Article

Zero Trust VPN (ZT-VPN): A Systematic Literature Review and Cybersecurity Framework for Hybrid and Remote Work

1 Department of Cyber Security, Air University, Islamabad 44230, Pakistan
2 Department of Computer Science and Cyber Security, Air University, Kharian 50090, Pakistan
3 Department of Cyber Security, National University of Computer & Emerging Sciences (NUCES), Islamabad 44230, Pakistan
4 Department of National CERT, Islamabad 44230, Pakistan
5 Department of Information Security, National University of Science and Technology, Islamabad 44000, Pakistan
6 Department of Computer Science, North Dakota State University, Fargo, ND 58102, USA
7 Department of Computer Science and Technology, University of Jamestown, Jamestown, ND 58405, USA
* Author to whom correspondence should be addressed.
Information 2024, 15(11), 734; https://doi.org/10.3390/info15110734
Submission received: 30 September 2024 / Revised: 11 November 2024 / Accepted: 12 November 2024 / Published: 17 November 2024
(This article belongs to the Special Issue Feature Papers in Information in 2024–2025)

Abstract:
Modern organizations have migrated from localized physical offices to work-from-home environments. This surge in remote work culture has exponentially increased the demand for and usage of Virtual Private Networks (VPNs), which permit remote employees to access corporate offices effectively. However, the technology raises concerns, including security threats, latency, throughput, and scalability, among others. These newer-generation threats are more complex and frequent, which makes the legacy approach to security ineffective. This research paper gives an overview of contemporary technologies used across enterprises, including the VPNs, Zero Trust Network Access (ZTNA), proxy servers, Secure Shell (SSH) tunnels, the software-defined wide area network (SD-WAN), and Secure Access Service Edge (SASE). This paper also presents a comprehensive cybersecurity framework named Zero Trust VPN (ZT-VPN), which is a VPN solution based on Zero Trust principles. The proposed framework aims to enhance IT security and privacy for modern enterprises in remote work environments and address concerns of latency, throughput, scalability, and security. Finally, this paper demonstrates the effectiveness of the proposed framework in various enterprise scenarios, highlighting its ability to prevent data leaks, manage access permissions, and provide seamless security transitions. The findings underscore the importance of adopting ZT-VPN to fortify cybersecurity frameworks, offering an effective protection tool against contemporary cyber threats. This research serves as a valuable reference for organizations aiming to enhance their security posture in an increasingly hostile threat landscape.

