Chapter 10

ZTNA vs. VPN: Tutorial & Comparison

July 14, 2023

Virtual private networks (VPNs) create secure encrypted tunnels between two endpoints or networks over an insecure intermediary network such as the public internet. They represent an important step that offers more secure remote access to the corporate network for remote users, but they have some limitations.

VPNs only secure traffic flow in the tunnel from point A to point B – they don’t ensure that endpoints or networks past the tunnel are secure. Traditionally, when a user connects to a corporate network via a VPN, security for network segments and devices before or after the VPN tunnel is implemented in the form of VLANs or subnets, with ACLs permitting or denying traffic based on pre-configured rules. The shortcoming of this method is that it is a perimeter-based approach to security: once an individual has circumvented the perimeter defense via some discovered weakness, they will begin looking for vulnerable systems to exploit unless other security measures are in place.

Addressing the perimeter approach weakness is where zero trust network access (ZTNA) really starts to shine. Like a VPN, ZTNA also facilitates secure encrypted remote access, but ZTNA doesn’t have the same inherent perimeter weakness as a VPN because it only allows access to explicitly authorized endpoints, applications, and services, regardless of where that access originates.

ZTNA is the network equivalent of an RFID key badge that can open the main door but then only those interior doors to which an employee has been granted access. It is much more granular in the way it grants access, and it is centrally administered. For example, with a key card system, when you hire a new employee, you just create an RFID card with the appropriate access for that person; upon departure, you just deactivate the card in the system. ZTNA works the same way: Users only get access to the resources necessary for their roles within the company, and access levels can be changed at any time through a centrally administered system.

Summary Comparison: ZTNA vs. VPN

Functionality
  VPN:  VPNs secure access between networks.
  ZTNA: ZTNA secures access between resources and also grants access to systems, services, and apps based on defined policies.

Hardware vs. software
  VPN:  VPNs come in both hardware point-to-point and software versions.
  ZTNA: ZTNA is primarily software-based.

Prerequisites
  VPN:  Preconfigured hardware or software is needed on the company side and must be deployed to users.
  ZTNA: Centralized setup must be in place to effectively administer and deploy policies.

Breach containment
  VPN:  Potentially somewhat limited to the segment in which it occurred.
  ZTNA: Limited to the device, application, or service that was compromised, if configured correctly.

Secure communication protocols
  VPN:  Primarily uses IPsec or TLS to set up secure connections between two points. Usually operates at the network layer (OSI layer 3).
  ZTNA: Sometimes uses PKI and TLS encryption between each app, service, or endpoint. Usually operates at the transport or application layer (OSI layer 4 or 7).

Performance
  VPN:  Some performance degradation and added latency are possible, since all traffic is directed through the VPN concentrator instead of flowing directly between the communicating parties.
  ZTNA: Traffic goes directly to the application, so there’s generally less latency; a per-application basis usually means superior performance.

Uptime
  VPN:  Dependent on hardware devices like concentrators being online.
  ZTNA: Can depend on the uptime of the cloud-hosted services that administer the ZTNA policies. Depending on the implementation, cloud-hosted services are not used for connection setup or transport: policies are translated to ACLs and keys that are distributed to endpoints, so there is no single point of failure.

Standardization
  VPN:  Commonly deployed: IPsec, OpenVPN, IKEv2, WireGuard.
  ZTNA: Cloud-hosted or agent-based. Proprietary deployments are currently the only option.

Remote worker support
  VPN:  Supports remote workers getting access to the network.
  ZTNA: Supports granting remote access to specific resources, like applications, services, or endpoints.

Cloud support
  VPN:  Usually hosted on-premises, but in some scenarios, the cloud may be used.
  ZTNA: Usually cloud-hosted. Integrates well with cloud-hosted apps.

SSO integration
  VPN:  Limited but growing integration with SSO.
  ZTNA: Normally fully integrated with the main SSO providers.

Implementation speed
  VPN:  Takes time to procure and configure hardware, deploy software to end users, and train them on connecting.
  ZTNA: Can usually be deployed using existing hardware/resources. Can be implemented in phases, so the initial phase can be implemented quickly with limited disruption and built on from there. May require major design changes to network and security posture.

Administration
  VPN:  Requires knowledge of the VPN protocols and administration methods of each VPN segment, the specific hardware used, and how to troubleshoot connection issues.
  ZTNA: Administered via a centralized portal; scalable and easy to make changes.

Security strength
  VPN:  Very strong for traffic in transit, but does not secure traffic within the networks connected by the VPN.
  ZTNA: High security strength for every resource secured by it.

Compliance
  VPN:  Can involve a large administrative overhead if using multiple VPNs to achieve compliance objectives.
  ZTNA: Initial setup, configuration, and deployment will take work but make it easier to achieve compliance goals on any application, endpoint, or service.

Market maturity
  VPN:  More mature.
  ZTNA: Less mature.

Open-source support
  VPN:  Some big players, like OpenVPN.
  ZTNA: Predominantly commercial solutions.

Total cost of ownership
  VPN:  Includes hardware costs and ongoing licensing for hardware and user software/app installs.
  ZTNA: Licensing and cloud hosting fees are the main cost.

VPN vs. ZTNA Summary Graphic

The images below illustrate the main difference between a VPN and ZTNA. A VPN creates a secure tunnel between two networks, while ZTNA creates secure connections from end users and endpoints at any location to remote devices or applications, based on characteristics such as time, location, identity, and endpoint verification status.

[Figure: The basic concept of a Virtual Private Network (VPN)]
[Figure: A high-level ZTNA architecture]

Functionality

VPNs work by encapsulating network traffic in a secure tunnel, which is encrypted end-to-end within the tunnel between the client and VPN concentrator. This provides secure connectivity between the user’s device and the internal corporate network. VPNs are often used for remote access, teleworking, and secure data transmission. However, VPNs have one main disadvantage in terms of security: They only deliver perimeter security and not a way to protect against a network attacker already within the perimeter.

Zero trust network access (ZTNA) is an approach to security that provides secure access to specific network resources, applications, and services without exposing them to the public internet. ZTNA solutions use identity verification and access controls to limit access to only authorized users and devices on a per-service basis. This approach reduces the attack surface and minimizes the risk of data breaches, credential theft, or other security threats.

The main functional difference between VPNs and ZTNA solutions is that ZTNA grants the administrator flexibility to secure access to systems, services, and applications based on defined policies and identity management. VPNs only secure the access to the network perimeter.

ZTNA solutions leverage a range of technologies—such as multi-factor authentication, identity federation, and micro-segmentation—to provide fine-grained access controls and ensure that only trusted users and devices can access network resources. ZTNA solutions are often faster, more reliable, and easier to use than VPNs, but they can also be more complex to deploy and manage.


Hardware vs. Software

VPNs and ZTNA can be implemented using both hardware and software solutions, but ZTNA is primarily software-based.

Hardware-based solutions typically involve the use of specialized appliances or routers that are designed to handle the encryption and tunneling of traffic for VPNs or ZTNA. These appliances are often purpose-built and optimized for high performance and scalability, making them suitable for large enterprise networks with high traffic volumes. Hardware-based solutions can also provide additional security features, such as hardware-based encryption, that may not be available in software-based solutions. However, hardware-based solutions can be more expensive to deploy and maintain and may require specialized expertise to manage.

Software-based solutions, on the other hand, can be installed on standard hardware or virtual machines and deployed quickly and easily. Software-based solutions are often more flexible and scalable than hardware-based solutions, making them suitable for small and mid-sized businesses or organizations with limited IT resources.

Software-based VPNs and ZTNA technologies are typically less expensive than hardware-based solutions and can be managed and updated remotely using centralized management tools. However, software-based solutions may not perform as well as hardware-based solutions and may require more computing power to operate efficiently. Additionally, software-based solutions may be more vulnerable to security threats, such as software vulnerabilities or malware attacks. In the case of ZTNA, software-based solutions have the advantage that they can support direct end-to-end secure communication without routing traffic through any appliance, thus increasing throughput and reducing latency.

Prerequisites

VPNs and ZTNA have different prerequisites for deployment and use. For VPNs, the primary requirement is a secure tunnel between the user’s device and the corporate network. This can be achieved using secure protocols such as TLS or IPsec, which require compatible client software on the user’s device. VPNs also typically require the user to authenticate using a username and password or other credentials, which are verified by a centralized authentication server or directory service. In some cases, VPNs may also require the installation of specialized software or the configuration of network settings on the user’s device.

ZTNA, on the other hand, has a more comprehensive set of prerequisites. ZTNA relies on a zero-trust security model that requires the use of identity and access management (IAM) technologies, such as multi-factor authentication and identity federation, to verify the user’s identity and device posture. Additionally, ZTNA requires network segmentation and application integration to enforce access controls and ensure that only authorized users and devices can access specific resources. ZTNA may also require the use of specialized client software or browser extensions, which provide additional security features such as encryption and device posture assessment.

Breach Containment

VPN and ZTNA solutions differ in their approach to breach containment. VPNs rely on perimeter-based security, which assumes that once a user is authenticated and connected to the network, that user can be trusted to access all network resources. An attacker who gains access to a VPN user’s credentials will be able to access all of the network resources available to that particular VPN segment, which could result in a widespread data breach.

ZTNA, on the other hand, assumes that all access attempts are potentially malicious and must be verified and authorized before granting access to network resources. This approach minimizes the attack surface and reduces the risk of data breaches by limiting access to only authorized users and devices while also limiting the attacker’s ability to move laterally through the network. An attacker will not have visibility and access to resources within the network because there no longer is a concept of implicit trust. ZTNA uses micro-segmentation and application-level controls to enforce access policies, which can isolate compromised devices and prevent the spread of malware or other threats.
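To make the functional difference and the breach-containment argument above concrete, here is an added example in Go, written for this chapter and not code from the page or any product. It puts a perimeter-style check, where one successful login unlocks every host in a subnet, next to a per-resource ZTNA policy that evaluates group membership, device posture and time of day for every request, and then replays the stolen-credential case from the text against both. The user names, group names, subnet, addresses and resource names are constructed sample data.

```go
package main

import (
	"fmt"
	"net/netip"
	"time"
)

// AccessRequest carries the signals a ZTNA policy decision point looks at.
// The field set is constructed for this example, not a vendor's schema.
type AccessRequest struct {
	User      string
	Groups    []string
	PostureOK bool   // managed device, disk encrypted, EDR running, patched, ...
	Resource  string // application or service being requested
	At        time.Time
}

// vpnSegment models the perimeter model: authenticate once to the
// concentrator, then reach any host in the segment's subnet.
type vpnSegment struct {
	Subnet  netip.Prefix
	Members map[string]bool
}

func (s vpnSegment) Allow(user string, dst netip.Addr) bool {
	return s.Members[user] && s.Subnet.Contains(dst)
}

// resourcePolicy is one ZTNA rule: who may reach one resource, and under
// what conditions. Anything without a rule is denied.
type resourcePolicy struct {
	Groups       []string
	NeedsPosture bool
	HoursUTC     [2]int // allowed window [start, end) in hours, UTC
}

type ztnaPolicySet map[string]resourcePolicy

func (z ztnaPolicySet) Decide(req AccessRequest) (bool, string) {
	p, ok := z[req.Resource]
	if !ok {
		return false, "no policy for resource (default deny)"
	}
	if !intersects(req.Groups, p.Groups) {
		return false, "user not in an allowed group"
	}
	if p.NeedsPosture && !req.PostureOK {
		return false, "device posture check failed"
	}
	if h := req.At.UTC().Hour(); h < p.HoursUTC[0] || h >= p.HoursUTC[1] {
		return false, "outside allowed hours"
	}
	return true, "allowed"
}

func intersects(a, b []string) bool {
	for _, x := range a {
		for _, y := range b {
			if x == y {
				return true
			}
		}
	}
	return false
}

// Constructed sample configuration: one flat office segment for the VPN
// model, and one policy per resource for the ZTNA model.
var corpVPN = vpnSegment{
	Subnet:  netip.MustParsePrefix("10.0.0.0/24"),
	Members: map[string]bool{"alice": true, "bob": true},
}

var corpZTNA = ztnaPolicySet{
	"gitlab":     {Groups: []string{"engineering"}, NeedsPosture: true, HoursUTC: [2]int{0, 24}},
	"payroll-db": {Groups: []string{"finance"}, NeedsPosture: true, HoursUTC: [2]int{7, 19}},
}

// StolenCredentialScenario presents alice's credentials from an unmanaged
// device and reports which resources are reachable under each model.
func StolenCredentialScenario() (vpnReachable, ztnaReachable []string) {
	hosts := map[string]netip.Addr{
		"gitlab":     netip.MustParseAddr("10.0.0.10"),
		"payroll-db": netip.MustParseAddr("10.0.0.20"),
	}
	req := AccessRequest{User: "alice", Groups: []string{"engineering"}, PostureOK: false,
		At: time.Date(2023, 7, 14, 12, 0, 0, 0, time.UTC)}
	for _, name := range []string{"gitlab", "payroll-db"} {
		if corpVPN.Allow(req.User, hosts[name]) {
			vpnReachable = append(vpnReachable, name)
		}
		req.Resource = name
		if ok, _ := corpZTNA.Decide(req); ok {
			ztnaReachable = append(ztnaReachable, name)
		}
	}
	return vpnReachable, ztnaReachable
}

func main() {
	v, z := StolenCredentialScenario()
	fmt.Println("perimeter model reaches:", v) // [gitlab payroll-db]
	fmt.Println("ZTNA model reaches:", z)      // []
}
```

With alice's credentials on an unmanaged laptop the perimeter model reaches both hosts in the segment, the ZTNA model reaches neither, and even a healthy device in the engineering group never reaches payroll-db, because there is no segment-wide trust to inherit: each resource is evaluated on its own rule and an unlisted resource is denied by default.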

Encryption

Encryption is a critical component of both VPN and ZTNA solutions since it provides a secure communication channel between the user’s device and the network. VPNs may use transports such as TLS or IPsec to secure traffic between the user’s device and the private network. The level of encryption used by VPNs varies depending on the specific implementation, but modern VPNs typically employ Advanced Encryption Standard (AES) or an equivalent. VPNs will typically also use other security features, such as public key authentication, message authentication codes (MACs), and ephemeral key exchange protocols to ensure that the encryption keys used to secure the communication channel are secure and ensure perfect forward secrecy.

ZTNA also relies on encryption to secure communication channels between users and the network and often uses many of the same underlying cryptographic mechanisms that VPNs use. Systems that implement ZTNA may use a variety of secure transport protocols, including Transport Layer Security (TLS), WireGuard, or Datagram Transport Layer Security (DTLS), to encrypt traffic between two communicating devices. ZTNA may also use additional security features, such as mutual authentication, to verify the identity of both the user and the service. This helps ensure that neither the user nor the service are fraudulent and helps to prevent man-in-the-middle attacks that can compromise the security of the communication channel.

One major difference between the way encryption is used by VPNs versus certain ZTNA setups is that ZTNA can deploy encryption at the application, or endpoint level, allowing for more granular and tighter security.
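The mutual authentication mentioned above, as an added Go example that is not code from the page or any vendor: a throwaway CA issues a certificate to the service and one to a device, the service is configured with RequireAndVerifyClientCert so that an unauthenticated client is refused, and the server learns the client identity from the verified certificate rather than from anything the client claims. The names demo-ca, app.internal and alice-laptop, the single leaf profile, and the loopback listener are constructed for the demo; a real deployment would get device certificates from enrollment and keep them short-lived.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

var serial int64 // constructed stand-in for a CA's serial-number database

// issue creates a P-256 key and certificate for cn. With parent == nil the
// certificate is self-signed (the demo CA); otherwise the parent signs it.
func issue(cn string, isCA bool, parent *tls.Certificate) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return tls.Certificate{}, err }
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // one leaf profile for both roles keeps the demo short
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	signerCert, signerKey := tmpl, any(key) // self-signed unless a parent is given
	if parent != nil {
		signerCert, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil { return tls.Certificate{}, err }
	leaf, err := x509.ParseCertificate(der)
	if err != nil { return tls.Certificate{}, err }
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// Handshake runs one mutually authenticated TLS connection over loopback and
// returns the client identity (certificate CommonName) the server verified.
// With withClientCert=false the server must refuse the connection.
func Handshake(withClientCert bool) (string, error) {
	ca, err := issue("demo-ca", true, nil)
	if err != nil { return "", err }
	serverCert, err := issue("app.internal", false, &ca)
	if err != nil { return "", err }
	clientCert, err := issue("alice-laptop", false, &ca)
	if err != nil { return "", err }
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the ZTNA stance: no anonymous clients
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS13,
	}
	clientCfg := &tls.Config{RootCAs: pool, ServerName: "app.internal", MinVersion: tls.VersionTLS13}
	if withClientCert {
		clientCfg.Certificates = []tls.Certificate{clientCert}
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil { return "", err }
	defer ln.Close()

	var seenCN string // client identity as verified by the server
	srvErr := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil { srvErr <- err; return }
		conn := tls.Server(raw, serverCfg)
		defer conn.Close()
		if err := conn.Handshake(); err != nil { srvErr <- err; return }
		seenCN = conn.ConnectionState().PeerCertificates[0].Subject.CommonName
		_, err = conn.Write([]byte("hello " + seenCN))
		srvErr <- err
	}()

	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil { return "", err }
	defer conn.Close()
	// Under TLS 1.3 the client only learns that its certificate was rejected
	// (or missing) on its first read, so always read the server's greeting.
	if _, err := conn.Read(make([]byte, 64)); err != nil {
		return "", fmt.Errorf("client: %v; server: %v", err, <-srvErr)
	}
	if err := <-srvErr; err != nil { return "", err }
	return seenCN, nil
}

func main() {
	fmt.Println(Handshake(true))  // alice-laptop <nil>
	fmt.Println(Handshake(false)) // empty name plus an error about the missing client certificate
}
```

Two details matter for anyone wiring this into a real ZTNA data path: the identity the policy engine should act on is the one in the verified peer certificate (PeerCertificates[0]), never a header or form field the client supplies; and with TLS 1.3 a client whose certificate is rejected still completes its own side of the handshake, so the rejection only surfaces on the first read, which is why the example reads the greeting before declaring success.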

Performance

VPNs can potentially introduce latency and decrease network performance due to the fact that the VPN concentrator can become a bottleneck, not to mention a single point of failure. This can be noticeable for large data transfers or real-time applications such as video conferencing or online gaming. However, in practice, VPNs can be optimized for performance by using hardware-based encryption, load balancing, and other performance-enhancing features.

ZTNA setups are designed to minimize latency and optimize network performance because ZTNA can be implemented as a distributed architecture with no central point of congestion, authentication at the endpoints, end-to-end encryption, and centralized policy management. ZTNA can also improve network performance by reducing the amount of network traffic that needs to be encrypted and decrypted, as it uses application-level controls to enforce access policies. This can reduce the overhead associated with traditional VPN solutions and improve the performance of real-time applications.

For most use cases, both modern VPNs and ZTNA will offer sufficient performance. The primary benefit of ZTNA is that its implementation can be fine-tuned to minimize any impact on performance at the application, service, and even transaction level while improving the overall security posture. In contrast, VPNs are a one-size-fits-all setup, where the same level of overhead will be present for the duration of each session.

Uptime

VPNs can potentially experience downtime or disruptions due to a variety of factors, including concentrator hardware failure, network congestion, and software bugs. This can result in a loss of productivity and increased IT support costs. However, VPNs can be configured for high availability using techniques such as load balancing, failover, and hardware redundancy.

ZTNA systems are designed to be highly available and resilient to disruptions by using a distributed architecture. ZTNA can also improve uptime by reducing the attack surface of the network through enforcing access policies at the application level and preventing unauthorized access to sensitive resources.

ZTNA often involves dependencies on cloud-hosted services used to administer the ZTNA policies, so uptime partially hinges on the ZTNA and hosting providers’ uptime. This makes it important to get clear commitments for uptime in the service-level agreements (SLAs) negotiated in the contract with the vendor. However, depending on the ZTNA implementation, the cloud-hosted admin server does not have to be available for each connection: it may be used to disseminate credentials and access control rules but does not have to be contacted for each session. Uptime is thus improved with this type of ZTNA implementation.
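The design just described, where the admin server distributes rules and keys but is not on the path of each session, as an added Go example that is not code from the page or any vendor: the controller signs each endpoint's rule set with an Ed25519 key, the endpoint verifies the signature, refuses bundles meant for another endpoint or older than the one already installed, and then makes every access decision locally. The bundle schema, the endpoint and resource names, and the 24-hour validity window are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// PolicyBundle is the per-endpoint rule set a controller publishes.
// Constructed shape for this example; real products carry far richer rules.
type PolicyBundle struct {
	Endpoint  string          `json:"endpoint"`
	Allowed   map[string]bool `json:"allowed"` // resource name -> reachable
	IssuedAt  time.Time       `json:"issued_at"`
	ExpiresAt time.Time       `json:"expires_at"`
}

// SignedBundle is what actually travels from controller to endpoint.
type SignedBundle struct {
	Payload   []byte
	Signature []byte
}

// Controller holds the signing key; endpoints only ever see the public half,
// so a compromised endpoint cannot mint rules for itself or for others.
type Controller struct{ key ed25519.PrivateKey }

func NewController() (*Controller, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Controller{key: priv}, pub, nil
}

func (c *Controller) Publish(b PolicyBundle) (SignedBundle, error) {
	payload, err := json.Marshal(b)
	if err != nil {
		return SignedBundle{}, err
	}
	return SignedBundle{Payload: payload, Signature: ed25519.Sign(c.key, payload)}, nil
}

// Endpoint verifies and caches bundles, then decides locally without any
// round trip to the controller.
type Endpoint struct {
	Name   string
	Trust  ed25519.PublicKey // the controller's public key, pinned at enrollment
	policy *PolicyBundle
}

func (e *Endpoint) Install(sb SignedBundle, now time.Time) error {
	if !ed25519.Verify(e.Trust, sb.Payload, sb.Signature) {
		return errors.New("bad signature: bundle rejected")
	}
	var b PolicyBundle
	if err := json.Unmarshal(sb.Payload, &b); err != nil {
		return err
	}
	switch {
	case b.Endpoint != e.Name:
		return errors.New("bundle was issued for another endpoint")
	case !now.Before(b.ExpiresAt):
		return errors.New("bundle is already expired")
	case e.policy != nil && !b.IssuedAt.After(e.policy.IssuedAt):
		return errors.New("bundle is not newer than the installed one (rollback)")
	}
	e.policy = &b
	return nil
}

// Decide is the data-path check. It keeps working while the controller is
// down, but fails closed once the cached bundle's validity window passes.
func (e *Endpoint) Decide(resource string, now time.Time) (bool, string) {
	if e.policy == nil {
		return false, "no policy installed"
	}
	if !now.Before(e.policy.ExpiresAt) {
		return false, "cached policy expired: fail closed"
	}
	if e.policy.Allowed[resource] {
		return true, "allowed by cached policy"
	}
	return false, "denied by cached policy"
}

func main() {
	ctl, pub, err := NewController()
	if err != nil {
		panic(err)
	}
	now := time.Date(2023, 7, 14, 9, 0, 0, 0, time.UTC)
	ep := &Endpoint{Name: "alice-laptop", Trust: pub}
	sb, _ := ctl.Publish(PolicyBundle{Endpoint: "alice-laptop", Allowed: map[string]bool{"gitlab": true},
		IssuedAt: now, ExpiresAt: now.Add(24 * time.Hour)})
	fmt.Println(ep.Install(sb, now))                       // <nil>
	fmt.Println(ep.Decide("gitlab", now.Add(6*time.Hour)))  // true allowed by cached policy (controller not contacted)
	fmt.Println(ep.Decide("gitlab", now.Add(48*time.Hour))) // false cached policy expired: fail closed
	sb.Payload[len(sb.Payload)-2] ^= 1                      // in-flight tampering
	fmt.Println(ep.Install(sb, now))                        // bad signature: bundle rejected
}
```

The validity window is the knob that trades availability against staleness: while the bundle is valid the controller can be offline without affecting any session, but once it lapses the endpoint fails closed rather than keep enforcing rules it can no longer confirm, and a revoked user stays reachable for at most one window. How long that window is, and whether the product fails open or closed when it passes, are the questions to put next to the SLA when evaluating a vendor.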

Standardization

Standardization is an important consideration when choosing between VPN and ZTNA solutions since it can affect interoperability, security, and ease of management.

VPNs have been around for many years and are well established in the industry, with several standards and protocols available to ensure interoperability and security. The most common VPN protocols—L2TP, IPsec, SSL/TLS, and PPTP, though the last of these is no longer considered secure—are widely supported by networking equipment and software. This makes it easier to deploy and manage VPN solutions.

ZTNA is a relatively new technology and does not yet have a standardized protocol or framework. However, industry organizations such as the Cloud Security Alliance (CSA) and the Trusted Computing Group (TCG) are working to develop standards and best practices for ZTNA solutions. The CSA’s software-defined perimeter (SDP) framework and TCG’s Device Identifier Composition Engine (DICE) are two examples of emerging standards for ZTNA solutions. While these standards are not yet widely adopted, they provide a framework for ensuring interoperability and security in ZTNA deployments.

Remote Worker Support

VPNs have been widely used to provide remote workers with secure access to corporate resources, and they come with several features that make them suitable for this use case. For instance, VPNs usually include a software or app component that is compatible with a wide range of devices, including laptops, smartphones, and tablets. They can also offer access to a broad range of applications and services. Additionally, VPNs can be configured to enforce security policies such as requiring multi-factor authentication or limiting access to specific resources.

ZTNA can also offer secure access to corporate resources for remote workers, and these setups provide some advantages over traditional VPNs. One of the primary benefits of ZTNA is that it can provide access to specific applications or services rather than the entire network. This can help reduce the attack surface and enhance security by limiting access to only what is necessary. Furthermore, ZTNA can provide an improved user experience by optimizing network performance for particular applications or services. Additionally, ZTNA can be easier to manage than VPNs, as it can be configured and managed from a centralized location. To the end user, a ZTNA client can feel like a VPN: they authenticate and can access the remote resources for which they are authorized. In some environments, a ZTNA client can be more convenient than a VPN since they can run a single client to access a geographically distributed collection of corporate networks where they might otherwise have to establish distinct VPN sessions to various subnets.

Cloud support

VPNs have been widely used to provide remote access to cloud resources, but they can have some limitations. VPNs provide a secure bridge between on-premises resources and cloud resources. In this sense, VPNs are an all-or-nothing solution with limited flexibility over configuration. Furthermore, VPNs can have scalability issues when connecting to large and complex cloud environments, which may require additional infrastructure and maintenance.

ZTNA, on the other hand, can be deployed directly in the cloud environment, reducing the latency and bandwidth limitations that are inherent in VPN connections. Additionally, ZTNA can provide a more granular and scalable approach to cloud access, allowing for finer-grained access controls at the application level and reducing the attack surface. Furthermore, ZTNA can be easier to manage than VPNs, as it can be configured and managed from a centralized location.

SSO Integration

Single sign-on (SSO) integration is critical for providing a seamless and secure experience for users when accessing network resources.

VPNs can provide SSO integration by leveraging existing identity providers of services such as Active Directory (AD) or Lightweight Directory Access Protocol (LDAP). This allows users to authenticate once with their existing credentials and then access the VPN and other network resources without the need for multiple logins.

Configuring VPNs to utilize SSO will most likely require federation and redirection to an identity provider portal where centralized logins can happen and then be passed to the VPN for authentication. This adds a lot of moving parts into the equation, and sometimes a VPN may not support a particular method of SSO integration, though these methods will usually work well.

ZTNA has approximately the same SSO experience and level of complexity as a VPN with SSO integration.

Speed of Implementation

VPNs can leverage existing network components such as firewalls and routers, making them relatively straightforward and quick to configure and deploy.

ZTNA can provide a more agile and scalable approach to implementation than VPNs. ZTNA can leverage cloud-based infrastructure, allowing for faster deployment and configuration of network resources. Additionally, ZTNA can provide more granular access controls, which can improve the security posture of the organization. ZTNA can also potentially be implemented via a more phased, granular approach, down to the application and/or service level (whereas traditional VPNs take more of an all-or-nothing approach at the network level).

Administration

VPNs typically require a dedicated IT team to manage and maintain the infrastructure. This can involve configuring and maintaining VPN servers, managing user access and credentials, and monitoring for security threats. This can be a time-consuming process, especially for organizations with large user bases or complex network architectures. However, VPNs do provide a more traditional network model that IT teams may already be familiar with, so they may be more able to integrate VPNs into their current workflows.

ZTNA, on the other hand, can provide a more simplified and centralized approach to administration. ZTNA can leverage cloud-based infrastructure, allowing for easier management and monitoring of network resources. Additionally, ZTNA’s more granular access controls can simplify the management of user access and credentials. However, this approach may require a shift in the organization’s security posture and may involve working with different tools and interfaces that IT teams may not be as familiar with.

Security Strength

VPNs can provide strong security by encrypting network traffic and providing secure remote access. However, VPNs are limited in their security effectiveness since they provide security at the perimeter and don’t do anything for an attacker who gets beyond that perimeter. Additionally, their security is less flexible and is only applied between networks using encrypted tunnels.

ZTNA can provide granular access controls, allowing organizations to restrict access to network resources based on specific criteria, such as user identity or device type. Additionally, ZTNA can leverage a variety of security measures, such as multi-factor authentication, device profiling, and behavior-based analytics, to improve the security of network access.

Compliance

VPNs can help organizations meet compliance requirements by providing secure remote access and the encryption of network traffic. However, VPNs may not provide the same level of visibility and control over network traffic as ZTNA, which can make it more difficult to enforce compliance policies. Additionally, VPNs may have limited support for compliance standards, such as HIPAA or PCI DSS, without significant customization and segmentation.

ZTNA, on the other hand, can enforce compliance policies by restricting access to network resources based on specific criteria, such as user identity or device type. Additionally, ZTNA may have built-in compliance features, such as logging and auditing capabilities, that can help organizations meet regulatory requirements.

Market Maturity

VPNs have been widely used for remote access and secure data transmission for many years; the market for VPN solutions is well established, ranging from open-source options to enterprise-grade solutions, and vendors have had ample time to develop and refine their offerings. There is also significant documentation available and a great deal of familiarity with VPNs in current IT teams.

ZTNA is a newer technology that has gained traction in recent years as remote work has become more prevalent and as prior assumptions of implicit trust within a network perimeter were no longer valid. While the market for ZTNA solutions is still developing, there are now several vendors offering ZTNA solutions, and the market is expected to continue to grow in the coming years. While VPNs are currently more mature, ZTNA solutions are projected to continue to gain traction and eventually may become part of the standard security design.

Open-Source Support

One of the most widely used open-source VPN options is OpenVPN, which is a free and open-source software application that can be used to create secure point-to-point or site-to-site connections. Other popular VPN solutions, like SoftEther VPN and StrongSwan, also have open-source options available.

There isn’t a widely used open-source ZTNA solution, but a technology that can be used as a building block in a homegrown implementation is WireGuard, an advanced cryptographic encryption solution to create secure, private networks over the internet.

Using open-source options can offer a number of benefits, including greater flexibility in customizing the solution to meet specific needs and cost savings from not having to pay for commercial licenses. However, it’s important to note that open-source solutions may require more technical expertise to implement, and mistakes can open up critical security vulnerabilities. Commercial versions of ZTNA with enterprise support may be well worth the investment for the ongoing support expertise and implementation assistance they can provide.

Total Cost of Ownership

Total cost of ownership (TCO) includes not only the upfront costs of purchasing and deploying a solution but also ongoing costs like maintenance, licensing, support, and upgrades.

For VPNs, TCO can vary widely depending on the solution chosen. Commercial VPN solutions typically involve ongoing licensing fees and may also require dedicated hardware for optimal performance. Open-source VPN solutions may have lower upfront costs but might require more technical expertise (and thus, consulting fees) to implement and maintain.

TCO can also vary depending on the solution chosen for ZTNA. ZTNA solutions are typically cloud-based, which can reduce the need for dedicated hardware and simplify deployment. However, ongoing subscription fees may be required for cloud-based ZTNA solutions, and they may require more technical expertise to implement and maintain.

When evaluating TCO for VPNs and ZTNA, it’s important to consider factors like the initial deployment costs, ongoing maintenance and support costs, and any additional hardware or software requirements. Also take into account the specific needs of the organization, such as the number of remote workers and the level of security required.

In the short run, VPNs will usually be cheaper to implement than ZTNA, since much of the infrastructure is in place already. However, in the long run, the return on investment from ZTNA makes it superior in terms of TCO, especially in terms of its ability to mitigate security threats.

Recommendations

When it comes to choosing between VPN and ZTNA, it’s important to consider your specific needs and use cases. VPNs have been around for a long time and can be useful for remote workers who need to access resources on a company network or for individuals who want to protect their online privacy. On the other hand, ZTNA is a newer technology that takes a more granular approach to security. This can be especially useful for organizations that need to enforce strict access control policies and minimize the risk of data breaches. It is worth noting that ZTNA is not just for connecting networks for remote access but for providing security between any communicating systems. That is a capability beyond what VPNs can accomplish and warrants consideration based on the organization’s needs.

It is likely that, at least to some extent, both VPNs and ZTNA will be incorporated into the overall network architecture, especially given that VPNs may already be part of the network. ZTNA offers a potentially big improvement, and the best approach may be to start small, implement ZTNA for a select application, service, group, or office as a pilot, and then gradually expand usage.

Conclusion

VPN and ZTNA are two different technologies used for securing remote access to resources over the internet. VPNs create an encrypted connection between two devices, which can be useful for remote workers or individuals who want to protect their online privacy. ZTNA uses a more granular approach to security by only allowing access to specific applications or resources on a per-user basis. This can be particularly useful for organizations that need to enforce strict access control policies and minimize the risk of data breaches.

VPNs have been around for a long time and are well established. In contrast, ZTNA is a newer technology that is gaining popularity due to its enhanced security features, flexibility of deployment, and ability to accommodate secure access for remote workers.

Ultimately, the choice between VPN and ZTNA will come down to evaluating the specific needs and use cases of the user or organization, and it is our hope that this chapter provides you with a framework for conducting that evaluation.
