Technology Now

In this episode we are looking at why people are moving away from Virtual Private Networks, or VPNs, and are navigating towards Zero Trust Network Access, or ZTNAs.

VPNs have largely been unchallenged as the go-to cyber security option for organisations since they first came about in the mid-1990s. However, they do have security flaws which have been exploited by hackers and cyber criminals, leading many to ask whether there’s a more secure solution.

Joining us to discuss why ZTNA is becoming a more popular security option for organisations is Jaye Tillson, HPE’s Director of Strategy in Cyber Security.

This is Technology Now, a weekly show from Hewlett Packard Enterprise. Every week we look at a story that's been making headlines, take a look at the technology behind it, and explain why it matters to organizations and what we can learn from it.

Do you have a question for the expert? Ask it here using this Google form:

About the expert:

Sources and statistics cited in this episode:
No More Chewy Centers:
Revenue generated by the virtual private network (VPN) market worldwide:
Statistics on ZTNA market share:
Forbes report on VPN data leaks:
ISC2 report on users’ cloud security fears:
“String Quartet No. 1, 'Polar Energy Budget'”:
Composing music from climate data:

Creators & Guests

Aubrey Lovell
Michael Bird

What is Technology Now?

HPE news. Tech insights. World-class innovations. We take you straight to the source — interviewing tech's foremost thought leaders and change-makers that are propelling businesses and industries forward.

Aubrey Lovell (00:10):
Hello and welcome back to Technology Now, a weekly show from Hewlett Packard Enterprise, where we take what's happening in the world and explore how it's changing the way organizations are using technology. I'm your host, Aubrey Lovell, and I have some news. Michael's not around today because he just welcomed a new baby to the family. Congratulations, Michael. We're so happy for you and we will do our best to hold down the fort while you're away.

In this episode, we are looking at why people are moving away from virtual private networks, or VPNs, and are navigating towards Zero Trust network access, or ZTNA. So VPNs have largely been unchallenged as the go-to cybersecurity option for organizations since they first came about in the mid-1990s. However, there have been challengers. In 2009, John Kindervag published a research paper called "No More Chewy Centers: Introducing the Zero Trust Model of Information Security." The idea of zero trust network access that came from it has been in the background ever since. That is, until now. So why is ZTNA becoming more popular? Why has it been ignored until now? And what can it do that VPN doesn't do already?

Well, that's what today's episode is all about. So if you're the kind of person who needs to know why what's going on in the world matters to your organization, this podcast is for you. And if you haven't yet, subscribe to your podcast app of choice so you don't miss out. All right, let's get into it.

A ten-year forecast released in 2022 and shared by research company Statista showed that the global spend on VPN would increase significantly from $45 billion in that year to a predicted $350 billion a decade later in 2032. And figures from KuppingerCole Analysts predict that the zero trust network access market won't come close to that, reaching just $7.34 billion in 2025. But when you consider that number is more than double what it was at the start of the decade, you can see which way ZTNA's popularity is heading, and there's a good reason.

Whereas VPN verifies a user in order to protect them from cyber threats by masking their IP address, which is useful when using unsecured Wi-Fi, ZTNA has a never trust, always verify way of making sure access is safe. In other words, it doesn't trust anything inside or outside of an organization's technology. And that can make a difference. A report published in Forbes Magazine highlighted the vulnerability of VPN, especially free VPN providers. Between seven of them, leaks of 1.2 terabytes of data were reported when account logins were listed for sale on the dark web in 2021. And with more businesses migrating to cloud-based storage, ISC2 reports that more than two-thirds of users have serious concerns about cloud security. Which is where today's guest can help us better understand why ZTNA is becoming a more popular security option for organizations. Jaye Tillson is HPE's director of strategy in cybersecurity. So Jaye, VPNs are pretty ubiquitous as a business security tool. What's wrong with them?

Jaye Tillson (03:36):
So I think the issue with VPNs, at least personally, in my opinion, is that people connect to them over the internet, so therefore they're on the internet, which means they can be compromised from the internet. So you've got that massive attack surface. And also when people are connected, they can pretty much go anywhere on your network. They can go east-west, they can move laterally. So if those VPNs happen to be compromised or the user's machine gets compromised, you have an open network, and it's really hard to see what's happening on a VPN.

