ZTNA vs. NAC vs. VPN: What is your best option to build a solid Secure Access Service Edge (SASE) framework?
It is obvious that network security has a crucial role in the digital transformation adoption pace. Today’s modern enterprises can choose between network security solutions, including Zero Trust Network Access (ZTNA), Network Access Control (NAC), VPN and Secure Access Service Edge (SASE). While these solutions are geared towards protecting an organization’s network assets and share some similarities, they have various capabilities and function differently. This article will investigate the differences between ZTNA and NAC, offer insights on the better security solution to enforce, and share how organizations can consolidate their SASE framework.
Understanding ZTNA and NAC
NAC is a specific product category that controls and restricts the user and device's access to a local area network (LAN). Think of NAC as a bouncer at the airport who will give you access to the whole terminal where your plane's boarding gate is, in the same way as all the other passengers in the terminal.
On the other hand, ZTNA is a model (also defined as a framework) that controls access to applications and resources, considering that the access is from anywhere to anywhere. The Zero Trust approach relies on a trust architecture where a user or device is only granted specific access to the resources needed per-task. Think of ZTNA as a personal bodyguard in the airport who will accompany the user up to its dedicated plane’s boarding gate.
In this sense, ZTNA goes further in terms of security.
Explicit vs. Implicit Authorization
Both ZTNA and NAC are intrinsically different and operate on separate models. While the former functions with explicit authorization, the latter depends on implicit authorization.
The NAC solution is based on the “trust but verify” model. The NAC trusts every user who wants to access network resources. The next step is typically an implicit authorization to a network or networks, which is exactly what zero trust security tries to avoid.
On the other hand, ZTNA implements a “verify then trust” model which provides a more granular and extensive approach in terms of identification and authentication of the users and devices. This step is key in the ZTNA explicit approach as it binds the user and device identity to the ability to control resource access up through the application layer with specific security policies based on user's profile and device's category.
ZTNA vs. NAC: Enforcement point
ZTNA and NAC both operate at different layers of the OSI model, concluding in different enforcement points which differentiates their scope of operation.
Network Access Control (NAC) operates on the OSI Model’s lower layers (layers 2 and 3). So at its best, NAC can identify and authenticate a device and/or user and then grant them some level of access at network layers 2 or 3 which is the Virtual Local Area Networks (VLANs) and subnets level.
All users and devices lying on the same network segments, VLAN or subnet are granted the same access privileges and rights.
This approach falls short when it comes to differentiating and bringing granularity to each user and device accessing different resources. Micro-segmentation technique tries to overcome this challenge, but still with mitigated results.
ZTNA operates primarily at the application layer (Layer 4 and up) of the OSI model. This provides a wider range in terms of granularity as it offers the ability to define per-user and per-device access based on contextual elements. This follows the trust model introduced before where a user or a device only has specific access to the resources needed per-task. As a consequence, ZTNA treats application access separately from network access. And unlike NAC, connecting to a network does not automatically grant a user the right to access an application
ZTNA enables network segmentation by creating a software-defined security perimeter around each part of your corporate network. This segmentation is done by breaking down the network into smaller, manageable parts, each with its own security policies and access controls.
ZTNA prevents lateral movement within the network. If an attacker manages to breach one segment, they won't automatically have access to the others. This significantly reduces the attack surface and helps to contain potential threats.
ZTNA vs. NAC: Service-Based Feature
One of the other differences between ZTNA and NAC is the way it is deployed.
The NAC technology is agent-based which means that it requires the installation of an agent, typically a software application, on all endpoints devices in the network. This includes servers, devices, routers, and IoT devices. The agent ensures that the devices are authorized, protected, and known. to defend them. This approach doesn't enable cloud security and has scaling limits as IT administrators are required to add devices and firewall rules for networks with large amounts of diverse users and devices that constantly change. Last but not least, this limits NAC solutions to only protect the endpoint devices on existing network segmentation or VLANs with no ability to provide fine-grained least privilege access.
