VPN Vs. ZTNA: What’s The Difference?

Today’s workplaces are flexible. Users can work from their own familiar devices as well as corporate-issued ones, and they can work from anywhere in the world. This flexibility reduces costs in terms of provisioning devices and renting office space, empowers growth by widening the available talent pool, and boosts productivity by enabling users to work comfortably and effectively. But it also poses several security challenges.

Without the proper security in place, remote and hybrid working policies can leave room for serious vulnerabilities—such as unpatched devices and unsecured Wi-Fi networks—that cybercriminals can exploit to gain access to your corporate network.

To prevent this, businesses must find a way to secure network access for remote workers—and indeed, they’ve found two! Virtual private networks (VPNs) and zero trust network access (ZTNA) solutions both enable remote users to securely access network resources such as applications, servers, and databases.

But what exactly is the difference between a VPN and a ZTNA solution, and which one does your business need?

Why Do You Need To Secure Remote Access?

Unsecure remote access to a corporate network via unmanaged endpoints, such as personal cell phones and laptops, leaves that network vulnerable to cyberattacks. There are two main vectors for attack on remote workforces: endpoints, and the web.

81% of businesses have suffered an endpoint attack involving some form of malware, and remote workers using unmanaged devices are more susceptible to these attacks. That’s because 80% of successful breaches are caused by zero-day attacks that often exploit undisclosed vulnerabilities, and unmanaged personal devices are less likely to be patched than their managed corporate counterparts. But vulnerability exploits aren’t the only way attackers can infiltrate your endpoints. Cybercriminals are opportunistic, creative, and innovative; they are always coming up with new ways to target vulnerable users—such as a newly remote workforce. Juice jacking, for example, is an attack method that involves modifying USB ports—such as free chargers in public spaces—to install malware onto a device once plugged in.

Web threats are just as harmful: if a user is connecting to your corporate network via their home or public Wi-Fi, it’s unlikely that connection will be as secure as connecting to the network on-prem. And if a threat actor manages to crack their Wi-Fi password, they can intercept that user’s online activity—including their connection to the corporate network—or remotely install malware on that user’s device. Despite this risk, less than half of organizations prohibit their employees from using public Wi-Fi for work and, as a result, 72% of users do just that.

These types of attack can be devastating to a business. If a threat actor accesses your corporate network, they can carry out credential theft and impersonation attacks or install more malware to gain access to further areas of the network, stealing data and destroying systems as they go.

This can lead to user downtime, compliance and legal action, and reputational damage, as well as irreparable financial damage; a recent study found that, between detecting and escalating the breach and lost business cost, the average data breach costs 4.24 million dollars. The same study highlights a growing rift in terms of the cost incurred by organizations with a formal security architecture in place, vs those with fewer security processes: those with more advanced security tools and processes incurred significantly less financial loss than those without such protection.

Luckily, when it comes to securing remote access, there are plenty of security solutions to choose from to help mitigate these risks—including VPNs and ZTNA solutions.

What Is A VPN?

A virtual private network (VPN) is a cybersecurity solution that creates a private network across a public internet connection using authentication, encryption, and tunnelling. They allow users to anonymize and secure their internet activity by hiding their IP address—which makes it difficult for third parties to identify a user or their device—and encrypting their connections.

Once a user has been authenticated (usually via username and password) and signed into the VPN app, the VPN connects the end user’s device to the corporate server via an encrypted tunnel and enables the user to browse using their company’s internet connection. Through the VPN connection, the user has complete access to the corporate network, as though they were using a device on-premises.

All traffic between the user’s device and the corporate network stays securely within that tunnel, where it’s encrypted. Most VPNs use AES 256-bit encryption to secure user data. AES 256-bit encryption has an encryption/decryption key of 256 bits, which means that it uses 14 rounds of encryption to turn the original data into encrypted ciphertext. This makes it the most secure type of AES encryption; an attacker would have to go through 2^256 combinations (a number 78 digits long!) to work out the decryption key—a task that would take billions of years with today’s computers. Long story short, it’s virtually impossible for a cybercriminal to crack AES 256-bit encryption with brute force.

Encrypting the data transferred between the user’s device and the corporate network means that nobody but the user and the admins of that network can see what the user is doing within that connection; not a malicious actor tapping into their session, nor the internet service provider, nor—in the case of a solution with a strong “no logging” policy—the VPN provider.

What Is ZTNA?

Zero trust network access (ZTNA) solutions are often seen as an evolution of the traditional VPN. Once connected, they enable remote users to securely access individual resources on the corporate network, rather than the entire network.