We're seeing in the press all the time that a lot of these legacy VPN vendors are being compromised on a regular basis now. And I think that's really, really concerning all round. Unfortunately, we have the tools out there to break down that door and that opens everyone up to attack. I'm definitely seeing people wanting to move away from VPNs really, really quickly. So I was speaking at an event last week and I asked the audience to put their hand up if they were using a VPN in their workplace, and like 99% of people put their hand up and I said, "Put your hand up if you view it as a risk," and everybody put their hand up again.

Aubrey Lovell (04:41):
So what is ZTNA and how does it overcome these challenges?

Jaye Tillson (04:45):
I don't necessarily like to call it a new VPN, I prefer to refer to it as remote access, but it is what it says, really. I mean it's zero trust access, specifically to applications or services from the user. So many of the Zero Trust network access vendors work in a similar way. They have a connector on-prem that publishes applications or services outbound. Many of them have that in the cloud as well so that you can publish services outbound. So that removes the threat of the VPN concentrator or firewall being attackable from outside, kind of being on the internet. And what they do is they connect users into those services and just to those services and nothing else. So the user's not put on the network.

And that for me, is where we are seeing people move. And that's where most people are starting their SSE journey. And I know SSE is a whole wider topic, but people are starting that kind of journey to SASE and SSE with ZTNA because of the risks of VPN that we've just talked about.

Aubrey Lovell (05:44):
Jaye, are there any use cases where a VPN is still the best option?

Jaye Tillson (05:48):
There are a number of vendors out there that cannot meet all of the VPN use cases, so therefore in some cases you will be having to keep your VPN. And I refer to those as kind of the 1.0 vendors. They were born before zero trust became a thing and before the pandemic came along. So the use cases they were built to fulfill have changed. So yes, unfortunately in some cases such as third party and contractor access or anything to do with server initiated flows like patching machines or remote control from within the premises or some legacy protocols, they can't do that.

We can fulfill all of those use cases because we were born in an era where things were different. So we understood we needed to be architected differently and we understood what the use cases were around zero trust access and around the pandemic causing a shift in our workforce. But unfortunately in some cases, no. If you've chosen to go down a 1.0 vendor path, you will be encouraged by them to keep your VPN.

Aubrey Lovell (06:52):
Is ZTNA inherently more secure?

Jaye Tillson (06:55):
You've asked a great question. The basis really, is to connect the user just to the application or service. So most of them have what we call a connector, and that connector will sit on the premises of the customer or in the cloud of the customer, and that connector is responsible for creating an outbound connection to the cloud, and then the user will connect from their device to the cloud and then the two will get tied together. That's generally how most of them work, which means there is no VPN concentrator or a firewall sat there being attacked from the internet, and it doesn't give users access to the full network, just to a server or service.

What is slightly different across the vendors is posture checking. For instance, we do a lot of posture checking in the cloud. We can do anything from, is there a certificate on the machine? To, is the disk encrypted? Et cetera, to make sure that you trust the device or can build a profile around the device and you know where the user's connecting from. The user will then go through an IdP, because we posture check every minute. If anything changes within the posture, we can change the level of access. And obviously once the posture checking is fulfilled and the user has gone through their MFA process, they are then given access to the things that have been published and only the things that they should get access to.

Aubrey Lovell (08:19):
Can you give us examples of where ZTNA offers clear benefits?

Jaye Tillson (08:23):
So what we've done within the HPE Aruba Networking SSE platform is we see those other core elements of that architecture as features. They're not independent products. You don't go one place to give access to SaaS and one place to give access to the internet and one place to give access to on-prem. We do it all in a single user interface, single code base, on top of a single data lake. So what that means is, for instance, a user like me that's accessing a multiple array of different services can just use one tool, one look and feel. The IT team can get visibility into what that user is doing and control that access.

So being able to control what you can do within a particular SaaS application, whether you can upload, download, read, write, et cetera. Being able to give access to cloud-based services, infrastructure as a service, platform as a service, et cetera. Being able to control that. Being able to give access to on-prem services all in one UI. And what that also means is we have a number of customers that have approached us that are doing a cloud migration, that have used us to help that cloud migration because what they've done is within our tool, they've given access to an on-prem service and then they've migrated that service to the cloud and it's just a configuration change for the IT team. The users don't know that service has even been moved.

So I've kind of digressed a little bit in answering your question, but it's because we see those other access requirements as features and those core architecture elements of SSE as features, it's very simple.

