
From Symantec’s ZTNA Team: Planning to Replace Your VPN?

Enterprises are moving to ZTNA as they replace their VPNs: It’s only one piece of the puzzle

The data shows that the pandemic might be finally subsiding. So, maybe you are evaluating your remote worker policy and how effectively you are able to support future transitions between office and home work. Maybe you felt some frustration with managing your organization’s VPN and wondering if there is a better way.

The purpose of a VPN was always to allow users to remotely access corporate applications and data that were kept inside the traditional corporate network. That design rested on an assumption: the VPN was intended to be used by only a few users whose situations placed them outside the office and the corporate network.

Then came Covid. Overnight the world flipped upside down and suddenly, everyone was using the VPN. And no surprise: the resulting user and admin experience was – terrible.

It’s no secret that VPNs are notoriously inefficient. Since they were intended for a small percentage of users, they were never really designed for security that could scale. It was hard to imagine the problems that would ensue from forcing massive numbers of VPN users through traffic-backhaul backflips for the sake of security.

VPNs need to provide validation. Users trying to access a corporate app over a VPN must send their user credentials into the network and then back out again. It’s a clumsy process that creates frustration and tempts some users to look for a workaround. The inconvenience invites subversion and opens the enterprise to a potential security lapse. Many believe that by moving to Zero Trust Network Access (ZTNA) they can solve all of that. They would be wrong.

The ZTNA basics

As many know, ZTNA sits in the middle of the transaction between users and their applications. With ZTNA, users never access the network but go directly to their applications. As we discussed in a previous blog, ZTNA solutions, such as Symantec Secure Access Cloud, provide an alternative security model that removes the need to backhaul traffic between remote users and the core network’s data center, addressing major pain points such as:

  • Unmanaged devices. ZTNA provides an alternative to a VPN agent, allowing access without exposing the core data center to possible mischief or allowing unauthorized access to other parts of the network.
  • Attack surface reduction. Enterprise CISOs want to eliminate reliance on the corporate VPN for remote access to internal applications. ZTNA microsegmentation provides that cloaking capability, keeping internal applications hidden from anyone not authorized to reach them.
  • Mergers and acquisitions. Enterprises involved in M&A activity want a swift migration and do not want to wait for lengthy IT integrations before users from the involved companies can reach each other’s applications.
  • User experience (UX). If going through a VPN to access corporate apps becomes too onerous, that inconvenience will almost inevitably lead some users to look for workarounds that open potential security lapses.

Why enterprises need more than ZTNA

ZTNA is certainly the cornerstone for migrating off VPN: it delivers the key use case most end users employ with a VPN, accessing their private business applications. That is not, however, the only use case today for corporate VPN.

Most organizations depend on their VPN to backhaul traffic to the data center so they can apply the traditional security stack that protected most of their workers before those workers went remote. When users go directly to web and cloud services instead, they bypass traditional on-premises security controls such as threat protection, data loss prevention, and web filtering. It also means security teams lose visibility into what they need to be protecting. But backhauling traffic leads to poor performance, dependency on a vulnerable protocol, and ultimately realizing less value from the cloud transformation investments the business has made.

Enterprises need to consider how they can transform their security controls in general to align with the cloud transformation strategy they’ve established. The industry is adopting this strategy of Secure Access Service Edge (SASE), and more specifically, data-centric, hybrid SASE. By pushing security controls to the cloud, you get the benefits of scale, availability, and ease of management – while also improving the user experience by securing them anywhere, without having to be on the corporate network – either physically or virtually.

Enterprises need more than ZTNA to provide truly effective security in the emerging hybrid cloud landscape. They require a platform, such as Symantec Web Protection, built on the Google Cloud Platform (GCP), that provides many of these core components.

We believe it IS time for enterprises to replace their VPNs. ZTNA is the right way to go. But keep in mind that there’s more to consider for truly effective security in a borderless, software-defined perimeter world.

To learn more, join us at our webinar on March 3rd to discuss how ZTNA can help you. Register now and bring your questions for Symantec’s ZTNA experts: Alan Hall, Jeremy Follis, and Kyle Black.

About the Author

Kyle Black

Technical Director - Information Security

Kyle is currently a Technical Director for the Information Security Group focusing on maturing data protection programs, mitigating insider threats, and bringing together security telemetry to deliver better outcomes to our customers.
