The global shift to remote work over the past few years has dramatically changed how businesses operate. According to ResearchAndMarkets.com, the number of remote workers worldwide is projected to grow to 1.87 billion by 2023, a nearly 500% increase from pre-pandemic levels. This seismic transition has forced IT teams to rapidly scale remote access capabilities. Many have turned to tried-and-true solutions like virtual private networks (VPNs) which have been the technology of choice for secure remote connectivity for over 3 decades. However, cracks in the VPN fabric have started to show as remote work becomes mainstream. Limitations around security, scalability, and user experience have led to growing interest in a new approach called zero trust network access (ZTNA).
In this comprehensive guide, we’ll unpack the key differences between ZTNA and VPN to help you determine the right long-term remote access architecture for your business as we head into 2023 and beyond.
The Rapid Rise of Remote Work
First, let’s level-set on the scale and permanence of remote work to understand why legacy technologies like VPNs are under such strain today.
-
Upwork’s Future of Workforce Pulse Report found that about 60% of companies now have remote employees, nearly double pre-pandemic levels.
-
A McKinsey Remote Work Survey revealed that over 75% of surveyed employees want location flexibility in their jobs.
-
Gartner predicts that by 2023, nearly 40% of employees worldwide will be remote, compared to under 10% before COVID-19.
The data clearly shows that remote and hybrid work arrangements are here to stay. While enabling location-agnostic work provides benefits around talent access, real estate costs, and employee satisfaction, it also creates major cybersecurity and IT challenges.
Many organizations leaned heavily on virtual private networks (VPNs) to securely connect remote workers during initial pandemic lockdowns. However, gaps in legacy VPN technology have been laid bare as distributed work persists long-term.
Before evaluating alternatives, let‘s recap how traditional VPNs work and the growing limitations businesses face.
The Traditional VPN Model and Where It Falls Short
VPNs have been used to enable remote access to corporate resources for decades. Here‘s a quick refresher on how legacy VPN technology works:
-
Users connect to a VPN server using a VPN client and authenticate, usually with just a username and password.
-
The VPN server acts as a gateway that creates an encrypted tunnel from the user‘s device through the public internet to the private corporate network.
-
Once connected, users have access to applications and services on the internal network as if they were physically present in the office.
-
VPNs provide access at the network level, rather than limiting access to specific apps and resources.
On the surface, VPNs provide a simple way to extend private network connectivity to remote employees. But growing pains have emerged as businesses scale remote work, including:
Security risks – High-profile breaches like Pulse Secure underscore that malicious actors can exploit VPNs to pivot across networks. Verizon‘s 2021 Data Breach Report found misconfigurations and insecure VPNs contributed to 15% of all breaches.
IT headaches – A MeriTalk survey found that IT teams spend almost 2 days per week troubleshooting remote VPN issues on average. Complex ACLs, firewall rules, and network segmentation methodology designed for HQ networks struggle to scale securely.
Cloud blocker – Traditional VPN technology is oriented to private data centers versus modern multi-cloud environments. Routing cloud traffic through VPN tunnels back to HQ adds latency, impacts performance, and hinders adoption of cloud-native apps.
User experience – From dropped connections to login issues, VPN technology has always posed usability challenges. But these problems become exacerbated at scale. A ThinkShield and Forrester survey found that 61% of remote employees struggle with unreliable VPN connectivity.
While VPNs served organizations well in the past, changes in the threat landscape coupled with accelerating cloud and mobility adoption have exposed inherent weaknesses.
Next, let‘s look at how zero trust network access (ZTNA) aims to address these gaps.
Introducing Zero Trust Network Access (ZTNA)
Zero trust network access takes a fundamentally different approach to securing remote access compared to traditional VPN technology.
ZTNA aligns to zero trust principles of "never trust, always verify." No user or device is trusted by default. Instead, every access attempt must be authenticated and authorized based on context like user identity, device health, and other factors.
Here are some key tenets of how ZTNA works:
-
User authentication – Users undergo multi-factor authentication to validate identity before gaining access. Some ZTNA platforms integrate with existing IAM systems like Okta or Azure AD.
-
Device trust assessment – Devices are checked for security hygiene (firewall enabled, encryption, OS version etc) before allowing access. Unsafe BYOD devices can be restricted.
