Until just recently, there was really just one secure remote access method – Virtual Private Network, or VPN.  But in the last few years, two new remote access methods have appeared that you've heard of or will shortly – ZTNA and SASE.

A quick overview of these access methods (for the purist, I know this is an oversimplification; these are conceptually different systems with overlaps and varying configuration options, but I'm laying out how they are commonly used today):

VPN allows you to remotely access your corporate network by establishing a tunnel into your corporate firewall, which then allows access to resources on that network.  To use it, you typically launch a VPN client and then enter a username and password (i.e. authenticate) to gain access.

ZTNA, or Zero Trust Network Architecture, is an always-on system that allows you to access corporate resources when you are remote without having to log in directly with remote access software. ZTNA typically uses much finer-grained access rules than VPN, so it is much more common to be able to access only selected systems when you are remote.

Perhaps the biggest difference between VPN and ZTNA is their starting posture.  A VPN starts with full access to the destination network, and you cinch it down from there.  ZTNA starts with zero access until you add specific access rules, often on an individual or group basis.
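The two starting postures described above, as an added toy policy evaluator that is not part of the original post: a VPN-style default-allow tunnel with an after-the-fact deny list next to a ZTNA-style default-deny rule set keyed on user and group. All resource, user and group names are constructed for the example; the point it makes visible is that a newly added server is reachable over the VPN until someone restricts it, but invisible under ZTNA until someone grants it.

```python
"""Toy access-policy evaluator contrasting VPN-style (allow everything,
then restrict) with ZTNA-style (deny everything, then grant) posture.
Added example; every name below is constructed, not from a real product."""
from dataclasses import dataclass


@dataclass
class Request:
    user: str
    groups: set           # groups the authenticated identity belongs to
    resource: str         # constructed resource name, e.g. "hr-payroll"
    on_corp_network: bool  # ZTNA evaluates the same rules inside and out


# VPN-style: once the tunnel is authenticated, every resource on the
# network is reachable except what the administrator has blocked later.
VPN_DENY_LIST = {"hr-payroll": {"contractors"}}  # resource -> denied groups


def vpn_allows(req: Request, tunnel_authenticated: bool) -> bool:
    """Default allow: only the deny list can take a resource away."""
    if not tunnel_authenticated:
        return False
    denied_groups = VPN_DENY_LIST.get(req.resource, set())
    return not (req.groups & denied_groups)


# ZTNA-style: default deny. A resource is reachable only by the users or
# groups a rule names; location (req.on_corp_network) is deliberately ignored.
ZTNA_ALLOW_RULES = {
    "crm":        {"groups": {"sales", "support"}, "users": set()},
    "hr-payroll": {"groups": {"hr"}, "users": {"cfo"}},
}


def ztna_allows(req: Request) -> bool:
    """Default deny: a resource with no rule is unreachable for everyone."""
    rule = ZTNA_ALLOW_RULES.get(req.resource)
    if rule is None:
        return False
    return req.user in rule["users"] or bool(req.groups & rule["groups"])


def compare(req: Request, tunnel_authenticated: bool = True) -> dict:
    """Evaluate one request under both models side by side."""
    return {"vpn": vpn_allows(req, tunnel_authenticated),
            "ztna": ztna_allows(req)}


if __name__ == "__main__":
    # A server stood up yesterday with no rule written for it yet.
    print(compare(Request("alice", {"sales"}, "new-fileserver", False)))
```

Running the block prints the result for the unconfigured server: reachable under the VPN model, blocked under ZTNA.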

SASE, or Secure Access Service Edge, combines ZTNA with a move to the cloud, with some extra reliability and performance enhancements possibly thrown in.  Rather than connecting to your corporate firewall for remote access, you go through a cloud-based firewall to reach all your corporate resources, including on-premises systems and cloud/SaaS services.

So which one is best for you?  It depends on your situation.

If you are a small business with all or most of your IT resources on your local network, then VPN may still be the best choice for you.  VPNs are supported by all business firewalls, are simple to configure, and usually have little to no additional cost associated with them.

If you have a modern firewall, a dozen or more staff, and most of your resources on your local network, then ZTNA is likely a good choice for you.  It requires software on your remote computers, takes a little more configuration, and generally requires an additional subscription, but it is much easier for users because they don't have to log in to a VPN to access resources; the resources are always available regardless of whether the user is inside or outside the corporate network.  It does this by authenticating the user through other means, so to that user the resources appear to be always available, while an unauthorized user is locked out just like the general internet.

If you are a larger or entirely cloud-based organization, then SASE is likely the way to go.  It is also a great model for a company that is geographically distributed with a lot of home-based workers, as it pushes high security to the tunnel between the home/remote user and the cloud firewall.

At SpotLink, our cyber security engineers are constantly working with companies of all sizes and structures to implement new and better security via a model of continuous improvement.  If you would like to investigate ZTNA or SASE for your company, please give us a call.

Robert Hood
CEO & Founder
SpotLink