Virtual private networks (VPNs) are the established choice for IT and security personnel when it comes to granting remote network access. But traditional VPNs have become outdated – they are no longer able to offer the scalability and flexibility to serve modern hybrid workforces, or adequately cope with sophisticated contemporary cyber threats.
Zero trust network access (ZTNA) is the natural successor to corporate VPN usage, offering many advantages over its traditional counterpart including reduced up-front architectural requirements, easier global deployment, improved user experience, accommodation of both remote and on-premises access, better overall performance, easier integration/scalability, and a much narrower attack surface for malicious actors to attempt to compromise.
Recent research commissioned by Banyan Security shows that of all IT and security personnel approached to participate in this survey, 14% are in the early stages of ZTNA adoption and an additional 17% have begun to roll it out.
This is despite the adoption of a zero trust model being viewed as a priority for 97% of organizations that we spoke to. So, what accounts for the hesitation?
What’s the delay with adopting ZTNA?
It’s definitely not due to a lack of pressure faced by organizations. Our research findings also show that in a post-pandemic working landscape where hybrid working is prevalent, 51% of workers use a combination of personal and corporate devices to connect to business applications and resources. For larger companies (between 1,001 and 5,000 employees) this figure rises to 59%.
This wide range of devices (with varying levels of security between BYOD and company-owned devices) regularly accessing corporate networks means there’s clear potential for ZTNA solutions to improve both security and the user experience, whilst making the lives of the IT and security teams easier. Both device identity and device security posture can be assured via policy, thus reducing the risk normally associated with BYOD.
Some troubling data also surfaced. It seems that overall satisfaction with existing systems and solutions is high: 92% of respondents were confident their remote access solution adequately protects the organization from unauthorized access to applications and resources. This statistic is especially worrying given that VPNs grant overly-broad network access, and threats like ransomware use this lateral movement freedom to shut down organizations for illicit profit.
A further 92% are satisfied with the admin user experience for their existing secure remote access solution, while 88% are satisfied with the end user experience. Given the clear advantages that ZTNA offers over traditional VPNs, it seems likely that this confidence is also misplaced – particularly when it comes to data security.
ZTNA is popular with those in the know
Whilst IT and security personnel who are currently using VPNs remain relatively satisfied with the solutions, there is a clear impetus to switch to ZTNA amongst those who are aware of the benefits it offers. Of the IT and security personnel that are aware of both VPNs and ZTNA, adopting a zero trust model is a priority for almost all (97%) organizations.
Across the board, those sticking with VPNs or transitioning to ZTNA are planning to spend money on improvements: over 9 in 10 organizations (93%) have a committed budget to enhance their VPN or move toward ZTNA for this year or the following year.
Why is ZTNA viewed as a priority amongst those who have chosen to adopt it? Secure remote access (48%), improving the end user experience (34%) and eliminating exposure to VPN vulnerabilities (34%) were key drivers in the decision to choose ZTNA for IT and security personnel – all of which align with easing the pressures that contemporary organizations face.
Whilst most of those who are aware of ZTNA understand its advantages, and those who remain satisfied with VPNs are likely to be so due to a lack of awareness about alternatives, IT and security personnel did also highlight some perceived issues with migrating to ZTNA that are relatively straightforward to address.
Myth-busting ZTNA adoption
For some, ZTNA may be considered tricky to adopt. Over two thirds of current VPN users (69%) believe implementing a ZTNA strategy would be a large undertaking. If there is a belief within the organization that current remote access solutions offer adequate protection and end user experience (as our research suggests), the underlying issue could be one of complacency and misplaced confidence.
It is unlikely that IT and security personnel with this attitude would have suffered a recent security breach. A single instance of malicious actors gaining access and being able to move laterally through the network due to VPN vulnerabilities or compromised credentials would certainly give them cause to think again – but by then, the damage would be done.
More education around the risks associated with relying on outdated remote access technologies could have huge preventative value for this particular cohort. This is further evidenced by the 13% of VPN owners who claimed that zero trust is ‘confusing’ and that they don’t know where to start.
Even amongst those who understand ZTNA, there is a fear that complexity could be a problem – 30% of VPN users believe it is difficult to implement ZTNA infrastructure in their current security environment. But this is not necessarily the case. The best ZTNA solutions are cloud-native by nature, and designed to integrate seamlessly with existing security solutions.
Time considerations can also be a factor for those concerned about ZTNA adoption. Organizations rolling out zero trust solutions took 11.5 months on average to implement ZTNA. This is undeniably a significant undertaking, but pales in comparison to the timescales involved with migration away from other legacy systems towards SaaS and cloud-based architectures.
And as always, cost is also a factor in an organization’s decision to adopt new technologies. 62% of VPN users claim that cost/budget constraints are the key barrier to ZTNA adoption. But when weighed against the potential cost to an organization of a serious data breach, an investment in ZTNA is minimal and extremely worthwhile. So, avoiding ZTNA for financial reasons should be considered risky and short-sighted.
Become a ZTNA evangelist
How can IT and security personnel who understand the value that ZTNA offers their business convince decision makers that adoption is the way forward? Overcoming potential objections such as the ones outlined above will be key to winning the battle for hearts and minds.
Our research shows that 82% of VPN users would likely implement ZTNA if there were an easily deployable, inexpensive option. Three quarters (75%) of IT and security personnel also said they often make use of “freemium” or “try before you buy” options when making decisions about technology solutions – so seeking out providers that offer these models can really help convince the risk-averse.
Overall, a better understanding of the benefits that ZTNA offers, as well as the risks that it negates, is the most compelling argument for adoption. Legacy VPN systems are becoming more outdated with each passing day – the time to future-proof your workforce’s ability to easily and securely access resources is now.
About the research
The survey contacted 1,025 respondents, but the interview continued only with the 410 senior decision makers who are responsible for IT or security and who met the criterion of being aware of both VPN and ZTNA.
Respondents worked in organizations that employ 500 to 5,000 employees. The survey took place across the USA (357) and Canada (53).
At an overall level, results are accurate to ± 4.8% at 95% confidence limits assuming a result of 50%.
The interviews were conducted online by Sapio Research in April 2022 using an email invitation and an online survey.