
Five Best Practices for a Successful VPN Replacement with ZTNA

July 12 2021

The accelerated adoption of ZTNA (Zero Trust Network Access) has been driven largely by the effects of the COVID-19 pandemic, which resulted in a major transformation of the workspace across all industries. The hybrid workspace is here to stay, and what was called the “new normal” became the “now normal.” With the workforce and third-party vendors working from home more often than ever before, the risk of successful breaches that lead to ransomware attacks, sabotage, and data exfiltration has only increased exponentially. The need to secure remote access to applications in the data center and the cloud has always been present. Still, the surge in users accessing enterprise resources remotely from managed and unmanaged devices has put a strain on traditional VPNs’ network performance and scalability. 

In this blog, we go through the findings of Gartner analysts Lawrence Orans, John Watts, and Neil McDonald from their discussions with early adopters of ZTNA, which informed the recently published research note titled "Best Practices for Implementing Zero Trust Network Access".

The limitations of VPN

The limitations of VPNs could be summarized as follows:

  • Inefficient traffic patterns that either drag everything back to your data center (hair-pinning) or split tunnel and lose visibility and control
  • Inefficient traffic path for SaaS and other cloud services
  • Poor user experience due to login requirements or latency
  • Inability to limit access control after authentication and no continuous verification (east-west, north-south traffic)
  • Challenges deploying user- and group-based policy
  • No ability to scale on demand
  • User context only (and only where user-based policy is implemented): no data, application, or cloud context
  • VPN concentrators depend on IPsec tunnels, which traditional VPN architectures cannot scale
  • Performance degrades as users move to new locations (i.e., further away from the VPN location)

ZTNA overcomes those limitations, and therefore VPN replacement has quickly become the first step in an enterprise's journey towards zero trust. ZTNA solves for more than user-to-app macro, micro, and nano segmentation on-prem and offsite (the needs of the hybrid workforce). For example, it addresses workload-to-workload segmentation. But VPN replacement is typically the use case that drives early adopters to start the journey to a zero trust architecture.

A ZTNA deployment can be quick and straightforward when there’s a strong identity foundation in place and the right solution is chosen. But regardless of the capabilities of the selected ZTNA platform and the robustness of the identity system, there’s always room for deployment mistakes and missed opportunities if there’s no proper prep work ahead of the rollout. Like one of our early customers always says (he quotes Seneca): “Luck happens when opportunity meets preparation.” So, without further ado, these are the five best practices to get lucky when the opportunity (and need) of replacing traditional VPNs shows up.

1. Do not implement ZTNA like you would a traditional VPN solution

To fully realize the benefits of zero trust, you should not grant users access to all applications like a VPN deployment would. VPNs grant excessive trust and were designed under the old implicit trust model. To explicitly grant just-in-time right-sized access to the right users or user groups to the right applications, ZTNA solutions like Elisity® Cognitive Trust® for Workforce Anywhere enable macro, micro, and nano-segmentation from the start. Before turning on the lights on the ZTNA deployment, you can already draft the contextual policies to protect mission-critical applications and data from unauthorized access. Identify your crown jewels, and build policies to ensure that only the right identities within the right context can access them. 

2. Document existing identity federations and application usage ahead of deployment

Early adopters also report that studying and documenting the existing relationships between users and applications ahead of deployment is a best practice. While you will be able to enter observation mode after you turn on the lights on the ZTNA platform, by leveraging the discovery and analytics tools provided, they recommend starting early to identify which users need access to which applications. To stay ahead of the curve, you will need to interview the business leaders of each department to gain knowledge and understanding of those user-to-app relationship needs. Having that conversation also enables those teams to embrace the zero trust mindset and progress more rapidly with the ZTNA deployment. 

3. Update (or clean up) users and groups access to applications

While you are interviewing department heads and documenting application usage ahead of a ZTNA deployment, clean up and update access rights. Take the opportunity to get ahead and hit the ground running when you turn the ZTNA lights on. You will likely discover that users have moved departments, left the organization altogether, or that third parties (suppliers, contractors) no longer have a business relationship with the company. Change or eliminate those access privileges ahead of time, as it will accelerate the journey to the ideal zero trust architecture when your ZTNA platform goes operational. Minimizing risk should not wait. When you reach ZTNA D-Day, you will have an easier, smoother, and faster path ahead. Or, if more practical (depending on your risk tolerance), you can wait and implement those changes through the ZTNA platform on D-Day.

4. Continually adapt policies

Once you’ve gone live with the ZTNA solution, the work is not over. On the contrary, this is when you start operationalizing zero trust. While you may have hit the ground running and saved a lot of time with good preparation, ZTNA is not a “set and forget” approach to access policies. Instead, there’s a constant need to fine-tune remote access policies as the business needs evolve: users leave the organization, move to different teams, new suppliers require access to the network, new applications are deployed or discovered, and so on. The good news is that the work is easy: much easier than dealing with firewall rules or VPN configurations.

With a platform like Elisity Cognitive Trust for Workforce Anywhere, policies follow users. A user’s access privileges change by simply moving the user to a different group in the IdP source (e.g., in Okta or Active Directory), without even touching the ZTNA policy orchestrator. In the same way, if an application moves (e.g., to the cloud or to a different server), the users would still have access (depending on the policy configuration, of course). Furthermore, with AI-based policy alerts and recommendations, the workflow is simplified and productivity enhanced. With the visibility and control empowered by the ZTNA platform and AI assistance, you will always be a step ahead in reducing the attack surface and minimizing risk with each new policy created. 

5. Overcome leadership and user objections

There may be a few user experience hiccups here and there when implementing ZTNA. Objections can be prevented during preparation work, but you must be prepared to address them correctly and effectively if they do arise. You will need to advise leaders and users that the ZTNA model allows for greater flexibility than traditional VPNs. User experience only becomes better over time, much better than what a VPN would ever offer, all the while improving the organization’s security posture. Contextual attributes also allow constant identity verification to be relaxed, so that re-authentication can be skipped where the risk is low. For example, multi-factor authentication (MFA) can be skipped when a mission-critical resource is accessed from a corporate-owned and managed device, from the usual location, at the usual time, and when the device’s health meets policy requirements.
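To make the mechanics of sections 4 and 5 concrete, here is an added illustration (not Elisity's code, and not a description of its product) of a policy engine whose entitlements are keyed on IdP groups and application names rather than on users or hosts, and which skips the MFA prompt on crown-jewel applications only when every contextual attribute is in its expected state. The group directory, application names, addresses, and the `Context` attribute names are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample directory: the IdP (e.g. Okta or Active Directory) is the
# only place a user's group membership lives; the policy below never names users.
IDP_GROUPS = {"alice": {"finance"}, "bob": {"engineering"}}

# Hypothetical policy model: entitlements are keyed on the application's name
# and on IdP groups, never on hosts, so a server move touches only the inventory.
APP_POLICY = {
    "erp":  {"groups": {"finance"}, "crown_jewel": True},
    "wiki": {"groups": {"finance", "engineering"}, "crown_jewel": False},
}
APP_INVENTORY = {"erp": "10.1.2.3", "wiki": "10.1.2.4"}  # constructed addresses

@dataclass
class Context:
    """Contextual attributes that decide whether the MFA prompt can be skipped."""
    managed_device: bool
    device_healthy: bool
    usual_location: bool
    usual_hours: bool

def decide(user: str, app: str, ctx: Context) -> str:
    """Return 'deny', 'allow' or 'allow_mfa' for a single access request."""
    policy = APP_POLICY.get(app)
    if policy is None:
        return "deny"                                  # unknown app: default deny
    if not (IDP_GROUPS.get(user, set()) & policy["groups"]):
        return "deny"                                  # no group grants this app
    if not policy["crown_jewel"]:
        return "allow"
    # Crown jewels always get identity verification; the MFA prompt is skipped
    # only when every contextual attribute is in its expected state.
    low_risk = (ctx.managed_device and ctx.device_healthy
                and ctx.usual_location and ctx.usual_hours)
    return "allow" if low_risk else "allow_mfa"

def resolve_target(app: str) -> str:
    """The enforcement point maps an approved app name to its current host."""
    return APP_INVENTORY[app]

def move_user(user: str, old_group: str, new_group: str) -> None:
    """Change entitlements from the IdP side only; no policy edit is needed."""
    IDP_GROUPS[user].discard(old_group)
    IDP_GROUPS[user].add(new_group)

def move_app(app: str, new_host: str) -> None:
    """Relocate an app (e.g. to the cloud); access decisions are unaffected."""
    APP_INVENTORY[app] = new_host
```

Moving a user between groups or moving an application to a new host changes the outcome of `decide` only through the directory and inventory, never through an edit to `APP_POLICY`.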

The key lesson learned by early adopters

The main lesson shared by early adopters could be described as follows: “Learn how to drive before you buy your first car, and do not start your journey without knowing where you’re going.” Design a strategy, secure buy-in, prepare by visualizing and understanding the current state and the ideal state, select your ZTNA platform, and start your journey towards zero trust nirvana with confidence.

About Elisity

Elisity Cognitive Trust is a new security paradigm that combines Zero Trust Network Access and an AI-enabled Software Defined Perimeter. With this transformational approach, enterprises can proactively protect their data and assets while ensuring access without compromise to any application, data, or device, by any user, anywhere.

Check out Elisity Cognitive Trust for Workforce Anywhere and learn how it can help you or your MSP start the zero trust journey in your organization.
