ZTNA Replacement for VPN

Hello /SysAdmins

Note: I am very new to Reddit so please pardon if I’m in the incorrect channel. If so please point me in right direction.

I am looking to replace our old VPN/Terminal Services appliance “Ivanti Connect Secure” (formerly known as Pulse Connect Secure) and was curious if anyone has switched over from VPN to ZTNA. If so, any vendor recommendations, and did you do a full ZTNA adoption for internal network users and users connecting from the public internet, or only ZTNA as a VPN replacement? Thank you.

There’s no particular reason one needs a vendor for “zero trust” architectures, because it’s a paradigm, not a product. NIST 800-207 says this:

ZT is not a single architecture but a set of guiding principles for workflow, system design and operations that can be used to improve the security posture of any classification or sensitivity level. Transitioning to ZTA is a journey concerning how an organization evaluates risk in its mission and cannot simply be accomplished with a wholesale replacement of technology. That said, many organizations already have elements of a ZTA in their enterprise infrastructure today. Organizations should seek to incrementally implement zero trust principles, process changes, and technology solutions that protect their data assets and business functions by use case. Most enterprise infrastructures will operate in a hybrid zero trust/perimeter-based mode while continuing to invest in IT modernization initiatives and improve organization business processes.

The high-level summary is: use encrypted protocols and multifactor authentication to services, preferably with SSO by using an identity provider service (which you can host yourself with something like Authentik, Keycloak or Gluu, or leverage an outside IdP service).

Probably begin with the infrastructure that has been using the network, the firewall, or IP addresses as access control. You’re no longer going to trust just the “internal” network to protect your assets. You’ve had clients roaming outside the corporate network for a long time – which is why you use a VPN in the first place, in an attempt to extend the “trusted perimeter” outside of the actual corporate network.

Definitely read SP800-207 before considering the DOD’s document. The latter has been pruned from three times as long to twice as long, but NIST is still far more readable.
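To make the principle in that reply concrete (stop using network location as the credential; decide per service on identity, MFA and device posture), here is an added example that is not from the original thread or from NIST. The subnet, service names, users and group memberships are constructed for illustration; a real deployment would pull the same signals from the IdP and a posture agent.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data: one "internal" subnet, two services, two users.
CORP_NET = ipaddress.ip_network("10.0.0.0/8")

@dataclass
class Request:
    user: str
    src_ip: str
    mfa: bool             # did the IdP session satisfy MFA?
    device_managed: bool  # device posture signal from an endpoint agent
    host: str
    port: int

# Perimeter/VPN model: being on the corporate network (or tunnelled into it)
# is the credential, and it grants reach to every host and port.
def perimeter_allows(req: Request) -> bool:
    return ipaddress.ip_address(req.src_ip) in CORP_NET

# Zero-trust model: policy is per service (host and port), keyed on identity
# attributes and posture, and never consults network location.
SERVICE_POLICY = {
    ("hr-db.corp.example", 5432): {"groups": {"hr"}, "managed_only": True},
    ("wiki.corp.example", 443):   {"groups": {"staff", "hr"}, "managed_only": False},
}
USER_GROUPS = {"alice": {"hr", "staff"}, "bob": {"staff"}}

def zt_allows(req: Request) -> bool:
    policy = SERVICE_POLICY.get((req.host, req.port))
    if policy is None:            # no policy for this service: default deny
        return False
    if not req.mfa:               # every session must be MFA-backed via the IdP
        return False
    if policy["managed_only"] and not req.device_managed:
        return False              # posture check for sensitive services
    return bool(USER_GROUPS.get(req.user, set()) & policy["groups"])
```

Compare the two decisions for the same request: an unauthenticated host on the LAN reaching the HR database is allowed by the perimeter model and denied by the per-service policy, while an MFA-backed, managed device on the public internet gets exactly the one service its identity is entitled to.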

Disclaimer, I sell/implement/support this product:

Todyl SGN is a fantastic platform that can do ZTNA/SASE and so much more, including cloud SIEM, MxDR with a 24/7 SOC, EDR and Governance, Risk and Compliance.

I would be happy to show it to you, if you want, but as I stated up front, we are a partner of theirs and I do make money from it.

I have other customers happy with Perimeter 81 too, might be worth a look.

Axis security (now owned by HPE)

ZTNA is a fancy marketing term so I’m sure it gets a ton of eye rolls, but it is a legit step up improvement to VPN.

When figuring out what solution you want to replace with, you should first figure out what problem you’re trying to solve. Typically you have a few things you want to solve:

  • easier management
  • better remote access experience for users
  • more granular controls on what users can access (e.g. specific hosts/ports vs. whole networks)
  • internet security filtering

Depending on what combination matters to you, you can find lots of options that hit some of those elements.

FWIW, I’ve deployed Twingate in several companies now and it’s been the best blend of ease of use and better security. Plus the users I’ve migrated from VPN say it’s much faster.

I’ve also looked at Cloudflare’s product (kinda complicated), Zscaler’s VPN product (complicated & expensive), Perimeter81 (slow and sometimes unreliable), and some others. YMMV, and I would suggest you just take a few demos and kick the tires. Many of these ZTNA vendors even have free tiers so you can play around with it yourself (Twingate is ahead of the game on this dimension IMO).

It’s not a single product, but some provide many underlying primitives. For example, I work on the open source OpenZiti project (https://github.com/openziti), which provides identity (CA/PKI, with the ability to work with external providers too), encrypted protocols/tunnels, device posture checks (incl. TOTP MFA), outbound-only connectivity (simplifies FW rules and reduces attack surface), micro-segmentation, least privilege, attribute-based access control, software-defined perimeter, and more.