1. Introduction

Network infrastructures serve as the backbone of communication and information exchange. They facilitate the seamless flow of data, enabling organizations and individuals to access resources, collaborate, and conduct business efficiently [1,2]. However, the increasing reliance on networks has also attracted malicious actors who seek to exploit vulnerabilities and disrupt operations for various purposes, ranging from financial gain to espionage or activism [3]. As a result, understanding network attacks and developing effective defense mechanisms has become paramount in maintaining the security and integrity of network infrastructures [4].
Even with advancements in technology, there are many scams targeting businesses; for example, phishing remains the most common form of cyberattack, accounting for 90% of data breaches [5]. In 2023, 343,338,964 people were the targets of 2365 cyberattacks. Data breaches increased by 72% in 2023 compared to the previous record-holding year, 2021 [6,7]. Surprisingly, 96% of these phishing attacks were delivered via email. In 2023, a staggering 72.7% of organizations experienced a phishing attack [8]. Similarly, another major cyberattack is ransomware [9]. The costs associated with ransomware are expected to climb to USD 265 billion annually by 2031. In 2023, the average cost of a data breach saw a 15% rise over the previous three years, reaching USD 4.45 million on a worldwide scale [10,11]. Pay-outs were greatest in the US, at USD 5.09 million per breach [12,13,14].
Cyber insurance premiums in the US saw a 50% hike in 2022, with premiums collected amounting to USD 7.2 billion [15]. Over 75% of targeted attacks initiate from an email, with 94% of malware being delivered through this channel. Cybercrime costs are on a steep rise, expected to reach USD 10.5 trillion annually by 2025, marking a 15% yearly increase [16,17]. Cybercrime rates increased by 600% during the COVID-19 pandemic, illustrating how dangers have adjusted to new global circumstances [18]. On average, a data breach costs about USD 4.45 million. Approximately 35% of malware in 2023 was sent by email, making it the most frequent vector for malware [19,20]. Protecting an organization and understanding the motives behind these attacks is important; these help in assessing the potential impact on network security and identifying appropriate mitigation strategies [21]. It is equally important to assess the network’s devices and perform a security assessment of IT products [22]. Attacks like Denial of Service (DoS) try to block legitimate users from accessing resources or services on a network by overwhelming them [23,24]. These attacks can sabotage an organization and affect network availability [25].
Nowadays, organizations rely on remote work technology and use a variety of technologies to access their organizational networks [26]. For example, a VPN allows for the safe transfer of data and other types of information between remote locations. One or more VPN devices that the user connects to via their web browser make up an SSL VPN [27]. It uses encryption for data transfer and operates at the application layer [28]. Cryptography ensures transport-level secrecy, whereas SSL offers encrypted public keys for key management and authentication [29,30]. By encrypting data in transit, it protects the connection between the client and the resource. No data are sent over the internet or internal networks in plain text when end-to-end security is used. Every step, from the customer to the vendor, is encrypted and verified for security [31].
Despite this enormous and ubiquitous usage, VPNs come with various security challenges and performance-related issues, thereby hindering users from taking maximum advantage of this technology [32,33]. One potential downside of relying only on VPNs is that they treat all users as trustworthy and give them unrestricted access to the network. To address this concern, VPN users must choose the most secure and perfect VPN solution for the smooth functioning of daily activities [34,35]. Similarly, the traditional “castle and moat approach” of security is insufficient in light of the new age of evolving attacks along with the growing trend of working from home [36]. Therefore, VPNs are becoming fundamental in defending today’s network architectures and allowing remote access [37,38].
For a long time, VPNs have been employed to create safe and exclusive communications in a generally accessible network. VPNs comprise encryption and tunneling protocols, therefore forming a more secure virtual network overlaying an insecure network infrastructure [39,40]. VPNs can be used for access privilege, confidential data integrity, and authentication when connecting remote and geographically disjointed networks [41,42]. On the other hand, conventional telecom architecture and, particularly, physically configured and hard-wired networks, accompanied by typical perimeters of protection, have failed to cope with ever-changing cyber threats.
Nonetheless, the old paradigm of perimeter security has been replaced with Zero Trust Network Access (ZTNA) due to the dynamics of threat and the necessity of a more accurate and dynamic security model [43,44]. It is a security model that verifies users and devices before granting access to applications or resources. ZTNA is based on the principle of “never trust, always verify” and is designed to reduce the attack surface area and improve security posture [45]. The model makes some assumptions: first, it narrows its view of the network and regards each user and device, both inside and outside the network, as hostile; therefore, each one must be authenticated and explicitly authorized by the network every time it wants to access the network’s resources [46,47,48]. This shift in mentality is important in combating newer and more advanced attacks that use vulnerabilities and lateral movement in the network. The use of both VPNs and ZTNA could provide a robust solution for the remote access problem and the protection of networks [49,50].
The possibility of merging VPN and ZTNA technology can give promising solutions to industrial security afforded by end-device identity, context, and, most importantly, the principle of least privilege in the use of network resources. This integration allows organizations to apply tighter security measures to limit the attack vector and safeguard the data. Hence, the purpose of this article is to discuss and identify how to use VPNs to establish Zero Trust Network Access. Thus, the goal of familiarizing ourselves with the concepts and principles is to create patterns, standards, and recommendations for organizations that are trying to implement a safe and efficient remote access solution. Furthermore, we discuss the issues, implications, and possible drawbacks of combining them, and we offer case study analyses. Taken in their entirety, these two approaches present a clear promise, in terms of conceptual development, of effectively conquering the security vulnerabilities that threaten organizations at present. Hence, this article endeavors to offer some insights and real-life best practices for organizations that are aspiring to have strong and fortified network security that incorporates the use of VPNs and ZTNA for the attainment of secure remote access. This article discusses and analyzes various categories of network attacks, their features, and the impact they could have on current networks. We hope that by the end of this research, we will be in a position to add to the body of knowledge on how VPNs and ZTNA can complement each other, thus reinforcing network security and offering secure access to remote resources. The key contributions of the research are as follows:
  • This research paper gives an overview of contemporary technologies used across enterprises, including VPNs and ZTNA, proxy servers, Secure Shell (SSH) tunnels, the software-defined wide area network (SD-WAN), and Secure Access Service Edge (SASE), among others.
  • This paper identifies critical concerns associated with traditional technologies, including latency, throughput, scalability, and cyber threats, and identifies the gap to overcome these challenges.
  • This paper presents a novel Zero Trust VPN (ZT-VPN) framework that integrates Zero Trust Network Access with virtual private networks to create a robust cybersecurity framework for remote work environments, aiming to fortify modern enterprises’ cybersecurity and privacy.
  • Finally, this paper demonstrates the effectiveness of the ZT-VPN framework through various enterprise scenarios, highlighting its ability to prevent data leaks, manage access permissions, and provide seamless security transitions, thereby fortifying cybersecurity frameworks against contemporary cyber threats.
The organization of this paper is structured as follows: The Introduction (Section 1) provides an overview of the shift to remote work environments and the associated cybersecurity challenges. The Background—Related Work and Systematic Literature Review—Methodology (Section 2 and Section 3) review contemporary technologies and existing research in the field. The Proposed Framework (Section 4) details the design and architecture of the Zero Trust VPN (ZT-VPN) framework, including examples of implementation case studies. The Results and Evaluation (Section 5) presents the findings from various enterprise scenarios, accompanied by a discussion of the results and acknowledgment of limitations. Finally, the Conclusion and Future Work (Section 6) summarizes the key contributions of the research and outlines potential directions for future studies.

