IS THERE A BETTER WAY FOR CONNECTING REMOTE USERS THAN A VPN?
We all know VPNs and SSL-VPNs, for better and for worse, this is the way we make remote connections to internal apps and resources – Virtual Private Networks.
Since the goal is to achieve connection to an application, or a resource, why then are we connecting users to the entire network? Just to access an app…
Most critical business applications today, such as Office productivity (365,Gmail), CRM (Salesforce), Unified communications, and more are in the cloud, so a technology which routes users into the corporate network just to send it back out, simply does not make sense anymore.
TYPICAL USER-VPN FLOW
- A user needs access to company resources, so it uses the corporate VPN client to connect to the local VPN concentrator.
- Once connected, traffic must pass through additional security appliances, such as firewalls, intrusion-prevention systems, internal load balancers, and more.
- The user gains full network access to company resources, which poses potential security risks and could have regulatory implications.
- If the user connected to a remote office, the session must pass over the WAN to the data center, and then out to the Internet.
- The user is finally able to connect to Office 365, Amazon Web Services, or other cloud service required.
- That entire sequence then takes place in reverse when sending the data back to the user.
VPN IN A NUTSHELL
- Places users on-network which increases risk
- Poor end user experience
- Inbound connections exposes for DDoS attacks
- Requires appliances, ACLs and FW policies
- No ability to provide application segmentation
- Lack of visibility into app-related activity
A BETTER WAY – ZERO TRUST SECURITY
Applications are being migrated to cloud and users moved off the network. This new world cannot be secured by legacy technologies. It requires zero-trust security, leading to enterprise adoption of the software-defined perimeter.
Software-Defined-Perimeter, is a network security method that stemmed from work of the Defense Information Systems Agency (DISA) in 2007. As such, this is a completely different network security method than the traditional DMZ. It provides zero-trust access to internal applications using software—on a need-to-know basis—by looking at two criteria: User device and User identity.
ZSCALER PRIVATE ACCESS
Zscaler Private Access (ZPA) delivers policy-based, secure access to private applications and assets without the cost, hassle, or security risks of a traditional VPN. ZPA provides all off the benefits of a traditional VPN but without any of its downsides and headaches.
With ZPA, when a mobile user attempts to access an internal application while on the road, their experience is completely seamless, and they never have to login to a VPN in order to access an application.
ZPA is very very much like SD-WAN in that instead of software defining the company network it’s applying the “SD” principals to access.
HOW DOES IT WORK?
We use our cloud to create a brokered connection between an authorized user and an internal application. Our Z-app agent connects the user to the Zscaler Security Cloud, without placing it on internal network. We then verify that user has appropriate level of access to application via zero-trust access policies set by IT admins, and securely stitch together the application to user connection within the cloud itself.
This solution is 100% software-based and requires no firewalls or appliances for the service to secure access to an app.
- Connect users to applications without placing users on the network
- Never expose applications to unauthorized users
- Enable app segmentation without network segmentation
- Provide secure remote access without using VPN appliances
- Provide in-depth visibility into the corporate application environment
For years, VPNs is a frustrating pain for both IT and Users. Businesses use them because there was no other way of enabling workers to connect when off the company premises.
Zscaler has built ZPA from the ground up to connect workers to resources in a cloud- first world. ZPA is the first remote access technology able to finally put an end to legacy VPNs.
There is a better way for connecting users to internal applications. Zero-Trust access is a better way. Zscaler Private Access (ZPA) not only makes end-users life easier, but it also simplifies management aspects for IT, Increases security, and with no hardware required, it also saves on CAPEX and OPEX.