After months of coping with a decentralized workforce, IT teams today face an interesting dilemma. Do they wait for office workers to slowly return to the office, or do they bite the bullet and upgrade their networks to cater to the demands of remote access? And if they choose to upgrade, what solution is best?
It’s completely understandable that for the first few months of this year IT and security teams played the wait-and-see game out of necessity, using duct tape, band-aids and a few prayers to hold their networks together while VPN usage spiked. By this point, however, most companies realize that the remote working environment is here to stay. As the rubber starts to meet the road, the most popular options are to expand VPN usage, to adopt a CASB solution or to invest in an SDP product based on a zero trust architecture. Let’s look at each of them, one by one.
Legacy VPNs aren’t the answer
Let’s come right out and say it. Legacy, hardware-based VPNs have passed their prime. They were designed for an age when only a small percentage of employees worked remotely.
As the pandemic forced offices to shut down around the world, any organizations using legacy VPNs quickly discovered that they just couldn’t scale quickly enough to meet demand. The only way to effectively increase capacity was to add equipment, which in most cases is proprietary, expensive, and requires ancillary hardware such as load balancers and other redundancies.
Apart from the cost, there are a couple of real disadvantages to legacy VPNs. Firstly, they just aren’t smart. Rather than knowing when data can go directly to the cloud, they are either on or off, requiring everything to be tunneled, even when some users only need access to cloud-based applications and data. Again, this adds to the cost and complexity of the network, and puts an unnecessary strain on already taxed bandwidth. This can quickly degrade the experience for all users.
The second major disadvantage is related to security. A bad actor who is able to steal someone’s VPN credentials may have carte blanche to navigate through an organization’s sensitive data – including intellectual property and customer information. The addition of multi-factor authentication has helped, but even then the risk of lateral movement is enormous.
As we found in our recent SDP survey, 97% of IT and security experts believe that remote workers face more risks online than their office counterparts. So, shutting off the VPN and losing encryption or remote access to data simply isn’t an option. There has to be a better way.
CASB to the rescue?
Cloud access security broker (CASB) tools have been on the market since around 2015. They allow IT administrators to manage any applications and data that the enterprise has hosted or stored in the cloud – often on large cloud services such as Azure, AWS or Google Cloud Platform.
The advantage of adopting a CASB is that it can monitor cloud service usage and help IT teams establish cloud-related policy controls, and enable regulatory compliance and threat protection.
These advantages have allowed CASB solutions to fill the gap left by legacy VPNs. For example, unlike VPNs, which don’t provide visibility into networks not owned by the organization, CASB tools deliver much better edge-to-edge visibility, giving IT teams more information about what’s happening on a network, as well as control over general device and application usage.
But there is a caveat when it comes to CASB solutions. A CASB will help to secure any resources an organization stores in the public cloud, but it does nothing to protect on-premises applications and data. According to a recent article in CIO Dive, a staggering 98% of companies in 2019 were still operating on-premises servers, which CASB solutions cannot protect.
In order to find out whether a CASB may be right for your organization, ask yourself a simple question – where are the enterprise applications and data stored? If the organization uses 100% SaaS applications hosted on the public web, then a CASB may be the perfect contender for the job. However, for the majority of companies, a CASB solution simply doesn’t go far enough.
SDP and ZTNA cover all the bases
Software-defined perimeter (SDP) and zero trust network access (ZTNA) solutions are relatively new arrivals. Designed to create multiple, on-demand micro connections between a user’s device and the specific resources that they need, SDPs greatly reduce the risk of lateral movement that plagues VPNs.
By default, SDPs apply the principles of a zero trust architecture, meaning that access is denied until a user can adequately prove their identity. SDPs use a controller (typically on the device) that gathers a variety of data, such as the application being used, the location of the device, the device’s operating system, the Wi-Fi or cellular network it is connected to, and dozens more. This real-time data is used to build a risk assessment for each request, determining whether the user can access the resource or not.
Using these kinds of tools, it’s very easy for an IT or security team to customize and automate access based on an individual’s role and needs within the organization. Privileged or sensitive data can be kept secure, while access to data and applications remains seamless and invisible, regardless of whether they live on-prem or in the cloud.
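To make the per-request, default-deny model concrete, here is an added illustration (not code from the article or from any SDP product) of a policy engine that scores each request from the device and network signals described above and only grants access to the one resource named in the request. The policy table, risk weights, thresholds and users are all constructed assumptions.

```python
"""Added example: ZTNA-style per-request evaluation with default deny.
Policy table, weights and thresholds are constructed for illustration."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    user: str        # identity presented to the controller
    role: str        # role asserted by the identity provider
    resource: str    # the single resource this micro connection is for
    country: str     # where the device appears to be
    os_version: str  # reported OS version, e.g. "13.1"
    network: str     # Wi-Fi/cellular network the device is on
    mfa: bool        # whether a second factor was completed

# Constructed per-resource policy: entitled roles and tolerated risk.
# A resource absent from this table is unreachable for everyone.
POLICY = {
    "hr-payroll":   {"roles": {"hr"},             "max_risk": 20},
    "git-internal": {"roles": {"engineer"},       "max_risk": 40},
    "wiki":         {"roles": {"hr", "engineer"}, "max_risk": 60},
}
TRUSTED_NETWORKS = {"corp-wifi", "corp-wired"}   # assumed known networks
HOME_COUNTRY = {"alice": "US", "bob": "DE"}       # assumed usual locations
MIN_OS = (12, 0)                                  # assumed patch baseline

def risk_score(req: Request) -> int:
    """Add up risk from the real-time signals gathered for this request."""
    score = 0
    if not req.mfa:
        score += 50                # password alone is never enough here
    if req.network not in TRUSTED_NETWORKS:
        score += 15                # unknown Wi-Fi or cellular network
    if req.country != HOME_COUNTRY.get(req.user):
        score += 30                # device far from the user's usual place
    if tuple(int(p) for p in req.os_version.split(".")) < MIN_OS:
        score += 25                # out-of-date operating system
    return score

def decide(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Entitlement is checked before risk, and
    a valid login never grants anything beyond the named resource."""
    policy = POLICY.get(req.resource)
    if policy is None:
        return False, "no policy for resource"
    if req.role not in policy["roles"]:
        return False, "role not entitled"
    score = risk_score(req)
    if score > policy["max_risk"]:
        return False, f"risk {score} exceeds {policy['max_risk']}"
    return True, f"risk {score} within {policy['max_risk']}"
```

Evaluating the same stolen credential from an unknown network in an unexpected country, without a second factor, yields a high score and a denial for the sensitive resource, while a role that is not entitled to that resource is refused before any risk is even computed.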
So as network, IT and security teams work together to decide how quickly digital transformation needs to take place, many of them may find the logical answer is to invest in an SDP or ZTNA solution. Hopefully, they will also discover that these transformations don’t need to be immediate, disruptive or costly. But they can and should be very effective.