This will be the first of a three-part series that aims to compare ZTNA against SSL VPN and Wide Area Network (WAN).
Firstly, what is “Zero Trust”?
Zero Trust (ZT) was first coined by Forrester Wave back in 2009. It abandons the principle of implicit trust in favour of “Never Trust, Always Verify” in all matters related to security.
For the IT network savvy, think of it as using a deny-by-default rule in a network firewall implementation as opposed to a default-allow approach.
Any network admin who is worth his salt will tell you that deny-by-default is tedious to set up, as it requires the organization to map out all the parties that it trusts.
And the work doesn’t end there. Whenever a new employee joins the organization, he will be twiddling his thumbs at his desk until the sysadmin has added his network identity to the allow list.
“Zero Trust Network Access” (ZTNA) is the application of the ZT concept to the provisioning of shared IT resources – aka corporate applications.
In today’s increasingly work-from-home and cloud-based IT landscape, ZTNA has been gaining popularity because the scales have been tipping towards the right-hand side of this equation:
{ The cost of keeping a legitimate user out } vs. { The risk of letting an intruder in }
The reason for this shift is the greatly increased attack surface that comes with moving to cloud-based applications.
With the Cloud, employees can work from anywhere as long as they have an Internet connection. But this also means the traditional physical perimeter defense has disappeared.
Every “employee” is a potential intruder or hacker.
Wide Area Network
Next, we look at Wide Area Network (WAN) which encompasses Local Area Network (LAN) as well as Wireless Local Area Network (WLAN), for the sake of this discussion.
WAN denotes the traditional office network, whereby the user reports physically to work and sits in front of a desktop or laptop which is connected to the local area network.
The WAN provides network access to anyone connected within the office or one of its branches. Typically there is no additional authentication once he manages to walk into his cubicle: getting past the main door and the receptionist is all that it takes to be trusted.
Think of a theme park whereby one can visit any attraction, after purchasing a ticket at the main entrance.
WAN is viable if employees are to work only from the office, an increasingly rare arrangement for today’s knowledge economy.
SSL VPN
Organizations have been turning to SSL VPN to allow the roaming portion of their workforce to dial back to the corporate network.
More secure than WAN, SSL VPN authenticates each user before establishing the connection.
But SSL VPN authenticates on only one half of the picture, i.e. who you are. Once the user has supplied the correct credentials, they are connected to the entire network and can roam freely.
Think of a theme park whereby one can visit any attraction, after purchasing a ticket at the main entrance. During the purchase, one needs to flash his ID, because not all attractions are suitable for all ages.
Zero Trust
ZTNA goes beyond the initial authentication.
Not only does the user have to be authenticated, he also needs to be authorized for each application that he is trying to access.
Further to the idea of a theme park, a ticket only gets you past the main entrance. Each attraction now checks your ID, in addition to the ticket, to satisfy the age limit.
The biggest selling point of ZTNA is that it enables fine-grained access control using a many-to-many trust relationship that lays out exactly which user has access to which application(s).
We call this Identity and Access Management (IAM).
IAM calls for granting a user or staff member the least amount of access needed to perform his or her job, and no more.
Because:
Too much power in the wrong hands is worse than too little power in the right hands.
MFA
With these fundamental differences out of the way, we look at support for Multi-Factor Authentication (MFA) among the three.
Besides asking for something that you know (username and password), MFA requires something that you have or something that you are.
Research shows that an MFA-protected account is much less likely to be compromised by scripting and phishing attacks, although the level of protection varies with the type of MFA deployed, which we intend to cover in a future blog.
Most, if not all, ZTNA vendors support MFA, while SSL VPN support is increasingly common. The only laggard here is WAN, which does not support MFA out of the box due to limitations of the 802.1x protocol.
Conditional Access
Next, we look at Conditional Access (CA), which is an integral part of ZTNA but is not a new concept by itself.
Under CA, a user attempting to authenticate from Eastern Europe is not treated the same as a user authenticating from the country where the organization is registered (Singapore, for the sake of this example).
The level of suspicion for such login attempts should be the same as for phone calls originating from Africa.
Some SSL VPN solutions have CA features, but they tend to be the exceptions rather than the norm.
The old-school sysadmin may point out that WAN-based 802.1x authentication can be done via trusted certs, but we do not consider that as CA. It is just an alternative authentication method.
Traceability
Traceability is key when it comes to answering the 5 Ws and 1 H (Who, When, Where, Why, What, and How). Cyber security managers want to see who accessed what application, from where and when, in a timely manner, hoping to spot a security incident before it happens or to perform incident response after one has occurred.
ZTNA is naturally the winner here, as it has the full picture when it comes to user activities, i.e. application and user visibility. WAN scores the worst, with SSL VPN being a borderline pass: it has partial visibility of user login details, but no visibility into where users went or what they connected to after login.
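To make the three ideas above concrete (deny-by-default per-application authorization, conditional access that treats a foreign login with more suspicion, and an audit trail that answers who accessed what from where and when), here is a small policy engine written for this post. It is an added illustration, not the code of any ZTNA or VPN product: the user names, applications, allow list and home country are constructed sample data, and the SSL VPN model is simplified to "authenticate once, then the whole network is reachable" so that the two decision functions can be compared side by side.

```python
"""Toy ZTNA-style policy engine: default-deny, per-application authorization,
conditional access and an audit trail. Added illustration only; all names,
applications and countries below are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Many-to-many trust relationship: identity -> applications it may reach.
# Anything not listed here is denied (deny-by-default).
ALLOW_LIST = {
    "alice": {"hr-portal", "payroll"},
    "bob": {"hr-portal"},
}
# Country where the organization is registered; logins from elsewhere are
# treated with more suspicion (constructed value for the example).
HOME_COUNTRIES = {"SG"}


@dataclass(frozen=True)
class Request:
    user: str
    app: str
    authenticated: bool  # "something you know" (password) already verified
    mfa_passed: bool     # "something you have / are" verified
    country: str         # geolocation of the source IP, ISO country code


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def ssl_vpn_decide(req: Request) -> Decision:
    """Perimeter-style gate: one authentication, then everything is reachable."""
    if not req.authenticated:
        return Decision(False, "authentication failed")
    return Decision(True, "authenticated; entire network reachable")


def ztna_decide(req: Request) -> Decision:
    """ZTNA-style gate: authenticate, apply conditional access, authorize per app."""
    # 1. Authentication (who you are).
    if not req.authenticated:
        return Decision(False, "authentication failed")
    # 2. Conditional access: a login from outside the home country must have
    #    cleared MFA before it is allowed to go any further.
    if req.country not in HOME_COUNTRIES and not req.mfa_passed:
        return Decision(False, f"MFA required for login from {req.country}")
    # 3. Per-application authorization, deny-by-default: an identity that is
    #    absent from the allow list, or listed without this app, is refused.
    if req.app not in ALLOW_LIST.get(req.user, set()):
        return Decision(False, f"{req.user} is not authorized for {req.app}")
    return Decision(True, f"{req.user} authorized for {req.app}")


def audit(req: Request, decision: Decision) -> dict:
    """One audit record answering who, what, where, when and why."""
    return {
        "who": req.user,
        "what": req.app,
        "where": req.country,
        "when": datetime.now(timezone.utc).isoformat(),
        "allowed": decision.allowed,
        "why": decision.reason,
    }


def run_demo() -> list:
    """Evaluate constructed sample requests under both models; return the ZTNA audit trail."""
    requests = [
        Request("alice", "payroll", True, False, "SG"),     # home country, allowed app
        Request("bob", "payroll", True, True, "SG"),        # authenticated, not authorized
        Request("alice", "payroll", True, False, "RO"),     # abroad without MFA
        Request("mallory", "hr-portal", True, True, "SG"),  # not on the allow list at all
        Request("alice", "hr-portal", False, False, "SG"),  # wrong password
    ]
    trail = []
    for req in requests:
        vpn, ztna = ssl_vpn_decide(req), ztna_decide(req)
        trail.append(audit(req, ztna))
        vpn_s = "allow" if vpn.allowed else "deny"
        ztna_s = "allow" if ztna.allowed else "deny"
        print(f"{req.user:>8} -> {req.app:<10} VPN={vpn_s:<5} ZTNA={ztna_s}: {ztna.reason}")
    return trail


if __name__ == "__main__":
    run_demo()
```

Running it prints one line per request; the second and third requests are the instructive ones, since the VPN model lets an authenticated user reach payroll he was never granted and accepts a password-only login from abroad, while the ZTNA model refuses both and records the reason alongside the who, what, where and when in its audit trail.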
With that, we sum up our comparison of ZTNA vs SSL VPN vs WAN, with ZTNA winning almost hands down in every aspect when it comes to security.
In upcoming blogs, we shall look at the cost (both capital and operational) and the utility of each networking approach.
Stay tuned!
Check out JumpCloud Open Directory, Identity and Device Management Platform. Register for a free trial or a demo.