Jamf Blog
April 18, 2022 by Jesus Vigo

macOS Security Basics: The One About Being the Best (VPN vs ZTNA)

In this edition of the macOS Security Basics series, we dive headfirst into the battle between Virtual Private Networking (VPN) and Zero Trust Network Access (ZTNA) to determine which of the two technologies is best suited to securing your network communications across your entire device fleet based on how they function, their features and capabilities at keeping traffic safe from bad actors.

There’s a prevailing wisdom in computer security, a foundational tenet that identifies three core areas that lie at the heart of trying to protect any device, user or piece of data. This is known as the CIA triad, short for Confidentiality, Integrity and Availability. In brief, it stipulates that any object to be secured, should be protected in the following ways to ensure that the object is safeguarded against multiple threat types:

  • Confidentiality: The first principle refers to the safeguarding of the object itself, so that only those that are authorized to access it may do so – all others should not be able to.
  • Integrity: The second principle deals with safeguarding contents of the object, more to the point, the ability to modify it. This too should be limited to only those that are authorized to do so and further limited to only what permissions are necessary for the authorized user – nothing more.
  • Availability: The third principle governs safeguarding the ability of the object being secured to be accessed by authorized users. Not to be confused with the confidentiality, availability only concerns the ability for users to access the objects – not whether they are permitted to perform actions on the object or modify its contents.

There are subsets to the three tenets listed above that apply to some or all objects being secured. For example, a subset of confidentiality is data at rest and data in motion. The former pertains to data objects physically stored on drives, such as in your computer or on a server’s storage array. The latter pertains only to data when it is being transmitted, such as via email or when uploading/downloading files from a remote location.

Depending on your specific use case, one or both may apply in addition to the CIA triad. In the case of securing communications, all three tenets apply, alongside data in motion. When discussing our primary topic of VPN vs ZTNA, both offer great protection in securing network connections, but only the latter offers protections to overcome the variety of obstacles present in modern day computing.

Before we delve into the features of each technology and their respective pros and cons, let’s take a brief look at their history.

Ivan “The Siberian Express” Drago

Introduced in 1996, Peer-to-Peer Tunneling Protocol (PPTP) was developed by Microsoft and is widely regarded as the precursor to the VPN protocol that is known today. The benefits of utilizing VPN were immediately apparent for businesses that required a way to seemingly extend their private network over existing, public or untrusted networks.

VPN adheres to the CIA triad by encrypting data sent/received (confidentiality), provides integrity checking to detect instances of tampering while in transit (integrity), and utilizes authentication to not only prevent unauthorized access, but also provide high availability to network resources (availability). Additionally, VPN can provide the following safeguards:

  • Create a point-to-point tunnel that serves to securely connect together two or more physically separate hosts.
  • Establish a Wide-Area Network (WAN) between connected networks.
  • Enhance privacy by encrypting traffic through a tunnel, making it difficult to decrypt even if intercepted, while protecting a user’s identity, including hiding your actual IP address and physical location.
  • Provide secure remote access to corporate resources for employees working in remote or hybrid work environments.
  • Permit access to geo-restricted websites or content that is restricted to certain countries only, such as bypassing censorship blocks imposed by nation states to restrict the flow of information.

Rocky “The Italian Stallion” Balboa

The earliest mention of the term “zero trust” occurred in 1994 as part of a doctoral thesis on computer security by Stephen Paul Marsh. Throughout the years, the concept continued to develop, inching further toward becoming reality until 2018 when NIST published their technical document titled SP 800-207, Zero Trust Architecture, which laid out “a collection of concepts and ideas designed to reduce the uncertainty in enforcing accurate, per-request access decisions in information systems and services in the face of a network viewed as compromised.” This evolved enterprise security by creating a“cyber security plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies.” In lay terms, this eliminated the concept of “implicit trust” from security frameworks, applications and workflows used to implement and manage endpoint security, while mitigating threat risks, by requiring that all components involved in the security paradigm be verified before access to a protected resource is granted.

ZTNA shares a lot in common with its forebearer given its ability to perform every function that VPN is capable of, but that’s where the similarities end. ZTNA provides a whole host of new and updated features that make it the clear choice to protect your modern computing environment:

  • Relies on cloud-based architecture, extending support to all modern operating systems and device types.
  • Software-Defined Perimeter eliminates the need to procure, manage and support expensive hardware or configure complex configurations.
  • Application-based microtunnels are generated per resource requested, enforcing least privilege and preventing lateral network movement in the event of compromise.
  • Integration with Identity Providers (IdP) means only authorized users are granted access to business applications while extending Single Sign-On (SSO) capability.
  • Enforcement of security and compliance is made possible through risk-aware access policies which leverage regular health checks to determine if devices and user accounts have been compromised.
  • For devices that do not meet the minimum requirements set forth by administrators for access, workflows quarantine devices – effectively preventing access to requested resources – until automated remediation is completed, when the device is rechecked to ensure compliance before being granted access.
  • Given its cloud-based design, policies are unified, spanning across all hosting locations, such as on-premises, private and public clouds, and Software as a service (SaaS) applications.
  • Split tunneling capability is enhanced, routing non-business resources directly to the Internet while keeping business resources protected.
  • Lightweight service operates either with an agent or agent less, with minimal impact to battery life and the user experience by operating silently in the background.

“You can get with this, or you can get with that”

A quick takeaway of the similarities and differences between ZTNA and VPN is presented below, allowing careful examination of the capabilities of each technology. As you compare both sets of features to the unique needs of your remote or hybrid work environment, try to answer the question, can ZTNA replace my VPN?

VPN

Architecture: On-premises

Network Support: Point-to-Point

Access Type: Always trust

Authentication: Local account

Reporting: Simple

Administration: ASL-based access assignment and no application declaration

Agent: Required

Health Check: None

Access Control Policies: None

Support: Depends on the developer/provider

ZTNA

Architecture: Cloud-based

Network Support: Application/resource

Access Type: Never trust, always verify

Authentication: Cloud-based IdP

Reporting: Granular

Administration: Application declaration and fast access assignment

Agent: Optional

Health Check: Hardware and/or software

Access Control Policies: Yes

Support: All modern device and OS types

The choice is yours. But luckily, you’re not alone – Jamf Private Access has your back, front and sides!

Contact Jamf, or your preferred sales representative today to discuss how to protect your device fleet with Zero Trust Network Access technology. Your devices and users will love you for it!

Subscribe to the Jamf Blog

Have market trends, Apple updates and Jamf news delivered directly to your inbox.

To learn more about how we collect, use, disclose, transfer, and store your information, please visit our Privacy Policy.