VDI vs ZTNA for Unmanaged Devices

Wondering what everyone’s thoughts are on best security practices for remote access when deciding between ZTNA, VDI or VPN.

Our medical facility is currently looking into providing our employees with remote access to internal applications, such as EMR and SAP. This would be via their devices (unmanaged).

We’ve been eyeing ZTNA and SASE solutions, specifically Palo Alto Prisma, Zscaler or Fortinet.

Or do organizations still rely on solutions like Citrix XenApp/VDI for such requirements? If yes, why do ZTNA solutions exist?

We would rather not use traditional SSL VPN clients for access to internal resources, especially from personal devices.

Business objectives

  1. Access to our internal medical applications for our employees.

  2. Vendors should be able to remotely access our internal servers (using RDP) for support.

Any recommendations would be greatly appreciated. Thanks in advance!

VDI would be my only option if you’re looking at unmanaged devices.

ZTNA still requires management of the client device in some manner where VDI typically only requires a plugin or a compatible browser.

Navigating the best security practices for remote access, especially in a medical facility where data sensitivity is paramount, requires a balanced approach between security, usability, and manageability. Given your requirements—remote access to internal applications like EMR and SAP, and vendor access for RDP support—alongside the preference to move away from traditional SSL VPN due to personal device usage, the debate typically falls between Zero Trust Network Access (ZTNA), Virtual Desktop Infrastructure (VDI), and VPN solutions.

Given your scenario, it sounds like you’re leaning towards modern, secure, and flexible solutions that can cater to both employee and vendor needs without compromising on security. Here’s where Cato SASE Cloud shines and could be an excellent fit for your medical facility’s requirements.

Why Cato SASE Cloud Over Traditional Solutions?

  • Integrated Security and Access Control: Cato SASE Cloud combines ZTNA’s principle of “never trust, always verify” with a global, cloud-native architecture. This means you can provide secure access to your internal applications without the complexities and vulnerabilities associated with traditional VPNs. The integration of security and access in a single platform simplifies management and enhances protection against threats.
  • Support for Unmanaged Devices: Cato’s approach is particularly suited for scenarios where employees and vendors access resources from personal or unmanaged devices. With Cato, you can enforce robust security policies that scrutinize every access request, ensuring that only authenticated and authorized users can access your critical internal applications, regardless of their device’s management status.
  • Ease of Use and Deployment: Unlike solutions that require extensive on-premise hardware or complex configurations, Cato SASE Cloud is designed for simplicity and scalability. It’s a cloud-native service, meaning deployment can be swift, and scaling up (or down) doesn’t require additional physical infrastructure. This ease of use extends to the end-user experience as well, with seamless access to applications without the need for cumbersome VPN clients.
  • Vendor Access with RDP Support: For scenarios where vendors need to access your internal servers via RDP for support, Cato SASE Cloud can securely facilitate this. By leveraging ZTNA principles, you can grant access on a need-to-know basis, ensuring vendors can only connect to the systems they’re authorized to, thus minimizing the risk of lateral movement within your network.

Why Not VDI or Traditional VPN?

  • VDI, while offering a layer of isolation by providing a virtualized desktop environment, can be overkill for simply accessing specific applications and tends to come with higher costs and complexity in terms of deployment and maintenance. It’s a robust solution but might not offer the flexibility and scalability you’re looking for, especially when dealing with external vendors.
  • Traditional VPNs often provide a broader network access than necessary, increasing the risk of lateral movement in case of a compromise. They also struggle to offer granular access controls and can introduce significant security risks, particularly with unmanaged devices.

EMR and personal devices? Pfftt. This idea is bad from the start.

Of the options only VDI is even somewhat defensible to auditors IMHO.

From what I heard it’s a technology on the decline, with an increasing number of companies moving away from it.

ZTNA still requires management of the client device in some manner

Generally speaking, this isn’t true.

It’s not possible to give company-owned devices to 300+ employees. Any other suggestions?

Depends on your applications. For anything where you can make it work, put applications behind your ZTNA gateway. It’s simple and clean, and all you have to do is entitle your users to whatever apps they’re allowed to use. Basically any modern application will work in this way.

VDI can be used for horrible legacy stuff that’s not amenable to working from behind an app gateway, which you’ll have for almost any enterprise with substantial on-prem resources running legacy applications (manufacturing, healthcare, etc.). Throw your terrible apps into VDI instead of directly running them from end user compute, and control it so those VDIs don’t get to things they aren’t supposed to. Legacy applications are always the headache. You can then bind these VDIs to your ZTNA gateway, since those will work through a browser, eliminating the need to expose your VDI interface directly.

Straight up direct VPN access for users is generally dangerous and should be avoided.

Companies that no longer have anything on-prem can have anything accessing cloud-based, browser-accessed stuff. My take is that massive liabilities are opened up both ways if you’ve got unmanaged devices coming into the corporate network, not to mention much greater possibilities for data exfil.

You add healthcare or critical infrastructure into the mix and it’s that much more of an issue waiting to happen…

Yeah you can do ZTNA setups 100% BYOD. You can restrict access to resources via profiling a company machine with an agent, but it’s not required.

Don’t have those people accessing PHI from devices that likely don’t meet the compliance regulations (HIPAA in the US, for example).

Our PHI apps are web-based. Does ZTNA provide DLP controls, like disabling the clipboard or downloading files from the application?

Our apps are not SaaS or cloud-based; they are hosted on-premises.

Protecting PHI is of paramount importance to us, especially in the context of compliance regulations like HIPAA.

I believe a ZTNA with BYOD cybersecurity strategy can create secure access that allows employees to use their personal devices for work without compromising security.

ZTNA can do user and device verification before allowing access to resources by making sure devices have up-to-date security patches, anti-malware protection installed, 2FA authentication, web browser access, risk monitoring, and integration with MDM.

I would appreciate and welcome any additional suggestions and advice you might have.
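To make the design discussed in this thread concrete (modern apps entitled directly behind the ZTNA gateway, legacy apps brokered through VDI, vendors limited to specific RDP hosts, and posture plus clipboard/download restrictions for unmanaged devices touching PHI), here is an added illustrative policy evaluator. It is not code from any of the products named above; the application catalogue, roles and posture fields are constructed for this example.

```python
from dataclasses import dataclass

@dataclass
class Device:
    managed: bool      # enrolled in MDM (assumed posture signal)
    patched: bool      # OS security patches current (assumed posture signal)
    antimalware: bool  # endpoint protection present (assumed posture signal)

@dataclass
class Session:
    user: str
    role: str          # "employee" or "vendor"
    mfa: bool          # second factor completed at the gateway
    device: Device

# Constructed catalogue mirroring the thread: web apps, one legacy app, one RDP host.
APPS = {
    "emr":        {"kind": "web",    "roles": {"employee"}, "phi": True},
    "sap":        {"kind": "web",    "roles": {"employee"}, "phi": False},
    "legacy-lab": {"kind": "legacy", "roles": {"employee"}, "phi": True},
    "rdp:srv-01": {"kind": "rdp",    "roles": {"vendor"},   "phi": False},
}

def decide(s: Session, app: str) -> dict:
    """Evaluate one access request: entitlement, MFA, posture, path, DLP."""
    spec = APPS.get(app)
    # Entitlement first: a vendor never sees EMR, an employee never sees vendor RDP.
    if spec is None or s.role not in spec["roles"]:
        return {"allow": False, "reason": "not entitled"}
    if not s.mfa:
        return {"allow": False, "reason": "mfa required"}
    d = s.device
    # Posture is checked even for BYOD; an MDM enrolment is not required.
    if not (d.patched and d.antimalware):
        return {"allow": False, "reason": "posture failed"}
    # Legacy apps never run on the endpoint: they are brokered through VDI,
    # which is itself published through the gateway as a browser session.
    path = {"legacy": "vdi", "rdp": "rdp-broker"}.get(spec["kind"], "direct")
    # Unmanaged devices touching PHI lose clipboard and download.
    relaxed = d.managed or not spec["phi"]
    return {"allow": True, "path": path,
            "dlp": {"clipboard_allowed": relaxed, "download_allowed": relaxed}}
```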

I know Zscaler and Palo Alto do. I’d assume most/all of the others would as well.

Make sure that your employees know that their kids using those computers to download sketchy porn puts their parents’ jobs on the line. If you can’t afford 300 computers, not sure how you can afford the associated fines for disclosure.