Last week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive requiring U.S. federal agencies to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure products from agency networks. The directive was a response to several vulnerabilities in Ivanti's products that threat actors have actively exploited. Now there are reports of yet another exploitation.

We recommend that organizations using Ivanti's affected products follow CISA's guidance, even if they are not a federal agency. Notably, CISA's directive says organizations should disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure products. But this raises a broader question: should organizations move from traditional virtual private network (VPN) solutions to Zero Trust Network Access (ZTNA) solutions to safeguard their networks and data in today's ever-evolving threat landscape?

VPNs are no longer sufficient

VPNs have long been the cornerstone of network security, providing remote users with encrypted connections to internal networks over the internet. However, the increasing sophistication of cyber threats and the shift towards more dynamic, cloud-based, and distributed work environments have exposed limitations in the VPN framework. Gartner notes that VPN “is an aging technology as organizations shift to more cloud-based services.”

VPNs, by design, grant broad access to network resources, which creates significant risk. Once a threat actor compromises a VPN, they can often reach the entire internal network, leading to data breaches, ransomware attacks, and more. What's more, VPNs do not scale efficiently for a remote or hybrid workforce, and poor network performance is a common complaint among users.

Long Live Zero Trust Network Access

ZTNA emerges as a modern solution to these challenges, aligning with the Zero Trust principle of "never trust, always verify." While both VPN and ZTNA technologies enable secure remote access to organizational resources, there are some important differences when it comes to approach, architecture, and security principles.

  • Trust model: With ZTNA, each access request must be authenticated, authorized, and continuously validated. VPNs, on the other hand, establish a secure tunnel to the organization's network, and once a user is connected, they are often granted broad access to resources.
  • Access control: ZTNA grants access based on factors such as user identity, device, and device posture, and scopes that access to specific applications or services. Conversely, VPNs provide network-level access, which can expose a much larger attack surface to unauthorized users or malware.
  • Lateral movement: Organizations using ZTNA can limit access to only required resources. Using a VPN allows users to connect to the entire internal network, increasing the risk of lateral movement.
  • User experience: While VPNs can be cumbersome and slow to connect users to the network, ZTNA provides a more seamless user experience because it can grant access to specific applications without the need for a full network connection.
  • Scalability and performance: ZTNA solutions tend to be more scalable and can handle many users and connections more efficiently than traditional VPNs. This is particularly important for organizations with cloud-based or distributed environments, where traffic patterns and user locations can change rapidly.
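To make the trust-model and access-control differences above concrete, here is an added example (not code from the original post or from any vendor) of a minimal ZTNA-style policy evaluator: every request names one application and is checked for identity, MFA, group membership, and device posture, with a default deny for anything not explicitly allowed, and the same checks are re-run mid-session so a device that falls out of compliance loses access rather than keeping a tunnel open. The application names, groups, and posture signals are constructed sample data.

```python
from dataclasses import dataclass

# Hypothetical per-application policies (constructed sample data).
# Each entry names the groups allowed to reach the application, the device
# posture signals it requires, and whether MFA must be present on the request.
APP_POLICIES = {
    "payroll": {"groups": {"finance"},
                "posture": {"managed", "disk_encrypted", "os_patched"},
                "mfa": True},
    "wiki":    {"groups": {"staff", "finance"},
                "posture": {"managed"},
                "mfa": False},
}

@dataclass
class AccessRequest:
    user: str
    groups: set            # identity-provider groups the user belongs to
    mfa_verified: bool     # whether this request carries a verified MFA claim
    device_posture: set    # posture signals the device currently satisfies
    application: str       # ZTNA grants per application, never "the network"

@dataclass
class Decision:
    allowed: bool
    reason: str

def evaluate(req: AccessRequest) -> Decision:
    """Authenticate, authorize and posture-check one request for one application."""
    policy = APP_POLICIES.get(req.application)
    if policy is None:
        # No policy means no access: there is no implicit network-wide grant.
        return Decision(False, f"unknown application {req.application!r}: default deny")
    if policy["mfa"] and not req.mfa_verified:
        return Decision(False, "MFA required")
    if not (req.groups & policy["groups"]):
        return Decision(False, f"user {req.user!r} not in an allowed group")
    missing = policy["posture"] - req.device_posture
    if missing:
        return Decision(False, f"device posture missing: {sorted(missing)}")
    # The grant is scoped to this one application, not to a network segment.
    return Decision(True, f"{req.user} -> {req.application} only")

def revalidate(req: AccessRequest, new_posture: set) -> Decision:
    """Continuous validation: re-run the same checks when device posture changes
    during a session, so access is revoked as soon as the device drifts out of
    compliance instead of persisting for the life of a tunnel."""
    updated = AccessRequest(req.user, req.groups, req.mfa_verified,
                            new_posture, req.application)
    return evaluate(updated)
```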

CISA’s emergency directive serves as an important reminder for organizations to reassess their cybersecurity frameworks in light of modern threats. For most organizations, moving from a VPN to a ZTNA solution represents a strategic move to enhance security, efficiency, and adaptability in today's complex digital landscape. By understanding the benefits of ZTNA and following best practices for migration, organizations can position themselves to better protect their critical assets and ensure business continuity in the face of evolving cyber threats.

To learn more about migrating from VPN to ZTNA, contact us.