To VPN or to SDP? This article takes a closer look at the shifting remote access space. It showcases why most organizations will likely need to make the transition over a period of years rather than months
There has been a lot of recent hype about software-defined perimeters (SDP), also known as zero trust network access (ZTNA). NetMotion are partly to blame for this hype too, having launched a new platform with powerful SDP capabilities in early July 2020.
A walk around RSA Conference earlier this year – among the largest cybersecurity events in the world – and you would barely be able to move without bumping into another zero trust vendor, or a startup proclaiming the death of VPN. Days later the world would enter an unprecedented lockdown, instantly altering the narrative in security just as it did in almost every other domain. IDC research in May 2020 evaluated which areas of investment in technology were the most affected by COVID-19. The area of biggest impact? Remote access.
Shaking up remote access
There’s no doubt that remote access is changing. The technologies being implemented today are unlike those being adopted several years ago. The traditional model of ‘one to all’ is considered by many to be too risky for a workforce that is more likely to be operating remotely than ever before. Put another way, the idea of using user credentials and nothing more to grant access to the entire corporate network is no longer considered a sensible approach.
Instead, step forward the software-defined perimeter, or ZTNA. This technology instead uses a contextual analysis to continually assess each user. The conditions of each request – from location, to network conditions to application – are inspected before access is granted. Even once it has been verified as legitimate and low risk, the user only gets access to a single resource, not the entire network. This prevents lateral movement and significantly reduces the attack surface when compared to legacy VPN options. Additionally, ZTNA products are engineered for the cloud, offering a smarter way of managing access to SaaS and private cloud applications.
To understand these trends in a more precise manner, NetMotion surveyed 633 professionals employed in IT, network and security professions across the US, UK and Australia. This study, which was conducted in June 2020, found that 87% of organizations continue to make use of a corporate VPN today. This number is expected to shrink to 45% over the next three years, instead being entirely replaced by either CASB or SDP/ZTNA solutions.
Who should migrate?
The migration to alternative solutions is taking place for a variety of reasons. The Verizon Mobile Security Index 2020 suggests that 84% of enterprises are increasing their reliance on the cloud. VPN technologies were originally designed for the era of on-prem applications and data. They provide a way for remote workers to reach business resources when not physically connected to the corporate network. Both CASB and SDP offer a more intelligent way of protecting enterprise data from unapproved access in the cloud, presenting a more attractive option for IT leaders than legacy VPNs. The questions for many organizations is not if to implement new remote access solutions but rather when and how.
The Gartner research “Solving the Challenges of Modern Remote Access” by Rob Smith, Steve Riley, Nathan Hill and Jeremy D’Hoinne provides a framework for organizations seeking to move away from VPN and towards these new alternatives. It offers guidance for network professionals in selecting a new solution. It also includes advice on how best to gather requirements and to test capabilities. The decision trees are exhaustive. They cover topics such as virtualization, but can be distilled into a simple summary for remote access.
- If your organization accesses data through SaaS applications, consider implementing a CASB solution
- If your organization uses a combination of both cloud and SaaS, consider a ZTNA (SDP) solution
- If your organization employs a blend of cloud/SaaS and on-premise resources, consider using both a VPN and a ZTNA (SDP) solution
“On-premises and IaaS-hosted applications might require a combination of on-premises VPN and ZTNA or cloud-hosted VPN gateway.”Solving the Challenges of Modern Remote Access by Rob Smith, Steve Riley, Nathan Hill and Jeremy D’Hoinne, Gartner 2020
Needing both a VPN and an SDP
The reality is that the overwhelming majority of companies will need a combination of both VPN and SDP in the medium term. On-premises servers were still in place at 98% of organizations in 2019, according to Spiceworks. The June 2020 NetMotion survey found the exact same figure to be true in 2020. It also reveals that 75% of organizations had at least four on-premise applications in place. Requiring both a VPN and an SDP/ZTNA for the next few years is a sentiment repeated widely across the industry. Quadrant Knowledge Solutions puts it succinctly in its paper Market Insights: Software Defined Perimeter (SDP) for Zero Trust Network Security, stating that “over the near-term, the majority of SDP deployments will co-exist with VPN to provide end to end access security.”
“Although VPN replacement is a common driver for its adoption, ZTNAs rarely replace VPN completely.”Market Guide for Zero Trust Network Access (ZTNA) by Steve Riley, Neil MacDonald and Lawrence Orans
It is clear that any organization still using a blend of different hosting options for its enterprise resources should use both a VPN and an SDP solution. Making the transition to cloud is difficult. IT departments need solutions that fit the business’ requirements today with the ability to scale and meet the increasingly zero-trust oriented needs of tomorrow.
Using two disparate solutions for SDP and VPN can be potentially problematic. Gartner highlights these problems as creating “policy duplication” or “technology overlaps.” To avoid this kind of unnecessary duplication and complication, IT and security leaders should look to vendors that can provide a single, cohesive platform for both solutions. The goal should be to eliminate the impact of these concerns and transition towards zero trust in a seamless way.
Want to learn more about remote access trends? Here are other interesting results from the NetMotion survey from June 2020. If you want a deeper look into what zero trust is and what it means, check out our blog post on it. Lastly, if you want to know more about a single platform that provides both SDP and VPN solutions, read an overview of the new NetMotion platform, which includes software-defined perimeter (SDP) capabilities and much more.