Video: VPN Patching. The Job Security You Never Wanted. Time for ZTNA. | Duration: 2044s | Summary: VPN Patching. The Job Security You Never Wanted. Time for ZTNA. | Chapters: VPN Security Challenges (18.415s), VPN Security Challenges (88.88s), VPN Security Challenges (200.65001s), ZTNA vs VPN (323.81s), ZTNA vs VPN (427.56s), Zero Trust Architecture (553.37s), M&A Use Case (730.705s), ZTNA Architecture Conclusion (852.58s)
Transcript for "VPN Patching. The Job Security You Never Wanted. Time for ZTNA.": Welcome, everyone. Today, we are addressing one of the critical challenges for many IT teams: what can feel like the endless cycle of VPN security vulnerabilities that need patching. I'm Rich Beckett, and joining me today I have Humza Ismaiel. Over the next thirty minutes, we're gonna dive into why VPNs have really become the job security that none of us asked for. Right? They are keeping us very busy with patching, but we really wanna be breaking free of that. Through the session, we'll explore how zero trust network access, or ZTNA, can simplify your security. It can help boost performance, and it can improve the user experience. And, ultimately, we wanna set you free from patching those vulnerabilities so you can focus on the other modernization projects you wanna be focused on. Through the session, there is a Q&A panel to the right of your screen. Please feel free to add any questions you've got in there, and we can answer those at the close. So with that, let's get started. Now imagine you have a leaky roof like this. Every rainfall, new leaks are appearing. You patch one, but each fix is temporary, and soon enough another leak emerges. That's gonna leave you in this endless cycle of maintenance. Well, that's become the stark reality of VPNs. It's exactly like that leaky roof. Organizations keep applying these patches, but with each update, another vulnerability surfaces. And that's led us to the point now where, in a recent study, fifty four percent of organizations have experienced a VPN related security incident in the last year. Now VPNs are deliberately targeted like this by attackers because they know that these systems frequently fall behind in terms of security patches.
And so this constant state of catch-up for IT teams and security teams just drains resources. It dramatically increases organizational risk, and it's just not sustainable. So what are the challenges of a legacy VPN? Well, if we use the good old analogy of a castle and moat here, we were in this situation where our applications and our data were in the data center, and our users were in the office. But that's no longer the case, and it hasn't been for a little while now. Today, we've got our users, our data, and our applications spread everywhere. We've got a very distributed environment, we've got many different platforms that we're using, and we no longer have the control we used to have with the legacy VPN. After all, it was great for admins to be able to log in, access everything, and fix issues. Not so good in terms of users. Now what are some of those challenges we have with a legacy VPN solution? Well, first off, we've got our castle here built out of stone, needing to be repaired over time. VPNs are the same. They require regular firmware updates, which, unfortunately, are often neglected, so that creates a persistent vulnerability for your organization. Next, you've got this poor user experience. Wherever those users are based geographically, with a VPN you still have to backhaul that traffic to your data center to get access to your applications. And next, we have the visibility element. With a traditional VPN, because it's connecting your devices to networks, we just don't have the granular visibility that you, as a security practitioner, are gonna need to understand the applications that those users are accessing. And then we have things like the networking component here.
That can lead to many different challenges: routing, dealing with different routing protocols, dealing with different point product solutions, having to manage acquisitions that need to be onboarded into the infrastructure, which can lead to challenges in terms of IP renumbering, overlapping IP addresses, and just huge complexity from a networking point of view. And then finally, we come back full circle to security. VPNs typically grant broad network access. It is an all or nothing kind of situation, and that enables lateral movement, if those credentials are compromised, to the applications and the data sitting within them. It's generally just too permissive, if you like, so we have a weak security posture as a result. Now we can see that in recent examples. We saw this one recently of a traditional VPN solution that was targeted in a huge cyber attack. And the reasons for this were pretty simple: the users of that solution at the time were able to access anything in the network, and they had free rein to effectively anything they wanted. And there was no visibility of what they were accessing or of the data. Now if we do a side by side comparison of VPNs and zero trust network access, you can start to see the value it brings for the organization. We wanna release you from that endless cycle of VPN patching, but VPNs require you to perform regular updates. And as we saw in the threat stats a little earlier on, those patches are often neglected, leading to a weakness in your security posture. Now, coming clean for a minute, VPN is, sorry, zero trust network access is still software. So it's never gonna completely disappear. But being cloud delivered, ZTNA solutions benefit from much more rapid updates, continuous patching, and automated security policy enforcement.
And that's gonna eliminate the dependency on specific hardware appliances, for instance. It's also gonna significantly decrease the risk and create much more operational efficiency within the team, because you're not tied up in those regular break/fix scenarios. Now if we look at some of the other challenges around VPNs, it's all about putting connectivity at the forefront and security as the afterthought. VPNs will connect the user first, and they will provide the authentication later. But VPNs also have very coarse grained access, which is effectively an all or nothing situation. So when the user is connected to the VPN, they will have access to anything on that network or nothing at all, and there's no middle ground to differentiate that. It's also gonna open up many different ports, visible to internal and external threats. And it's all about connecting the devices to the network itself. So if we compare that to ZTNA, well, ZTNA just flips this whole approach. It is all about authentication first, so security can be at the forefront of that conversation, and providing the connection afterwards. It's providing very granular visibility and granular access controls to constrain that lateral movement. That is a real key point of ZTNA. And it's using an inside-out architecture. So with VPN, it's providing both the inbound and the outbound connection. With ZTNA, it's only providing an outbound connection to the ZTNA platform itself. So it's hiding any of those assets that you may have within your infrastructure. But most importantly, ZTNA is about providing connectivity for specific users to specific applications at that moment. And, ultimately, it's still providing, should I say, remote access.
It's not taking anything away from the VPN you may have in place today from that point of view; it's instead just enhancing the level of security that this solution can bring. Now in terms of connectivity, it's fully end to end encrypted. So when the user connects to the application, due to the architecture that a ZTNA platform will use, all of those connections are encrypted, and it makes it impossible for a man in the middle attack to occur. So, all this said, as organizations move forward, they are increasingly accelerating away from VPN to zero trust network access, either as a standalone solution or as part of a secure access service edge (SASE) or security service edge (SSE) platform. And by doing that, it's enabling you to align data security solutions within that stack and zero trust principles across your network and security services. And this is what the Netskope One platform can give you. Netskope Private Access, which is our ZTNA solution, is a foundational component of our security services. So we offer security, network, and analytics services all as part of this single SaaS platform we call Netskope One. And so wherever those users are based geographically, whether they are remote outside of the office or whether you're still looking at securing the connection from branch offices, those connections are gonna be passed through our global NewEdge network infrastructure. And then at its core, you have the zero trust engine. What that's doing is enforcing least privilege access, continually collecting and verifying signals and context that may require adapting trust levels. So we've talked about using the context as part of this ZTNA solution.
This allows you to identify identity, location, device health risks, and a whole bunch more to provide that very specific, in the moment access from a user to an application. And by using this, we can provide that secure zero trust access to all those applications, be they hosted in the public cloud, the private cloud, or still in your own infrastructure, in your own data centers. So the transition to ZTNA is not just about replacing VPNs. It's about adopting a fundamentally more secure, adaptive, efficient approach to access security, one that aligns with the realities of a modern dispersed workforce and the cloud first IT strategies that you're gonna have in place. Now to get you thinking about some of the potential benefits for your business, here are our top six use cases that we talk to customers about most. Given the time today, we're just gonna focus on one. So I'll pick on mergers and acquisitions, because this tends to be a really important one for a lot of organizations. Now we all know that onboarding large groups of users to any environment is a balancing act. And that access to those environments and applications is often correlated to the success of the program and how quickly it can be done. So ZTNA enables your security team to provide quick, cautious access on your own terms, terms that can then be refined with increasing granularity as the requirements and your understanding of those new employee groups become better understood. So you can provide day one access, so you've got that immediate time to value benefit as this new group of users comes online. You can then eliminate some of the complexity of combining networks or setting up new VPN infrastructure, as access can be enabled for the specific application with specific policies for specific users. And that would previously have been based on implicit trust.
So, be it the IP address or the user's network location. Now that's replaced with explicit trust, or explicit adaptive trust, if you like: looking in the moment at the context of that user's identity, their device, the hygiene of that device, and a lot of other facets of context to define who can access what and when. But those are the use cases. How does this actually work? For that, I'm gonna hand over to Humza, who's gonna explain how this looks. Well, thank you very much, Rich. And, again, thank you all for joining today's webinar. We are pleased to have you here. So I'll be speaking to you about how ZTNA works from an architecture perspective. With zero trust network access, there are two main fundamental components to the architecture. First, the ZTNA gateway, otherwise known as the Netskope publisher, and second, the ZTNA broker, which we call the Netskope NewEdge network. Now as an administrator who is administering the infrastructure, when you associate your private applications with the ZTNA gateway, the ZTNA gateway will then communicate out to the ZTNA broker in order to provide that connectivity between the user and your private applications. And from an end user perspective, there are two main things that we need to validate. Number one is the identity, ensuring that the user is authenticated via an identity provider. And number two is the posture of the device that they are coming from. As long as we can validate those two elements, then we can allow the user to successfully connect to the private applications via the ZTNA broker and the ZTNA gateway, thus achieving three main things: shrinking the attack surface, limiting lateral movement, and ultimately improving the end user experience. Now with Netskope One Private Access, we can bring many benefits. Number one, we can provide a high satisfaction rate for hybrid workers.
We can reduce the risk of users choosing less secure options for performance, and we can reduce the need to rely on legacy VPN technologies by providing a direct-to-net connectivity model. So with this architecture here as an example, the Netskope One client will speak to the NewEdge network, where we have 75 regions globally distributed. And from there, the user can successfully connect to any endpoint initiated application, either using a web protocol or a non web protocol, and even connect into server initiated applications, the likes of VoIP platforms or remote assistance software, where a user in the head office may want to connect to the user base remotely. Now looking more deeply into the Netskope One Private Access architecture, we have three different use cases. Number one, we have our remote and campus users, and for that, they will be using the Netskope One client. And we also have bring your own device users or contractors that could be coming either from the enterprise browser or from reverse proxy technologies. Once the users are connected into the Netskope NewEdge network, the gateway and the stitcher will then connect the end user to the private applications, whether they are hosted in the public cloud or in a corporate data center. And the responsibility of the stitcher is to manage the load between the publishers and to achieve high availability and redundancy for those failover scenarios. So let's see how this works. From an administrator's perspective, inside your Netskope tenant, we have the client configuration. And inside the client configuration, we have an option available to upgrade the clients automatically to the latest release. This immediately addresses the challenges that we have for VPN patching today. By being able to automatically upgrade the clients to the latest software version, this reduces the need for administrators to manually manage those different versions.
So here, we have the options to upgrade the client either to the latest release, the latest golden release, or a specific golden release if we are running an n minus one or n minus two upgrade method. We also have the option to show an upgrade notification to inform the users of when the client will undergo an upgrade, and we have the ability to set a time and frequency for the upgrade itself. The other point on how we can address the challenges with patching today is by being able to automatically upgrade the publishers as well. So once the publishers are deployed in your environment, we can also enable an auto update profile. We can see one here as an example. We have set the publishers to upgrade to the latest release every Saturday at 10AM. And, of course, you can create multiple profiles for different regions or different locations depending on where the publishers are hosted, and that allows you to easily and flexibly apply upgrades automatically to the publishers and, again, reduces the need for administrators to manage those different versions. Once the publishers are in place and we've configured the Netskope client, we can then start creating your private applications. Private applications can be anything across servers; it could be any type of application that you are hosting in your environment. And we have a really powerful way of discovering your applications. With that discovery, when you specify the domain that you are using in your environment, we can then associate this domain with the publisher and tie it down to specific users, for best practice. Once this has been enabled and configured, the publisher will receive any new connections based upon the domain that you specified here and will automatically discover those applications and build them into your Netskope tenant for a smooth and easy onboarding.
Once those applications have been discovered, we can start creating them as actual private apps. So here, we can specify the name of an application. If we want to access this via a browser or, as I mentioned, an enterprise browser, you can specify an IP address, an FQDN, or a domain, and we can even allow the administrator to select which protocol we want this application to be accessed on in the browser. Is it gonna be based on web, or RDP, or even SSH? Otherwise, again, you can enter a specific IP address, FQDN, or domain in the host field. You can select the protocol and port number. And then once you've selected the publisher, we would then specify if DNS resolution is to be provided on the publisher side or on the client side. And we also support tagging for private applications to allow a smoother and more streamlined way of managing and operating your ZTNA policies. Now in terms of how we validate the device that the users are connecting from, we have device classification. With device classification, we support custom labels, and these custom labels allow the administrator to easily identify the risk level of a particular endpoint. So as an example here, we have configured three different labels, one for high risk, one for medium risk, and one for low risk. Within high risk as an example, what we're looking for are a few different parameters. First of all, does the endpoint have BitLocker encryption enabled? Secondly, does the endpoint have the latest version of Microsoft Defender running? And is there a minimum OS edition available on the system? Once you've configured all of this, we can now move over to our real time protection policies, where you actually bring all of this together and enable the users to connect to those private applications using our zero trust engine platform. So we've got a few different use cases here.
Number one, if a user from a high risk device attempts to connect to a specific private application, that action will be blocked and the user will be notified with a user notification message. Secondly, if a user attempts to access one of our applications and their device is seen as low risk, we are, of course, going to allow the user to successfully connect to that particular private app. And thirdly, if a user using the enterprise browser, or using the browser access reverse proxy method, is attempting to connect to one of our private applications based on SSH or RDP, again, that connection will be allowed. And all of these activities are recorded in real time within the Netskope platform. So let's take this endpoint as an example. Right now, the endpoint has the Netskope client running, and inside the client configuration we can see that the current status of this device is seen as high risk. So if this user attempts to access a particular application hosted in the data center, we can see that the access has been denied. The user is provided with a user coaching message, and we can see that this device is rendered as noncompliant due to the high risk status, and we need to contact the IT support team for further assistance. Now, of course, this message can be customized. You can add your own corporate logo in there, you can change the text, and you can add your own hyperlinks if you wanna redirect users to certain pages. But here, we can immediately see that we've implemented zero trust network access by monitoring the identity and the posture of the device when they are trying to access a private application. However, if we now come to a different endpoint and look at the status of this particular machine, we can see within the Netskope client configuration that the current device classification status is seen as low risk.
So if that user now attempts to access that particular server that we tried on the previous endpoint, we can see now that the connection has been allowed, and the user has successful connectivity into this application using SSH. And in this case, we are actually connected into our Netskope publisher that we're hosting in our data center. Another use case that we have is using the enterprise browser. So if I now disable the Netskope client, we can emulate a user that could be a contractor, or could be a user bringing their own device into the business, and they do not have a Netskope client installed. However, they are running the Netskope Enterprise Browser, and this browser is a hardened Chromium browser providing easy and secure access into your environment and applications. This is essentially a thin client where all the traffic is being steered through to the NewEdge network, and all of the traffic is egressing out using one of our Netskope IP addresses. So the scenario here is that a user that does not have a Netskope client installed has the enterprise browser running, and now they want to connect to a particular machine hosted within your data center. And in this case, they're connecting to a server running SSH. And, again, within the browser, they can interact with it normally, as they would, and it allows the user to easily and securely connect to your infrastructure without the need for any type of agent running on their endpoint. So, hopefully, you were able to get some useful insights on how Netskope One Private Access works in your environment, and now I'll hand it back over to Rich. Thank you, Humza. I think that's really helpful, obviously, to see it in real life. So thank you so much for taking us through that. Right.
So in terms of wrapping up, I just wanted to touch on the benefits of ZTNA for everyone, in terms of what a ZTNA solution can really offer you and your organization. Now, firstly, I think proactive security is one of the big things here. Those VPN concentrators sitting in a server room behind the firewall, with vulnerabilities that maybe haven't been patched in a fair while, create an open door for attackers to compromise not only the appliance itself, but potentially the entire network, the applications, and the data sitting behind it. On the other hand, cloud based ZTNA solutions benefit from the customizable, automated patching schedules that Humza has just taken us through. They eliminate the dependence on specific hardware appliances, so they're significantly decreasing the risk, and they're significantly increasing the operational efficiency of your team. We don't want this to be the job security that you really don't want. We wanna get you off those tasks and into something more strategic and more forward thinking. Next, ZTNA is all about flipping the access first approach of legacy VPNs. ZTNA is all about authentication first, so security is at the forefront, and it's providing the connection afterwards. So you get much more granular visibility and granular access controls based on the context, to constrain lateral movement and connect those specific users to specific applications at that point when the trust is there. And then lastly, but I think one of the most important as well, is this frictionless user experience. If you have an experience problem, you're gonna have a security problem. People are gonna switch things off.
We've all been there, right, whether the VPN is switched off when the user experience is too painful, whether that authentication process is clunky for the end user, or you've got performance issues and they can't get their job done. We must provide, and ZTNA does this, a frictionless experience that replaces those legacy approaches of backhauling all that remote user traffic to the corporate DC for security inspection, and then, on top of that, your corporate network adding latency to the whole equation as well. This just leads to help desk tickets and complaints about slow Internet access and dropped connections, and we don't really want to be there. But if we do a very quick example as we close out, imagine you're a company operating in multi cloud, which is pretty much every company these days. You might have some apps in AWS and some apps in Azure. Each comes with a native VPN. And your DevOps team, those users, are having to remember which VPN to use for which application or service. People don't wanna think about that. They just want to get their work done. They wanna be efficient, and they wanna get on with their day, just like you, just like all of us. And on that note, I'll leave you with these recent figures from the Total Economic Impact report from Forrester for the Netskope One platform that was recently produced. This is all about showing the operational efficiencies, the cost savings, and the experience improvements that are made possible with Netskope. So please check it out. We'll add a link in the resources section of the webinar today, and this is a fully customizable report as well. So you add your own facts and figures in there in terms of your company size, etcetera, and that'll give you bespoke results. So please check that out afterwards.
And with that, I think we just wanted to say thank you very much for joining us today. I hope it's been useful. We did mention at the start that you'd be able to enter questions as we ran through the session today. So I'll take just a minute's pause, and I think Humza will come back on to the screen, and we'll answer any of the questions you might have. So, Humza, I think we've got a couple of technical ones here in terms of how the platform's working and how the solution's working. The first one is around how quickly and easily the solution can be deployed. It probably comes back to one of the slides about M&A in terms of day one access. Yeah. Well, we just saw the demo there on the speed at which you can onboard not only the publishers but also the private applications. From a publisher perspective, it is literally a case of deploying that using a virtual machine template, or via one of our public cloud marketplaces. And once the publishers are deployed, you would just need to configure some network settings such as DNS, so it knows how to perform domain resolution. And then from a Netskope client perspective, the Netskope client can be easily deployed to endpoints using one of your identity provider solutions or your software deployment tools. The client can be installed in a transparent manner as a silent deployment, and it will automatically enroll the users and activate the tunnel to the NewEdge network. So all of those things can be distributed in a very quick and efficient way. Fantastic. And then just one more, which is more on the visibility side. How do you get visibility of user performance to those private applications? Great question. So this brings in our digital experience management solution.
So with DEM, this allows administrators to easily identify any performance issues that are occurring in a user's environment. With DEM support for Netskope One Private Access, this provides you with an end to end view of where the latency could be occurring, or where some performance challenges could be. Is it on the endpoint side, due to some device health reasons? Is it on the ISP side, or is it actually in one of our Netskope data centers where there could be some challenges, or is it actually in your environment where the publishers are hosted? So we provide you with that end to end visibility of those performance challenges, and it can easily allow you to identify the root cause and then take action from there. Fantastic. Thanks so much for that. I think that brings us to the end of the questions for today. So it just leaves us to say thanks very much. I hope this has been a helpful session today. I hope we can make your jobs just that little bit more efficient so you can get things done. And, yeah, thank you very much for attending. Have a great day. Thank you, Walt.
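The device classification and real time protection policy flow shown in the demo above (risk labels derived from BitLocker, Defender version and OS edition; an ordered rule set that blocks high risk devices with a notification, allows low risk devices, allows browser based access to SSH/RDP apps, and records every decision) can be modelled as a small ordered policy evaluator. The Python below is an added illustrative example written for this transcript; it is not Netskope code and does not describe how Netskope Private Access implements its engine. The version threshold, the OS edition list, the way failed checks map onto the three labels, the rule order and the explicit default deny at the end are all assumptions chosen for the example, and the sample endpoints are constructed.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed baselines for the example; a real tenant defines its own values.
MIN_DEFENDER_VERSION = (4, 18)                       # assumed "latest" Defender platform version
ALLOWED_OS_EDITIONS = {"Windows 11 Enterprise", "Windows 11 Pro"}  # assumed minimum editions


@dataclass
class DevicePosture:
    disk_encrypted: bool            # BitLocker enabled?
    defender_version: tuple         # e.g. (4, 18)
    os_edition: str


@dataclass
class AccessRequest:
    user: str
    authenticated: bool             # identity verified by the IdP
    access_method: str              # "client" (agent) or "browser" (enterprise browser / reverse proxy)
    app: str
    protocol: str                   # "web", "ssh", "rdp", ...
    posture: Optional[DevicePosture]  # None when no client is installed to report posture


@dataclass
class Decision:
    rule: str                       # which rule produced the decision (for the audit record)
    action: str                     # "allow" or "block"
    notify_user: bool = False       # show a coaching message?


def classify_device(p: Optional[DevicePosture]) -> str:
    """Map the three posture checks onto the demo's labels (assumed thresholds)."""
    if p is None:
        return "unknown"
    failures = sum([
        not p.disk_encrypted,
        p.defender_version < MIN_DEFENDER_VERSION,
        p.os_edition not in ALLOWED_OS_EDITIONS,
    ])
    if failures == 0:
        return "low"
    if failures == 1 and p.disk_encrypted:
        return "medium"
    return "high"                   # unencrypted disk, or two or more failed checks


# Ordered rules: first match wins, so the high risk block is evaluated before any allow.
Rule = Callable[[AccessRequest, str], Optional[Decision]]


def rule_block_high_risk(req: AccessRequest, risk: str) -> Optional[Decision]:
    if req.access_method == "client" and risk == "high":
        return Decision("block-high-risk", "block", notify_user=True)
    return None


def rule_allow_low_risk(req: AccessRequest, risk: str) -> Optional[Decision]:
    if req.access_method == "client" and risk == "low":
        return Decision("allow-low-risk", "allow")
    return None


def rule_allow_browser_ssh_rdp(req: AccessRequest, risk: str) -> Optional[Decision]:
    if req.access_method == "browser" and req.protocol in ("ssh", "rdp"):
        return Decision("allow-browser-ssh-rdp", "allow")
    return None


RULES: List[Rule] = [rule_block_high_risk, rule_allow_low_risk, rule_allow_browser_ssh_rdp]

AUDIT_LOG: List[dict] = []          # every evaluation is recorded, as the demo shows


def evaluate(req: AccessRequest) -> Decision:
    """Identity first, then device posture, then the ordered rules; unmatched requests are denied."""
    risk = classify_device(req.posture)
    if not req.authenticated:
        decision = Decision("identity-not-verified", "block", notify_user=True)
    else:
        decision = None
        for rule in RULES:
            decision = rule(req, risk)
            if decision is not None:
                break
        if decision is None:
            decision = Decision("default-deny", "block")   # no implicit trust for unmatched cases
    AUDIT_LOG.append({"user": req.user, "app": req.app, "protocol": req.protocol,
                      "method": req.access_method, "risk": risk,
                      "rule": decision.rule, "action": decision.action})
    return decision


if __name__ == "__main__":
    # Constructed sample endpoints mirroring the demo: a high risk laptop, a low risk one, and BYOD.
    high = DevicePosture(disk_encrypted=False, defender_version=(4, 10), os_edition="Windows 10 Home")
    low = DevicePosture(disk_encrypted=True, defender_version=(4, 18), os_edition="Windows 11 Enterprise")
    for req in [
        AccessRequest("alice", True, "client", "jump-host", "ssh", high),
        AccessRequest("bob", True, "client", "jump-host", "ssh", low),
        AccessRequest("carol", True, "browser", "jump-host", "ssh", None),
        AccessRequest("dave", True, "browser", "intranet", "web", None),
    ]:
        d = evaluate(req)
        print(f"{req.user:6} {req.access_method:8} {req.protocol:4} -> {d.action:5} ({d.rule})")
```

Two design points worth noting: the identity check runs before any posture or rule logic, mirroring the "authenticate first, connect afterwards" ordering the session describes, and a request that matches none of the configured rules is denied and logged rather than falling through to an allow, which is what keeps the policy from quietly becoming the VPN's all or nothing behaviour.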