2. Background—Related Work

The purpose of this section is to provide a comprehensive review of existing technologies and research relevant to the topic of this paper. This section sets the context for the proposed framework by discussing contemporary technologies. It also highlights the limitations and challenges of current approaches, thereby establishing the need for the proposed ZT-VPN framework. By reviewing related work, this section helps to position the research within the broader field of cybersecurity and demonstrates how the proposed framework builds upon and advances existing knowledge.

2.1. Virtual Private Network (VPN)

This is a technology that creates a secure and encrypted connection over a less secure network. It allows users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network [51]. VPNs are commonly used by businesses to allow employees to access the company’s internal network from remote locations securely. This is particularly useful for remote work, enabling employees to access files, applications, and other resources as if they were in the office. VPNs provide a secure connection, protecting your data from hackers and cybercriminals, especially when using public Wi-Fi networks. The encryption ensures that even if the data are intercepted, they cannot be read [52,53]. By masking your IP address, a VPN helps protect your online privacy. It prevents websites, advertisers, and even your internet service provider (ISP) from tracking your online activities. VPNs allow you to bypass geographic restrictions and access content that may be blocked in your region. For example, you can access streaming services, websites, and online services that are only available in certain countries.
Figure 1 gives a detailed explanation of how a VPN works. It shows that, at a broad level, when you connect to a VPN, it encrypts your internet traffic. This means that the data you send and receive are converted into a secure code that is difficult for unauthorized parties to decipher. This encryption ensures that sensitive information, like passwords and personal data, is protected from eavesdropping. The internet traffic is routed through a VPN server. This server acts as an intermediary between your device and the internet. When you access a website or online service, your request is first sent to the VPN server, which then forwards it to the destination. The response from the website is sent back to the VPN server, which then forwards it to your device. Importantly, by routing the traffic through a VPN server, your real IP address is hidden, and you appear to be accessing the internet from the location of the VPN server. This helps protect identity and location, providing a layer of anonymity.

2.2. Zero Trust Network Access (ZTNA)

Zero Trust Network Access (ZTNA) is a security framework that operates on the principle of “never trust, always verify.” Unlike traditional security models that assume everything inside an organization’s network can be trusted, ZTNA assumes that threats can exist both inside and outside the network [54]. Therefore, strict verification is required for every user and device attempting to access resources. Figure 2 provides a detailed explanation of how a ZTNA works. The figure shows that it is a security framework that assumes no inherent trust in any user or device seeking access to network resources. It emphasizes the verification of user identities, strict access control, and continuous monitoring. ZTNA relies on technologies like multi-factor authentication (MFA), identity and access management (IAM), network segmentation, and micro-segmentation to enforce security controls [55].
Table 1 provides an overview of and shows the differences between the VPN and ZTNA. As we can see from the table, ZTNA is well suited for modern, dynamic environments, including remote work and cloud-based applications. It can easily scale to accommodate growing and changing organizational needs. ZTNA’s micro-segmentation and least-privilege access policies help contain potential breaches, preventing attackers from moving laterally within the network and accessing sensitive data [56,57]. By requiring continuous verification and limiting access based on identity and context, ZTNA significantly reduces the attack surface and improves the overall security posture. ZTNA provides detailed insights into user and device activity, allowing organizations to detect and respond to threats more effectively. This visibility also helps ensure compliance with regulatory requirements.

