, checked the applicable access policy, and confirmed the device’s security posture.

Even then, the user can reach only the resources they were approved for, never the network as a whole. Each additional resource is a fresh policy decision and, depending on policy, a fresh authentication, which limits lateral movement if a user’s credentials are compromised.

Common ZTNA Use Cases 

Multi-cloud environment 

ZTNA solutions front corporate applications wherever they run, in public, private, or hybrid clouds. For the growing number of cloud-based companies, this reduces the cost of backhauling traffic and accelerates digital transformation.

Limited user access

Instead of a perimeter-based solution that admits any user with valid login credentials, ZTNA enforces least-privilege access controls, granting each user only the resources their role and context justify.

Remote workforce

Zero Trust network access lets workers in any location access data on a need-to-know basis, which helps companies expand with ease.

User ecosystem management

As your company brings in outsiders such as suppliers, freelancers, partners, and users from mergers and acquisitions, you must be careful about how much access you grant them. ZTNA lets you scope each external party’s access to the specific applications and APIs they need, without placing them on your network.

VPN elimination 

Legacy and perimeter-based security solutions are slowly being phased out for cloud-based applications. ZTNA provides an alternative with more visibility and tighter security practices. 

Micro-segmentation

ZTNA limits lateral movement by isolating resources from one another, so a grant for one resource implies nothing about reachability of another. If an attacker compromises a user’s login, they can reach at most the resources that user was authorized for, and only after passing the same device and context checks.

BYOD (Bring Your Own Device) support

ZTNA can be adapted to provide secure resource access from any device, including employees’ personal devices. Because device posture is part of every access decision, an unmanaged personal device can be limited to lower-sensitivity resources rather than being given network access, so BYOD does not have to mean a larger breach risk.

ZTNA Benefits and Challenges

Benefits

  • Cloud-based resources: ZTNA is typically delivered as a cloud service, so it can front applications wherever they run (on premises, in public clouds, or as SaaS) without backhauling traffic through a corporate data center, which improves the end-user experience.
  • Contextual access perimeter: ZTNA moves away from traditional perimeter-based security by using micro-segmentation to protect assets outside the traditional perimeter. This approach ensures that users are only granted access to resources on a need-to-know basis.
  • App-level access management: ZTNA provides visibility into the application layer, allowing companies to manage application policies easily.

Challenges

  • Initial setup load: Introducing Zero Trust architecture may require re-architecting how applications are exposed and integrating identity, device management, and policy engines; legacy applications that assume a flat network may need connectors or proxies. Since your network must continue to function during the switch, your IT and development teams should plan for this possibility.
  • Control of user activities: Since Zero Trust works on least-privilege access, employees and outside parties alike will be subject to stricter requirements and regulations. You can explain that this isn't an effort to control their activities, but to increase security.
  • More extensive technology fleet: Modern cloud companies use a wide array of devices with distinct features that may require individual attention during setup and management. 

Comparing ZTNA vs VPNs

Security

Security is the main difference between VPN and Zero Trust. The former places a device on the network after a single authentication, while the latter requires continuous, context-based verification before granting access to each resource. As such, a VPN creates a greater risk by granting broad network access once a user or device has authenticated. If an attacker obtains a user’s credentials (and the VPN enforces no second factor or device check), they get the same tunnel and can reach a whole host of confidential company information.

ZTNA solutions, on the other hand, minimize the blast radius of a compromised account. They combine encryption, multi-factor authentication, and per-resource access controls that provide finer micro-segmentation and visibility. With a policy for each resource, a compromised account yields only that account’s approved resources rather than the entire network.
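To make the contrast concrete, here is an added example (constructed for this page; not Kong’s code or any vendor’s ZTNA implementation) that models the two decisions described above and in the ZTNA and micro-segmentation sections: a VPN-style grant that opens the whole subnet after one login, and a ZTNA-style decision that evaluates identity, MFA, role, device posture, source network, and session age separately for each resource. The hosts, policy table, IP ranges, and user sessions are all made up.

```python
"""Constructed example, not Kong's code or a vendor's ZTNA implementation.

Contrasts the two access models described in the text:
  * VPN: a valid login opens a tunnel onto the corporate subnet, and
    access control is at the network level.
  * ZTNA: every request to every resource is a fresh decision based on
    identity, role, MFA, device posture, source network and session age.
All hosts, policies, IP ranges and users below are made up.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory of hosts sitting behind the VPN gateway.
CORP_NET = ip_network("10.20.0.0/16")
HOSTS = {
    "hr-portal":  "10.20.1.10",
    "payroll-db": "10.20.1.20",
    "git-server": "10.20.2.10",
    "build-farm": "10.20.2.30",
}

# Per-resource ZTNA rules. roles=None means any authenticated role.
POLICY = {
    "hr-portal":  {"roles": None,                    "mfa": True, "managed_device": False},
    "payroll-db": {"roles": {"hr"},                  "mfa": True, "managed_device": True},
    "git-server": {"roles": {"engineer", "release"}, "mfa": True, "managed_device": True},
    "build-farm": {"roles": {"release"},             "mfa": True, "managed_device": True},
}
DENIED_SRC = [ip_network("198.51.100.0/24")]  # constructed: a known anonymizing exit range
MAX_SESSION_AGE = 8 * 3600                    # seconds before re-authentication is required


@dataclass
class Session:
    user: str
    password_ok: bool
    mfa_ok: bool = False
    role: str = "employee"
    device_managed: bool = False
    disk_encrypted: bool = False
    src_ip: str = "192.0.2.1"
    age_seconds: int = 0


def vpn_reachable(sess: Session) -> set[str]:
    """Perimeter model. Once the tunnel is up, the gateway routes the device
    onto CORP_NET; anything the network ACL allows (here: the whole subnet)
    is reachable, and no application-level check is ever consulted."""
    if not sess.password_ok:
        return set()
    return {name for name, ip in HOSTS.items() if ip_address(ip) in CORP_NET}


def ztna_decide(sess: Session, resource: str) -> tuple[bool, str]:
    """Zero-trust model: evaluate identity, context and device health for
    this one resource. A grant for another resource implies nothing here."""
    rule = POLICY.get(resource)
    if rule is None:
        return False, "unknown resource"
    if not sess.password_ok:
        return False, "authentication failed"
    if sess.age_seconds > MAX_SESSION_AGE:
        return False, "re-authentication required"
    if rule["mfa"] and not sess.mfa_ok:
        return False, "mfa required"
    if any(ip_address(sess.src_ip) in net for net in DENIED_SRC):
        return False, "source network denied"
    if rule["roles"] is not None and sess.role not in rule["roles"]:
        return False, f"role {sess.role!r} not permitted"
    if rule["managed_device"] and not (sess.device_managed and sess.disk_encrypted):
        return False, "device posture check failed"
    return True, "granted"


def ztna_reachable(sess: Session) -> set[str]:
    """Resources the session can actually reach: each one decided separately."""
    return {name for name in POLICY if ztna_decide(sess, name)[0]}


def stolen_credential_scenario() -> dict[str, set[str]]:
    """An attacker holds a valid password for an engineer but has no second
    factor, an unmanaged laptop, and connects from a denied range."""
    attacker = Session(user="alice", password_ok=True, role="engineer",
                       src_ip="198.51.100.7")
    return {"vpn": vpn_reachable(attacker), "ztna": ztna_reachable(attacker)}


def legitimate_engineer_scenario() -> dict[str, set[str]]:
    """The real engineer, fully verified, still only sees what the role needs."""
    alice = Session(user="alice", password_ok=True, mfa_ok=True, role="engineer",
                    device_managed=True, disk_encrypted=True, src_ip="192.0.2.44")
    return {"vpn": vpn_reachable(alice), "ztna": ztna_reachable(alice)}


if __name__ == "__main__":
    for label, fn in (("stolen credential", stolen_credential_scenario),
                      ("legitimate engineer", legitimate_engineer_scenario)):
        result = fn()
        print(f"{label}: VPN exposes {sorted(result['vpn'])}; "
              f"ZTNA exposes {sorted(result['ztna'])}")
```

Two things the example makes visible that the prose only asserts: under the VPN model the stolen password alone exposes every host on the subnet, while under the ZTNA model the same password exposes nothing because the first failing check (missing MFA) stops the decision before role or device are even considered; and the fully verified engineer still cannot reach payroll-db or build-farm, because reachability is decided per resource rather than inherited from the git-server grant.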

User experience

A VPN client must be installed and configured on each user’s device, after which users authenticate (often through single sign-on) to bring the tunnel up. This is quick once configured, provided users remember to sign into the VPN whenever they need to reach the organization’s resources.

ZTNA solutions offer a more seamless experience. Clientless (browser-based) deployments let users reach web applications without installing software, and agent-based deployments install a lightweight client once and then connect automatically, so users need to take little action after initial setup. Because traffic is brokered to each application directly rather than backhauled through a gateway, ZTNA also tends to deliver better reliability and performance, which helps user productivity.

Management

A VPN requires more management and configuration for network-level access, including firewall rules per group and gateway maintenance, and a compromise must be contained quickly because the tunnel exposes the network. ZTNA policies are easier to deploy, scale, and manage since connections are brokered automatically according to policy. Once deployed, Zero Trust runs quietly in the background without extensive user interaction, which means less operational overhead for IT and development teams.

Scalability

One of the initial benefits of VPNs was that they let companies scale up remote work. However, VPN tunnels terminate in gateways in the customer’s data center, so capacity is bounded by those gateways, and users located far from them see added latency.

Because ZTNA is cloud native, data centers are not an issue for scalability; these solutions scale automatically with the number of users, from any location.

Performance

VPN performance depends on how well the gateways are maintained and sized, but because a gateway concentrates all remote traffic, it is a natural bottleneck. When the gateway saturates or its link degrades, every user on the VPN is affected.

ZTNA solutions broker users to applications directly, often without traversing the corporate network at all, which results in fewer performance issues and higher productivity.

Transitioning from VPNs to ZTNA

While VPNs have been a popular security solution for many years, the perimeter-based security model was created to accommodate fixed perimeters around company devices, resources, and employees. Now that companies are spreading out with cloud-based techniques, the perimeter is becoming increasingly obsolete.

Not only do employees need access to resources worldwide after COVID-19, but collaboration with other companies is becoming more common, meaning resources are shared with outside partners. Over time, VPNs become harder to maintain because companies keep adding gateways as a quick band-aid for deeper performance and security problems.

There are plenty of ZTNA providers that facilitate a seamless transition from VPN to ZTNA, and if your company chooses to make the switch, it’s not necessary to do it in one fell swoop. You can begin deploying a ZTNA solution and implementing its policies while maintaining your VPN footprint so that, over time, you can phase out VPN completely — without introducing significant security risks. Many ZTNA providers offer hybrid solutions that let your organization go at its own pace.

However, there are a few things you should keep in mind as you’re making the transition:

  • Adjustment period: With any system change, there will be an adjustment period that comes with discomfort. But you can make the most of this with a positive organizational outlook. Prep your employees for the shift and let them know you’ll work through bugs as quickly as possible. You can also explain that this change will benefit them in the long run.
  • High-level policy discussion: Because Zero Trust is based on context-based access control, your executive and development teams should discuss roles and responsibilities ahead of time, including who will have access to which resources. These conversations can prevent unnecessary confusion during the transition.
  • Choose a provider wisely: Your experience moving to ZTNA is determined mainly by the provider you work with. A flexible solution that supports a hybrid period for both your workforce and your technology can smooth the transition.

Choosing between ZTNA and VPNs

Now that we’ve covered the different origins and goals of ZTNA and VPNs, how do you know which is right for your organization?

VPNs work best for smaller companies with a modest number of remote employees. If your organization lacks in-house IT manpower, your best option is to opt for a cloud VPN, which will be manageable for contracted IT admins. 

If your organization has a rapidly growing number of remote workers, ZTNA is the more suitable solution. After the initial setup, ZTNA provides good performance and user experience, scales easily, and accommodates a large ecosystem of applications. It is the remote access approach most aligned with a zero-trust architecture.

Remember that you can always choose a hybrid approach incorporating both solutions when transitioning from your VPN — or you may continue using them for different use cases. At the end of the day, you’ll need to evaluate your organization’s needs and capabilities to find the best fit for you. 

Conclusion

As the remote workforce is steadily growing in today’s business environment, so too are security threats and advanced attack mechanisms. Companies need a secure remote access solution to protect the sensitive data within their cloud infrastructure. 

Both VPNs and ZTNA solutions provide remote access to corporate networks, but they do so with different approaches. While VPNs have their place within smaller organizations, ZTNA is widely regarded as the more modern, secure, and scalable solution. 

Kong’s service mesh delivers Zero Trust to your applications by applying traffic permissions to control which services can interact with each other, enforcing mutual TLS communication, and integrating with the Open Policy Agent (OPA) to ensure authorization — just to name a few capabilities. For more information, request a demo today!