Best practices for using ZTNA as an alternative to VPN

With private applications moving to the cloud and users working remotely, enterprises need a service that ensures private apps are accessed securely while delivering a frictionless user experience. Even with the buzz around zero trust security, some enterprises attempt to reuse incumbent network-centric architectures, which rely on next-gen firewalls built to grant access to the network, as a way to limit user connectivity to applications. These architectures are a mismatch for today's needs: they were not designed to connect authorized users to specific apps. They force users to be placed on-net, which creates the risk of lateral movement to other apps on that network, and they expose IP addresses to the internet, because the VPN concentrators that sit at the edge of the network must listen for inbound connections and are therefore discoverable and subject to DDoS attacks.
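To make the lateral-movement point concrete, the following is an added example, not code from the original guide or the whitepaper it summarizes. It contrasts the two access models with the Python standard library: the VPN side parses a constructed OpenVPN-style server config (the `push "route <network> <netmask>"` syntax is real; the addresses are made up) and computes what a connected client can route to, while the ZTNA side models a broker that only stitches connections for explicitly granted (group, app) pairs. The app names, groups, and internal addresses are hypothetical.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: an OpenVPN-style server config that pushes routes to every
# client that authenticates. Addresses are made up for this example.
VPN_SERVER_CONFIG = """
server 10.8.0.0 255.255.255.0
push "route 10.0.0.0 255.0.0.0"
push "route 172.16.20.0 255.255.255.0"
push "dhcp-option DNS 10.0.0.53"
"""

ROUTE_RE = re.compile(r'^push\s+"route\s+(\S+)\s+(\S+)"')


def pushed_routes(config: str):
    """Return the networks a connecting VPN client is told it can reach."""
    nets = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return nets


def vpn_can_reach(routes, host: str) -> bool:
    """Network-centric model: once on-net, any host inside a pushed route is routable,
    whether or not the user was ever authorized for the application running on it."""
    ip = ipaddress.ip_address(host)
    return any(ip in net for net in routes)


def vpn_blast_radius(routes) -> int:
    """Number of distinct addresses a client can send packets to after connecting."""
    return sum(net.num_addresses for net in ipaddress.collapse_addresses(routes))


@dataclass(frozen=True)
class App:
    name: str
    host: str  # internal endpoint the broker connects to on the user's behalf
    port: int


# Hypothetical application catalog and ZTNA policy: explicit (group -> apps) grants.
APPS = {
    "hr-portal": App("hr-portal", "10.0.5.10", 443),
    "git": App("git", "10.0.7.20", 22),
    "finance-db": App("finance-db", "10.0.5.11", 5432),
}
POLICY = {
    "hr-staff": {"hr-portal"},
    "engineering": {"git"},
}


def ztna_can_reach(policy, groups, app_name: str) -> bool:
    """App-centric model: the broker only builds a connection for an app that one of
    the user's groups is explicitly granted. Everything else is unreachable, not
    merely filtered, because the user never receives a route to the network."""
    return any(app_name in policy.get(g, set()) for g in groups)


def ztna_exposed_endpoints(policy, groups) -> set:
    """The complete set of (host, port) pairs the user can actually talk to."""
    return {(APPS[a].host, APPS[a].port) for g in groups for a in policy.get(g, set())}


def compare(groups, target_app: str) -> dict:
    """Can a user in `groups` reach `target_app` under each model?"""
    app = APPS[target_app]
    return {
        "vpn": vpn_can_reach(pushed_routes(VPN_SERVER_CONFIG), app.host),
        "ztna": ztna_can_reach(POLICY, groups, target_app),
    }


if __name__ == "__main__":
    routes = pushed_routes(VPN_SERVER_CONFIG)
    print("addresses reachable after VPN connect:", vpn_blast_radius(routes))
    print("endpoints reachable via ZTNA for hr-staff:", ztna_exposed_endpoints(POLICY, ["hr-staff"]))
    print("hr-staff -> finance-db:", compare(["hr-staff"], "finance-db"))
```

The interesting case is an HR user reaching the finance database: the VPN model answers yes, because the database sits inside the pushed 10.0.0.0/8 route, while the ZTNA policy answers no, because no grant exists. The blast-radius function is the check worth running against your own VPN profiles before planning a migration; a single /8 push hands every authenticated client more than sixteen million routable addresses.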

Many enterprises are considering zero trust network access (ZTNA) services as an alternative to VPN. In fact, Gartner believes that by 2021, 60% of enterprises will phase out their existing VPN for a ZTNA service. But the reality is that in any large (global) organization, even a small change in how users access applications can become a huge task. This document will help you understand where to begin so that you can adopt ZTNA quickly and without disruption to the business.

Within this guide we will cover the following:

  • Architectural differences between incumbent access technology and ZTNA
  • A look at a reference architecture for deploying ZTNA
  • The three phases to consider when adopting ZTNA within your company
  • Pro-tips and considerations for getting the most out of your ZTNA deployment

Before we begin, please take a few moments to read “Mitigating Risk via the Software-defined Perimeter.” That blog post provides an initial overview of zero trust network access services.

Now it’s time to explore the ZTNA architecture as a means of connecting authorized users to specific private applications without ever placing them on the network.

Where are you today? – Taking a look at VPN within the enterprise

The architecture we find to be very common across many organizations is depicted in the high-level diagram. Yes, I realize the number and location of data centers, routers, firewalls, VPN concentrators, and MPLS links will not be identical to the diagram, but I believe it provides a close-enough depiction of the components. Organizations have deployed many other network and security devices as well, including inline proxies, sandboxes, L7 firewalls, AV, and DLP solutions. For the sake of simplicity, I have consolidated the entire internet-bound security function as “Security Stack” in the diagrams.

To read the full guide, download the whitepaper:

The Network Architect’s Guide to Adopting a Zero Trust Network Access Service