-
Least privilege access – Granular policies determine which specific applications and resources a user can access based on attributes like role, project, geography etc.
-
Application isolation – Apps are cloaked and isolated from discovery. Users only see authorized apps, preventing lateral movement between apps or services.
-
Secure remote browser – ZTNA brokers spin up disposable, quarantined browser instances to keep endpoint devices malware-free when accessing certain web apps.
-
Continuous monitoring – User activity is logged and analyzed via analytics to detect abnormal behavior and prevent threats.
Unlike VPNs which grant network access, ZTNA only allows vetted users access to the specific web apps and cloud services they are entitled to. This minimizes the attack surface and implements true least privilege access even for remote users.
ZTNA architecture (image credit: Gartner)
Now that we‘ve covered the basics of ZTNA, let‘s compare it to legacy VPNs across some key criteria.
ZTNA vs. VPN: A Detailed Feature Comparison
While both ZTNA and VPN aim to enable secure remote access, there are major differences in their underlying technology, security models and capabilities.
| Criteria | ZTNA | VPN |
|---|---|---|
| Access model | App-specific, identity-aware | Network access |
| Security posture | Zero trust, least privilege | Perimeter centric |
| Threat prevention | Isolates access to only authorized apps | Allows lateral movement between network segments |
| Authentication | Individual app MFA access | Network-level single sign-on |
| Device security | Checks device trust pre-access | Endpoint agents optional |
| Access flexibility | Consistent identity-based policies | ACLs define access by location |
| Performance | Direct access, no backhauling | Latency from traffic tunneling |
| Cloud-friendly | Purpose-built for web and cloud apps | Better for legacy on-prem apps |
| Operational complexity | Simplified policy management | Challenging for large remote workforces |
| End user experience | Intuitive, app-specific access | VPN clients and connectivity issues |
(*) See expanded feature comparison chart below
While both models aim to enable secure remote access, ZTNA‘s identity-aware approach aligns much more closely to zero trust and least privilege access principles compared to VPN‘s legacy network perimeter model.
ZTNA natively accommodates web and cloud use cases while VPNs were designed first and foremost for private data centers. And granular app access helps simplify policy management versus complex ACL and VPN configurations.
For a more detailed comparison, see the chart below:
Let‘s look at some real-world examples of how global companies have successfully embraced ZTNA to empower remote work at scale.
ZTNA in Action: Real-World Use Cases
Many high-profile enterprises have moved beyond legacy VPNs and embraced ZTNA to enable their remote workforces.
Squarespace – The website builder moved fully to ZTNA in 2021 to support its growing distributed workforce while reducing dependency on VPN connections. ZTNA improvedLeast privilege access and deeper visibility.
Fujifilm – The imaging giant adopted ZTNA to empower remote work while restricting lateral movement across its different business units like medical systems, enterprise imaging and more. ZTNA also aided their zero trust model.
Colorado DOT – This state agency implemented ZTNA to enable employees to work remotely anywhere while saving on MPLS costs. 19,000 users were seamlessly migrated from VPNs to ZTNA.
REI – The outdoor retail co-op leveraged ZTNA to quickly scale remote access for corporate employees to accommodate store closures while maintaining security and governance.
These case studies demonstrate that ZTNA can allow organizations across industries to enable location-agnostic work without compromising security or the end user experience.
Next, we‘ll explore the key considerations to determine if ZTNA is the right move for your business.
5 Key Factors to Consider When Choosing Between VPN and ZTNA
When evaluating ZTNA and VPN solutions, keep these criteria in mind:
1. Application portfolio assessment
Take stock of your application landscape. If you mainly access legacy on-prem apps or specialized equipment, VPNs may still play a role. But for newer SaaS, cloud and internet apps, ZTNA will likely be the optimal choice.
2. Desired security posture
ZTNA enforces least privilege access while VPNs enable access to full internal networks. If you aim to implement zero trust segmentations, ZTNA will better align to that mission.
3. Ability to scale
ZTNA solutions are purpose-built for the cloud and can scale elastically as your remote workforce grows, while VPNs face hardware capacity constraints.
