Think ZTNA and VPNs are incompatible? Think again.
Published on 25/5/2023
Author: François Bonnet, Head of Product & Alliances
The huge upsurge in working from home and other remote working practices (31% of employees in France work remotely to some degree, according to the corporate insurance provider Malakoff Humanis), and the scattering to the four winds of information systems, are a huge challenge for CISOs when it comes to remote access security (only available in French). According to the latest cybersecurity survey published by CESIN (a French cybersecurity trade body), two out of five businesses are currently experimenting with the latest flavor of security model for information systems, known as Zero Trust.
However, the Gartner-backed ZTNA approach to defense derived from this model is often said to entail doing away with VPNs and giving up on securing communication networks. And yet, Zero Trust models rely on two principles, i.e. authentication and authorization. TheGreenBow VPN Clients can apply both and still provide robust encryption for communication, which is why we believe there are definite benefits to combining ZTNA and use of VPNs.
The cloud causes trust issues
The slogan for the 2023 edition of the International Cybersecurity Forum in Lille (northern France) was “In Cloud we trust?”—and that’s the key question. Can the cloud, presented for a number of years now as the inevitable engine room of digital transformation, be trusted? While the cloud is in widespread use in American businesses, Europe does still seem more cautious, with “only” 40% adopting the public cloud, probably because European firms are aware of the risks. Those risks include vendor lock-in, i.e. being inescapably dependent on American hyperscalers, and the risk of extraterritorial legislation blowing a hole in any semblance of confidentiality. It should be noted that 70% of European data is already stored and processed outside Europe, and mainly by these hyperscalers.
In France, the annual CESIN survey shows that, among polled companies, 50% of corporate ISs are cloud-hosted. The main two risk factors that emerge from the survey are the lack of control over the hoster’s subcontractor chain, and the hoster’s administrators’ own lack of control over data access. This boils down to having to settle for trusting them by default.
Lastly, physical security shouldn’t be left off any list of cloud-related risks. The fire at OVH’s Strasbourg data center (2021), and the one in April this year at Global Switch in Clichy that disrupted Google Cloud services, serve to remind us of that.
It is by no means certain or inevitable that all or most IT resources are destined to be migrated to the cloud, as American analysts so insistently predict. Critical operators, known as Operators of Vital Importance (OVIs) in France, or organizations identified as essential and important entities under the EU’s NIS Directive, for example, cannot take this path.
False accusations against VPNs
Purveyors of ZTNA solutions are in the habit of explaining that using a VPN isn’t compatible with a zero-trust approach, and that deploying ZTNA means doing away with VPNs. They justify this stance by casting aspersions on VPNs that do not hold true for all of them at all. One of the commonest such allegations is security failings, with fingers pointed at the vulnerabilities regularly uncovered in VPN software. That vulnerabilities exist is undeniable. However, they always involve VPNs using the SSL protocol and TLS (see our blog post). IPsec VPNs are far more robust and rarely fail.
Another specious argument often heard is that VPNs are an entry point giving access to the entire corporate network and the applications found there. This is not really true. A VPN can be configured so that access is limited to just part of the network, or it can offer users a number of tunnels on the basis of their profile and those parts of the network they are allowed to use. TheGreenBow’s VPN client can consequently handle various use cases: a network administrator who needs to protect his administration traffic will set up a specific tunnel; a sales engineer working remotely who needs access to resources stored on a restricted information system will set up an IPsec DR (Restricted) tunnel meeting ANSSI’s recommendation for secure networks; staff on the move who connect to a Wi-Fi network at one of the company’s locations will open a secure connection…
Another criticism leveled at VPNs is network performance. It is true that during the pandemic, many firms were forced to rapidly increase the number of people working from home with no time to adjust the capacity of their gateways accordingly. A degree of network saturation was frequently the result, but businesses have now corrected matters and resized their network equipment. VPNs can also be configured such that a connection to a cloud-hosted application, such as Teams or Salesforce, does not have to go through a VPN tunnel.
Another drawback highlighted by ZTNA solution suppliers is the administration involved in running a set of VPN clients (installation, license activation, and deploying a configuration that complies with the corporate security policy). This argument completely overlooks administration tools such as TheGreenBow’s Connection Management Center, a console used for easy license activation, and to quickly build and deploy configurations.
In summary, while ZTNA works perfectly well under the SaaS model, a zero trust VPN is the answer for modern corporate networks.
ZTNA and VPN: a match made in heaven
Not all businesses are going to host their whole IS in the cloud; hybrid and mainly on-premise set-ups will remain. Moreover, man-in-the-middle attacks are still a fact of life, so where’s the sense in doing away with the encryption aspect of a connection? Or at least, why rely on a TLS-encrypted connection generated by a browser when we know it is far less robust than an IPsec tunnel?
The ZTNA approach is obviously interesting in terms of increasing security, and we think that a VPN has a role to play in such an approach. Combining it with the principles behind ZTNA offers greater protection, including as regards compliance with new European regulations such as NIS 2 and DORA.
With this in mind, TheGreenBow has developed a number of ZTNA functionalities for its VPN clients, the main idea being to add checkpoints when identifying a person requesting an encrypted connection, and to confirm, before a tunnel is opened, that opening it is the appropriate action to take.
Our first example of functionality following this new product strategy is GINA mode which, once enabled, sets up a VPN tunnel before logging on to Windows, and in so doing authenticates the user wanting to open a tunnel.
Another example is multi-factor authentication, one of the key principles in ZTNA. TheGreenBow Windows VPN Clients allow for two-factor authentication, using a password and a certificate stored on a token such as a smart card.
Our latest development in this area is checking a workstation’s health before opening a tunnel, a feature that is in operation now. In future, the Connection Management Center will also apply rules, including checking a workstation’s compliance before opening particular tunnels.
Enhancing user authorization and authentication before they even open a tunnel is a powerful driving force behind TheGreenBow’s product development—and in doing so we apply the precepts of Zero Trust Network Access. Feel free to ask TheGreenBow for a demo of how to open ZTNA tunnels.