Zero Trust Network Access

ZTNA Reinvented: All the benefits and none of the downsides

Published December 14, 2022 by Nicholas DiCola

Read on for a summary of the webinar.

Remote work has brought real benefits, among them reported gains in productivity and reductions in stress. From a security perspective, the picture is less clear. In a study of VP- and C-suite-level security professionals, respondents said they view home and public networks as risky because both are outside their control: they can neither inspect nor manage them. Two approaches, VPN and ZTNA, have risen above the rest to fill the remote-access security gap, but neither is without problems.

Recently, Zero Networks hosted a webinar with the SANS Institute to discuss the flaws in VPN and ZTNA and to explore how Zero Networks addresses them with its new product, Zero Networks Connect™.

The featured guest speakers included:

  • Nicholas DiCola, VP Customers @ Zero Networks
  • John Shaffer, Chief Information Officer @ Greenhill

Some of the key takeaways:

What are the security gaps present in VPN solutions?
With a VPN, once the tunnel is established the user can reach corporate resources as if they were plugged into the office network. Access is granted to the network, not to individual resources, so an attacker who obtains a user's credentials gets the same broad reach and can move laterally from there. VPN gateways are also internet-exposed and typically legacy devices, so attackers can skip the user entirely and go at the server directly, brute-forcing logins or exploiting a vulnerability in the VPN software. Finally, there is no centralized policy, which makes VPN profiles hard for security teams to manage consistently.

What are the security gaps present in ZTNA solutions?
In the ZTNA model the user connects to a cloud provider and authenticates with MFA. The cloud provider then stitches together a network path to an on-prem ZTNA proxy, which routes the traffic to the internal resource. This addresses some of the VPN weaknesses: the on-prem proxy is not exposed to the internet, and policy is centralized, which simplifies management. But ZTNA brings its own issues. Traffic is routed through an additional hop, which adds latency. Cost is higher because of the cloud networking involved: bandwidth is not cheap, no provider pays for it out of pocket, so it is baked into the price of the ZTNA product. Finally, every connection is NATed through the ZTNA provider, so on the internal network all connections appear to originate from one subnet, or perhaps a handful of IPs. The real source is lost, and anyone reviewing those logs to work out who connected to what can no longer attribute a connection to its actual origin.

What would the next-generation solution for the work-from-home economy look like?
A next-generation ZTNA would close the gaps of both VPN and ZTNA while keeping the benefits of each, and that is what Zero Networks Connect™ is designed to do. With Zero Networks Connect™, the user first connects to a cloud service, which forces authentication via MFA. On success, the cloud application instructs the on-prem server to accept a tunnel from that user's source IP only, and the tunnel is then established from the user to the on-prem server rather than through the cloud. With this approach, organizations avoid the latency, bandwidth costs and loss of visibility of traditional ZTNA while also avoiding the risks of VPN.
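The two points above, the NAT visibility problem of proxied ZTNA and the MFA-then-allow-one-source-IP flow, are easier to reason about as a small model. The following is an added illustration written for this post, not Zero Networks' code and not a description of how Connect is implemented internally: a cloud-side MFA broker that, after a successful challenge, tells a default-deny on-prem gateway to accept a tunnel from that one source IP for a short window. The class and function names, the 60-second lease, the single-use rule and the one-time-code table are all assumptions made for illustration; the audit log is constructed inline.

```python
"""Toy model of the connect flow: MFA at a cloud broker, then a just-in-time,
single-use, per-source-IP allow on a default-deny on-prem gateway.
Added illustration only; not Zero Networks' code. Names, the 60-second
lease and the one-time-code check are assumptions."""

from dataclasses import dataclass, field
import hmac
import ipaddress

LEASE_SECONDS = 60.0  # assumed: window in which the tunnel must come up


@dataclass
class AllowRule:
    user: str
    expires_at: float


@dataclass
class OnPremGateway:
    """Default-deny gateway: accepts an inbound tunnel only from a source IP
    that currently holds a live AllowRule, and logs the real client IP
    (no NAT in between, so the log keeps the true origin)."""
    rules: dict = field(default_factory=dict)   # src IP -> AllowRule
    audit: list = field(default_factory=list)   # constructed audit log

    def allow(self, src_ip: str, user: str, now: float) -> None:
        ip = ipaddress.ip_address(src_ip)
        self.rules[ip] = AllowRule(user, now + LEASE_SECONDS)

    def accept_tunnel(self, src_ip: str, now: float) -> bool:
        ip = ipaddress.ip_address(src_ip)
        rule = self.rules.pop(ip, None)   # single use: consumed on first attempt
        if rule is None or now > rule.expires_at:
            self.audit.append(f"DENY src={ip}")
            return False
        self.audit.append(f"ALLOW src={ip} user={rule.user}")
        return True


class MfaBroker:
    """Cloud side. Real MFA is replaced by a constructed one-time-code table."""

    def __init__(self, gateway: OnPremGateway, codes: dict[str, str]):
        self._gw = gateway
        self._codes = codes

    def connect_request(self, user: str, src_ip: str, code: str, now: float) -> bool:
        expected = self._codes.get(user)
        if expected is None or not hmac.compare_digest(expected, code):
            return False          # MFA failed: the gateway is never told anything
        self._gw.allow(src_ip, user, now)
        return True


def demo() -> list:
    """Run four scenarios and return the gateway's audit log."""
    gw = OnPremGateway()
    broker = MfaBroker(gw, {"alice": "123456", "bob": "654321"})  # constructed codes
    # alice passes MFA from her home IP, then brings up the tunnel from the same IP
    broker.connect_request("alice", "203.0.113.10", "123456", now=0.0)
    gw.accept_tunnel("203.0.113.10", now=5.0)
    # replay from the same IP: the single-use rule is already consumed
    gw.accept_tunnel("203.0.113.10", now=6.0)
    # attacker with a stolen password but no MFA code: broker refuses, gateway never opens
    broker.connect_request("alice", "198.51.100.7", "000000", now=0.0)
    gw.accept_tunnel("198.51.100.7", now=1.0)
    # bob passes MFA but waits too long: the lease has expired
    broker.connect_request("bob", "203.0.113.20", "654321", now=0.0)
    gw.accept_tunnel("203.0.113.20", now=LEASE_SECONDS + 1.0)
    return gw.audit


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Two things worth noting from the model. First, because the tunnel terminates on the on-prem gateway rather than on a cloud proxy, the audit log records the client's real source address, which is exactly what the NATed ZTNA path loses. Second, a per-source-IP allow narrows exposure but is not authentication: any host sharing that public IP (a home router, a CGNAT pool, a coffee-shop NAT) can reach the opened port during the lease, so the tunnel itself must still authenticate the user and the lease should be short and single-use, as it is here.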