2.3. Proxy Servers

A proxy server is an intermediary server that sits between a client and the internet. It acts as a gateway, handling requests from clients seeking resources from other servers. Proxy servers can provide an additional layer of security by filtering out malicious content and blocking access to harmful websites [58]. They can also protect against certain types of cyberattacks. Proxy servers help protect the client’s privacy and prevent tracking by websites and advertisers. Proxy servers can bypass geographic restrictions and allow clients to access content that may be blocked in their region [59,60]. Proxy servers can cache frequently accessed content, reducing the load on the target servers and improving response times for clients. Proxy servers work as follows:
  • When a client requests a resource, the request is first sent to the proxy server. The proxy server then forwards the request to the target server on behalf of the client. Once the target server responds, the proxy server sends the response back to the client. This process adds a layer of separation between the client and the target server.
  • Proxy servers can hide the client’s IP address by replacing it with their own. This helps protect the client’s identity and location, providing a layer of anonymity.
  • Proxy servers can cache frequently requested resources. When a client requests a resource that is already cached, the proxy server can deliver it directly from its cache, reducing the time and bandwidth required to retrieve the resource from the target server.

2.4. Secure Shell (SSH) Tunnels

SSH tunneling, also known as SSH port forwarding, is a method of transporting data over an encrypted SSH connection. This technique allows secure communication between a client and a server, even over an unsecured network [61]. SSH tunneling begins with establishing an SSH connection between a client and an SSH server. This connection is encrypted, ensuring that any data transmitted between the client and the server are secure and protected from eavesdropping. It uses strong encryption algorithms to secure the data transmitted through the tunnel [62]. It also employs authentication mechanisms, for instance, passwords, public keys, or multi-factor authentication, to verify the identity of the client and the server.
SSH tunnels can be used to bypass firewalls and network restrictions. For example, if a firewall blocks access to a specific service, an SSH tunnel can be used to route the traffic through an allowed port. SSH tunnels enable secure remote access to services and applications. This is particularly useful for system administrators who need to manage servers and devices from remote locations.

2.5. Software-Defined Wide Area Network (SD-WAN)

A software-defined wide area network (SD-WAN) is a virtual WAN architecture that leverages software-defined networking (SDN) technology to manage and optimize the performance of a wide area network (WAN) [63]. It allows enterprises to use a combination of transport services, like MPLS, LTE, and broadband internet, to connect users to applications securely.
An SD-WAN separates the control plane from the data plane. The control plane is responsible for making decisions about where traffic should be sent, while the data plane is responsible for forwarding the traffic [64,65]. This separation allows for centralized management and control of the network. An SD-WAN provides a centralized management interface that allows network administrators to configure and manage the entire WAN from a single location. This simplifies network operations and reduces the complexity associated with traditional WAN architectures. An SD-WAN can dynamically select the best path for traffic based on real-time network conditions. It can route traffic over multiple transport links, like MPLS, LTE, and broadband, to optimize performance and ensure high availability. An SD-WAN is application-aware, meaning it can identify and prioritize traffic based on the application. This ensures that critical applications receive the necessary bandwidth and low latency, while less critical applications are given lower priority. An SD-WAN includes built-in security features including encryption, firewall, and intrusion prevention. It can also integrate with existing security solutions to provide end-to-end protection for the network.

