
VPN vs ZTNA - Based on the Customer Interactions

Murugavel Muthu | June 7, 2023



Customer interactions are mostly "Cull the Noise and Find the Signal" moments.

A few weeks back, I was pitching the benefits of ZTNA over VPN to a CIO/CISO and how it can result in a multi-fold reduction in attack surface, thereby hugely mitigating the risk of data breach and ransomware attacks.

I quantified the reduction in the critical network access attack surface of up to 80% to 93% compared to traditional VPN.

But the CISO quipped about how this could possibly be achieved. Then I talked about

  • Least privileged access
  • Micro-segmentation
  • Device trust
  • Location
  • Time
  • Dynamic evaluation, etc.

based on the security context for the Allow/Deny decision. Then, I realized that my explanation was not convincing enough.


Once back, I started looking for a simple model that could help easily compare traditional VPN/remote access with ZTNA. Then I came across the Kipling Policy Method that's referred to in Zero Trust Architecture resources, which is well structured.


I applied Kipling's Method for this use case as shown below:



[Figure: Kipling Method applied to traditional VPN vs ZTNA]


where one can see a manifold improvement in the security of ZTNA over traditional VPN.
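The Allow/Deny decision described above can be made concrete with a small model. This is an added example, not code from the original post or from any product: it counts the apps one session can reach under a flat VPN and under a context-evaluated ZTNA policy. The app names, roles, policy rows and the mapping of Kipling questions to fields are assumptions constructed for illustration, and the resulting percentages describe this constructed inventory only.

```python
from dataclasses import dataclass, replace
from datetime import time

# Constructed inventory of ten internal apps; every name here is hypothetical.
APPS = ["git", "ci", "wiki", "hr-portal", "payroll", "erp", "crm",
        "db-admin", "backup", "monitoring"]

@dataclass(frozen=True)
class Request:
    role: str             # who
    app: str              # what
    at: time              # when
    country: str          # where
    device_trusted: bool  # how (device posture)

# Hypothetical ZTNA policy: role -> (allowed apps, countries, window start, window end)
POLICY = {
    "developer": ({"git", "ci", "wiki"}, {"IN", "US"}, time(7), time(20)),
    "hr": ({"hr-portal", "payroll"}, {"IN"}, time(9), time(18)),
}

def vpn_allows(req: Request) -> bool:
    """Flat VPN model: an authenticated tunnel reaches every app on the network."""
    return True

def ztna_allows(req: Request) -> bool:
    """Evaluate every request against its context; anything unmatched is denied."""
    rule = POLICY.get(req.role)
    if rule is None:
        return False
    apps, countries, start, end = rule
    return (req.app in apps and req.device_trusted
            and req.country in countries and start <= req.at <= end)

def reachable(allow, base: Request) -> list:
    """Apps the session behind `base` could reach under the given access model."""
    return [a for a in APPS if allow(replace(base, app=a))]

def reduction_percent(base: Request) -> int:
    """Percentage of VPN-reachable apps that ZTNA removes for this session."""
    vpn, ztna = len(reachable(vpn_allows, base)), len(reachable(ztna_allows, base))
    return 100 * (vpn - ztna) // vpn

if __name__ == "__main__":
    dev = Request("developer", "git", time(10, 30), "IN", True)
    print(reachable(ztna_allows, dev), reduction_percent(dev))
    # Same user on an untrusted device: the decision flips to deny for every app.
    print(reachable(ztna_allows, replace(dev, device_trusted=False)))
```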


