The Rise of Zero Trust Network Access

An alternative to VPN built out of necessity

The pitfalls of corporate VPN

The global pandemic has accelerated a dramatic shift in the way we work, creating a higher demand for faster, more secure, and more reliable access to internal corporate applications and data. A May 2020 survey of U.S.-based employers shows that 53% of full-time employees are now working from home as a direct result of COVID-19. This is a seven-fold increase over 2019. And post-pandemic, 22% expect to continue working remotely. This global explosion of remote work revealed the flaws in Virtual Private Networks (VPNs). Corporate VPNs are slow, work poorly on mobile, and are prone to compromise.

A VPN allows users to access an internal network by linking a VPN client (software installed on the user’s computer or device) to a network access server (a dedicated server or software installed on a shared server) that sits on premises behind a VPN gate or in the cloud in the case of cloud-based VPNs. A VPN works by establishing encrypted connections to protect assets and manage user access to an internal network. All devices that connect to the VPN are set up with encryption keys, and these keys are used to encode and decode all information sent between them and the network access server. This process adds a small amount of latency to network connections that will slow down network traffic.

Overall, VPN performance can, in fact, be downright exasperating, often impacting productivity and the user experience. Employees are required to use a separate set of credentials to log on to devices, which can interrupt workflows. Connecting to applications is slow, reducing efficiency and when the VPN is down, work comes to an abrupt halt. Users experience performance degradation and latency if a VPN is located far away from the user and the server the user is trying to access. For instance, if a user in San Francisco is trying to access a website on a server in the same city, but the VPN service is in Japan, the user’s request has to travel halfway around the world and back before connecting to the local server. In the case of a cloud-based VPN, the network access server sits in a different data center than a company’s internal network. This extra step can add additional latency to every single request between users and the network.

The proliferation of mobile devices introduces another challenge with the sheer volume of devices that must be managed, including employees' personal devices accessing the network. For traveling workers, network access at times can be impacted by mobile VPN clients and the distance between the device and the home office. And even when a secure connection is established, the experience can be slow and unreliable. Ultimately, businesses and their employees suffer from latency, login complications, and decreased productivity.

VPNs aren’t ideal for managing secure user access at the level of granularity demanded by today’s globally dispersed work environment and introduce significant security vulnerabilities. While attackers can’t see or intercept VPN traffic from the outside, if they can get past the VPN gate and compromise one set of account credentials or a device, they can endanger the entire corporate network, causing a serious data breach. This is an even more serious concern today, as attackers exploit the pandemic.

Today, many business applications are hosted in the cloud or delivered as Software-as-a-Service (SaaS), making them incompatible with VPNs. Such applications typically employ their own security tools and protocols to provide secure access. But IT teams cannot fully control those tools and protocols, and this can create obstacles to understanding who is accessing applications.

Zero Trust Approach

VPNs weren’t built to efficiently deploy and manage such a granular level of secure user access for today’s globally distributed workforce. Zero Trust Security is a much more attractive alternative and requires strict identity verification for every person and device trying to access resources on a private network, regardless of whether they are sitting within or outside of the network perimeter. No single specific technology is associated with Zero Trust architecture; it is a holistic approach to network security that incorporates several different principles and technologies. To meaningfully reduce your security risks with Zero Trust Network Access (ZTNA), you’ll need to hide applications from public view and implement a mechanism to verify every request—ideally on a highly performant, global network.

Cloudflare Access delivers ZTNA on a massive network that is cloud-agnostic and truly global, spanning 200 cities and 100 countries replacing corporate VPN with an identity-aware protection layer that sits in front of internal resources and checks for employees’ single sign-on (SSO) credentials instead of a VPN client. Rather than routing traffic through a network VPN appliance, employees accessing internal applications are connected to the data center nearest them. Authentication takes place at the network’s edge—only 100 milliseconds from anyone or anything connected to the Internet—speeding authentication and secure access.

The proximity of Cloudflare data centers allows Access to authenticate users more rapidly without the use of a VPN, while protecting internal applications and the network with the fastest, most secure authentication mechanisms. Network latency penalties are erased. The arduous process of managing user controls is eased. Remote access is secure, scalable, and global. And you no longer have to place internal applications and resources on a private network. Rather, you can safely deploy them anywhere—in an on-premises, hybrid, or multi-cloud environment.

Want to dive deeper on this topic? Get the Gartner Market Guide for Zero Trust Network Access 2020.

This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.

Seguir el blog de Cloudflare

La información que proporciones a Cloudflare se rige por los términos de nuestra Política de privacidad.

success logo

Subscription Confirmed

Thank you for subscribing!