VPN vs. Zero Trust Network Access: What’s the difference?

The past two years changed how organizations around the world conduct business. Across countries and industries, employees quit their jobs, leaving organizations vulnerable in their absence. Everyone else had to start working remotely with little to no notice, creating secure access headaches for IT security teams.

Since then, organizations have settled into a culture of hybrid work, where some employees are in the office but many more are working from remote locations. During this transition, organizations have found limitations in how well VPNs can provide secure remote access. This is unsurprising, given that VPNs were developed to mimic the experience of being in the office. Once you’re in, you have broad access to everything.

Zero Trust Network Access taking over

To move beyond those limitations, an increasing number of organizations are turning to Zero Trust Remote Access (ZTNA), where the idea is to “trust nothing, verify everything”. ZTNA is based on the principle that any connection to your network should be treated as hostile until it’s been authenticated, authorized, and granted access to resources.

A recent CyberRisk Alliance study on Zero Trust challenges found that ransomware attacks and remote worker risks are driving current and planned zero trust strategies. Specifically, 55% said an increase in ransomware is a motivating factor, 53% point to the increased risks from remote workers, and 32% are driven to implement zero trust out of concern for potential supply-chain attacks. While only 36% of participants had implemented zero trust at that point, another 47% planned to adopt it in the next 12 months.

How Zero Trust Network Access differs from VPNs

To successfully make the transition, it’s important to first understand how VPNs differ from ZTNA.

With remote access VPN, users are implicitly trusted with broad access to resources, which can create serious security risks. ZTNA treats each user and device individually so that only the resources that user and device are allowed to access are made available. Instead of granting users complete freedom of movement on the network, individual tunnels are established between the user and the specific gateway for the application they’re authorized to access – and nothing more.

Added device security

As security company Sophos put it in a recent blog post about the differences between VPN and ZTNA, remote access VPN has no awareness of the health state of a connecting device. If a compromised device connects via VPN, it could affect the rest of the network. ZTNA, on the other hand, integrates device compliance and health into access policies, giving organizations the option to exclude non-compliant, infected, or compromised systems from accessing corporate applications and data. This greatly reduces the risk of data theft or leakage.

To gain a complete understanding of the differences and better understand the steps organizations must take to transition from VPNs to ZTNA, Sophos recently held a webcast in which Rob Andrews, the company’s senior product director for network security, delved deep into the pillars of ZTNA and how to implement it.

Watch it here for the full picture.

Bill Brenner

InfoSec content strategist, researcher, director, tech writer, blogger and community builder. Senior Vice President of Audience Content Strategy at CyberRisk Alliance.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.