How Zero Trust strengthens remote connection | Acid Labs

Replace your VPN with ZTNA? Discover 3 approaches to remote access

Secure, uninterrupted remote access is a business enabler: it keeps remote users productive and reduces the time IT teams spend setting up and maintaining connectivity between users and applications, with agility and resilience. Even so, remote access remains a challenge for many organizations.


VPNs offered a simple way of connecting a few remote users to the corporate network for short periods. As the workforce became more distributed and organizations needed to keep remote users securely connected for much longer periods, their shortcomings became apparent: slow performance, higher security risk and limits to scalability.


As the need for remote access grows, organizations are moving away from traditional VPN deployments towards safer, more effective remote access solutions. Zero Trust Network Access (ZTNA) draws secure boundaries around specific applications, private IPs and hostnames, replacing the VPN's default-allow model with default-deny policies that grant access based on identity and context.


At the end of 2020, less than 5% of remote access usage was served predominantly by ZTNA, driven by the access limitations of traditional VPNs and the need for session control and more precise access rules. That share is expected to reach 40% by 2024.


VPN vs Zero Trust Security


VPN Security


Although a VPN encrypts traffic between remote users and the corporate network, it was not designed for fine-grained access control or for scale. Traditionally, organizations used a VPN to connect a few remote users to the corporate network for short periods. As usage has grown, the problems with that model have multiplied:


- Users experience slow performance. Traffic is funnelled through the VPN infrastructure; if it lacks the capacity for the throughput and the number of simultaneous connections the workforce generates, every user's connection slows down.

- Corporate networks become exposed to attack. A VPN typically follows a castle-and-moat model: once a user (or an attacker holding that user's credentials) connects, they have broad network-level access to corporate resources, which makes lateral movement easy.


Zero Trust Security


Zero Trust Security avoids several of the problems inherent to VPNs. It rests on the principle that no user or device is trusted by default, whether it sits inside or outside the network.


With the aim of reducing risk and impact of data leaks, internal attacks and other threats, a zero trust approach:


- Authenticates and logs every login and every request.

- Requires strict verification of all users and devices.

- Limits what each user and device can reach, based on identity and context (for example group membership, device posture and location).

- Encrypts traffic end to end, isolating applications and data from the rest of the network.
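As an added example that is not part of the original post, the following Python sketch contrasts the castle-and-moat check a VPN gateway performs (described above) with a default-deny decision that evaluates identity and context on every request and logs the verdict. The application names, group names, device posture attributes and sample requests are constructed for illustration and are not taken from any product.

```python
"""Added example (not from the original post): a default-deny access decision
based on identity and context, contrasted with the castle-and-moat check a VPN
gateway performs.  Application names, group names, device attributes and the
sample requests below are constructed for illustration."""
from dataclasses import dataclass, replace
import logging

logging.basicConfig(level=logging.INFO, format="%(message)s")
log = logging.getLogger("ztna")


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset         # group claims from the identity provider
    mfa: bool                 # strong second factor presented this session
    device_managed: bool      # endpoint enrolled in device management
    disk_encrypted: bool      # posture signal reported by the endpoint agent
    country: str              # geolocation of the connecting IP
    app: str                  # application the user is asking for


def vpn_authorize(req: Request) -> bool:
    """Castle-and-moat: the gateway accepted the credential when the tunnel
    came up, so every internal host is implicitly reachable afterwards."""
    return True


@dataclass(frozen=True)
class Rule:
    groups: frozenset                   # user must be in at least one
    require_mfa: bool = False
    require_managed: bool = False
    require_encrypted: bool = False
    countries: frozenset = frozenset()  # empty means no geo restriction


# One rule set per application; any application not listed is denied.
POLICIES = {
    "wiki": Rule(groups=frozenset({"staff", "contractor"}), require_mfa=True),
    "payroll": Rule(groups=frozenset({"finance"}), require_mfa=True,
                    require_managed=True, require_encrypted=True,
                    countries=frozenset({"CL", "US"})),
}


def ztna_authorize(req: Request) -> tuple[bool, str]:
    """Zero Trust: evaluate identity and context on every request.
    Returns (allowed, reason); unknown apps and unmet conditions are denied."""
    rule = POLICIES.get(req.app)
    if rule is None:
        return False, "no policy for application"
    checks = [
        (bool(rule.groups & req.groups), "group membership"),
        (not rule.require_mfa or req.mfa, "mfa"),
        (not rule.require_managed or req.device_managed, "managed device"),
        (not rule.require_encrypted or req.disk_encrypted, "disk encryption"),
        (not rule.countries or req.country in rule.countries, "country"),
    ]
    failed = [name for ok, name in checks if not ok]
    if failed:
        return False, "failed: " + ", ".join(failed)
    return True, "all conditions met"


def decide(req: Request) -> bool:
    """Log every decision, allow or deny, and return the verdict."""
    allowed, reason = ztna_authorize(req)
    log.info("user=%s app=%s country=%s allowed=%s reason=%s",
             req.user, req.app, req.country, allowed, reason)
    return allowed


# Constructed sample requests: a contractor on a personal laptop, a finance
# employee on a managed, encrypted laptop, and variations on each.
CONTRACTOR = Request("ana", frozenset({"contractor"}), mfa=True,
                     device_managed=False, disk_encrypted=False,
                     country="CL", app="wiki")
CONTRACTOR_PAYROLL = replace(CONTRACTOR, app="payroll")
FINANCE = Request("luis", frozenset({"staff", "finance"}), mfa=True,
                  device_managed=True, disk_encrypted=True,
                  country="US", app="payroll")
FINANCE_ABROAD = replace(FINANCE, country="RU")
FINANCE_UNMANAGED = replace(FINANCE, mfa=False, device_managed=False)
FINANCE_UNKNOWN_APP = replace(FINANCE, app="hr-portal")

if __name__ == "__main__":
    for req in (CONTRACTOR, CONTRACTOR_PAYROLL, FINANCE,
                FINANCE_ABROAD, FINANCE_UNMANAGED, FINANCE_UNKNOWN_APP):
        print(f"vpn={vpn_authorize(req)} ztna={decide(req)}")
```

The VPN check returns True for every request because the only decision it ever made was at tunnel setup; the ZTNA check re-evaluates group membership, MFA, device posture and location per application, denies anything without an explicit rule, and writes a log line for every verdict, which is what gives the per-session visibility the list above describes.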


Ways of configuring ZTNA


- Clientless ZTNA (also called service-based) uses the user's existing browser, instead of an installed agent, to establish a secure connection and authenticate the user and device. Clientless ZTNA has traditionally been limited to applications that speak HTTP/HTTPS, but protocol coverage is expanding quickly.

- Client-based ZTNA (also called endpoint-based) requires an agent installed on each user device; the agent establishes the encrypted connection between the device and the applications the user is authorized to reach, and can report device posture to the policy engine.

Challenges to Implementing ZTNA


Although ZTNA offers clear advantages over a traditional VPN, it is not a perfect approach to remote access for every organization. During Zero Trust adoption you may run into one or more of the following challenges:


1. Solutions are not truly cloud native.

2. Providers may not offer client-based or clientless ZTNA options.

3. Set up may be complex and time-consuming.



Cloudflare Approach for Remote Workers


Securing and scaling remote access should be a fluid process that does not require layering rigid security products, accepting performance trade-offs or incurring unnecessary costs. Cloudflare lets teams handle each remote access use case, with the following benefits:


- Simple, low-risk onboarding for users and administrators. Cloudflare integrates with existing identity providers and endpoint protection platforms to enforce Zero Trust policies that limit access to corporate applications and resources.

- Flexibility for client-based and clientless ZTNA deployments. Cloudflare provides clientless support for connections to web applications, SSH, VNC (and soon, RDP), and client-based support for non-HTTP applications and private routing to internal IP addresses.


How Does Cloudflare Approach Remote Access Challenges?


Problem: Scalability challenges
Solution: Global perimeter network
Cloudflare implementation: Cloudflare's global Anycast network not only makes user connections faster than a VPN, but also lets remote workforces of any size connect securely and quickly to corporate resources.

Problem: Poor support for mobile devices
Solution: Lightweight client
Cloudflare implementation: Cloudflare's WARP client uses the WireGuard protocol, running in user space, to support a broad set of operating systems with a faster user experience than traditional VPN clients. WARP can be deployed on Windows, macOS, iOS, Android and, soon, Linux devices.

Problem: Weak or non-existent integrated DDoS protection
Solution: Integrated DDoS protection
Cloudflare implementation: Cloudflare's 67+ Tbps network provides integrated DDoS protection for either ZTNA mode, protecting networks against the largest volumetric attacks.

Problem: Protocol limitations
Solution: Support for web and non-web applications
Cloudflare implementation: Clientless ZTNA for web, SSH and VNC applications; client-based ZTNA for all other non-web applications.

Problem: No integrated network firewall
Solution: Built-in network firewall
Cloudflare implementation: Cloudflare lets administrators enforce network firewall policies at the edge, giving them fine-grained control over what data can enter and leave the network and better visibility into how traffic flows through it.

Problem: Lack of fine-grained control
Solution: Integrated Secure Web Gateway (SWG)
Cloudflare implementation: By combining ZTNA with an SWG, Cloudflare lets administrators exercise more granular control over user and device access rights within applications.

Cloudflare provides access without compromising protocol support or functionality. The recommended migration path depends on the business priorities driving your project:


- If faster connectivity to applications is your priority, start with client-based ZTNA for non-web applications.

- If improving the security of your application access rules matters more, start with web applications.

- Replacing your VPN is only the first step in a broader network transformation. Because the transition to a SASE model can be overwhelming, we have broken down a common path to Zero Trust security based on the approach our customers have taken.
