Page 155 - Cyber Defense eMagazine September 2022

SSL VPNs are available as stand-alone appliances, as part of next-gen firewalls (NGFWs) and other security products like Hillstone Networks’ solutions, and as cloud services. Early in the pandemic, when governments attempted to lock down their populations to prevent the spread of COVID-19, many corporate IT teams turned to SSL VPNs to support workers who suddenly needed to work from home.


            Now, however, the distributed workforce has become a reality rather than a phenomenon, and the need
            to support remote workers in large numbers has brought certain issues and limitations of SSL VPN to the
            fore, including:

            Common Vulnerabilities: Over the years, numerous vulnerabilities in enterprise-class VPNs have become
            apparent, raising red flags for many cybersecurity professionals. In 2021, for example, multiple U.S.
            federal civilian organizations faced the potential of data breaches via the Pulse Connect Secure VPN
            vulnerability. Two years earlier, in response to active exploitations of certain VPNs, the U.S. National
            Security Agency issued an advisory.

Licensing Costs and Expansion Limitations: Usually, commercial SSL VPNs are licensed per-user and per-capacity, meaning that scaling to support additional remote workers can be expensive both in purchase of licenses as well as in IT staff labor. Physical SSL VPN appliances might also require the purchase of additional modules in order to expand capacity.

User Authentication: Visibility into users and devices that are connected to the network is one of the bedrock principles of cybersecurity. A typical enterprise VPN will perform authentication just once, on initial login and set-up of the VPN tunnel, and then access is granted for all the network resources for which the user is pre-approved. This can create a security risk if, for example, user credentials are stolen by an attacker.


            As mentioned, SSL VPNs are in broad use; the market in 2021 was estimated at nearly $5b USD. There’s
            a cost connected with a forklift upgrade to a new secure remote access technology, but with the issues
            and concerns raised above, many security teams are considering ZTNA as another option.



            ZTNA: Basic Definition

At its most basic, the mantra of ZTNA is ‘never trust, always verify.’ To expand upon that, ZTNA is intended to abolish absolute trust of devices and users and to allow only the minimum access and authorization based on user role, position or other factor. Under ZTNA, authentication is constant and ongoing – a change in the user’s or device’s security posture can result in revocation of access, for example. If it’s executed well, ZTNA can deliver extremely fine-grained visibility and control with improved scalability, flexibility and reliability.

From a technological viewpoint, ZTNA employs a user-to-application approach, rather than the traditional network-centric focus, which completely inverts the concept of authentication. With ZTNA, users and devices are examined at a deeper level – encompassing identity as well as the context of network and application resources being requested.
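The difference between the one-time tunnel authentication described under "User Authentication" and the ongoing, per-request evaluation described for ZTNA can be made concrete with a small policy engine. The following Python is an added illustration written for this page; it is not code from the magazine, Hillstone Networks or any ZTNA product, and the device attributes, the 30-day patch threshold, the role-to-application table and the users are all constructed assumptions. It shows how the same identity passes a VPN-style check after a device's posture degrades, or after credentials are reused from an unmanaged device, while the ZTNA-style check revokes access.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Device:
    """Assumed posture signals a ZTNA broker might collect from an endpoint."""
    disk_encrypted: bool
    edr_running: bool
    patch_age_days: int


@dataclass
class Session:
    user: str
    role: str
    device: Device
    authenticated: bool = False  # set once by login(); never re-evaluated by the VPN model


# Constructed sample policy: which applications each role is pre-approved for.
ROLE_APPS = {
    "engineer": {"git", "ci", "wiki"},
    "finance": {"erp", "wiki"},
}

MAX_PATCH_AGE_DAYS = 30  # assumed threshold


def posture_ok(device: Device) -> bool:
    """Minimal device-health check over the assumed posture signals."""
    return (device.disk_encrypted and device.edr_running
            and device.patch_age_days <= MAX_PATCH_AGE_DAYS)


def login(session: Session, password_ok: bool) -> bool:
    """Initial identity verification, shared by both models (password only here)."""
    session.authenticated = password_ok
    return session.authenticated


def vpn_authorize(session: Session, app: str) -> tuple[bool, str]:
    """Traditional SSL VPN model: once the tunnel is up, every pre-approved
    resource is reachable; the device is not examined again."""
    if not session.authenticated:
        return False, "not authenticated"
    if app not in ROLE_APPS.get(session.role, set()):
        return False, "role not pre-approved for app"
    return True, "tunnel established"


def ztna_authorize(session: Session, app: str) -> tuple[bool, str]:
    """ZTNA model: identity, current device posture and role are all
    re-evaluated on every application request; a posture change revokes access."""
    if not session.authenticated:
        return False, "identity not verified"
    if not posture_ok(session.device):
        return False, "device posture failed"
    if app not in ROLE_APPS.get(session.role, set()):
        return False, "role not authorized for app"
    return True, "per-request check passed"


def demo() -> dict:
    """Walk one user through three situations and record each model's decision."""
    healthy = Device(disk_encrypted=True, edr_running=True, patch_age_days=5)
    alice = Session(user="alice", role="engineer", device=healthy)
    login(alice, password_ok=True)
    before = {"vpn": vpn_authorize(alice, "git")[0], "ztna": ztna_authorize(alice, "git")[0]}

    # Mid-session posture change: the endpoint agent stops running.
    healthy.edr_running = False
    after = {"vpn": vpn_authorize(alice, "git")[0], "ztna": ztna_authorize(alice, "git")[0]}

    # Same (stolen) credentials presented from an unmanaged device.
    unmanaged = Device(disk_encrypted=False, edr_running=False, patch_age_days=200)
    reused = Session(user="alice", role="engineer", device=unmanaged)
    login(reused, password_ok=True)
    stolen = {"vpn": vpn_authorize(reused, "git")[0], "ztna": ztna_authorize(reused, "git")[0]}

    return {"before": before, "after_posture_change": after, "stolen_credentials": stolen}


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario}: {decision}")
```

Both models deny an application the role was never approved for; the point the page makes is the second and third scenario, where the VPN-style check still says yes because nothing after tunnel set-up is re-examined, and the ZTNA-style check says no because posture is part of every decision.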








            Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.