VPN vs ZTNA

Since the democratization of the Internet at the end of the 1990s, companies have used the VPN (Virtual Private Network) to give their employees private and secure remote access to their information systems. Still deployed in many organizations today, the VPN nevertheless presents some risks to the integrity of information systems. To address them, ZTNA (Zero Trust Network Access) solutions, which are much more secure, are gradually replacing the VPN within organizations.

Glossary: VPN (Virtual Private Network). A VPN is a technology that simulates a local area network between two trusted networks. In practice this allows two elements (workstations, servers, printers, etc.) to communicate with each other even though they are not physically located in the same computer network. Since communication between these two networks passes through a public network in most cases, VPNs incorporate security mechanisms to ensure that the communication cannot be intercepted by a third party, thereby ensuring confidentiality. This technology is very practical for companies deployed in several locations that need to share computer resources, such as file shares. For ease of use, IT departments have also adopted it for teleworking, treating the remote user's workstation as an extension of the company's computer network even though that workstation is not part of a trusted network.

Glossary: ZTNA (Zero Trust Network Access). ZTNA is a name describing products that apply a "Zero Trust", or least privilege, policy to external access. The objective is to give an external user strictly the access he needs to carry out the tasks required by his work, without granting him superfluous rights or access that could represent a risk to the security of the information system. Access policies are defined according to the identity of the user, possibly reinforced by two-factor authentication mechanisms, and his connection conditions, such as the connection location or the health of the terminal used for the connection. ZTNA makes it possible to grant very fine-grained access to the information system, differentiated according to the user, whether he is an internal teleworker or a service provider. This approach strongly limits the risk of intrusion into or infection of the information system.

VPN: connecting two trusted networks

The primary role of the Virtual Private Network is to make two trusted networks communicate with each other. For example, it allows a company to connect two sites through a VPN so that their information systems can exchange data. For convenience, the VPN has also traditionally been used for external access, but by definition, in that case, one of the two sites is not trusted. The operating mode of a VPN is quite simple: a user workstation authenticates itself to a VPN server, which checks its identity against a corporate directory; once the identity is validated, the server authorizes access to a network and thus to the various resources located on it. The VPN is not a totally reliable solution: the press regularly reports attacks based on its vulnerabilities, leading organizations to look for an alternative, the ZTNA. According to Gartner, ZTNA is expected to replace the VPN in companies and become the leading secure remote access solution by 2023.

ZTNA: managing access authorization at the application level

The betterWE social and community platform defines ZTNA as a security model designed to trust no one by default.
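The access-policy model described above (identity from a directory, an optional second factor, the connection location and the health of the terminal, all evaluated per application rather than per network) can be made concrete with a small policy engine. The block below is an added illustration and not Systancia's code: the rule format, the three sample applications, the group names and the sample users are constructed. `vpn_decision` models the VPN behaviour the article describes (one identity check, then the whole network is reachable), while `ztna_decision` re-evaluates every condition for each application and reports why a request was refused.

```python
"""Application-level access decisions in the style of a ZTNA policy engine.

Added illustration, not Systancia's code. The attributes (identity, second
factor, connection location, device health) follow the article; the rule
format, the sample applications and the group names are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class AccessContext:
    """Everything known about one connection attempt at decision time."""
    user: str
    groups: frozenset         # group memberships read from the corporate directory
    mfa_passed: bool          # has a second factor been completed?
    country: str              # connection location
    device_healthy: bool      # endpoint posture check (patch level, AV, ...)


@dataclass
class AppPolicy:
    """Conditions a user must satisfy to reach one application."""
    name: str
    allowed_groups: frozenset
    require_mfa: bool = False
    require_healthy_device: bool = False
    allowed_countries: frozenset = field(default_factory=frozenset)  # empty = anywhere


# Constructed sample policies: access is declared per application, not per network.
POLICIES = {
    "intranet-wiki": AppPolicy("intranet-wiki", frozenset({"staff", "contractor"})),
    "hr-portal": AppPolicy("hr-portal", frozenset({"hr"}),
                           require_mfa=True, require_healthy_device=True),
    "erp-admin": AppPolicy("erp-admin", frozenset({"erp-admins"}),
                           require_mfa=True, require_healthy_device=True,
                           allowed_countries=frozenset({"FR"})),
}


def vpn_decision(ctx: AccessContext) -> set:
    """VPN model: a single identity check, after which the whole network is
    reachable. Every application is returned because nothing narrows it."""
    return set(POLICIES) if ctx.groups else set()


def ztna_decision(ctx: AccessContext, app: str) -> tuple:
    """ZTNA model: every condition is re-evaluated for each application.
    Returns (granted, reason) so that refusals can be logged or shown."""
    policy = POLICIES.get(app)
    if policy is None:
        return False, "unknown application"
    if not (ctx.groups & policy.allowed_groups):
        return False, "user not in an authorized group"
    if policy.require_mfa and not ctx.mfa_passed:
        return False, "second factor required"
    if policy.require_healthy_device and not ctx.device_healthy:
        return False, "terminal failed health check"
    if policy.allowed_countries and ctx.country not in policy.allowed_countries:
        return False, "connection location not allowed"
    return True, "granted"


def visible_applications(ctx: AccessContext) -> list:
    """The list a user sees after authenticating: only what he may request."""
    return sorted(app for app in POLICIES if ztna_decision(ctx, app)[0])


if __name__ == "__main__":
    # Constructed sample user: an external contractor, no second factor,
    # connecting from Germany on a terminal that failed its health check.
    contractor = AccessContext("alice", frozenset({"contractor"}),
                               mfa_passed=False, country="DE", device_healthy=False)
    print("VPN reach :", sorted(vpn_decision(contractor)))
    print("ZTNA list :", visible_applications(contractor))
    for app in POLICIES:
        print(app, ztna_decision(contractor, app))
```

The contrast the article draws is visible in the two return values: the same contractor reaches every application through the VPN branch, while the ZTNA branch only lists the wiki and gives a distinct reason for each refusal, which is exactly what a compliance check needs in order to be "granular" rather than "simple".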
It manages access authorizations at the application level, not at the network level as the VPN does. Architecturally, the ZTNA relies on two building blocks: a mediation server, and one or more gateway servers placed as close as possible to the applications and resources to which access is to be provided. First, the gateway connects to the mediation server to announce that it exists, that it can be contacted, and which resources it can give access to. The user authenticates on the mediation server, which checks his identity against a company directory. Once the identity is validated, the user sees the list of applications to which he can request access. When he requests access to an application, the mediation server contacts the gateway to authorize a communication flow to it, and the gateway establishes the session with the application, not with the network.

VPN vs ZTNA

The ZTNA architecture is therefore much more secure than the VPN architecture. The VPN provides access to a network, whereas the ZTNA provides access to an application or resource, allowing granular access. Concerning traceability, the VPN makes it possible to know who logged in, but once a person is connected there is no information about his or her actions, whereas the ZTNA makes it possible to know who logged in to which resources and, going further, to interconnect transparently with a PAM (Privileged Access Management) tool, which is not possible with a VPN. The ZTNA also makes it possible to provide access to applications very quickly, to declare new accesses and to assign them. They can be assigned without necessarily having a local agent on the user's workstation. The ZTNA allows a very precise conformity check, much more granular than with a VPN. Finally, while the VPN manages only the primary authentication (the account used to authenticate to the VPN to get in), the ZTNA also manages the secondary authentication, i.e. the accounts used to access applications and resources.

Glossary: PAM (Privileged Access Management). PAM is a technology for managing the access and authentication of authorized users, usually information system administrators, to administrative resources or applications. Its main objective is to secure the information system by removing unauthorized access to sensitive resources. This protection rests on two main axes: the management of the injection and life cycle of the passwords used in administered resources and administration applications, and the traceability, in the form of audit or video records, of all actions carried out by connected users who have a power of nuisance over the information system. The users with such power covered by PAM may be internal users of the information system, such as system administrators or users handling sensitive data, as well as external users such as outsourcing providers or remote maintenance personnel.

Glossary: primary and secondary authentication. Authentication allows a user to prove his or her identity before accessing a resource or service. Primary authentication gives the user access to the workstation (Windows login). Several authentication modes can be offered to users: login and password, smart or contactless cards, biometrics, mobile, etc. To classify an authentication mode, it is enough to rely on the three-factor principle: "What do I have?", "What do I know?", "Who am I?". The answers to these questions make it possible to say whether a given authentication method is single-factor or two-factor. Secondary authentication is the access of a user to an application from an open session on a workstation. The application can be of any type: web, client-server, local to the workstation or external.

Comparison summary

| Criterion                 | VPN                                                      | ZTNA                                                |
|---------------------------|----------------------------------------------------------|-----------------------------------------------------|
| Architecture              | Simple barrier                                           | Double barrier                                      |
| Architecture              | Mono site                                                | Multi sites                                         |
| Access                    | Network                                                  | Application/resource                                |
| Traceability              | Who logged in                                            | Who logged in to what                               |
| Traceability              | Not interconnectable with PAM                            | Transparent interconnection with PAM                |
| Administration            | No application declaration and complex access assignment | Application declaration and fast access assignment  |
| Agent                     | Necessary                                                | Access possible without an agent                    |
| Conformity check          | Simple                                                   | Granular                                            |
| Authentication management | Primary authentication management                        | Primary and secondary authentication management     |

Discover Systancia Gate, the "zero-trust" private network access solution.
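The two-block architecture described above (a gateway that registers with the mediation server, a user who authenticates on that server and then requests one application at a time, a session opened by the gateway to the application rather than to the network) and the "who logged in to what" traceability in the comparison table can be walked through in code. The block below is an added illustration and not Systancia's code: the class names `MediationServer` and `Gateway`, the ticket mechanism, the in-memory directory, the credentials and the resource names are all constructed.

```python
"""Brokered access flow of a ZTNA deployment, with the audit trail it yields.

Added illustration, not Systancia's code. The message sequence follows the
article (gateway registration, authentication on the mediation server,
per-application authorization, session to the resource). Class names, the
in-memory directory, the credentials and the resource names are constructed.
"""
from collections import defaultdict
import itertools


class Gateway:
    """Sits next to the applications; only opens sessions the broker approved."""

    def __init__(self, name, resources):
        self.name = name
        self.resources = set(resources)
        self.sessions = []          # (ticket, user, resource) tuples

    def open_session(self, user, resource, ticket):
        # The session targets one declared resource, never the surrounding network.
        if resource not in self.resources:
            raise ValueError(f"{self.name} does not front {resource}")
        self.sessions.append((ticket, user, resource))
        return ticket


class MediationServer:
    """Broker between users and gateways; keeps the audit trail."""

    def __init__(self, directory):
        self.directory = directory  # user -> set of resources he is entitled to
        self.gateways = {}          # resource -> Gateway that fronts it
        self.audit = []
        self._tickets = itertools.count(1)

    def register_gateway(self, gw):
        # Step 1: the gateway announces itself and the resources it can reach.
        for resource in gw.resources:
            self.gateways[resource] = gw
        self.audit.append(("gateway-registered", gw.name, sorted(gw.resources)))

    def authenticate(self, user, password, credentials):
        # Step 2: identity check against the directory (constructed password table).
        ok = credentials.get(user) == password
        self.audit.append(("login", user, "success" if ok else "failure"))
        return ok

    def list_applications(self, user):
        # Step 3: the user only sees applications he may request and that a gateway fronts.
        return sorted(r for r in self.directory.get(user, ()) if r in self.gateways)

    def request_access(self, user, resource):
        # Step 4: per-application authorization, then the gateway opens the session.
        if resource not in self.directory.get(user, ()):
            self.audit.append(("access-denied", user, resource, "not entitled"))
            return None
        gw = self.gateways.get(resource)
        if gw is None:
            self.audit.append(("access-denied", user, resource, "no gateway"))
            return None
        ticket = next(self._tickets)
        self.audit.append(("access-granted", user, resource, gw.name))
        return gw.open_session(user, resource, ticket)


def who_did_what(audit):
    """The traceability the article attributes to ZTNA: per user, which resources."""
    seen = defaultdict(list)
    for entry in audit:
        if entry[0] == "access-granted":
            seen[entry[1]].append(entry[2])
    return dict(seen)


def run_demo():
    """Constructed walk-through: one gateway, one user, one allowed and one denied request."""
    credentials = {"bob": "correct horse"}        # constructed
    directory = {"bob": {"crm", "wiki"}}          # constructed entitlements
    broker = MediationServer(directory)
    gateway = Gateway("gw-paris", ["crm", "wiki", "payroll"])
    broker.register_gateway(gateway)
    if not broker.authenticate("bob", "correct horse", credentials):
        return None
    apps = broker.list_applications("bob")
    granted = broker.request_access("bob", "crm")      # entitled: ticket issued
    denied = broker.request_access("bob", "payroll")   # fronted, but not entitled
    return apps, granted, denied, who_did_what(broker.audit), len(gateway.sessions)


if __name__ == "__main__":
    print(run_demo())
```

Note what the audit trail contains: a VPN log in the article's description would stop at the `login` entry, whereas here every `access-granted` and `access-denied` entry names the resource, which is the "who logged in to what" column of the comparison table and the hook a PAM tool would consume.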