ZTNA & VPN – better, together
During the peak of the Covid-19 pandemic, there was an immediate need for the entire workforce to work remotely. Although the pandemic appears to be gradually subsiding, the office landscape may be changed forever. Some workers will return to the physical office, some will work on a hybrid model, and a large number will work remotely indefinitely.
As we move into this new normal, it is becoming increasingly clear that a remote workforce requires secure access to its organization’s LAN. Today, many companies use VPNs for this purpose to provide external users a secure remote connection to the organization’s internal network.
The times they are a-changin’
VPNs were invented when most network traffic came from enterprise users who had company-owned computers connected to the corporate network. There was a perimeter or a clear separation between users inside and outside the trusted network.
Statically defined network perimeters no longer reflect best practice for today’s distributed architectures, which span multiple data centers. Users need secure remote access to multiple locations as well as to on-premises and cloud-based applications. Organizations must also enable access for BYOD (Bring Your Own Device) and IoT devices.
VPNs: a hacker’s new best friend
VPNs have recently become a very attractive target for hackers. A cybercriminal who acquires a user’s VPN login credentials or breaches the company’s VPN server can enter the network and cause enormous havoc.
During the past year, several major corporations using solutions from leading VPN vendors such as Pulse Secure, Fortinet, and Palo Alto Networks experienced major data breaches, even though these vendors are considered market leaders. The cybercriminals behind these attacks exploited bugs in the VPN software that gave them access to back-end servers.
Transitioning from VPNs to ZTNA
As a result of changing remote work needs and a new understanding of the security risks that VPNs may present in this context, many CIOs and CISOs are examining architectural improvements and considering whether to implement a Zero Trust Network Access solution. Reinforcing the trend, a growing number of government regulations now require organizations to implement ZTNA.
An example is the recent US Government Executive Order 14028, issued on May 12, 2021, by US President Biden in a bid to “Improve the Nation’s Cybersecurity”.
In short – for government-related organizations, implementing a Zero Trust architecture is now required by law. That’s a big deal.
According to Gartner Research:
“There is strong interest in zero-trust network access (ZTNA). Gartner inquiries on this topic have grown 127% in the first four months of 2021, as compared with the same period in 2020.” 
Gartner further adds:
“Although there is a lot of excitement over the benefits of ZTNA, end-user organizations lack experience in implementing it.” 
Safe-T’s Best Practices for ZTNA
To support both the need and the trend, Safe-T has put together a list of best practices for ZTNA:
1. Trust no one by default
Implement a security approach that focuses on not trusting any users inside or outside of an organization. If a user is in the LAN, there should be no assumption of trust.
Ensure users are successfully authenticated for a specific application before there is any visibility or access to that back-end service. ZTNA incrementally opens access to users while continuously evaluating risk.
2. Grant least privilege access
Ensure users are granted access only to the business applications and resources required to perform their authorized tasks. Access should be granted on a “need-to-know”, least-privilege basis defined by granular policies. Group policies connect authorized users to narrowly defined back-end services.
3. Implement micro-segmentation
Divide the network into small zones, each governed by its own access rules, to keep data secure by reducing the size of a system’s attack surface.
4. Implement VPNs & ZTNA side by side
Hackers consider third parties easy targets to breach. Third parties such as contractors, partners, and vendors can be security risks because they might not be aware of the organization’s security rules or may not pay close attention to them.
Third parties usually do not need full access to an organization’s network. They need access only to specific back-end applications to perform their jobs.
The solution for this is to use VPNs and ZTNA side by side. Internal users such as employees can use the existing VPN system. For these users there is no need to change the IT infrastructure and the user experience remains the same.
Third parties such as contractors would use the Safe-T Authentication Gateway which grants “need-to-know” least-privileged access.
5. Achieve IT regulatory compliance
Implement strict user access controls and policies to protect the organization’s internal networks and servers; this both secures the network and helps meet IT compliance requirements.
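The following added example (not Safe-T’s code, and not the ZoneZero® product’s configuration) models practices 1 to 3 as a small policy engine: a request carries an identity, its group memberships and the application it wants, the network location is recorded but never used to grant trust, nothing is visible before authentication, and a group policy maps each group to narrowly defined back-end services that each sit in their own micro-segment. All group, application and segment names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample policy (hypothetical names): group policies map authorized
# groups to narrowly defined back-end services (practice 2), and each service
# lives in its own micro-segment (practice 3). Anything not listed is denied.
GROUP_POLICY = {
    "employees":   {"hr-portal", "intranet-wiki"},
    "contractors": {"ticketing-api"},
}
SEGMENT_OF = {
    "hr-portal": "segment-hr",
    "intranet-wiki": "segment-corp",
    "ticketing-api": "segment-vendor",
    "finance-db": "segment-finance",   # no group policy grants this: default deny
}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    app: str
    authenticated: bool
    source: str  # "lan", "vpn" or "internet"; logged, but never used to grant trust

def authorized_apps(req: AccessRequest) -> frozenset:
    """Practice 1: no application is visible until the user has authenticated,
    regardless of whether the request originates inside the LAN."""
    if not req.authenticated:
        return frozenset()
    return frozenset().union(*(GROUP_POLICY.get(g, set()) for g in req.groups))

def decide(req: AccessRequest) -> tuple:
    """Return ("allow", segment) or ("deny", reason). Only an explicit group
    policy grants access (least privilege, default deny)."""
    if not req.authenticated:
        return ("deny", "unauthenticated: application is not even visible")
    if req.app not in SEGMENT_OF:
        return ("deny", "unknown application")
    if req.app not in authorized_apps(req):
        return ("deny", "no group policy grants this application")
    # The broker connects the user only to the segment holding that one service.
    return ("allow", SEGMENT_OF[req.app])

if __name__ == "__main__":
    lan_user = AccessRequest("alice", frozenset({"employees"}), "hr-portal", False, "lan")
    contractor = AccessRequest("bob", frozenset({"contractors"}), "ticketing-api", True, "internet")
    print(decide(lan_user))    # being on the LAN buys no trust: denied
    print(decide(contractor))  # allowed, and only into segment-vendor
```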
When transitioning to ZTNA, there will be some inevitable growing pains, but in the end, it’s clear that the benefits far outweigh any initial bumps in the road. Safe-T’s ZoneZero® provides secure ZTNA access, enabling organizations to enforce Zero Trust Network Access without the constraints of traditional methods.
Gartner, “Best Practices for Implementing Zero Trust Network Access”, Lawrence Orans, John Watts, Neil MacDonald, 10 June 2021.