2.6. Secure Access Service Edge (SASE)

This is a cloud-based architecture model that combines wide area networking (WAN) and network security services into a single, unified framework. It is designed to securely connect users, systems, endpoints, and remote networks to applications and resources, regardless of their location [66]. Here is a detailed explanation of how SASE works:
  • SASE integrates networking functions, like a software-defined wide area network (SD-WAN), with security services, including Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Firewall as a Service (FWaaS), and Zero Trust Network Access (ZTNA). This convergence allows for a more streamlined and efficient approach to managing and securing network traffic [67].
  • SASE is built on a cloud-native architecture, meaning that both the networking and security functions are delivered as cloud services. This allows for greater scalability, flexibility, and ease of deployment compared to traditional on-premises solutions.
  • SASE grants access based on the identity of users and devices rather than relying on the traditional perimeter-based security model. This ensures that only authenticated and authorized users can access specific applications and resources, enhancing security.
  • SASE solutions are globally distributed, meaning that they have points of presence (PoPs) around the world. This ensures that users can securely access applications and resources with low latency, regardless of their geographic location.
Table 2 provides a comparison of different network security and access technologies. We can see that a VPN creates a secure and encrypted connection over the internet, allowing users to access corporate networks remotely. However, traditional VPNs grant broad access to the entire network once authenticated, which can pose security risks. In contrast, ZTNA operates on the principle of “never trust, always verify,” continuously verifying every user and device attempting to access resources. ZTNA provides granular access control, granting users access only to specific applications and resources based on their identity and context, thereby reducing the attack surface and enhancing security.
Proxy servers act as intermediaries between clients and the internet, masking the client’s IP address and providing anonymity. They can cache frequently requested content to improve performance but do not offer the same level of encryption and security as VPNs or ZTNA. SSH tunnels provide secure communication for specific applications by transporting data over an encrypted SSH connection, ensuring data protection even over unsecured networks. An SD-WAN optimizes network performance by dynamically selecting the best path for traffic and providing centralized management. Each technology has its unique strengths and use cases, making each suitable for different network and security requirements. VPNs and ZTNA focus on secure remote access, with ZTNA providing more granular control. Proxy servers offer anonymity and content filtering, while SSH tunnels secure specific application communications. An SD-WAN enhances network performance and scalability, and SASE provides a comprehensive, cloud-based solution for modern enterprises.

3. Systematic Literature Review—Methodology

The systematic literature review (SLR) process followed in this study involved a series of rigorous steps to ensure that only high-quality and relevant studies were included in the final analysis. Figure 3 illustrates the multi-phase process used to filter, evaluate, and select the most relevant research articles.
  • Identification phase: The review began with the identification phase, where an initial search was conducted using the query “Zero Trust VPN” OR “ZTNA” OR “Zero Trust Network Access” to capture the literature related to Zero Trust and VPN concepts. Two major academic databases, Google Scholar and Web of Science, were used to gather a comprehensive set of articles. This search returned 1090 results from Google Scholar and 406 from Web of Science, resulting in a total of 1496 papers.
  • Screening phase: In the screening phase, the initial set of papers was reviewed to remove irrelevant studies. The first screening involved filtering by title, abstract, and keywords. Articles that were duplicates, gray literature, out-of-scope publications, book chapters, and editorial letters were excluded, reducing the pool to 608 papers. This step alone excluded 888 papers. A second screening was conducted based on a detailed reading of titles and abstracts. Articles that lacked relevance, were metadata-only or were otherwise irrelevant to this study were excluded. After this step, 426 more articles were removed, leaving 182 papers for further assessment.
  • Eligibility phase: The eligibility phase involved two levels of in-depth evaluation to further ensure the relevance and quality of the remaining studies. In the first eligibility check, both abstracts and main bodies of the papers were skim-read to exclude those that did not meet the criteria for Methodological Evaluation Score (MES) assessment. This step excluded 65 papers, narrowing down the selection to 117. The second eligibility check involved a closer reading of the main bodies of the remaining articles, with an emphasis on applying MES assessment criteria. This step led to the exclusion of an additional 31 articles, resulting in 86 studies that met all eligibility requirements.
  • Inclusion phase: Finally, in the inclusion phase, the remaining 86 studies were included in the final MES analysis, representing the highest-quality and most relevant articles for this systematic literature review. These studies formed the basis for the in-depth analysis and synthesis presented in this paper.