Conversely, ZTNA is a cloud service rather than an endpoint app. Therefore, it doesn’t require an agent but more importantly, its cloud-centric nature means it is perfectly engineered to operate natively in the cloud and deliver scalable security. Its nature makes it much more scalable than NAC and more importantly it allows the implementation of fine-grained least privilege access. The cloud aspect is crucial in enterprises' digital transformation which will be more inclined to adopt ZTNA to protect access to their cloud resources.
Remote Access Solutions: VPN vs. SASE?
In today’s highly mobile and cloud-centric world, traditional network-based NAC solutions are increasingly falling short of meeting the needs of remote users and devices. NAC is primarily focused on controlling access to a local area network (LAN). It verifies the identity of users and devices before they can access the network and enforces security policies at the network level.
However, the way we work has changed dramatically. Today, many users are working remotely, and devices often need to be directly connected to the corporate network. Instead, they're connecting over the internet from various locations, using a mix of company-owned and personal devices. Therefore, enterprises usually utilize Virtual Private Networks (VPNs) for remote users to access the network.
Limits of enterprise VPN or Cloud VPN
Enterprise VPNs, also called cloud VPNs, provide encryption protocols for secure access to internet resources. They use site-to-site Internet Protocol (IPSec) to encrypt and route traffic to a VPN server for secure remote access. Using an enterprise VPN is like wearing an invisibility cloak: your network connection is working, but it's also inaccessible to third parties, especially malicious actors.
While VPNs are relatively easy to implement and use, they may suffer from performance issues when scaled up, as all traffic is routed through the VPN. Also, they lack the granular, application-level control provided by some other SASE tools, like Cloud Access Security Brokers (CASB) and Secure Web Gateways (SWG), which can guarantee ZTNA.
Limits with BYOD and unmanaged devices
We can see that the “all or nothing” perimeter-focused approach of VPNs doesn’t have the same visibility, authentication, and authorization principles to monitor endpoints. This is why VPNs also fall short of BYOD protection, where unmanaged devices can access enterprise networks with unsecured personal devices. ZTNA, on the other hand, doesn’t require software installation and uses micro-segmentation principles. As a result, it’s suitable for BYOD device protection.
Security professionals all agreed that ZTNA is a security framework that will replace legacy VPNs. According to Gartner, more or less 70% of new remote access implementations will be served primarily by ZTNA instead of VPN services by 2025—up from less than 10% at the end of 2021.
How to Consolidate the SASE Framework?
SASE isn’t a standalone security system. Rather, it’s an integrated solution that offers centralized visibility into the network infrastructure. ZTNA is SASE’s arsenal for managing access controls at the granular or user level.
According to Forbes, security professionals can consider ZTNA a subset of SASE. Using Zero Trust with SASE, an integrated approach can help you combine various cyber technologies simultaneously. For instance, you can use application data to verify users and encrypt connections across your corporate network. More importantly, SASE with Zero Trust can make granular authorizations to a device or user based on various contextual elements (e.g., how, who, where, when, and what).
The Verdict
In the ZTNA vs. NAC race, ZTNA offers superior secure access and more advanced features. While the NAC solution trusts everyone entering the network and verifies its authenticity, ZTNA first proves and then trusts identities, making it a more robust security architecture. ZTNA moves past the “default allow” mode of VPNs and NAC solutions — which makes them vulnerable to attacks — and ensures that organizations are protected against both external and insider threats.
“90% of organizations migrating to the cloud are adopting zero trust,” according to Zscaler’s State of Zero Trust Transformation 2023 report. 68% of the IT and security leaders who took part in the survey noted that “secure cloud transformation is not possible with legacy network security infrastructure such as firewalls and VPNs.” The respondents further added that “outdated tech stacks and implicit-trust-based architectures down to endpoints are lethal roadblocks to successful zero-trust initiatives.”
The facts are clear and show the industry’s shift to zero trust. As more organizations move their workloads to the cloud, ZTNA is the industry choice for consolidating the SASE framework and delivering secure cloud-related services.