4. Performance requirements
ZTNA brokers provide direct-to-app access that is much faster than routing traffic through VPN tunnels back to the data center. If speed is critical, favor ZTNA.
5. Ease of use
ZTNA removes the burdens of VPN clients, configurations and connectivity issues. This results in much smoother end user experience.
Analyze your unique environment and use cases using the 5 criteria above to determine if ZTNA or VPN makes the most strategic sense.
For many modern organizations, ZTNA presents a more compelling path especially when embracing cloud and mobility. But smartly integrating the two technologies can support a graceful transition. Next we‘ll look at the roadmap for getting to ZTNA.
Charting Your ZTNA Journey
Transitioning fully from legacy VPNs to ZTNA does not happen overnight. Here is a recommended three phase approach:
Phase 1 – Maintain VPN access for now for private, on-prem apps and specialized equipment access. Start small with ZTNA by applying it for SaaS apps, cloud workloads, or other low-risk scenarios. Measure speed vs. VPN.
Phase 2 – Expand ZTNA to secure access to more corporate web apps and cloud environments. Start restricting VPN to just legacy use cases still requiring it.
Phase 3 – Evaluate whether remaining legacy private apps can be cloud-enabled or retired. This allows completing the pivot from VPNs to ZTNA across your entire application portfolio.
Some key pointers for your ZTNA journey:
-
Start with a ZTNA pilot focused on non-sensitive apps first. Gradually expand from there.
-
Review security policies and transition from network to identity and role-based access models to leverage ZTNA capabilities.
-
Provide self-serve training resources for employees to get up to speed on the enhanced ZTNA login experience.
-
Monitor adoption, gather feedback and fine-tune your policies and access rules in real-time based on analytics.
Every organization‘s transition timeline will be unique. But with careful planning, even complex global enterprises can successfully make the pivot to a ZTNA-first remote access architecture.
Looking Ahead: The Future of Work is Here
Remote and hybrid work is undoubtedly the new normal. Virtual private networks helped connect remote workers during the initial COVID-19 crisis. But legacy VPN technology is buckling under the demands of large-scale, permanent distributed workforces. Zero trust network access presents a more sustainable, cloud-native alternative purpose-built for the future of work.
By implementing least privilege access, stronger identity controls, and simpler operational models, ZTNA allows organizations to enable work from anywhere without compromising security or performance.
Leading analysts predict rapid ZTNA growth, with Gartner forecasting that 60% of enterprises will phase out VPNs in favor of ZTNA by 2024. While every company‘s transition needs are unique, following a phased migration plan can help successfully chart a course to ZTNA adoption.
The data shows clear momentum behind flexible work policies. With the right technology strategy, businesses can reap the benefits of borderless work while evolving security, governance and operational models to minimize risk. The future of work is here to stay, and ZTNA presents the most viable path to secure it safely.
Summary and Key Recommendations
Remote and hybrid work adoption continues accelerating. While VPNs helped connect remote employees during initial COVID-19 disruptions, fundamental gaps have emerged as distributed work persists long-term:
Key VPN limitations:
- Security risks from excessive network access
- IT overhead managing remote connectivity
- Cloud adoption blocker
- BYOD blindspots
- Poor end user experience
How ZTNA helps:
- Fine-grained access controls
- Block lateral movement across apps/data
- Identity-based policies enhance security
- Faster, smoother user experience
- Purpose-built for cloud and web apps
Based on your application portfolio, performance needs and security priorities, ZTNA likely presents a more future-ready approach versus VPNs.
Here are my recommendations tailored to your situation:
-
Audit your app landscape and start planning how to shift legacy on-prem apps to the cloud where possible to maximize ZTNA benefits.
-
Pilot ZTNA for non-sensitive SaaS apps first to test security policies and user experience. Gather feedback.
-
Develop a phased plan to roll out ZTNA more broadly, while maintaining VPN access for legacy use cases in near-term.
-
Evaluate if remaining private apps can be modernized or retired to complete VPN-to-ZTNA shift.
-
Monitor adoption, gather user feedback and fine-tune policies after rollout.
Every business‘s needs are unique. I‘m happy to discuss your environment to provide more tailored ZTNA adoption recommendations. Please don‘t hesitate to reach out!