ZTNA solutions create identity- and context-based perimeters around network resources or groups of resources. These perimeters hide the IP address of each of those assets, making them undiscoverable for unauthorized third parties. The ZTNA solution then restricts access through those perimeters on a zero trust and least privilege basis. Before granting a user access, the ZTNA provider authenticates their identity, verifies the context of their login in line with admin-configured access policies, and verifies their device’s identity and health posture, i.e., that the device’s endpoint security or antivirus tools are operating properly, and that the operating system is up-to-date and patched. Some ZTNA solutions also offer in-built multi-factor authentication (MFA) or strong integrations with third-party MFA tools for a further layer of user identity verification.

Only once they’ve passed these checks is a user granted access, and then only to that specific resource or resource group, rather than to the entire network; if they want to access another area of the network, the ZTNA solution must re-authenticate them. This segmentation helps prevent the lateral spread of attacks if an attacker does manage to compromise a user’s login. 

Because ZTNA solutions employ the principle of “never trust; always verify”, they can be used to build a zero trust architecture. They ensure that the organization is continuously verifying that all users and devices—whether internal or external—are who they say they are, they segment access to company data, and they help admins monitor the network for anomalous or malicious activity.

VPN Vs. ZTNA: What’s The Difference?

While VPNs and ZTNA solutions both enable secure remote access, there are some key differences between the two that could be a deciding factor as to which solution you decide to implement. Here are some of the most important differences between a VPN and ZTNA:

Trust And Access

One of the main differences between VPNs and ZTNA solutions is that ZTNA is founded on the principle of “never trust; always verify”. VPNs assume that, once a user or device is connected to the corporate network, they can be trusted. These trusted users and devices, once authenticated at the start of their sessions, are then granted unlimited access to the entire network. This means that an attacker only needs to bypass one round of authentication before being granted to the entire internal network via a compromised device or user account.  

ZTNA, on the other hand, segments network resources at the application level and only allows users to access individual apps that their privileges authorize them to use. On top of this, the ZTNA solution authenticates the user and device each time they make a request to access a different part of the network. This makes it much more difficult for an attacker to access the network in the first place, and greatly limits how much damage an attacker could do even if they did gain access.

Visibility

When a user connects to the network via a VPN, IT or security admins can only see that they have accessed the network and when; they can’t see which applications the user has signed in to, or for how long.

The micro-segmentation offered by ZTNA solutions gives admins visibility into which apps users are accessing in real-time. This has two benefits. Firstly, it allows admins to quickly identify any anomalous behavior that could indicate account compromise, such as a user accessing an application that they wouldn’t normally need. Secondly, it enables admins to identify whether they’ve subscribed to any apps that aren’t being used, or are being used by fewer people than they thought would need them, allowing them to cut costs on unnecessary subscriptions.

Speed

VPNs route traffic through multiple servers and then through a central point in the corporate data center, which can cause latency in the connection.

ZTNA solutions, however, connect users to applications directly without having to transmit data through that central point, which reduces latency.

Ease Of Use

To enable access via a VPN, businesses must download and set up a VPN client on each user’s device. Once deployed, VPNs often offer integrated single sign-on (SSO) to simplify access management and give users a frictionless login experience. They’ve been extremely popular for a long time amongst organizations that needed to enable employees to work remotely for a limited amount of time—such as whilst on a business trip or while working around personal appointments. However, for long-term remote access, VPNs can be cumbersome as end users must remember to sign in to the VPN client each time they want to access network resources.

ZTNA solutions are a little more complex to initially deploy than a VPN but, once correctly configured, they run quietly in the background; once a user authenticates themselves, they can run the applications they need without further interaction.

Summary

VPNs and ZTNA solutions both enable remote workers to securely access the corporate network, but they do so in very different ways.

While ZTNA is often considered as a more secure, intuitive evolution of the VPN, VPNs do provide security against endpoint and web threats via unsecured Wi-Fi networks and unmanaged devices, and they still have their place. We recommend a VPN solution for smaller businesses that only have a few employees working remotely, or whose employees don’t work remotely all the time.

ZTNA solutions, on the other hand, are a great option for larger organizations or those with a high percentage of remote or hybrid workers. One they’re set up, they’re easier to use from an end-user perspective than a traditional VPN, and they provide secure, least privilege access to corporate resources—making them particularly suitable for businesses that want to implement a zero trust architecture.

Now that you’ve worked out which type of remote access solution you need, it’s time to pick the best solution for your business. To help you do this, we’ve put together guides to the top VPN solutions for small businesses, and the top ZTNA solutions. You can access those guides via the links below:

• The Top 10 Enterprise VPN Solutions
• The Top 10 Zero Trust Network Access (ZTNA) Solutions