When Should You Use ZTNA Instead of a VPN?


Key Takeaways

  • ZTNA and VPN have different purposes: ZTNA is for businesses, VPN is for personal use.
  • ZTNA provides more layers of security compared to VPN, making it harder for an intruder who gets onto the network to move around it.
  • Setting up and maintaining ZTNA may be more complex, and thus not suitable for every business.



Over the last few years, a new kind of network security system has emerged. Known by the acronym ZTNA, these tools can replace VPNs. Should you use a ZTNA instead of a VPN?

The answer depends on a few factors. A virtual private network (VPN) is easier to set up and provides a strong, single line of defense. It’s best for individuals and smaller businesses. A zero trust network access (ZTNA) application is more complicated to implement, but builds tiers of defenses that monitor for unauthorized access continuously. Larger organizations, or those working with sensitive information, are more likely to want to spend the time and resources to set these up. Let’s take a detailed look at what each tool can do.


What is a VPN?

Image: a stylized illustration of a man holding a phone with “VPN” superimposed (ImageFlow / Shutterstock.com).


Normally, when you make an internet connection, you go from your router, to a server run by your internet service provider (ISP), and then to the site you want to visit, How-to Geek in this case. Because of how the internet works, your ISP can see which site you’re visiting and the site you visit can see your IP address, which can potentially reveal your real-world location. VPNs work by rerouting your internet connection through another server.

By rerouting your connection through one of their own VPN servers, a VPN service lets you assume the IP address of that server rather than your own. For individual users who want to protect their privacy, this matters because your IP address is an important anchor point for marketers trying to create a digital profile of you.


When looking at VPNs, those meant for personal use usually have a very different profile from proprietary ones used by businesses. Where an individual would use one to browse anonymously, a business is more likely to use them as a security tool.

VPNs in Businesses

For most businesses, though, the benefit is the other way around. When you set up a secure environment for your office, you only want people with a specific IP address (that of your office) to be able to access it. That way, anybody attempting to access your systems from outside can’t get in, keeping your resources safe.

That said, sometimes you want somebody to be able to access your network from outside, for example people working from home or from another office. In that case, having people route through a VPN can let them assume the “right” IP address and let them access the network as if they were sitting next to you.


However, that only solves one security issue. Others remain, the most important being that once you’re in, you’re in. Without additional precautions, a user would have nearly full access to everything else on the network.

Another issue is that when you use a VPN, of any kind, it knows who you are and what you’re doing. An employer could very easily keep track of what employees are doing while connected to the VPN. In an age where privacy is becoming more and more a mainstream concern, this brings some issues with it.

What is ZTNA?

Image: a very basic zero trust diagram (Panchenko Vladimir / Shutterstock.com).

The issue with VPNs boils down to trust. The business owner trusts that everybody with access to the network will behave themselves, while users trust the network admin won’t spy on them. However, there is a way to remove trust from the equation and create a system without this ambiguity: zero trust network access, or ZTNA.


ZTNA is what’s called “perimeterless security,” a fancy way of saying that there isn’t an imaginary line you need to cross to gain access like with a VPN. Instead, when using a ZTNA application there’s an ongoing process of verification which works on the zero trust model, meaning that you assume there are always threats inside and outside of a network. You always need to authenticate who has access to a program or file, even after they have accessed the network.

In practice, this means that while you are on the network, any applications or files you access will check your authorization as you go along, and each time you access them. On top of that, network administrators can set permissions for each and every application, set either by type of user or even individual users.


Layers upon Layers

This granular approach creates layers of security, meaning that even if you gain access to the network, you can’t move around at will. Since everything on the network is secured separately from network access, you’re not depending on one perimeter like a VPN does, but on constant watchfulness. This protects all applications on your network, but also secures access points. For example, if the network detects that somebody is connecting through a malware-laden laptop, it can be isolated from the network to prevent the spread of viruses and malicious software.

That said, this doesn’t mean you’re spending your workdays constantly entering passwords over and over. ZTNA systems rely on single sign-on (SSO) technology to make sure you only need to sign in once. However, constantly checking who is doing what makes it very easy to catch abnormal behavior, like if someone tries to access a restricted file multiple times in a row.
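To make the contrast between the two models concrete, here is an added example (not code from the article or from any VPN or ZTNA product) that simulates both a perimeter-style gateway, where one check at connect time grants access to everything, and a zero trust broker that re-evaluates every request against the user’s role, the device’s health, and a per-application policy, quarantines an infected device, and flags repeated denials as abnormal behavior. Every user, device, resource and policy rule in it is constructed for illustration.

```python
"""Toy policy-enforcement point contrasting the 'once you're in, you're in'
perimeter model with per-request zero trust authorization.
Added example; all identities, devices, resources and rules are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Device:
    device_id: str
    managed: bool                 # enrolled in endpoint management
    malware_detected: bool = False


@dataclass
class Session:
    user: str
    role: str
    device: Device
    authenticated: bool = True    # SSO already completed; user is not re-prompted


# Constructed per-application policy: which roles may use each resource.
POLICY = {
    "payroll-app": {"finance", "admin"},
    "source-repo": {"engineer", "admin"},
    "wiki": {"engineer", "finance", "admin", "contractor"},
}

# Repeated denials for the same user/resource pair are treated as abnormal.
ALERT_THRESHOLD = 3


class PerimeterGateway:
    """VPN-style model: a single check when connecting, then everything is reachable."""

    def access(self, session: Session, resource: str):
        if not session.authenticated:
            return (False, "not connected")
        # No per-resource check: being inside the perimeter is enough.
        return (True, "inside perimeter")


class ZeroTrustBroker:
    """ZTNA-style model: every request is checked against device, identity and policy."""

    def __init__(self):
        self.denials = defaultdict(int)   # (user, resource) -> denial count
        self.alerts = []                  # abnormal-behavior findings
        self.quarantined = set()          # isolated device ids

    def access(self, session: Session, resource: str):
        dev = session.device
        # Device posture: an infected or unmanaged device is isolated, whoever is using it.
        if dev.malware_detected or not dev.managed:
            self.quarantined.add(dev.device_id)
            return self._deny(session, resource, "device posture")
        if not session.authenticated:
            return self._deny(session, resource, "not authenticated")
        # Per-application authorization, evaluated on every request.
        if session.role not in POLICY.get(resource, set()):
            return self._deny(session, resource, "role not permitted")
        return (True, "allowed")

    def _deny(self, session: Session, resource: str, reason: str):
        key = (session.user, resource)
        self.denials[key] += 1
        if self.denials[key] >= ALERT_THRESHOLD:
            self.alerts.append(f"{session.user} denied {resource} {self.denials[key]} times")
        return (False, reason)


def run_scenario():
    """Run the same requests through both models and return what each decided."""
    clean = Device("laptop-1", managed=True)
    infected = Device("laptop-2", managed=True, malware_detected=True)
    contractor = Session("cathy", "contractor", clean)
    finance = Session("fred", "finance", clean)
    finance_infected = Session("fred", "finance", infected)

    gateway, broker = PerimeterGateway(), ZeroTrustBroker()
    results = {
        "vpn_contractor_payroll": gateway.access(contractor, "payroll-app")[0],
        "ztna_contractor_payroll": broker.access(contractor, "payroll-app")[0],
        "ztna_finance_payroll": broker.access(finance, "payroll-app")[0],
        "ztna_infected_payroll": broker.access(finance_infected, "payroll-app"),
    }
    # Two more attempts by the contractor push the pair over the alert threshold.
    for _ in range(2):
        broker.access(contractor, "payroll-app")
    results["alerts"] = list(broker.alerts)
    results["quarantined"] = sorted(broker.quarantined)
    return results


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The perimeter gateway lets the contractor reach the payroll application because the only question it ever asks is whether the session is connected; the broker refuses the same request each time, isolates the infected laptop regardless of who is using it, and raises an alert after the third refusal, which is the kind of signal the article describes as easy to catch under constant checking.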


Another benefit to using ZTNA is that the strict security works both ways. The network doesn’t need to track your IP address or anything like that, it just authenticates you and that’s it. Since it works on the application layer, there’s no need for it to know anything about you besides your credentials.

VPN vs ZTNA: Which is Better?

When making the choice between using a ZTNA and a VPN, it may seem that ZTNA is the most obvious option—after all, more security is always better. However, it’s not quite that simple. A final advantage VPNs have is that they’re relatively simple to set up.

If you go for a commercial VPN (many of the best VPNs have business plans) you can be up and running in minutes. A self-built business VPN can be set up in an afternoon.


Zero trust network access is more complicated. It’s not only a program you set up and run; rather, it’s a philosophy of security that can be tough to set up and maintain. Also, you could argue that it’s really only necessary in large organizations; if you’re running a small or medium business, setting up a VPN and password-protecting sensitive files could very well be enough.

Though ZTNAs may be the more secure option, the added work may be more than a business can handle. Making the choice to switch between the two may not work for every business, and ZTNAs are almost definitely overkill for a home user, even if you’re willing to put in the time and effort to get one running.


