While some in the industry are making the argument that enterprises don’t need VPNs anymore (principally vendors that don’t offer VPN solutions), nothing could be further from the truth. To mangle Mark Twain’s famous quote, press reports of the death of VPN are greatly exaggerated.

VPNs remain the proven and reliable method of providing protected remote access to datacenter resources. And those on-premises applications aren’t going anywhere.

In a recent survey conducted by IDG Connect for Pulse Secure, every single respondent reported using a combination of on-premise data center and some form of cloud delivery capability. The network perimeter of today is more elastic and flexible than in the past, but the notion that it no longer exists is quite wrong.

A hybrid secure access architecture for a hybrid IT world

VPNs remain an essential component of a secure access architecture. They enable remote workers and trusted third parties, such as partners, clients and contractors, to access the trusted enterprise network and datacenter applications — on premises or in the cloud — from a wide range of endpoints, including BYOD mobile.

Extra marks go to VPN providers that offer options for tailoring a solution to accommodate this diverse set of users, such as agent or agentless access, and a single-client approach that supports all operating systems and device types.

But VPNs need not be the only component of secure access. Today’s hybrid IT world requires a hybrid secure access architecture that can protect data center applications from malicious insiders connected via LAN or WAN as well as malicious outsiders who might find their way into the enterprise network using stolen credentials.

The solution is Zero Trust, a concept first proposed by Forrester Research that pivots from the “you’re in so you’re trusted” approach of the network perimeter to a “trust no one until proven otherwise” approach that operates at the application level. Zero Trust ensures that only authenticated users with compliant devices can connect to authorized applications over any network.

In a hybrid secure access architecture, this Zero Trust capability is accomplished via network access control (NAC) technology, which provides continuous visibility, endpoint and IoT access control, and automated threat mitigation. NAC enables a “comply to connect” strategy that uses strong endpoint authentication, host checking, conditional access and guest management as well as IoT security and threat response capabilities.

Add SDP to the hybrid secure access architecture

Software defined perimeter (SDP) is a newer approach to securing access to applications residing in the cloud or data center. SDP offers an alternative to routing traffic through VPNs and complements NAC security resources by addressing identity-based security at a higher level in the stack. By granting secure verified user and device access to only specifically authorized applications, SDP helps reduce exposure to advanced threats while simplifying connectivity and improving the user experience.

With SDP, the attack surface is reduced through per-application network segmentation and allowing only direct access to authorized applications; other applications are hidden from discovery. Extensive multi-factor authentication and authorization ensure that users, their devices and the applications they access are continuously verified.

“Where and when,” not “either/or”

You can have VPN where you need it for remote access to datacenter and cloud applications, combined with NAC for granular control over which classes of users can access which applications. The result is a Zero Trust solution for secure access to corporate data that leverages existing security technology investments. Layer in SDP where it makes sense as a Zero Trust solution for IaaS or SaaS application access, using it for external and internal users, working remotely or onsite.

Integration and single-pane-of-glass management

Research shows management complexity is also important to enterprises. Security application suites offer an alternative to individual VPN, NAC and SDP solutions. Vendors offering integrated suites ideally provide a single client that supports all technologies in the Zero Trust stack, with access via VPN or SDP depending on the locations of the application. Integration should also deliver a single-pane-of-glass for access management and operational visibility across on-premise and cloud environments.