Aubrey Lovell (09:57):
Thanks, Jaye. There are some amazing insights here and we appreciate your time. And we're going to be talking more to Jaye Tillson about the future of VPN and what ZTNA could mean for you in just a moment. So don't go anywhere.

All righty, it's time for Today I Learned, the part of the show where we take a look at something happening in the world we think you should know about. And now that Michael's not here, I have to take the helm and do this myself. So here we go. So you may think that climate data can only be used to record the state of our planet and its changes over time. Well, think again because a Japanese geo-environmental scientist has used 30 years of satellite climate data from the Arctic and Antarctic to compose a six-minute piece of music called String Quartet Number One, Polar Energy Budget.

And yes, of course we've posted a link to a performance of it in our show notes. Hiroto Nagai used a program to assign sounds to different data values, a process known as sonification. The data was collected between 1982 and 2022 from four different polar sites: an ice core drilling site in Greenland, a satellite station in Norway and two Japanese stations based in the Antarctic. The data he used was based on monthly measurements of radiation, precipitation, cloud thickness, and surface temperature. Then he assigned the data sounds to be played by two violins, a viola and a cello. Although it wasn't quite that straightforward, as he explains in his paper published in iScience: he had to manipulate the pitch of some data points and switch the instruments at points, as well as adding a little rhythm himself.

As to why he did this, well, Nagai says that in contrast to graphics, music evokes emotion. And by using graphs and music together to represent climate data, it could be even more powerful.

All right, so we're heading back to our guest, Jaye Tillson, for an insight into the future of data security. So Jaye, why do you think VPN is still the top-of-mind solution in many organizations?

Jaye Tillson (12:07):
I mean, we've spent many, many years, or at least I have, and people in roles like myself, when I was on the customer side doing architecture, we spent our careers joining networks together and making it fast and efficient for users to be able to get access to services they needed. And that meant that you just gave them blanket access pretty much, to every system, and I don't mean necessarily into the actual system, but they could ping, they could traceroute, they could traverse the network. And when I look at the sins of the past, that's not the way of doing it.

Aubrey Lovell (12:38):
What would your message be to those who still either don't understand ZTNA or aren't interested for whatever reason?

Jaye Tillson (12:46):
VPNs are old technologies. Sometimes even now they're considered by the vendors as their own dead technologies. They don't patch them, they're not firmware-ing them. Therefore they're not secure. We've talked about them being compromised on a daily basis from outside, from the internet, because they're sat there on the internet. And then if you even manage to get downtime to firmware your tools or to patch your tools and to keep them secure, they still then put people on the network directly. So you could spend every day of the week firmware-ing and patching a particular VPN concentrator to allow your users to connect, but then those users are still going to be on your network and being able to go everywhere. So if we look at those things in combination, VPNs are just no longer secure.

Aubrey Lovell (13:36):
Thanks so much, Jaye. It's been great to talk to you. And you can find more on the topics discussed in today's episode in the show notes.

Right. Well, we're getting towards the end of the show, which means it's time for This Week in History, a look at monumental events in the world of business and technology which have changed our lives. The clue last time was: it's 1886, and this invention may have been dry, but it sure had a spark. Did you get it? Well, aren't you bright? It is, of course, the invention of the dry cell battery by German scientist Dr. Carl Gassner. The dry cell battery was a revelation because unlike existing batteries, it didn't require maintenance, was completely self-contained, had no risk of leaking acid everywhere and could be used in any direction and still work.

It was the first battery design that allowed lightweight portable electronics such as flashlights, and is basically unchanged today. It was made of zinc carbon, which is still the material combination of choice for low drain devices like remotes and clocks. That's pretty cool. And the clue next week is it's 1980, let's get connected. Wonder what that could be?

That brings us to the end of Technology Now for this week. Thank you so much to our guest, Jaye Tillson, director of strategy in cybersecurity at HPE. And to you, our listeners, thank you guys so much for joining us. This episode was produced by Sam Datta-Paulin and Al Booth with production support from Harry Morton, Zoe Anderson, Alicia Kempson, Allison Paisley, Alyssa Mitri, Camilla Patel, and Chloe Suo.

Our social editorial team is Rebecca Wissinger, Judy Ann Goldman and Katie Guarino, and our social media designers are Alejandra Garcia, Carlos Alberto Suarez, and Ambar Maldonado. Technology Now is a Lower Street production for Hewlett Packard Enterprise, and we'll see you next week. Cheers.