ZTNA, NAC, SDP, RDP, VPN: Making sense of the remote access alphabet soup.
Zero Trust Security is a hot topic and with good reason. But what does it really mean in practice, when applied to solving remote access security challenges? In this post we provide an introduction on Zero Trust Security as it applies to Network Access (ZTNA) to help sort it out.
Before Zero Trust, a user or device was validated as having the correct credentials and the right to access the network. Once that step was complete the user or device had a wide open path to the network and resources. To mitigate the risk that a valid user would access systems they weren’t supposed to, role-based access control (or RBAC) was implemented. In theory this worked in conjunction with least-privileged access (the Principle of Least Privilege or PoLP) so that users were only granted access to the resources they needed and nothing more.
VPNs – Virtual Private Networks – are the ubiquitous technology for providing remote users access to enterprise resources. However, they are a network-layer technology, meaning that once the user is validated and logged in, the user’s device now has an open network connection to the corporate network. To mitigate the security risk of this open pipe, in addition to RBAC and PoLP, enterprises deploy Network Access Control (NAC) to verify first that a given device has the correct security posture – is the device allowed, independent of the user? Does the device have up to date AV running and passed a scan? And so forth.
Once a user logged in to the VPN client, and his device passed the NAC security check, one of the most common resources accessed are remote desktops, most often with Remote Desktop Protocol or RDP. Although it is a proprietary Microsoft protocol, it does have cross-platform support for non-Windows devices.
That in essence is the technology stack most widely deployed in enterprises today to enable remote access: VPN clients where devices are validated by NACs. Users are granted access based on RBAC, PoLP to resources, including remote desktops over RDP.
Zero Trust Network Access (ZTNA) offers a simpler, more secure alternate vision. ZTNA turns the existing paradigm on its head – rather than open up a wide open pipe and then retroactively find ways to narrow it down, ZTNA assumes no device or user should be trusted, and no access granted by default except that explicitly required only for the duration required.
This is critical in a world where there is no fixed perimeter any more, but rather a software-defined perimeter (SDP).
TransientAccess takes ZTNA and SDP a step further, delivering true app-to-app connectivity over disposable networks. That is, there is never a device to device connection, nor is a user validated for anything more than what the user needs access to for the time the user is accessing it.
TransientX has a unique approach to Zero Trust Network Access (ZTNA):
- A lightweight agent, creating a disposable virtual network connecting the local app to the enterprise resource on-prem or in the cloud.
- A “Transient Virtual App Network”
This approach means TransientX can deliver on the promise of truly secure remote access for an organization’s workforce and business partners. Learn more in our intro video, contact us to get TransientAccess now or scroll below for further reading:
For users, a consistent UX across all platforms and devices
TransientAccess provides a consistent user experience across all platforms: Windows, Mac, iPad, Android and iPhone. We’ve produced a short video showing how TransientAccess delivers radically simple Zero Trust Network Access (ZTNA) with the same UX across all devices and platforms, whether the devices are managed or unmanaged.
Ease of use, simplicity, performance and consistency are security factors. Nothing will motivate end users faster to bypass security controls than poor UX or degraded performance. With the TransientAccess user experience, the user sees no performance degradation vs VPN and has no learning curve as they switch platforms and devices.
See more here and contact us if you’re ready to try for yourself:
TransientAccess delivers true Zero Trust Network Access for the Fenerbahce Sports Club
With over 5000 employees and more than 300,000 members,
Fenerbahce is one of the largest multi-sport clubs in Turkey and is a
major retailer in its own right.
With their dedicated fan bases, legal and illegal betting riding on game results and big revenue streams, professional sports clubs are among the most targeted companies by hackers. Successful attacks can have devastating effects on company operations and reputation.
An organization’s viability can be imperiled because of damage caused by IP loss. For an organization like Fenerbahçe, SAP is the most important digital asset to defend. Protecting such a high value asset means going beyond traditional security paradigms. Most organizations deploy multiple security layers to protect SAP data, such as NGFWs, AV, MFA along with robust IT security policies. Yet all these steps can still leave holes that
need to be closed.
FC Fenerbahce relies heavily on SAP for all business-critical processes. The executives and security teams are responsible for carrying out this process knowing that their business revolves around this information. However, they are also aware of hidden dangers such as user accesses, file downloads, and data leaks that can occur due to data streaming. It therefore became critical to implement solutions that monitor and prevent such leaks.
“After a detailed product assessment, in-depth presentations and a pilot
project to measure performance in our company’s environment,
TransientAccess demonstrated reliability and effectively demonstrated its
value in providing SAP access and data security.”
– Bülent Kaçmaz, CTO, FC
Securing remote access for SAP with ZTNA
TransientAccess is able to proactively eliminate threats such as data loss and ransomware attacks by providing users with an operational convenience they have not experienced before.
As a result, TransientAccess provides proactive protection against commercial damage by ensuring data protection and facilitating secure operational processes. Thanks to the micro-segmentation feature of TransientAccess, only relevant users are authorized to access company data in the relevant SAP modules. IT Managers can now see ‘who’ can access ‘which’ data from the SAP system and make sure that this data is securely encrypted, even outside the company.
While security is the prime consideration when moving from VPN to ZTNA, another important factor is performance. Not only do VPNs have a broad attack surface, they can impact dramatically network speeds for the endpoint. That’s why TransientAccess ZTNA’s performance vs traditional VPN clients like Open VPN is crucial.
Performance degradation in effect becomes a security issue, as the degraded user experience pushes users to avoid using VPNs and the already-limited security they provide. Shadow IT emerges and IT security teams get pressure to loosen controls.
Instead, with a Zero Trust Network Access (ZTNA) approach like TransientAccess, there’s no performance degradation. That’s in addition to the inherent security advantages of app to app security provided only when needed as needed on transient, disposable networks.
ZTNA Performance vs Open VPN
We’ve made a short video here showing the real-world performance hit of TransientAccess ZTNA vs a VPN client (in this example, Open VPN):
Whether remote access is via a mobile client or desktop, and whether it’s OpenVPN or a commercial VPN client, performance degradation will always be an issue. Contact us to compare for yourself.