
VPN and what comes after: why ZTNA and SASE are the future of business security


Harjinder Singh Harar
Professional Services Consultant

VPNs (Virtual Private Networks) have been crucial for businesses, providing secure remote access to corporate networks. However, traditional VPNs are increasingly exposed to sophisticated cyberattacks, with most VPN vendors having experienced critical vulnerabilities. Not all attacks are sophisticated, though: many are simpler and exploit weak encryption, outdated protocols or vulnerabilities in the appliance’s underlying OS. Zero Trust Network Access (ZTNA) and Secure Access Service Edge (SASE) have emerged as modern approaches to addressing the evolving security and access challenges faced by today’s businesses.

ZTNA operates on a “never trust, always verify” model, granting access only to authenticated users and thereby significantly reducing the attack surface. Traditional VPNs also grant access to authenticated users, in most cases via username and password and sometimes multi-factor authentication; however, once you are in the network there are few, if any, further authentication checks. SASE, on the other hand, combines networking and security into a single cloud-based service, offering enhanced flexibility, scalability, and performance. For businesses, ZTNA and SASE offer superior security: they not only authenticate users but also check user identity, device posture, location and more before granting access, along with simplified management and greater resilience against evolving threats. Simply put, a VPN gets you into the building; ZTNA gets you into the building, takes you efficiently to the room you are allowed in and locks all other doors.

No network overhaul required

Do you have to overhaul your infrastructure to adopt ZTNA?
No! ZTNA doesn’t require extending the corporate network to remote users as VPNs do. This simplifies management and can reduce operational and maintenance costs, with lower deployment complexity depending on the per-application access model, and the added benefit of application-specific access compared with the broader network access commonly seen with traditional VPNs.

ZTNA also alleviates some of the burden on your infrastructure team. The majority of solutions are delivered as a service, meaning they are managed and updated by the provider. This reduces the need for your infrastructure teams to maintain infrastructure such as dedicated VPN concentrators, to worry about scaling hardware to handle remote user traffic, or to re-route traffic because of “traffic tromboning” design flaws.

Many ZTNA tools also come with pre-built integrations for identity providers, endpoint management tools, and cloud platforms, which means a lot of the heavy lifting is already done for you. 

Where to start?

ZTNA is designed to be flexible and shaped around your environment, whether you are a large enterprise or a small organization. ZTNA can be implemented and rolled out in stages without ripping out your existing security infrastructure or measures, and while ZTNA is cloud-centric it works just as well with legacy infrastructure, whether on-prem or hybrid.

So, adopting ZTNA may sound like a huge technical overhaul; however, with some good old planning and phased deployments, the transition can be easier than you may think.

How does SASE tie in with ZTNA?

In a modern infrastructure, a SASE framework restricts access at all edges, across sites, mobile users and cloud resources, in accordance with ZTNA principles: enforcing user-based policies that limit access to where it is specifically required, based on roles and responsibilities. ZTNA within SASE enforces the “never trust, always verify” principle, ensuring both users and devices are authenticated and authorized at a granular level before they access internal or external applications.

How does it work?

Imagine a user working from home who needs access to an internal cloud-based tool and an on-prem directory. SASE and ZTNA would work together to secure the user session:

ZTNA:

  1. User logs in, verifying identity via MFA
  2. ZTNA policy checks the device posture against patching/encryption policies
  3. Access is granted to the required apps only – not to the full network

SASE:

  1. User traffic is routed through a secure gateway, away from the dirty internet
  2. A cloud access security broker (CASB) monitors the session to ensure compliance with group policy

Working hand in hand, ZTNA ensures the user can only access authorized applications while SASE handles security and session performance.
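To make the contrast between the two models concrete, here is a small added example in Python (not code from the original post): a VPN-style decision that checks only the login, beside a ZTNA-style per-application decision that also checks device posture and role and denies unknown apps by default. The app names, roles and policy values are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Device:
    """Device posture as reported by an endpoint agent (constructed fields)."""
    patched: bool
    disk_encrypted: bool
    managed: bool


@dataclass
class AccessRequest:
    user: str
    roles: set
    mfa_passed: bool
    device: Device
    app: str


# Constructed per-application policy: which roles may reach which app and
# whether a corporate-managed device is required. Apps not listed here are
# denied by default ("never trust").
APP_POLICY = {
    "crm-cloud":  {"roles": {"sales", "support"}, "require_managed": False},
    "ad-on-prem": {"roles": {"it-admin"},         "require_managed": True},
}


def vpn_decision(req):
    """Legacy VPN model: authenticate once at the tunnel, after which the
    whole network (every app) is reachable. No posture or per-app check."""
    return req.mfa_passed


def ztna_decision(req):
    """ZTNA model: identity, device posture and role are all verified for
    this specific app. Returns (allowed, list of failed checks)."""
    reasons = []
    if not req.mfa_passed:
        reasons.append("mfa")
    if not (req.device.patched and req.device.disk_encrypted):
        reasons.append("device-posture")
    policy = APP_POLICY.get(req.app)
    if policy is None:
        reasons.append("unknown-app")
    else:
        if not (req.roles & policy["roles"]):
            reasons.append("role")
        if policy["require_managed"] and not req.device.managed:
            reasons.append("unmanaged-device")
    return (not reasons, reasons)
```

Running the same sales user against both decisions shows the difference the post describes: the VPN check says yes to everything after login, while the ZTNA check lets that user reach the CRM but not the on-prem directory.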

The future of business security

In summary, legacy VPNs represent a significant threat vector that necessitates quick mitigation. Transitioning from these outdated systems to a ZTNA model not only enhances security but also lays the groundwork for a future shift towards full SASE implementation. Organizations should begin by focusing on the use cases that are most critical to their business needs. Additionally, while considering the technology, it’s essential not to overlook the people and process aspects, as these are vital for a successful deployment. Embracing this holistic approach will ensure a smoother transition and a more secure infrastructure.