Literature Review

Our literature review focused on existing research on Zero Trust security frameworks, VPN, and ZTNA. The focus was on scalability, access control, performance, and identity verification across various network settings. To ensure a robust and comprehensive understanding, we defined a focused scope, prioritizing academic articles, industry reports, and foundational frameworks that engage directly with Zero Trust principles, their implementation challenges, and their efficacy.
The search process involved Google Scholar databases. The search query was composed of terms including “Zero Trust Network Access (ZTNA)”, “VPN security challenges”, “Zero Trust architecture”, “data-centric security”, and “identity-based access control”. We concentrated on works from the last decade to capture the most relevant contemporary cybersecurity articles, with some exceptions for foundational studies. Our inclusion criteria targeted studies covering one or more of the following areas: Zero Trust frameworks across environments, ZTNA and VPN comparisons (in terms of performance, scalability, and usability), and Zero Trust implementations with a focus on access control, identity verification, and continuous monitoring. Studies focused solely on general network security without Zero Trust concepts or theoretical models lacking practical applications were excluded.
In analyzing the literature, we categorized studies by key themes, including access control mechanisms, scalability, hybrid network challenges, data-centric security, usability, and continuous monitoring. We organized each study’s main contributions using a comparative framework to maintain consistency in our analysis. Key findings, methodologies, and challenges from each study were extracted, particularly regarding their applicability to the ZT-VPN framework. Zero trust is a security architecture that safeguards on-premises resources by eradicating unidentified users and uncontrolled devices and restricting any lateral movement [68]. The research work by Cherrueau et al. [69] discusses the potential risks and mitigations, emphasizing the importance of secure configuration, encryption, and identity-based access controls. The study identifies the challenges of scaling ZTNA VPN solutions and provides recommendations for addressing security concerns.
In the research work by S et al. [70], “Security issues with Virtual Private Network (VPN) and proxy services: Performance and Usability”, usability and performance are crucial factors when implementing ZTNA and VPN solutions. The study also suggests that bad VPN configuration and execution, rather than, say, inadequate cryptography, are the key issues. The research work by Wang et al. [71] evaluates the performance of ZTNA VPN solutions, considering the factors of latency, throughput, and scalability. The study emphasizes the need for efficient protocols and optimized configurations to maintain a balance between security and performance. According to Da Silva et al. [72,73], smart home security should include Zero Trust access control that takes context into account and uses behavior-based continuous authentication. There is a proposal for a zero-aware smart home system that would regulate access to the smart home system by continually verifying the user’s authenticity using Zero Trust continuous identity verification. It is powered by edge computing, which removes reliance on unreliable service providers and any implicit access. The correctness is not guaranteed, and the effect of latency and concurrency has not been tested in a real context.
The research work by Hunt et al. [74] proposes a ZTNA VPN model. The research highlights the benefits of this integration, like enhanced visibility and control over network traffic. It states that incoming requests from users or devices should be accepted only after authentication. Running both ZTNA and VPN simultaneously may introduce additional latency and performance overhead. This can impact the user experience, particularly for latency-sensitive applications. He et al. [75] conducted research comparing common trust assessment techniques and outlining the benefits and drawbacks of various access control regimes and authentication procedures. The emphasis of the study is also on protocols for network authentication and access control. Syed et al. [29] broadened the design’s scope to include software-defined perimeters and micro-segmentation and discussed the difficulties of such an architecture. The survey by Pittman et al. [76] showed that it is data objects, rather than user-accessible paths, that are subject to Zero Trust concepts and tenets. Trust computation in a dynamic system like a network is, according to their findings, a problem of categorization and regression. In their research, Buck et al. [77] used a search model to distinguish between academic material and gray literature while evaluating articles published on ZTNA. Any piece of writing that does not originate from an academic setting, like a private or commercial enterprise, is considered gray literature.
To some extent, the methods outlined here are comparable to Google’s ZTN approach to access control [78,79]. However, the treatment of decision continuity, risk management, and policy language in that approach remains vague. NIST [45] provides a vendor-agnostic framework for ZT implementation. It focuses on the continuous verification of user and device identities; policy enforcement based on context, such as user identity, device health, and location; micro-segmentation and least-privilege access; and comprehensive, detailed guidance applicable to a wide range of organizations. It encourages continuous monitoring and verification, allowing for flexible implementation.
