A virtual private network (VPN) is a mechanism that creates a secure and private connection between remote devices and networks over an unsecured public network such as the internet. In modern enterprise networks, VPNs are most often used to connect remote employees to the corporate network so that they can access all network resources as if they were physically located in the company headquarters and connected to the local network.
VPNs rely on the well-established “perimeter security” approach to network security. In this setup, a security perimeter is established around the enterprise network by deploying security devices such as firewalls as well as intrusion detection/prevention systems (IDS/IPS) at the edge of the network. This creates a safe zone inside the enterprise network that is separated by the perimeter from the unsafe zone outside the organization’s deployed security devices. VPNs simply extend that safe zone to the remote device establishing the VPN connection.
VPNs work very well and deliver a high level of security for remote workers. However, as an extension of the perimeter security method, VPNs inherit the drawbacks of this approach. One of the most important is that perimeter security fails to safeguard remote users or the corporate network against potential threats inside the established security boundary.
There are noteworthy alternatives to VPNs that can address the drawbacks of this more traditional network security methodology. These include technologies such as software-defined perimeters (SDPs), application programming interface (API) gateways, secure access service edge (SASE), and remote browser isolation (RBI).
It is worth noting that these technologies are excellent stepping stones to eventually reaching the ultimate goal of adopting a full zero trust network access (ZTNA) approach to security. ZTNA is poised to eliminate the shortcomings of the more traditional perimeter security method that includes the use of VPNs for secure remote access.
The following table describes the key concepts addressed in this article, alternative technologies, and the path to a network fully secured using ZTNA.
Virtual Private Networks
What is a VPN?
Virtual private networks allow users to create secure, encrypted connections between their devices and a remote server over an unsecured public network, typically the internet. When employed within the framework of a business, the technology is most commonly used to enable remote employees to securely access their organization’s corporate network remotely. It creates an encrypted connection between the user’s device and the corporate network, allowing the user to safely access internal resources, such as files, applications, and intranet sites, as if they were physically present at the office.
How Does a VPN Work?
End-user devices connected to the internet establish a secure tunnel with a VPN server that exists somewhere on the corporate network. Refer to the following diagram.
To achieve this connectivity, the devices perform the following steps:
- The employee’s device (e.g., laptop or smartphone) connects to the internet through the user’s home network or via a public Wi-Fi network.
- The user launches the VPN client software installed on the device and enters credentials (e.g., username and password) to authenticate with the VPN server.
- Once authenticated, the VPN client establishes an encrypted tunnel between the user’s device and the corporate VPN server.
- The user’s Internet traffic is encrypted and routed through the tunnel to the VPN server, which is typically located within the organization’s internal network, as shown in the diagram.
- The VPN server decrypts the traffic and forwards it to the intended destination within the corporate network (e.g., a file server or internal application). The user can then access and interact with these internal resources as if physically in the office.
In this sense, the safe internal corporate network is extended through a tunnel to the particular device connected via the VPN. The result is that any traffic that may be intercepted over the internet would be unintelligible to an eavesdropper, so the information remains safe.
What Are the Drawbacks of VPNs?
Although VPNs deliver security that protects from potential threats outside the network, they do not resolve some of the inherent drawbacks of the perimeter-based security scheme.
VPNs rely on creating a secure connection to the corporate network, effectively extending the network perimeter to remote users. However, once connected to the VPN, the user may have access to a wide range of internal resources, potentially posing a security risk if the device is compromised or if the individual has excessive privileges. The users of the VPN themselves may become security risks, whether intentionally as active threat actors or unintentionally due to malware- or virus-infected devices.
VPNs typically grant trust to users once they have been authenticated, which means that if an attacker manages to compromise a user’s credentials, the attacker can gain access to the corporate network and its resources. This approach does not continuously validate the trustworthiness of users and devices: it requires only an initial authentication, after which trust is unequivocally granted.
VPNs often provide access to entire segments of the corporate network rather than granting access on a per-application, per-resource, or per-transaction basis. This can make it difficult to enforce the principle of least privilege, where users should only have access to the resources necessary for their specific roles and only for the limited time that they need that access. It also gives an attacker who has compromised a particular system or application the opportunity to move laterally from that system to any other, since all systems sit within the same trusted network.
There are a number of alternatives to VPNs that deliver a similar level of security without the drawbacks of the network-perimeter-based security approach. Each has a slightly different implementation methodology and may serve particular applications and services. All of them, however, are worth examining for any business seeking to improve its security posture and possibly reach full ZTNA-based network security.
Software-Defined Perimeters (SDPs)
An SDP is a modern security framework that provides secure, application-specific access to resources regardless of their locations (on-premises or in the cloud). SDP is designed to address the limitations of traditional VPNs by implementing a zero-trust approach, where no user or device is trusted by default.
How it Works
The deployment of an SDP solution typically involves three main components that work together to create a secure and dynamic access control framework:
- SDP controller: The SDP controller acts as the central authority for managing access policies, authentication, and authorization. It is responsible for authenticating users, devices, and gateways and for orchestrating secure connections between clients and protected resources. The controller maintains a list of authorized users, their roles, and associated permissions. It is also responsible for issuing security tokens and ensuring that access requests conform to defined policies.
- SDP gateways: These gateways serve as intermediaries between clients and protected resources such as applications or services. They enforce access policies and provide secure connectivity by establishing encrypted communication channels between clients and the resources they are authorized to access. Gateways can be deployed on-premises, in the cloud, or in hybrid environments, depending on the organization’s needs. They are typically responsible for decrypting incoming traffic, inspecting it for potential threats or violations, and forwarding it to the appropriate resource, if authorized. Note that depending upon the SDP deployment model, the role of the SDP gateway may alternatively be incorporated into other components of the framework, rather than in a standalone entity.
- SDP clients: These are software agents installed on user devices such as laptops, smartphones, or tablets. They are responsible for establishing secure connections to the SDP gateways, initiating authentication requests, and managing encrypted communication channels with the protected resources. Clients typically communicate with the SDP controller to obtain security tokens, which are then used to authenticate and establish connections with the appropriate gateways.
These components work together to create a secure, application-specific perimeter.
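The controller/gateway/client exchange described above, as an added example that is not part of the original article or any SDP product: the controller authenticates the user and device posture and issues a short-lived, HMAC-signed token scoped to the resources the user's roles allow; the gateway admits a connection only when the token is authentic, unexpired, and names the requested resource. All keys, users, roles and resource names are constructed sample data.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Everything below is constructed sample data for this example, not a real deployment.
CONTROLLER_KEY = b"constructed-demo-signing-key"  # a real controller would keep this in a KMS/HSM
_SALT = b"constructed-salt"
USER_HASHES = {
    "alice": hashlib.sha256(_SALT + b"alice-pw").hexdigest(),
    "bob": hashlib.sha256(_SALT + b"bob-pw").hexdigest(),
}
USER_ROLES = {"alice": ["finance"], "bob": ["engineering"]}
ROLE_RESOURCES = {"finance": {"erp"}, "engineering": {"git", "ci"}}


def _sign(body: str) -> str:
    """The controller-held HMAC key binds the token's claims to the controller."""
    return hmac.new(CONTROLLER_KEY, body.encode(), hashlib.sha256).hexdigest()


def controller_issue_token(user: str, password: str, device_compliant: bool,
                           now: Optional[float] = None, ttl: int = 300) -> Optional[str]:
    """Controller: check credentials and device posture, then issue a short-lived token
    listing only the resources the user's roles permit. Returns None if anything fails."""
    now = time.time() if now is None else now
    expected = USER_HASHES.get(user)
    supplied = hashlib.sha256(_SALT + password.encode()).hexdigest()
    if expected is None or not hmac.compare_digest(expected, supplied) or not device_compliant:
        return None
    resources: List[str] = sorted({r for role in USER_ROLES.get(user, []) for r in ROLE_RESOURCES[role]})
    claims = {"sub": user, "res": resources, "exp": int(now + ttl)}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return f"{body}.{_sign(body)}"


def gateway_authorize(token: Optional[str], resource: str, now: Optional[float] = None) -> bool:
    """Gateway: admit a connection to `resource` only if the token is authentic, unexpired
    and names that resource. Other resources behind the same gateway stay unreachable, so a
    compromised client cannot move laterally the way it could on a flat VPN segment."""
    now = time.time() if now is None else now
    if not token or "." not in token:
        return False
    body, sig = token.rsplit(".", 1)
    if not hmac.compare_digest(_sign(body), sig):
        return False  # forged or tampered token
    claims = json.loads(base64.urlsafe_b64decode(body))
    if now >= claims["exp"]:
        return False  # expired: the client must go back to the controller
    return resource in claims["res"]
```

Because the token carries an expiry, the client has to return to the controller regularly, which is where the continuous re-validation that a VPN lacks would be enforced.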
SDP is a viable way to implement zero trust security. Consequently, the implementation of an SDP can benefit a business looking to improve the security posture of its VPNs in several ways.
First, it can enhance access control: An SDP solution provides granular, context-aware access controls, allowing organizations to define and enforce user and device access policies based on factors such as identity, device posture, location, and behavior. This ensures that users only have access to the resources they need, minimizing the potential attack surface.
Second, it uses dynamic, application-specific perimeters, tailored to the needs of individual users, devices, and applications, rather than fixed network perimeters. This approach reduces the risk of unauthorized access and lateral movement within the network, which is a common issue in traditional VPN deployments.
Third, SDP solutions typically offer centralized management consoles, enabling IT administrators to easily configure and manage access policies, monitor user activities, and respond to potential security incidents. This simplified network management can lead to reduced operational complexity and lower management overhead.
SDP architectures also help improve scalability, as they are designed to scale seamlessly, accommodating the growing needs of businesses as they expand their network infrastructure, adopt new technologies, or experience fluctuations in user demand.
By dynamically creating and enforcing access policies, an SDP solution can significantly enhance an organization’s security posture and provide a more effective alternative to traditional VPNs.
Application Programming Interface (API) Gateways
An API gateway is a software layer that sits between a client and a collection of microservices or APIs, acting as an intermediary for all the API calls between the client and the microservices. It provides a single entry point for all client requests and manages the communication, security, and scalability aspects of the API infrastructure.
From the diagram above, you can see that the API gateway acts as a single point of entry. Via this gateway, multiple backend APIs can be leveraged to access multiple microservices. These backend APIs are dynamic in nature and can change over time; the API gateway essentially delivers an abstraction layer through which the client can access the microservices.
API gateways are designed to address the complexities of API management within a production network. This management includes elements like:
- Routing and load balancing: API gateways route API requests to the appropriate backend service or microservice while distributing traffic across multiple instances of those services.
- Security and authentication: API gateways authenticate and authorize client requests, offering encryption and access control.
- Rate limiting and throttling: API gateways control the number of requests permitted from a specific client or source, preventing overload and safeguarding backend services.
- Monitoring and analytics: API gateways gather and analyze data on API usage, performance, and availability, delivering insights into API utilization and potential improvements.
As alternatives to VPNs on the path toward a ZTNA solution, API gateways contribute to simplifying and streamlining API infrastructures by providing a consolidated entry point for clients and abstracting the complexities of the underlying microservices. Additionally, they offer a centralized location for managing security, authentication, and other aspects of API management, enhancing the overall security and reliability of the API ecosystem.
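The four gateway functions listed above, worked through in one single-entry-point handler as an added example (not code from the article or from any gateway product): API-key authentication, a sliding-window rate limit per client, longest-prefix routing with round-robin load balancing across backend instances, and a metrics counter for monitoring. Route table, keys and backend addresses are constructed placeholders.

```python
import time
from collections import deque
from typing import Deque, Dict, List, Optional, Tuple
# Constructed sample configuration for this example gateway; backend names are placeholders.
ROUTES: Dict[str, List[str]] = {  # path prefix -> backend instances for that microservice
    "/orders": ["orders-1:8080", "orders-2:8080"],
    "/inventory": ["inventory-1:8080"],
}
API_KEYS = {"key-mobile-app": "mobile", "key-partner": "partner"}  # key -> client id
RATE_LIMIT = 3  # requests allowed per client per window
WINDOW_SECONDS = 60.0

_rr_position: Dict[str, int] = {}  # round-robin index per route
_recent: Dict[str, Deque[float]] = {}  # client -> timestamps of admitted requests
metrics = {"allowed": 0, "unauthorized": 0, "throttled": 0, "not_found": 0}


def _route(path: str) -> Optional[str]:
    """Routing and load balancing: longest matching prefix, then round-robin over its backends."""
    prefix = max((p for p in ROUTES if path.startswith(p)), key=len, default=None)
    if prefix is None:
        return None
    backends = ROUTES[prefix]
    idx = _rr_position.get(prefix, 0)
    _rr_position[prefix] = idx + 1
    return backends[idx % len(backends)]


def _within_rate_limit(client: str, now: float) -> bool:
    """Rate limiting and throttling: sliding window over the client's admitted requests."""
    window = _recent.setdefault(client, deque())
    while window and now - window[0] >= WINDOW_SECONDS:
        window.popleft()
    if len(window) >= RATE_LIMIT:
        return False
    window.append(now)
    return True


def handle_request(path: str, api_key: Optional[str], now: Optional[float] = None) -> Tuple[int, str]:
    """Single entry point: authenticate, throttle, route, and record a metric.
    Returns (status code, backend address or reason) so the caller can see the decision."""
    now = time.time() if now is None else now
    client = API_KEYS.get(api_key or "")
    if client is None:  # security and authentication
        metrics["unauthorized"] += 1
        return 401, "unauthorized"
    if not _within_rate_limit(client, now):  # rate limiting and throttling
        metrics["throttled"] += 1
        return 429, "rate limit exceeded"
    backend = _route(path)
    if backend is None:
        metrics["not_found"] += 1
        return 404, "no route"
    metrics["allowed"] += 1  # monitoring and analytics
    return 200, backend
```

Note that the client never learns backend addresses directly; the gateway is the only thing it can reach, which is the abstraction layer the section above describes.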
Secure Access Service Edge (SASE)
SASE is a comprehensive, cloud-based security framework that converges networking and security services into a single, unified platform. SASE integrates various security functions, such as secure web gateways, cloud access security brokers (CASBs), firewall as a service (FWaaS), and ZTNA with software-defined WAN (SD-WAN) capabilities. It simplifies the management of secure access across distributed environments, including remote branches, mobile users, and cloud applications.
SASE can benefit a business looking to improve the security posture of its VPNs and to work toward deploying ZTNA in several ways:
- SASE combines networking and security functions, simplifying the management of secure access and reducing the complexity of managing multiple-point solutions. This unified approach enhances visibility, control, and security across the organization.
- SASE is typically delivered as a cloud-based service, making it highly scalable, cost-effective, and easily adaptable to the evolving needs of businesses, including the growing adoption of cloud services and the increasing number of remote users.
- SASE incorporates context-aware access controls, taking into account factors such as user identity, device posture, location, and application sensitivity, to make dynamic access decisions. This granular, context-aware security approach aligns with the principles of ZTNA and improves the security posture compared to traditional VPNs.
- By leveraging SD-WAN capabilities and cloud-based delivery, SASE optimizes network performance. It reduces latency and improves the user experience, especially for remote users and those accessing cloud-based applications.
In addition to these benefits, it is important to note that since SASE includes ZTNA as part of its security functions, businesses can transition more smoothly and incrementally to a fully deployed ZTNA solution. This allows organizations to benefit from the enhanced security posture, granular access controls, and reduced attack surface that SASE offers, and simultaneously move more easily toward a more secure and robust ZTNA-based environment.
Remote Browser Isolation (RBI)
RBI can benefit a business looking at it as an alternative to VPNs and seeking to improve its network security posture while aiming to deploy ZTNA. It is a security technology that isolates web browsing activities from an end user’s device and the corporate network by executing web content within a virtual container or remote environment.
Most importantly, RBI isolates web content in a remote environment, preventing malicious content from reaching the end user’s device. This significantly reduces the risk of malware infections, drive-by downloads, and other web-based threats that could compromise the device and the corporate network. In turn, this helps safeguard sensitive data from potential exposure through browser vulnerabilities or exploits, reducing an enterprise’s attack surface.
Also important is the fact that RBI enables secure browsing without requiring end users to install additional software or change their browsing habits. This ensures a smooth user experience while enhancing security.
RBI is specifically geared toward delivering protection to web browser sessions, making it an excellent alternative to VPNs for users who exclusively use web-based services and applications for their day-to-day business. Although authentication and access control are generally not integral components of RBI, its use complements potential future ZTNA adoption, which targets broader network access control. By replacing VPNs with RBI and combining it with ZTNA, businesses can further strengthen their security posture and protect their networks from a wide range of threats.
Achieving a ZTNA Network
Alternatives to VPNs, such as SDPs, API gateways, SASE, and RBI, address the limitations of traditional VPNs and perimeter security, allowing organizations to be more agile, flexible, and better prepared to face the ever-evolving cyber-threat landscape. In doing so, they can play a significant role in progressing toward a ZTNA approach.
The truth is that some of these technologies do add a level of complexity to the process of implementing comprehensive network security because they often require the deployment of multiple components with intricate interactions to be successful. However, the result is a much more streamlined experience for the end user, which is one of the primary requirements of ZTNA deployment. Compared to VPN clients, many of these technologies require the same or less interaction from the end user.
In addition, many of these alternatives are delivered as preconfigured intelligent software implementations, like ZTMesh, that have a high level of dynamic, automated deployment procedures. This removes much of the complexity from the point of view of the network administrator as well, ensuring a highly manageable admin interface and operational experience.
By integrating these technologies as alternatives to their current VPN deployments, organizations can move incrementally toward a comprehensive ZTNA approach, enhancing security posture and minimizing the risk of breaches.
Summary of Key Concepts
VPNs are an essential part of the arsenal of security features and applications of modern corporations, especially for those seeking to deliver secure network connectivity to their remote workforce. However, VPNs simply extend the perimeter of an already perimeter-based security approach, which has inherent drawbacks and limitations.
Alternatives to VPNs, such as SDP, SASE, API gateways, and RBI, are among the technologies that can be used to address the security shortcomings of VPNs and perimeter-based security. They not only deliver user, role, context, and resource-based security measures but are also excellent choices for businesses seeking to eventually adopt a full ZTNA security approach for their networks.