SDP also makes it easier to block access to resources once suspicious behaviour is detected in your network, effectively isolating potential threats and minimising the damage caused in an attack. In the case of a false positive it also maintains productivity, instead of fully disabling the device and leaving the user unable to do any meaningful work, Duarte adds.
4. Software-defined wide area networks
VPNs depend on a router-centric model that distributes the control function across the network, where routers forward traffic based on IP addresses and access-control lists (ACLs). Software-defined wide area networks (SD-WANs), however, rely on software and a centralised control function that can steer traffic across the WAN more intelligently, handling it according to the priority, security, and quality-of-service requirements the organisation defines, Grunden says.
“SD-WAN products are designed to replace the traditional physical routers with virtualised software that can control application-level policies and offer a network overlay. Additionally, SD-WAN can automate the ongoing configuration of WAN edge routers and run traffic over a hybrid of public broadband and private MPLS links,” Grunden says. This creates an enterprise edge-level network with lower costs, less complexity, more flexibility, and better security.
5. Identity and access management and privileged access management
Solutions that incorporate a comprehensive verification process to confirm the validity of login attempts provide greater protection than traditional VPNs, which in many deployments accept a username and password alone. “A security feature of IAM [identity and access management] is that session activity and access privileges are connected to the individual user, so network managers can be sure each user has authorised access and can track each network session,” says Grunden. “IAM solutions also often provide additional levels of access so that users can only access the resources they are authorised to use.”
While IAM, whether deployed as a VPN alternative or alongside one, manages identity and allows more granular activity monitoring, it does not by itself provide additional protection for privileged credentials. To securely manage the credentials of privileged accounts, privileged access management (PAM) is needed, Grunden adds. “If identity management establishes the identity of individual users and authorises them, PAM tools focus on managing privileged credentials that access critical systems and applications with a higher level of care and scrutiny.”
Such highly privileged accounts must be managed and monitored closely, as they present the largest risk to security and are prime targets for bad actors because of the administrative capabilities they grant. “The key benefits of a PAM solution include advanced credential security like the frequent rotation of complex passwords, obfuscation of passwords, systems and data access control, and user activity monitoring,” says Grunden. “These features reduce the threat of unauthorised privileged credential use and make it easier for IT managers to spot suspicious or risky operations.”
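To make the PAM mechanics Grunden lists concrete, here is an added example (not code from the article or from any PAM vendor) of a toy credential vault: a privileged password can only be checked out by an entitled user, every checkout and denial is written to an audit trail, the secret is masked when displayed, and it is rotated the moment the session is checked back in so the exposed value dies with the session. The account names, users, entitlement table and password policy are illustrative assumptions.

```python
"""Toy privileged-credential vault (added example, not a product's code).

Demonstrates the core PAM controls: entitlement-based checkout, audit
logging, masked display, and rotation on check-in. All names and policy
values below are assumptions for illustration.
"""
import secrets
import string
from datetime import datetime, timezone

# Assumed password policy: 32 characters drawn from a mixed alphabet.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"
PASSWORD_LENGTH = 32


def generate_password(length=PASSWORD_LENGTH):
    """Draw a fresh password from the OS CSPRNG (never random.choice)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class PrivilegedVault:
    def __init__(self, entitlements):
        # entitlements: {account: {users allowed to check it out}}
        self.entitlements = entitlements
        # Vault seeds every managed account with an unknown random secret.
        self.secrets = {acct: generate_password() for acct in entitlements}
        self.checked_out = {}   # account -> user currently holding it
        self.audit = []         # append-only list of audit events

    def _log(self, event, account, user, **extra):
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "event": event, "account": account, "user": user, **extra,
        })

    def checkout(self, account, user, reason):
        """Release the secret only to an entitled user, one holder at a time."""
        if user not in self.entitlements.get(account, set()):
            self._log("checkout_denied", account, user, reason="not entitled")
            raise PermissionError(f"{user} is not entitled to {account}")
        if account in self.checked_out:
            holder = self.checked_out[account]
            self._log("checkout_denied", account, user, reason=f"held by {holder}")
            raise RuntimeError(f"{account} already checked out by {holder}")
        self.checked_out[account] = user
        self._log("checkout", account, user, reason=reason)
        return self.secrets[account]

    def checkin(self, account, user):
        """End the session and rotate: the value the user saw is now useless."""
        if self.checked_out.get(account) != user:
            raise RuntimeError(f"{account} is not checked out by {user}")
        del self.checked_out[account]
        old = self.secrets[account]
        self.secrets[account] = generate_password()
        self._log("checkin_rotated", account, user)
        return old != self.secrets[account]   # True when rotation happened

    def masked(self, account):
        """Obfuscated view for consoles and logs; never print the full secret."""
        s = self.secrets[account]
        return s[:2] + "*" * (len(s) - 4) + s[-2:]

    def events(self, account):
        """Audit view for one account, oldest first."""
        return [e for e in self.audit if e["account"] == account]


if __name__ == "__main__":
    # Constructed sample: alice may use the DB root account, bob may not.
    vault = PrivilegedVault({"root@db01": {"alice"}})
    pw = vault.checkout("root@db01", "alice", reason="CHG-1234 schema migration")
    print("alice sees:", pw)
    print("console shows:", vault.masked("root@db01"))
    vault.checkin("root@db01", "alice")
    print("rotated; old value still valid?", pw == vault.secrets["root@db01"])
    try:
        vault.checkout("root@db01", "bob", reason="curious")
    except PermissionError as exc:
        print("denied:", exc)
    for e in vault.events("root@db01"):
        print(e["event"], e["user"], e.get("reason", ""))
```

Real PAM products add session recording, approval workflows and brokered connections where the user never sees the secret at all, but the flow above is the same: the credential is short-lived, tied to one identity and one reason, and every touch is auditable.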
6. Unified endpoint management tools
Unified endpoint management (UEM) tools can provide a VPN-less experience through conditional access capabilities, whereby an agent running on the device evaluates various conditions before enabling a person to access a particular resource, says Andrew Hewitt, senior analyst at Forrester. “For example, the solution may evaluate device compliance, identity information, and user behaviour to determine whether that person can indeed access enterprise data. Often, UEM providers will integrate with ZTNA providers for added protection.”
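As an added example (not Forrester's or any UEM vendor's code), the following policy evaluator shows what the agent-side decision Hewitt describes looks like when written down: device compliance, identity and behavioural signals are combined into an allow, step-up or deny decision, with a reason list a security operations team can log. The signal names, thresholds and the three-tier outcome are assumptions chosen for illustration; real products expose their own posture attributes.

```python
"""Conditional-access policy evaluator (added example, not a product's code).

A UEM/ZTNA agent gathers device posture, identity and behaviour signals
and decides per resource. Signal names and thresholds are assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up_mfa"   # allowed only after a fresh MFA challenge
    DENY = "deny"


@dataclass
class DevicePosture:
    managed: bool              # enrolled in UEM and reporting
    disk_encrypted: bool
    edr_running: bool
    os_patch_age_days: int


@dataclass
class Identity:
    user: str
    groups: frozenset
    mfa_age_minutes: int       # minutes since last strong authentication


@dataclass
class Behaviour:
    country: str
    usual_countries: frozenset
    failed_logins_last_hour: int


@dataclass
class Resource:
    name: str
    required_group: str
    sensitivity: str           # "low" or "high"


# Assumed thresholds; a real policy would be configured centrally.
MAX_PATCH_AGE_DAYS = 30
MAX_MFA_AGE_HIGH_MIN = 60
MAX_FAILED_LOGINS = 5


def evaluate(dev, ident, beh, res):
    """Return (Decision, [reasons]). Hard failures deny outright; softer
    risk signals downgrade ALLOW to STEP_UP rather than blocking work."""
    # Hard denies: cannot be compensated for by extra authentication.
    if not dev.managed:
        return Decision.DENY, ["device not enrolled in UEM"]
    if res.required_group not in ident.groups:
        return Decision.DENY, [f"{ident.user} lacks group {res.required_group}"]
    if not dev.disk_encrypted or not dev.edr_running:
        return Decision.DENY, ["device fails compliance baseline (encryption/EDR)"]
    if beh.failed_logins_last_hour >= MAX_FAILED_LOGINS:
        return Decision.DENY, ["failed-login threshold exceeded"]

    # Soft risk signals: each one alone warrants a step-up, not a block.
    reasons = []
    if dev.os_patch_age_days > MAX_PATCH_AGE_DAYS:
        reasons.append(f"OS patches older than {MAX_PATCH_AGE_DAYS} days")
    if beh.country not in beh.usual_countries:
        reasons.append(f"login from unusual country {beh.country}")
    if res.sensitivity == "high" and ident.mfa_age_minutes > MAX_MFA_AGE_HIGH_MIN:
        reasons.append("stale MFA for high-sensitivity resource")
    if reasons:
        return Decision.STEP_UP, reasons
    return Decision.ALLOW, ["all signals within policy"]


if __name__ == "__main__":
    # Constructed sample signals for one access attempt.
    dev = DevicePosture(managed=True, disk_encrypted=True, edr_running=True,
                        os_patch_age_days=45)
    ident = Identity("alice", frozenset({"finance"}), mfa_age_minutes=15)
    beh = Behaviour("DE", frozenset({"GB", "IE"}), failed_logins_last_hour=0)
    res = Resource("payroll", required_group="finance", sensitivity="high")
    decision, why = evaluate(dev, ident, beh, res)
    print(decision.value, "|", "; ".join(why))
```

The split between hard and soft signals is the design point worth copying: an unenrolled or unencrypted device never gets in, while an out-of-date patch level or an unfamiliar location only raises the bar, which is what keeps a false positive from turning into a full lockout.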
7. Virtual desktop infrastructure or desktop-as-a-service
Virtual desktop infrastructure (VDI) or desktop-as-a-service solutions “essentially stream compute from the cloud (or from an on-prem server) so that nothing resides locally on the device,” explains Hewitt. Sometimes organisations will use this as an alternative to VPN, but there still need to be checks at the device level along with user authentication to secure the access, he adds. “The benefit of this however is that no data can be copied from the virtual session onto a local client, unlike traditional VPN.”