Remote access VPN has long served us well, but the recent increase in remote working has cast a spotlight on the limitations of this aging technology.
Written by Tejas Kashyap
Remote access VPN has been a staple of most networks for decades, providing a secure method to remotely access systems and resources on the network. However, VPN was developed to mimic the experience of being in the office. Once you’re in, you’ve got broad access to everything.
Zero trust network access (ZTNA), on the other hand, can be summed up in four words: trust nothing, verify everything. It’s based on the principle that any connection to your network should be treated as hostile until it’s been authenticated, authorized, and granted access to resources.
Simply put: with virtual private networking (VPN), you’re providing broad network access. With ZTNA, you’re providing specific application access.
Traditional remote access VPN vs. ZTNA
There are several differences between traditional remote access VPN and ZTNA. Here are some important ones, covering trust, device health, administration, and more.
Trust
With remote access VPN, users are implicitly trusted with broad access to resources, which can create serious security risks.
ZTNA treats each user and device individually so that only the resources that user and device are allowed to access are made available. Instead of granting users complete freedom of movement on the network, individual tunnels are established between the user and the specific gateway for the application they’re authorized to access – and nothing more.
Device health
Remote access VPN has no awareness of the health state of a connecting device. If a compromised device connects via VPN, it could affect the rest of the network.
ZTNA integrates device compliance and health into access policies, giving you the option to exclude non-compliant, infected, or compromised systems from accessing corporate applications and data. This greatly reduces the risk of data theft or leakage.
Remote connections
Remote access VPN provides a single point-of-presence on the network, which means a potentially inefficient backhauling of traffic from multiple locations, datacenters, or applications through the remote access VPN tunnel.