Replace your VPN with ZTNA? Discover 3 approaches to remote access


Secure remote access boosts productivity and reduces the IT burden, but it remains a challenge for many organizations.

VPNs, initially useful for connecting users temporarily, now show limitations: poor performance, security risks and scalability problems.

That is why more and more companies are migrating to ZTNA (Zero Trust Network Access), which restricts access based on identity and context, replacing the open model of VPNs.

In 2020, only 5% of remote access used ZTNA, and by 2024 it is expected to reach 40%.



VPN vs Zero Trust Security

 

VPN Security

 

Although VPN offers basic privacy for remote users, it was not designed for security or scalability. Traditionally, organizations have used VPN to connect some remote users to the corporate network for short periods of time. However, issues around VPN are beginning to multiply:

  • Users experience slow performance. If the VPN infrastructure lacks the capacity to handle the traffic and simultaneous connections generated by the workforce, users experience slower Internet connections.
     
  • Corporate networks become vulnerable to attacks. VPN often uses a castle-and-moat model, where the user has limitless access to all corporate resources once they connect to the network. 

Zero Trust Security


Zero Trust Security avoids several of the challenges inherent to VPN. It relies on the principle that you cannot preemptively trust any user or device, inside or outside of your network.

With the aim of reducing risk and impact of data leaks, internal attacks and other threats, a zero trust approach:

  • Authenticates and logs every log-in and request,
  • Requires strict verification of all users and devices,
  • Limits information accessible by each user and device based on identity and context,
  • Adds end-to-end encryption to isolate applications and data within the network.

 

Ways of configuring ZTNA

 

  • Clientless ZTNA (or service based) uses an existing browser in lieu of a client to create a safe connection and authenticate users’ devices. Traditionally, clientless ZTNA has been limited to applications with HTTP/HTTPS protocols, but compatibility is evolving rapidly.
  • Client-based ZTNA (or endpoint based) requires software to be installed on each of the user’s devices before they can establish an encrypted connection between the control agent and authorized applications.

Challenges to Implementing ZTNA

 

While ZTNA offers clear advantages over traditional VPNs, it is not a perfect approach to securing network access for remote users.

When adopting Zero Trust, you may encounter one or more of the following challenges:

1. Solutions are not truly cloud native.

2. Providers may not offer client-based or clientless ZTNA options.

3. Setup may be complex and time-consuming.


Cloudflare Approach for Remote Workers

 

Securing and scaling remote access should be a smooth process that does not layer on rigid security solutions, create performance trade-offs or add unnecessary costs. Cloudflare empowers teams to handle each remote access use case, with the following benefits:

  • Simple and risk-free onboarding for users and administrators. Cloudflare easily integrates with existing identity providers and endpoint protection platforms to enforce zero trust policies that limit access to corporate applications and resources.
  • Flexibility for client-based and clientless ZTNA deployments. Cloudflare provides clientless support for connections to web applications, SSH, VNC (and soon, RDP), and client-based support for non-HTTP applications and private routing to internal IP addresses.

 

How Does Cloudflare Approach Remote Access Challenges?

 

| Problem | Solution | Cloudflare implementation |
| --- | --- | --- |
| Scalability challenges | Global perimeter network | Cloudflare's global Anycast network not only makes user connections faster than a VPN, but also ensures that remote workforces of any size can connect securely and quickly to corporate resources. |
| Low compatibility with mobile devices | Light client | Cloudflare's WARP client uses the state-of-the-art WireGuard protocol, running in user space to support a broader set of operating system options with a faster user experience than traditional options. Cloudflare's WARP client can be configured on Windows, macOS, iOS, Android and, soon, Linux devices. |
| Non-existent or weak integrated DDoS protection | Integrated industry-leading DDoS protection | Cloudflare's 67+ Tbps network provides integrated DDoS protection for any ZTNA mode, protecting networks against the largest volumetric attacks. |
| Protocol limitations | Web Application Support | Mode support: Clientless ZTNA for SSH/VNC applications; client-based ZTNA for all other non-web applications. |
| No integrated network firewall | Built-in network firewall | Cloudflare enables administrators to enforce network firewall policies at the perimeter, giving them fine-grained control over what data can enter and leave their network and improving visibility into how traffic flows through it. |
| Lack of detailed control | Integrated Secure Web Gateway (SWG) | By combining ZTNA with SWG, Cloudflare enables administrators to exercise more granular control over user and device access rights within applications. |

Get access without compromising on protocol support or functionality. The recommended migration path varies depending on the business priorities driving your project:

  • If faster connectivity to applications is your priority, first implement client-based ZTNA for non-web applications.
  • If improving the security of your application access rules is more important, start with web applications.
  • Replacing your VPN is just the first step in a complete network transformation. Because the transition to a SASE model can be overwhelming, we've broken down a common path to Zero Trust security based on the approach our customers have taken.

The transition from a traditional VPN to a Zero Trust architecture with ZTNA not only improves security but also boosts productivity and the remote user experience.

If your organization is evaluating modernizing its remote access, our team can help you design and implement the ideal solution for your needs.

Contact us today and take the first step toward secure, scalable and uninterrupted access.

Gustavo Naoto Aguilar Morita August 14, 2025