Does Zero Trust replace VPN?

So, taking a cursory glance at Zero Trust as a replacement for our current VPN setup. I get the security aspect and how it does more to authenticate users and devices than just saying “Oh you’re on the domain? You’re good.” However, it seems to be purely security. I don’t see how it actually connects you to the network? It looks more like something you would use in tandem with a VPN, but everyone talks about it as a one or the other type of thing.

Zero trust is more a methodology than a technology or product itself.

VPN can be part of a zero-trust architecture.

Similarly, there are now VPN-less remote access options you can use, like ZPA.

Zero-trust is just a design concept where all your access networks are treated as untrusted and nothing gets access to anything without being authenticated. Essentially pushing the network security perimeter out onto the host itself rather than needing to worry about VLANs and traditional segmentation techniques.

But it’s not a black and white thing. There are many ways and many product sets you can use to achieve a zero-trust architecture.

It looks more like something you would use in tandem with a VPN, but everyone talks about it as a one or the other type of thing.

I think you’ve got the right idea. Zero trust is a design methodology that places the authentication responsibility on the user, which can allow you to host your services on the public web.

Most of my SMB customers are 100% cloud. They don’t need a connection back to the office to access things like e-mail and file shares, so theoretically all they need is an internet connection to function. Most will use a VPN to do things like filter web traffic, enforce an outbound proxy, and firewall core services to further reduce attack surface. All of the good operational things that help secure your network.

I think you need to read it again as you are comparing completely different things.


The core theory of ZT is that you should not implicitly trust something and should always verify. Zero Trust is an architecture that does away with the traditional perimeter-defense approach. When there is no perimeter…the VPN loses its use-case.

What is the VPN effectively doing? It’s giving a user access … by pretending to be on said network. A VPN fundamentally operates by telling your infrastructure that a user should have access because they are within your network. This is the traditional perimeter defense: everything outside the perimeter is untrusted, and everything inside the perimeter is assumed to be “safe” because well, they’re inside.

The zero trust practitioner goes: “Wait, why am I trusting an actor just because they’re inside my perimeter?” The logical question from there then is: If I can’t trust my perimeter, what do I replace it with?

Then we get into the complications of continuous authn, context, etc.

Highly recommend reading the DoD’s Zero Trust Strategy and Roadmap or CISA’s Zero Trust Maturity Model, both of which can be found in the pinned post at /r/zerotrust. NIST’s Zero Trust Architecture paper can also be found there.

Zero Trust is more of a set of principles as others have stated.

Regarding your “how it actually connects you to the network” comment. In VPN, you’ll most likely be put on the network, which isn’t very secure. If you have a full layer 3 tunnel (meaning you have an inside IP address), you may be able to connect/ping/nmap other systems.

With Zero Trust, you should get least privilege access and maybe go through a proxy versus actually getting on a network.

In some cases, you can run a Zero Trust Network Access (ZTNA) solution with VPN and gradually move connections from the VPN to the ZTNA. For VPN, you may have had all users connecting to the network. This should go away when you go to ZTNA. You should only give users on known, compliant devices access to only the applications (server:port) and data that they should access.

I have a few blogs on this migration but you can DM for link. Don’t want to post and break any rules.

You are right. Zero trust is just a concept. Some ZTNA solutions want to replace VPN. But some solutions can work in tandem with a VPN.

That’s right. Zero trust is a methodology…an approach.

ZTNA is technically the technology that’s “promised” to be a VPN replacement.

ZTNA is a component of zero trust, but it has gaps - for one, it doesn’t control access for physical networks and is often light on post-auth risk mitigation and remediation.

Agree, Zero trust is a security model. The principle of zero trust was coined by early ZTNA vendors who had a slightly different approach from VPN. Many of the early ZTNA solutions were lacking fully controlled access to apps, and once you were in you were trusted as long as your session was open. However, now you can get ZTNA solutions that provide secure access to private apps and public SaaS apps plus, if you really need it, network/subnet access (but not advised). Quite a few now have post-auth continuous posture assessment, and some even rotate certificates on a regular basis.

The VPN performance problem that many claimed to have fixed has come back as they go through vendor PoPs that add huge amounts of latency.

Finding a high-performance ZTNA solution seems to be a challenge.
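To make the difference between the two models discussed in this thread concrete (the perimeter/VPN logic of "inside the network means trusted" versus the ZTNA logic of identity, compliant device and a per-application server:port allow list that is re-checked on every request, including the post-auth posture point raised above), here is an added illustrative policy evaluator. It is not code from any product or poster; every hostname, user, IP range and threshold in it is constructed.

```python
"""Same request, two access models. Illustrative only: hosts, users,
IP ranges and the MFA age threshold below are constructed values."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # constructed "inside the perimeter" range


@dataclass
class Request:
    user: str
    src_ip: str
    device_compliant: bool  # posture result (disk encrypted, EDR healthy, ...)
    app: str                # target application as "server:port"
    mfa_age_min: int        # minutes since the last strong authentication


def perimeter_allows(req: Request) -> bool:
    """VPN/perimeter logic: a source address inside the network is trusted
    for every destination, regardless of who or what is behind it."""
    return ip_address(req.src_ip) in INTERNAL


# Least-privilege allow list: which user may reach which server:port (constructed)
APP_POLICY = {
    "alice": {"files.corp.example:445", "mail.corp.example:443"},
    "bob": {"mail.corp.example:443"},
}
MAX_MFA_AGE_MIN = 60  # constructed: force re-authentication after an hour


def ztna_allows(req: Request) -> tuple[bool, str]:
    """ZTNA logic: identity, device posture and app allow list are all
    evaluated on every request; network location plays no role."""
    if req.user not in APP_POLICY:
        return False, "unknown identity"
    if not req.device_compliant:
        return False, "device not compliant"
    if req.mfa_age_min > MAX_MFA_AGE_MIN:
        return False, "re-authentication required"
    if req.app not in APP_POLICY[req.user]:
        return False, f"{req.app} not permitted for {req.user}"
    return True, "allowed"


if __name__ == "__main__":
    # Non-compliant device that has landed on an internal address and
    # tries to reach a database the user was never entitled to.
    r = Request("bob", "10.20.30.40", False, "db.corp.example:5432", 5)
    print("perimeter:", perimeter_allows(r))   # True: it is "inside"
    print("ztna:     ", ztna_allows(r))        # (False, 'device not compliant')
```

Swapping the order of the checks or adding signals (geolocation, session risk) changes nothing about the shape: the decision stays per-request and per-application rather than per-network.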