Is It Time to Ditch the VPN for ZTNA?

As ZTNA matures, VPNs may fade into the background, ushering in a new era of network security. The transition, however, isn’t without challenges.

Karen D. Schwartz, Contributor

November 14, 2023


Little by little, the venerable VPN might be going the way of the Netflix DVD. Despite being the de facto standard for network security over the past three decades, several factors have diminished the effectiveness of VPNs, especially when compared to alternatives like zero trust network access.

A virtual private network establishes a secure connection between end users’ devices and a corporate server by routing them through an encrypted tunnel over a public internet connection. Within this tunnel, only users and network administrators can monitor user activities, providing complete access to the corporate network. However, this also means that anyone tapping into the session, including malicious actors, internet service providers, or VPN providers, can see user activities within that connection.

Although that level of security was once considered sufficient for corporate America, it has become outdated. As users increasingly browse the web and, as a result, expose their devices to all sorts of malware, VPNs are showing their age. Today, 90% of organizations express concerns about unauthorized access to networks through VPNs, according to Zscaler.

The Rise of ZTNA

Enter zero trust network access (ZTNA) — the concept that users should undergo continuous assessment and validation to achieve the highest level of security without compromising usability. The goal of ZTNA is to provide granular access to applications based on user identities and the context of their connection. While VPNs attempted to achieve this to some extent through firewall filtering, they fell short.


“Companies began to realize that they may be giving too much permission to users on their devices to connect to the ‘castle’,” explained Chalan Aras, a cybersecurity leader at Deloitte. The solution is to provide visibility and access only to the areas that users legitimately need and nothing beyond that. “So, you come to the gate of the castle and have a soldier who escorts you to the room you need to get to. You’re not allowed to even know there are other rooms, let alone go there, unless you’re explicitly permitted to do so.”

That concept of ensuring secure access to applications based on roles, while keeping those applications entirely hidden from the internet, is very appealing to companies, said Charlie Winckless, a senior director analyst at Gartner.

“There must be a continuous assessment of the state of the connection,” Winckless said. “Did the user start behaving differently four hours into her connection? Is she downloading an unusually large amount of information?”

Not all ZTNA products offer this type of continuous assessment (some only evaluate at connection time), but Winckless recommended insisting on this feature.

ZTNA is ideal for various scenarios, including internal workforce remote access, extended workforce remote access, BYOD, and privileged remote access, Winckless noted. Additionally, it can be useful for on-premises access, controlling access to resources within the same local or wide area network for endpoints connected to the local access switch.

The ability to shield applications from the internet is a critical aspect of the ZTNA concept. While some vendors offer acceptable alternatives by using their own firewall products in their ZTNA solutions, most are engineered to require some type of encryption technology or a cloud gateway, Winckless said.

ZTNA vs. VPN Models

There are a few other important distinctions between the ZTNA and VPN models. Unlike VPNs, which operate at the network level, ZTNA works at the application level. Admins can set up VPN rules governing which parts of the network are accessible, but these rules are limited because VPNs lack full visibility into the applications that users access. ZTNA allows users access only to the applications they are authorized to use, not the entire network.

Authentication is another area of differentiation. VPNs typically rely on a username and password for connection, granting users full network access once connected. ZTNA, by contrast, performs continuous checks to verify users’ identities and entitlements at every stage, ensuring they are who they claim to be and are entitled to access the requested resources.
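To make the two models concrete, here is an added example (not the article's or any vendor's code) of a toy ZTNA policy engine in Python: access is decided per application from the user's role and device posture, and the decision is re-evaluated during the session, including Winckless's download-volume check. All roles, applications and thresholds are constructed for illustration.

```python
"""Toy ZTNA policy engine (added example; not the article's or any vendor's code).
Constructed data throughout. Decisions are made per application and re-evaluated
during the session, unlike a VPN, which grants network-wide access after one login."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed policy: roles entitled to each published application and the
# device posture it requires. Applications not listed are hidden entirely.
APP_POLICY = {
    "mail":      {"roles": {"staff", "finance", "engineer"}, "posture": "any"},
    "erp":       {"roles": {"finance"},                      "posture": "managed"},
    "scada-hmi": {"roles": {"engineer"},                     "posture": "managed"},
}
# Roles with unrestricted access (the article's highly privileged administrators);
# for them ZTNA behaves like a VPN, but identity is still verified and the
# session is still reassessed.
UNRESTRICTED_ROLES = {"admin"}
DOWNLOAD_LIMIT_MB = 500  # constructed threshold for an "unusually large" download

@dataclass
class Session:
    user: str
    role: Optional[str]      # None models a legacy identity system that cannot classify the user
    posture: str             # "managed" or "unmanaged" device
    downloaded_mb: float = 0.0

def authorize(session: Session, app: str) -> Tuple[bool, str]:
    """Per-application decision at connection time; deny by default."""
    if session.role is None:
        return False, "identity system cannot classify the user; deny by default"
    if session.role in UNRESTRICTED_ROLES:
        return True, "unrestricted role; access resembles a VPN"
    policy = APP_POLICY.get(app)
    if policy is None:
        return False, f"{app} is not published through ZTNA"
    if session.role not in policy["roles"]:
        return False, f"role {session.role} is not entitled to {app}"
    if policy["posture"] == "managed" and session.posture != "managed":
        return False, f"{app} requires a managed device"
    return True, "allowed"

def reassess(session: Session, app: str) -> Tuple[bool, str]:
    """Continuous assessment: re-run the policy and inspect in-session behaviour."""
    ok, reason = authorize(session, app)
    if not ok:
        return False, reason
    if session.downloaded_mb > DOWNLOAD_LIMIT_MB:
        return False, f"anomalous download volume ({session.downloaded_mb:.0f} MB); revoke"
    return True, "session still compliant"
```

Calling `reassess` periodically (rather than only `authorize` at login) is what separates the continuous-assessment products Winckless recommends from those that check only at connection time.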

Because of these considerations, most experts say you should probably replace your VPN with ZTNA if possible. Businesses are increasingly following this recommendation. Gartner reports that ZTNA is the fastest-growing segment in network security, projected to grow 31% in 2023. That’s up from less than 10% at the end of 2021.

ZTNA Isn’t Always an Option

While ZTNA might be the preferred choice today, there are cases where adopting it might not be feasible, because ZTNA is still at an early stage of development and lacks certain functionality. For example, some employees in an enterprise, such as highly privileged administrators or security leaders, might require unrestricted access and should not be confined by the principle of least privilege.

Nevertheless, there is a fix, Aras suggested. By granting full privileges to those enterprise employees, ZTNA can function like a VPN, providing access to everything inside the network while still maintaining its identity verification protocols.

There are also situations where a VPN may still be necessary, such as when an organization hasn’t modernized its identity systems. With older identity systems, users logging in can’t be appropriately classified based on their roles, which ZTNA requires in order to assign privileges.

Real-World Transition: The Wine Group’s Experience

In the case of The Wine Group, the problem stemmed from legacy machinery and software that were too expensive to replace and slow to adapt to changes. The company, with about 4,000 corporate employees and many more in production across multiple continents, is committed to improving its network security.

In fact, the company is about 90% through its transition from VPNs to ZTNA for existing internal web-based applications like Office 365. With fully remote employees, ZTNA provides secure access to those applications.

According to Ben Wiesner, senior network engineer at The Wine Group, the next step involves migrating more internal applications online so the company can apply ZTNA to those, as well. Wiesner is responsible for all network operations globally as well as network security.

“ZTNA means we don’t care who you are – we don’t trust you – and in this threat landscape, it needed to happen,” Wiesner said. “It isolates people and the authentication accessing those applications, and with the shift to cloud-native applications, it scales better.”

However, a problem arises with legacy devices like SCADA systems, Balling lines (a system for measuring sugar content in grapes), and programmable logic controllers that are critical for The Wine Group’s production processes. These systems cannot currently operate with ZTNA. For instance, offsite engineers need access to on-premises systems at each facility, which requires the continued use of traditional VPNs for these functions.

This results in a hybrid environment. To make management easier, Wiesner’s team chose to outsource its secure access service edge (SASE) platform. The platform provides a unified interface for VPNs, network management, and ZTNA.

Embracing the Zero Trust Future

As ZTNA continues to mature, reducing complexity and adding functionality, VPNs will fade further into the background. However, for the time being, deciding between a VPN and ZTNA remains a complex task. One reason, Winckless said, is that setting up a ZTNA policy can be a lot of work.

“You need to understand your groups of users and which applications they need to talk to,” Winckless said. “If you’re not willing to do that work, buying a ZTNA is basically like paying more for the same VPN you already had.”


Additionally, changing processes takes time. Users might resist restricted access to applications they are accustomed to, even if that access isn’t essential for their job. Compared with ZTNA, VPNs are also familiar and easy to use.

Cost is another consideration. Today, ZTNA tends to be more expensive than VPNs. VPNs are often free, bundled with other networking infrastructure like firewalls.

But ZTNA will mature. Vendors are actively removing complexity and exploring innovative solutions. For example, some firewall vendors, traditionally focused on VPNs, now integrate ZTNA into their systems. ZTNA is also increasingly becoming a component of SASE offerings and web gateways.

Over the next three to five years, Aras expects a substantial increase in the adoption of ZTNA by enterprises and even small businesses. The ZTNA they implement may be either an independent solution or part of a broader SASE offering, leading to the decommissioning of VPNs.

“The change is worth the effort because it can significantly reduce security risks compared to existing VPNs,” Aras said.

About the Author(s)

Karen D. Schwartz

Karen D. Schwartz is a technology and business writer with more than 20 years of experience. She has written on a broad range of technology topics for publications including CIO, InformationWeek, GCN, FCW, FedTech, BizTech, eWeek and Government Executive.
