Every organization is finally getting serious about the security controls in place around its remote access. With RDP access remaining the top initial access vector for ransomware attacks today, organizations need to shift away from RDP and, perhaps, even reconsider whether the externally-facing remote access solution they have in place instead of RDP is secure enough. Remote access solutions beyond the built-in RDP exist today, providing organizations with a secure means of remotely accessing systems from a guest device that can sit either within the corporate network or externally across the Internet.
At the same time, organizations are looking to begin their years-long journey toward a state of zero trust, an initiative that Google has been working on since 2011 under the name BeyondCorp. For most organizations, that journey begins with implementing one aspect of zero trust, and providing remote access under the lens of zero trust, in the form of Zero Trust Network Access (ZTNA), is a viable first step.
But which type of solution is right for your organization?
To answer this, let’s start with a basic definition of both remote access and ZTNA solutions, and then dive into a number of business requirements that are driving you toward the right solution to provide secure remote access.
The three steps, as with any difficult choice, are defining your options, weighing your options, and choosing the right solution.
Defining Your Options
The two solution types, while providing a user with the ability to connect remotely to a corporate system, are very different beasts.
- Remote Access solutions are commonly understood as solutions that give a remote user the ability to take interactive control of the desktop of an internal server or workstation within the organization. Those that are serious about the security of your organization employ a number of security controls around authentication, privilege escalation, and accessibility to internal systems, in addition to the features they provide around remote access itself.
- ZTNA solutions, according to Gartner, create “an identity- and context-based, logical access boundary around an application or set of applications” (in this case, a remote desktop). They go on to define a part of ZTNA – the broker – whose job it is to “verify the identity, context, and policy adherence of the specified participants before allowing access and prohibit lateral movement elsewhere in the network.” As you can tell, in addition to providing remote connectivity to an internal desktop or other application, ZTNA has some additional security layers of its own.
So, how do you determine which is right for your organization?
Weighing Your Options
Here are a few business requirements presented in the form of questions that can be used to help find the right answer.
Do you want to connect securely to both internal and cloud resources?
This is a clear case for ZTNA, as (in general) it provides secure access to both, whereas remote access solutions are designed to connect a user to an endpoint’s desktop. Now, it is possible that the desktops we’re talking about exist in the cloud (and, therefore, even a remote access solution will suffice), so it’s necessary to determine exactly what kinds of resources you want to remotely connect to securely and then compare solutions.
How much security do you actually need?
ZTNA will offer by far more security than any remote access solution on its own. Usually, there’s policy-based access, centralized (usually read as cloud) authentication, and a deeper scrutiny of the user/client combination, along with other criteria such as the presence of antivirus, an up-to-date operating system, and even disk encryption, at the moment the request for remote access is made. While this sounds rather like music to your cybersecurity ears, all of that policy needs to be defined, managed and monitored.
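A sketch of the broker decision described above, as an added example (not from the original article or any vendor's product). The application names, group names and policy table are hypothetical; the posture fields mirror the criteria named in the paragraph, and every sample request is constructed.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    idp_authenticated: bool   # identity verified by the central identity provider
    antivirus_present: bool   # device posture, as reported by the client
    os_up_to_date: bool
    disk_encrypted: bool
    application: str          # the single resource being requested

# Hypothetical per-application policy: who may connect and which posture checks apply.
POLICIES = {
    "cad-desktop-01": {"groups": {"engineering"},
                       "posture": ("antivirus_present", "os_up_to_date", "disk_encrypted")},
    "hr-portal": {"groups": {"hr"},
                  "posture": ("antivirus_present", "os_up_to_date")},
}

def evaluate(req):
    """Return (allowed, reasons). Anything without an explicit policy is denied."""
    policy = POLICIES.get(req.application)
    if policy is None:
        return False, ["no policy for application (default deny)"]
    reasons = []
    if not req.idp_authenticated:
        reasons.append("identity not verified")
    if not (req.groups & policy["groups"]):
        reasons.append("user not in an authorized group")
    for check in policy["posture"]:
        if not getattr(req, check):
            reasons.append(f"posture check failed: {check}")
    return (not reasons), reasons

# Constructed sample request and variants of it.
ENGINEER = AccessRequest("alice", frozenset({"engineering"}), True, True, True, True,
                         "cad-desktop-01")

def demo():
    cases = {
        "compliant": ENGINEER,
        "unencrypted_disk": replace(ENGINEER, disk_encrypted=False),
        "other_application": replace(ENGINEER, application="hr-portal"),
        "unlisted_host": replace(ENGINEER, application="file-server-07"),
    }
    return {name: evaluate(req) for name, req in cases.items()}

if __name__ == "__main__":
    for name, (allowed, reasons) in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} {reasons}")
```

Each request names one application and is judged against that application's policy alone, so a user admitted to one desktop gains nothing toward any other resource; every rule in the table is also a rule someone has to define, manage and monitor.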
How much productivity do you actually need?
Remote access solutions tend to provide features designed first to improve the user experience of connecting to and interacting with a remote desktop, whereas ZTNA is far more focused on security features. So, if you have specific remote access needs (for example, improved graphics speed within a session, to allow engineers to work on high-end computer-aided design applications), ZTNA may not have the same performance as a remote access solution.
Do you have the security infrastructure required for ZTNA?
To make ZTNA effective, there’s usually the need for some additional aspects of your network environment to be in place, such as a cloud-based identity management service. For some organizations, this may not be feasible, making a remote access solution that can work with Active Directory (as well as cloud identity providers) a better choice for the immediate timeframe. At the same time, to get an appropriate level of security, even remote access solutions should support multifactor authentication, which would be an additional service.
Is Zero Trust even on the organization’s radar?
It’s worth asking the question. Starting down the path to Zero Trust, while necessary for every organization concerned about the state of its cybersecurity, may not be something the leadership of your organization is ready to take on. Although you are implementing only a single solution, it is going to be the catalyst for much more change, which may require more resources and budget than can be allocated.
Choosing the Right Solution
The answer here isn’t entirely clear-cut. Organizations that choose to go with ZTNA are looking to first improve the security of their organization by leveraging zero trust principles in conjunction with their remote access strategy. Those that choose a remote access solution come at it from the other direction: they are looking for remote access first, from a solution that also provides improved levels of security.
While the lines are blurring a bit across the spectrum of remote access solutions (including ZTNA) available, the right solution is going to be the one that aligns with where your organization stands when balancing the importance of remote access and cybersecurity, and that has the features you want for improving both user productivity and the organization’s state of cybersecurity.