16 March 2023

Zero Trust Network Access: VPN Successor or Hype?

VPNs were the standard for secure remote access for 20 years. However, VPNs trust the entire network once the connection is established – a paradigm that no longer works in a cloud-first world. Zero Trust Network Access (ZTNA) replaces “network access” with “application access” and verifies each request individually.

TL;DR

  • Gartner: By 2025, 70 percent of companies will replace VPNs with ZTNA
  • VPN vulnerabilities: 56 percent increase in reported CVEs in VPN products (2022)
  • ZTNA principle: Never trust the network – always verify identity, device, and context
  • Market leaders: Zscaler, Cloudflare, Palo Alto Prisma Access, Netskope

The VPN Problem

A VPN establishes an encrypted tunnel and then grants the user access to the entire corporate network. This is like giving every visitor who checks in at the reception the master key to all offices. Once inside, lateral movement is trivial.

Operational issues also arise: VPN concentrators as single points of failure, performance bottlenecks during remote work peaks, and an expanding attack surface due to VPN vulnerabilities. Fortinet, Pulse Secure, and Citrix VPNs were targets of numerous zero-day attacks in 2022-2023.

How ZTNA Works

ZTNA turns the model around: Instead of network access, it grants access to individual applications – after verifying identity (who?), device status (patched? managed?), context (location? time?), and risk assessment (anomalies?).

Technically, ZTNA relies on a broker between the user and the application. The user never connects directly to the network. Applications are invisible from the internet – no open port, no DNS entry. Only authenticated, authorized requests are allowed through.
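To make the contrast concrete, here is a small added example (not code from the article or from any ZTNA vendor) that models the two authorization models side by side: a VPN-style check that grants reachability to every host after one login, and a ZTNA-style broker check that evaluates identity, device posture, context, and a risk score for one published application per request. The application inventory, the group names, the permitted hours, and the risk threshold are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field

# Constructed application inventory (assumption): each published app has its
# authorized groups, whether a managed device is required, and the countries
# from which access is permitted (None means no geographic restriction).
APPS = {
    "hr-portal":  {"groups": {"hr", "it-admin"}, "managed_only": True,  "countries": {"DE", "AT", "CH"}},
    "wiki":       {"groups": {"staff"},          "managed_only": False, "countries": None},
    "finance-db": {"groups": {"finance"},        "managed_only": True,  "countries": {"DE"}},
}


@dataclass
class Request:
    """One access request as the broker sees it (hypothetical field set)."""
    user: str
    groups: set            # identity: group memberships from the IdP
    mfa: bool              # identity: strong authentication completed?
    device_managed: bool   # device: enrolled in management?
    device_patched: bool   # device: posture check passed?
    country: str           # context: where is the request coming from?
    hour_utc: int          # context: when?
    risk_score: int        # risk: 0-100 from a hypothetical anomaly engine
    app: str               # the single application being requested


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def vpn_authorize(user_authenticated: bool, network_hosts) -> set:
    """Classic VPN model: one successful login makes every host reachable.
    Nothing about device, context or the target application is checked."""
    return set(network_hosts) if user_authenticated else set()


def ztna_authorize(req: Request) -> Decision:
    """ZTNA model: evaluate identity, device, context and risk for ONE app.
    Every failed check is recorded so the denial can be logged and explained."""
    d = Decision(allowed=False)
    app = APPS.get(req.app)
    if app is None:
        # Unpublished apps are simply not reachable through the broker.
        d.reasons.append("unknown application")
        return d
    # Identity: who is asking, and did they authenticate strongly?
    if not req.mfa:
        d.reasons.append("MFA required")
    if not (req.groups & app["groups"]):
        d.reasons.append("user not in an authorized group")
    # Device: is the endpoint managed and in a healthy state?
    if app["managed_only"] and not req.device_managed:
        d.reasons.append("managed device required")
    if not req.device_patched:
        d.reasons.append("device is missing patches")
    # Context: location and time of the request.
    if app["countries"] is not None and req.country not in app["countries"]:
        d.reasons.append(f"access from {req.country} not permitted")
    if not 5 <= req.hour_utc <= 22:
        d.reasons.append("outside permitted hours")
    # Risk: threshold of 70 is an assumption for this example.
    if req.risk_score >= 70:
        d.reasons.append("risk score too high")
    d.allowed = not d.reasons
    return d


def ztna_reachable(req: Request) -> set:
    """Everything this user/device/context combination could reach: only the
    apps for which every check passes, never 'the network'."""
    reachable = set()
    for name in APPS:
        probe = Request(**{**req.__dict__, "app": name})
        if ztna_authorize(probe).allowed:
            reachable.add(name)
    return reachable


if __name__ == "__main__":
    alice = Request("alice", {"staff", "hr"}, True, True, True, "DE", 10, 5, "hr-portal")
    print("VPN after login:", vpn_authorize(True, ["hr-portal", "wiki", "finance-db"]))
    print("ZTNA for alice: ", ztna_reachable(alice))
    print("finance-db:     ", ztna_authorize(Request(**{**alice.__dict__, "app": "finance-db"})))
```

The reasons list is the operationally useful part: a broker that can say why a request was denied (wrong group, unmanaged device, unusual location) produces logs that a SOC can alert on, whereas a VPN concentrator typically only records that a tunnel came up.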

Migration: From VPN to ZTNA

The migration doesn’t have to be a big bang. Recommended roadmap:

  • Phase 1: Use ZTNA for new cloud applications (no VPN tunnel to SaaS needed).
  • Phase 2: Make web-based internal applications accessible via the ZTNA broker.
  • Phase 3: Gradually migrate legacy applications that require network access, or connect them via an app connector.

VPN and ZTNA can run in parallel for months. This reduces risk and gives the team time to gain experience with the new model.

ZTNA Is Not a Panacea

Critical limitations: ZTNA protects application access, not the application itself. A SQL injection still works through a ZTNA broker. ZTNA does not replace a web application firewall, input validation, or patch management.

Additionally: ZTNA solutions are themselves targets of attacks. A compromised ZTNA broker has access to everything it mediates. Vendor security is critical – check audit reports (SOC 2), penetration test results, and the incident history of the provider.

Key Facts

Adoption: Gartner: 70 percent ZTNA adoption by 2025 (from under 10 percent in 2021)

VPN CVEs: 56 percent more reported vulnerabilities in VPN products in 2022

Latency: ZTNA typically has 20-40 percent less latency than VPN (no backhauling)

Frequently Asked Questions

Can ZTNA replace all VPN use cases?

Almost all. The exception: applications that require genuine Layer-3 network access (certain legacy protocols, network drives via SMB). For these cases, ZTNA providers offer app connectors or a private network mode.

How expensive is the transition?

ZTNA licenses typically cost 5-15 EUR/user/month. Against this stand the savings: no VPN concentrator hardware, reduced maintenance effort, and lower bandwidth costs (no backhauling). The TCO is usually lower than with VPN.

Do I need ZTNA if I already implement Zero Trust?

ZTNA is a component of Zero Trust – not the whole thing. Zero Trust also includes identity governance, micro-segmentation, endpoint security, and data protection. ZTNA specifically solves the problem of secure application access.

Header Image Source: Pexels / Mohan Nannapaneni

About the author: Benedikt Langer

A magazine by Evernine Media GmbH