Denise Dubie
Senior Editor

VPN vs. ZTNA: Cisco tackles pros and cons

Analysis
Feb 11, 2025 · 6 mins
Network Security · VPN · Zero Trust

Modernizing remote access from VPN to ZTNA provides more granular controls, improved security, and a better user experience, says Cisco, which warns of pitfalls to avoid.

Conceptual image of a network labeled 'Zero Trust.'
Credit: Olivier Le Moal / Shutterstock

It’s no secret that more modern approaches to remote access have been usurping VPNs as organizations adapt to the realities of a distributed workforce, cloud-based applications, and heightened security threats. Gartner predicted that by 2025, up to 70% of new remote access deployments will rely on zero trust network access (ZTNA) rather than VPN technology. ZTNA offers a granular, identity-centric model of access control, providing organizations with the flexibility, scalability, and security features needed to support distributed environments.

Stronger authentication methods and encryption protocols are part of the appeal of ZTNA. Unlike VPNs, which grant full network access once connected, ZTNA verifies user identity and only provides access to the specific applications and data needed for their role, minimizing the attack surface. By only granting access to necessary resources, modern solutions can often provide faster connection speeds compared to VPNs, which might need to route all traffic through a single tunnel. Designed to scale, ZTNA can accommodate a larger number of users and devices—without compromising security.

Recently, Cisco hosted a webinar on the topic of modernizing VPNs to ZTNA, sharing both reasons to transition and pitfalls to avoid.

“VPNs originally were sort of a castle-moat kind of concept in which if somebody provides the right credentials they get into our whole network, and that can be very dangerous,” said David Gormley, a product marketing leader for Cisco Cloud Security, during the webinar. “Many companies are starting a zero-trust journey and laying out some requirements that typically include least privilege, and that’s a major part of moving to a more sophisticated remote access program. It’s really access to an individual resource or application instead of a whole network segment.”

Reasons to replace VPN now

Among the many reasons cited during this webinar, the risk of over-privileged access to company resources topped the list of reasons to modernize remote access. The model in which a bad actor, once inside an environment, could move wherever it wanted to perform malicious acts belongs in the past.

ZTNA limits access to only the necessary applications or resources, making it nearly impossible for hackers to conduct lateral attacks once they have authenticated through the remote access layer. ZTNA technologies provide fine-tuned access controls, enabling administrators to define exactly what a user can access on the network based on their role, location, and device. This approach provides better protection against identity-based attacks and lateral movement, preventing attackers from moving freely across the network once they gain initial access with compromised credentials.
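To make the contrast concrete, here is an added illustration (not code from Cisco or from the webinar) of the two access models as policy evaluators. The VPN-style function returns a whole network segment once credentials check out; the ZTNA-style function decides per application using role, device posture, and location. The policy table, application names, and network range are constructed for this example, and the point it shows is how much a single stolen credential reaches under each model.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class AccessRequest:
    """Context a remote access broker would see for one connection attempt."""
    user: str
    role: str
    device_managed: bool     # enrolled in device management
    device_compliant: bool   # passes posture checks (patched, disk encrypted, ...)
    country: str
    app: str                 # the specific application being requested

# Castle-and-moat model (constructed): a valid credential yields the whole segment.
VPN_NETWORK_GRANT = ["10.0.0.0/8"]  # hypothetical internal range

def vpn_decision(req: AccessRequest, credentials_valid: bool) -> list[str]:
    """One check at the perimeter, then full reachability of the network segment."""
    return list(VPN_NETWORK_GRANT) if credentials_valid else []

# ZTNA-style per-application policy (hypothetical table, constructed for this example).
# 'countries': None means no geographic restriction.
ZTNA_POLICY = {
    "crm":       {"roles": {"sales", "support"}, "require_managed": False,
                  "require_compliant": True, "countries": None},
    "hr-portal": {"roles": {"hr"}, "require_managed": True,
                  "require_compliant": True, "countries": {"US", "CA"}},
    "git":       {"roles": {"engineering"}, "require_managed": True,
                  "require_compliant": True, "countries": None},
}

def ztna_decision(req: AccessRequest, credentials_valid: bool) -> tuple[bool, str]:
    """Evaluate identity, role, device posture, and location for ONE application.
    Anything not explicitly allowed is denied (default deny)."""
    if not credentials_valid:
        return False, "authentication failed"
    rule = ZTNA_POLICY.get(req.app)
    if rule is None:
        return False, f"no policy for {req.app} (default deny)"
    if req.role not in rule["roles"]:
        return False, f"role {req.role} not permitted for {req.app}"
    if rule["require_managed"] and not req.device_managed:
        return False, f"{req.app} requires a managed device"
    if rule["require_compliant"] and not req.device_compliant:
        return False, f"{req.app} requires a compliant device"
    if rule["countries"] is not None and req.country not in rule["countries"]:
        return False, f"{req.app} not permitted from {req.country}"
    return True, "allow"

def reachable_apps(req: AccessRequest, credentials_valid: bool) -> list[str]:
    """Which applications the same identity/device/location context can reach under ZTNA."""
    return sorted(app for app in ZTNA_POLICY
                  if ztna_decision(replace(req, app=app), credentials_valid)[0])

if __name__ == "__main__":
    # Constructed scenario: a sales user's credential used from an unmanaged, compliant device.
    stolen = AccessRequest("alice", "sales", False, True, "US", "crm")
    print("VPN grant :", vpn_decision(stolen, True))        # whole segment
    print("ZTNA apps :", reachable_apps(stolen, True))      # ['crm'] only
    print("ZTNA git  :", ztna_decision(replace(stolen, app="git"), True))
```

The useful property to observe is the blast radius: under the VPN model the compromised credential yields reachability to the whole segment, while under the per-application model it yields exactly the one application the role is entitled to, and that only while the device passes posture checks. Adding a new application means adding a policy row, not widening a tunnel.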

Performance is another reason enterprises consider transitioning from VPN to ZTNA. With more remote workers and distributed workforces, latency and throughput can become a source of frustration. While VPNs create a broad tunnel to the entire network, ZTNA uses distributed gateways closer to the end users to reach cloud-based applications. This reduces latency and avoids the need to route all traffic through a single centralized VPN. ZTNA aims to solve the latency and throughput problems of remote application access, which are common pain points with legacy VPN technologies.

Another motivation to move from VPN to ZTNA is future-proofing an environment. ZTNA offers more flexibility to scale up or down and supports more devices and locations. Often built on cloud platforms, ZTNA allows for easier scalability and flexibility to accommodate changing user needs and locations. ZTNA can also integrate with other advanced security measures such as multi-factor authentication, threat detection, and encryption. By taking an identity-centric approach to remote access, ZTNA can better position organizations to adapt to evolving security threats and workforce needs over time.

Pitfalls to avoid with modern remote access

Transitioning from VPN to ZTNA isn’t without its challenges, according to this webinar. There are a few pitfalls enterprise organizations should look out for when modernizing their approach to remote access.

To start, be sure that applications can use ZTNA technology for connection. If not, organizations might have to maintain the old VPN product along with the new ZTNA technology. Cisco’s Gormley explained in the webinar that certain types of applications, such as multi-threaded apps or those that rely on server-initiated communication protocols such as RDP or FTP, are not well-suited to the ZTNA model.

“It adds to user frustration if they have to maintain their old VPN and they have the new ZTNA. It’s also confusing to the user when to use what,” Gormley said.

Another challenge can arise with too many specialized point products that cover different remote access scenarios. Secure access service edge (SASE) and security service edge (SSE) platforms try to address the complexity of having too many point products to manage, and enterprise organizations should consider a unified approach when moving to ZTNA.

“It’s everything from the contracts with the vendors to the deployment and maintenance and different policy engines. It just ends up being way too complex so you want convergence and that’s where the SSE and SASE approaches come in,” Gormley explained.

Lastly, integration with other security tools and visibility into end-user experience can represent a pitfall when moving from VPN to ZTNA. There are SSE and SASE solutions that include ZTNA and provide a converged approach that is fully integrated, and enterprise organizations should strive for that level of integration. For end-user experience, it is critical to have visibility across tools to understand the source of performance issues when they do arise.

“If you have a distributed workforce, they’re going to connect from a variety of devices and you want to be able to see when there’s a performance issue and what’s causing it,” he said.

By embracing this architectural shift toward ZTNA from VPN, enterprise organizations can better secure their environments, support a distributed workforce, and create a more flexible, scalable remote connectivity infrastructure that will carry them into the future, according to the Cisco webinar.

“Zero trust is not a product, zero trust is an architecture. It’s about identity, access, and response,” said Jack Klecha, senior director for information security at Cisco, during the webinar.
