TMC's Advisor

The Advisor is published by TMC

Zero Trust Network vs. VPN

Traditionally, organizations have relied on VPNs to give remote workers access so they can operate securely, as though they were at their desks in the office. Increasingly, this is considered insufficient from a security perspective, and the move is toward zero-trust network access (ZTNA) solutions, even for local access at the corporate office.

By Ellen Koskinen-Dodgson

Ellen Koskinen-Dodgson is President and Managing Partner of TMC IT and Telecom Consulting Inc. She is an IT and Telecommunications Management Consultant, electrical engineer, author, speaker, media resource and Expert Witness.

No One Is Trusted

According to the Government of Canada GCWiki, a Zero Trust Network is a holistic approach to network security that assumes no one is trusted by default. This added layer of security requires strict identity verification of every person and device, whether inside or outside the network perimeter, before access to vulnerable resources is granted.

How It Works

Because access is denied by default, the ZTN design prevents or limits exfiltration of sensitive data even if someone gets into your network, and it greatly improves your ability to defend against modern cyber threats.

The set-up is much more complex than with a normal network. The ZTN grants specific access to only those applications, data, services and systems that have been predefined as needed for each user to do their job.

This means that someone needs to go through the security exercise of identifying these specific, limited authorizations.

There are two approaches:

allowed access via a gateway that initiates a session.
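As an added illustration that is not part of the article or of TMC's material, the deny-by-default decision described above, contrasted with a perimeter/VPN-style check, in Python; the user names, device IDs and application names are constructed sample data, and `mfa_verified` stands in for whatever strict identity verification the organization uses:

```python
from dataclasses import dataclass

# Constructed sample data: the applications each identity is predefined to
# need, the device identities the organization knows and trusts, and the
# full set of internal applications.
ENTITLEMENTS = {"alice": {"hr-portal", "payroll"}, "bob": {"ticketing"}}
TRUSTED_DEVICES = {"laptop-0042", "laptop-0077"}
ALL_APPS = {"hr-portal", "payroll", "ticketing", "finance-db"}


@dataclass
class AccessRequest:
    user: str               # identity asserted by the requester ("" if none)
    device_id: str          # device identity presented with the request
    mfa_verified: bool      # strong identity verification completed?
    app: str                # the specific application being requested
    on_corporate_lan: bool  # in the office, or connected over the VPN


def perimeter_decision(req: AccessRequest) -> bool:
    """VPN/perimeter model: being 'inside' the network is the only check."""
    return req.on_corporate_lan


def ztna_decision(req: AccessRequest) -> tuple:
    """Zero-trust model: deny by default; network location plays no part.
    A request needs a verified identity, a trusted device, and a predefined
    entitlement to the one application it asks for."""
    if not req.user or not req.mfa_verified:
        return False, "identity not verified"
    if req.device_id not in TRUSTED_DEVICES:
        return False, "device not trusted"
    if req.app not in ENTITLEMENTS.get(req.user, set()):
        return False, "no predefined entitlement for this application"
    return True, "allowed"


def exposed_apps(req: AccessRequest, model) -> set:
    """Blast radius: the applications `model` lets this requester reach.
    Re-evaluates the request against every application and keeps the
    ones that are allowed."""
    reached = set()
    for app in ALL_APPS:
        probe = AccessRequest(req.user, req.device_id, req.mfa_verified,
                              app, req.on_corporate_lan)
        verdict = model(probe)
        allowed = verdict if isinstance(verdict, bool) else verdict[0]
        if allowed:
            reached.add(app)
    return reached
```

Running `exposed_apps` for an unverified requester that is already on the LAN shows the difference the article describes: the perimeter model exposes every application, while the zero-trust model exposes none.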

It’s Not Trivial

Forrester suggests looking at it as three pillars to simplify adoption:

Control People

This pillar focuses on making sure users and their devices can be trusted as they access systems, regardless of location. It is the pillar we tend to think of when discussing Zero Trust.

Control Applications

This pillar focuses on preventing unauthorized access within application environments irrespective

Control Devices

This pillar focuses on securing network access for any and all devices (including IoT) that connect to enterprise networks.

The US CISA (Cybersecurity and Infrastructure Security Agency) suggests five pillars: Identity, Device, Network, Application Workload, and Data.

Moving Forward

As it is a philosophy and strategy rather than an architecture, technology or product, implementing Zero Trust can be challenging and complex. Some legacy applications don't work well with Zero Trust, and it's easy to miss things.

Experts suggest conducting a pilot or single-use-case project that can be completed reasonably quickly and whose scope is manageable. The most important goal is a successful outcome. The process will also let you identify which planning and implementation processes work and which don't.

If you’d like to comment on this article or explore these ideas further, contact me at .

This article was published in the November 2022 edition of The TMC Advisor, ISSN 2369-663X, Volume 9, Issue 6.

©2022 TMC Consulting