VPN vs Zero Trust - which is right for you?

If you're running an organisation, a VPN lets your workers connect to the company network remotely and reach files and programs much as they would from their office desk.

This sounds great in theory but in practice it carries risk. A conventional remote-access VPN places the connecting device on the internal network, so unless access controls have been configured, anyone who authenticates can reach everything that network can route to. If a device or a credential falls into the wrong hands, the attacker inherits that reach. The problem is made worse by the huge number of people now working from home, often on personal devices the organisation does not manage.

The Zero Trust model

ZTNA (Zero Trust Network Access) offers a different way forward. Instead of trusting any device that has made it onto the network, a Zero Trust system denies access by default and grants it per application, only after the user's identity, the device and the context of the request have been checked against an explicit policy.

This is done by encoding levels of access in policies. For example, say a network administrator is at home and needs to update their company's website. When they connect from their corporate laptop to the web server, a Zero Trust system checks that the person has been granted editing rights to the website files, and also that they are allowed to exercise those rights from that particular device.

If the credentials are valid but the administrator is connecting from an unauthorised device, the system can be configured to drop them to read-only access or block the connection outright. This is very different from a credential-only VPN, where anyone presenting a valid password is placed on the network and can reach whatever it can.
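The decision just described, as an added illustration (this is not a product's code): a default-deny evaluation that checks the user's grant on the resource first and the device second, and downgrades or blocks an authorised user who shows up on an unrecognised device. The users, device identifiers and resource names are constructed for the example, and the credential-only VPN check is included only to show the contrast in trust models.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"          # requested access granted in full
    READ_ONLY = "read-only"  # authorised user, untrusted device: session downgraded
    DENY = "deny"


@dataclass(frozen=True)
class Request:
    user: str
    device_id: str
    resource: str
    action: str  # "read" or "write"


@dataclass
class Policy:
    # resource -> user -> actions that user may perform on it
    grants: dict
    # device_id -> users permitted to connect from that managed device
    managed_devices: dict
    # outcome when the user is authorised but the device is not
    unmanaged_fallback: Decision = Decision.READ_ONLY


def ztna_decide(policy: Policy, req: Request) -> Decision:
    """Default deny: an unknown user, resource or action never gets through.
    Identity and authorisation are evaluated before the device is considered."""
    allowed = policy.grants.get(req.resource, {}).get(req.user, frozenset())
    if req.action not in allowed:
        return Decision.DENY
    # Device binding: the device must be managed *and* enrolled to this user,
    # so a valid credential used from someone else's laptop is still downgraded.
    if req.user in policy.managed_devices.get(req.device_id, frozenset()):
        return Decision.ALLOW
    return policy.unmanaged_fallback  # READ_ONLY by default, DENY if configured


def flat_vpn_decide(valid_credentials: bool) -> Decision:
    """Credential-only VPN trust model: a valid password puts the device on the
    network; the resource, action and device are never consulted."""
    return Decision.ALLOW if valid_credentials else Decision.DENY


# Constructed policy for the website example in the text.
EXAMPLE_POLICY = Policy(
    grants={
        "web-server": {"alice": frozenset({"read", "write"}),  # the admin
                       "bob": frozenset({"read"})},
        "finance-share": {"bob": frozenset({"read"})},
    },
    managed_devices={"laptop-corp-01": frozenset({"alice"}),
                     "laptop-corp-02": frozenset({"bob"})},
)

if __name__ == "__main__":
    for req in (Request("alice", "laptop-corp-01", "web-server", "write"),
                Request("alice", "phone-personal", "web-server", "write"),
                Request("alice", "laptop-corp-02", "web-server", "write"),
                Request("bob", "laptop-corp-02", "web-server", "write")):
        print(req, "->", ztna_decide(EXAMPLE_POLICY, req).value)
```

Note that the device check is keyed on the device *and* the user: alice's valid credential used from bob's corporate laptop still only gets read-only access, which is the property a stolen password alone cannot defeat.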

Advantages of Zero Trust

Unlike most VPN software, Zero Trust products usually keep evaluating a user's activity after login rather than deciding once at connection time. Ping Identity, for example, which follows a Zero Trust model, can be configured to require a user to re-authenticate when they behave suspiciously, such as repeatedly trying to open files they have no permission to read.

This is particularly useful when people in your organisation use mobile devices, which are easily lost or stolen. With a flat VPN, a single missing device that still holds working credentials can put the whole network's data at risk.

Other Zero Trust software, such as Twingate, is designed specifically for securing remote access to your network, granting access to individual users or groups based on context. This is extremely useful when third parties like consultants need access: they may legitimately need some data, say your financial records, but have no reason to see your server connection logs.

Not zero fuss

While a Zero Trust model sounds great in principle, getting started can be rather difficult. Zero Trust isn't any one thing; there's no magic program you can download and run to transform your network overnight.

Moving to a Zero Trust model takes time and research, and it asks for adjustment from people who are used to simply dialling in to the entire network over VPN without restrictions, particularly when they are now asked to re-authenticate or use multi-factor authentication. During the transition it can dent your organisation's productivity.

Authenticating users and their devices on every request also adds load where a VPN had none: the identity provider, policy engine and device-posture checks now sit in the path of every connection. Make sure that infrastructure is sized for it and highly available before you cut over, because if the policy engine is down, nobody gets in.

Not a zero sum game

Developers of Zero Trust software may try to convince you that the best way to keep your data safe is to ditch your business VPN and use their product instead. However, a properly configured VPN can provide many of the benefits of Zero Trust without your organisation having to make a seismic shift in the software it uses.

For instance, Zero Trust products make it easy to enforce network segmentation: breaking a large network into smaller, more manageable segments and restricting which users can reach each one. But this is not something most VPNs cannot do. OpenVPN supports group ACLs, which can be used to create separate access policies for groups of users. Employees can be granted access to the e-mail server to check their messages, for example, but not to the management servers that run the network.

Similarly, OpenVPN has access control tools that govern whether one client can connect to another and which private subnets each can reach. Finer tuning is available by integrating with LDAP (Lightweight Directory Access Protocol) or Active Directory to manage exactly who can log on, which services they can access, and when.
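One way to get the group-restricted VPN described above with plain OpenVPN, as an added example (not OpenVPN's own code or configuration): pin each client certificate to a fixed tunnel address with a client-config-dir entry, refuse any certificate without one, and let the host firewall decide which subnets and ports each address may reach. The script below generates those three artefacts from a group table. The common names, groups, subnets, ports and the `/etc/openvpn/ccd` path are constructed for illustration, and it assumes the server runs `topology subnet` on a 10.8.0.0/24 pool, forwards traffic for clients, and uses nftables.

```python
"""Per-group access control on an OpenVPN server: pin each client to a fixed
tunnel address, then let the firewall decide what that address may reach.
Added example, not OpenVPN's own code; CNs, groups, subnets, ports and the
ccd path are constructed for illustration."""
import ipaddress

TUNNEL_POOL = "10.8.0.0/24"      # must match the 'server' directive
CCD_DIR = "/etc/openvpn/ccd"     # assumed location for client-config-dir

# Group -> (destination CIDR, protocol, port) tuples members may reach.
GROUP_ACL = {
    "staff":  [("10.0.10.0/24", "tcp", 993)],                               # mail (IMAPS)
    "admins": [("10.0.10.0/24", "tcp", 993), ("10.0.20.0/24", "tcp", 22)],  # mail + SSH to mgmt
}
# Client certificate common name -> group membership.
USERS = {"alice": "admins", "bob": "staff", "carol": "staff"}


def server_conf_fragment():
    """server.conf lines needed for static per-client addressing."""
    net = ipaddress.ip_network(TUNNEL_POOL)
    return "\n".join([
        "topology subnet",
        f"server {net.network_address} {net.netmask}",
        f"client-config-dir {CCD_DIR}",
        "ccd-exclusive",  # a certificate with no ccd file is refused outright
    ]) + "\n"


def assign_addresses(users, first_host=10):
    """Deterministic CN -> tunnel IP mapping, starting at .first_host."""
    net = ipaddress.ip_network(TUNNEL_POOL)
    return {cn: str(net.network_address + first_host + i)
            for i, cn in enumerate(sorted(users))}


def ccd_entry(addr):
    """Body of CCD_DIR/<cn>: pushes the fixed tunnel address to that client."""
    net = ipaddress.ip_network(TUNNEL_POOL)
    return f"ifconfig-push {addr} {net.netmask}\n"


def nft_ruleset(users, addresses, acl):
    """Script for 'nft -f': default-drop forward chain plus one allow rule per
    (client, destination, port) the client's group is entitled to."""
    lines = [
        "add table inet filter",
        "add chain inet filter forward { type filter hook forward priority 0 ; policy drop ; }",
        "add rule inet filter forward ct state established,related accept",
    ]
    for cn in sorted(users):
        for dst, proto, port in acl[users[cn]]:
            lines.append(
                f"add rule inet filter forward ip saddr {addresses[cn]} "
                f"ip daddr {dst} {proto} dport {port} accept"
            )
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    addrs = assign_addresses(USERS)
    print(server_conf_fragment())
    for cn, addr in addrs.items():
        print(f"# {CCD_DIR}/{cn}\n{ccd_entry(addr)}")
    print(nft_ruleset(USERS, addrs, GROUP_ACL))
```

The firewall, not OpenVPN, is what enforces the segmentation here; the VPN's job is only to make the source address trustworthy, which is why `ccd-exclusive` matters: without it, a client with a valid certificate but no ccd entry would be handed a dynamic address that none of the allow rules match, and would be silently dropped rather than explicitly refused.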

If this is starting to sound familiar, consider the words of the CEO of OpenVPN, "Claiming that your VPN doesn’t offer Zero Trust network access is like claiming your car isn’t safe because it doesn't offer seat belts. The seatbelts are there — you just have to actually use them if you want them to be effective."

Is switching worth it?

Keeping your data safe is important, but it can't be achieved simply by installing a Zero Trust product or setting up a VPN. Both must be configured correctly and actively maintained to keep bad actors out of your network.

If you're already using a VPN, take some time to review what access policies it already enforces; you may be able to adopt a Zero Trust model without overhauling the entire network.

If you're still interested in alternatives, read through our top 5 reasons why you might want to get rid of your legacy VPN.  

Nate Drake is a tech journalist specializing in cybersecurity and retro tech. He broke out from his cubicle at Apple 6 years ago and now spends his days sipping Earl Grey tea & writing elegant copy.