The NIST framework may be seen as overly complex due to its detailed and broad guidelines; implementation requires a thorough understanding and careful planning. The Forrester model [80,81], popularized by Forrester Research, emphasizes the need to eliminate trust from the network. It includes continuous monitoring and validation of all users and devices; micro-segmentation to limit lateral movement within networks; data-centric security, ensuring data protection regardless of location; and a strong focus on data protection and reducing attack surfaces. It is a practical approach that can be adapted to various environments, although significant changes may be required to the existing network and security infrastructure, and the broad approach might be challenging for smaller organizations to implement fully. Some of the concepts presented here are similar to Dynfire, an AC policy management framework for ZTN put into practice on a college campus, as described by Vensmer et al. [82]. Problematically, neither risk management nor decision continuity is part of it. A ZTN AC solution for cloud computing, AL-SAFE, is described by Giannoku et al. [83]. However, it lacks policy language, risk management, and decision continuity features.
From Table 3, we can see that scaling both ZTNA and VPN solutions to accommodate the increased number of users and devices can be effective. Ensuring seamless scalability while maintaining security can, however, be a complex task. In today’s computing and mobile device settings, where dynamic characteristics make the idea of a conventional DMZ [84] outdated, this comparatively static approach to security, focused on physical or virtual perimeters, fails. The cloud is the new network edge, and an implicit-trust strategy cannot sufficiently protect it. Regarding the idea of protecting information systems [74], changes were made to accomplish the required IP security based on a review of the company’s policy, the SSL encryption technique, and the software utilized in the business. These steps will enable the information system for manufacturing locations to gain the appropriate security. Given the context of prior research and the underlying hypotheses, the authors delve into the data and their potential interpretation. The discussion of the results and their implications should take a broad view and may also point out avenues for future research.
The manner in which companies work has changed over the last several years. Working remotely and other trends like bring your own device (BYOD) [85] are driving the demand for flexible access to company data and apps from devices outside of the company’s internal network. This tendency has been accelerated by the rising number of remote workers and the coronavirus pandemic. Additionally, problems arise for the organization’s network architecture due to external connections, the incorporation of partners and service providers, or the mutual sharing of assets. To date, the majority of companies have provided external users or services with encrypted connections to their internal networks so that they may access internal resources. When a user or service is considered trustworthy, they are granted access to the network’s resources. The problem is that most existing solutions rely on inflexible components like subnetworks, firewalls, and rule sets, making it impossible to adapt to these kinds of ever-changing conditions. Because of this design, there are major security holes. One issue is that the internal network is not segmented or controlled. Once an outsider or a malicious employee breaches an organization’s network defense, they may access almost every part of the system. A large number of organizational resources are, therefore, vulnerable to reading, modification, and harm.
According to Zero Trust techniques, which aim to fix the problems with existing networking solutions, the fundamental premise is that no one on the network can be trusted and that any access to company resources might be a security risk. This means that all accesses are checked and confirmed. The approval of a request is contingent upon its verification. Either complete access to the service or access to just the allowed operations or data may be provided. When verifying a user’s identity, it is important to take into account not only their password but also their device, location, time, and access rights. In addition, resource access is limited to what is necessary for carrying out tasks in accordance with the concept of least privilege. This highlights the need to establish and rigorously follow access rules. The access regulations in question, however, are dynamic. It is possible to include the behavior patterns of the network participants in the verification process by continuously monitoring and recording network traffic. Zero trust is more of a strategy than a technology; it is an umbrella term for a set of guiding principles. This article discusses and analyzes various categories of network attacks, their features, and the impact they could have on current networks. We hope that by the end of this research, we will be in a position to add to the body of knowledge on how VPN and ZTNA can complement each other, thus reinforcing network security and offering secure access to remote resources.

4. Design and Architecture

The detailed architecture of the Zero Trust VPN (ZT-VPN) is illustrated in the provided diagram and comprises three main modules: Policy Enforcement Point (PEP), Identity Enforcement Point (IEP), and Security Enforcement Point (SEP). The PEP module handles the initial access flow, encrypts traffic, and validates interactions between the subject and the resource. This involves certificate-based authentication, where both the client and server use SSL/TLS certificates to establish a secure connection, and username/password authentication, which adds a layer of security by requiring clients to provide valid credentials. The combination of these authentication methods ensures that only authorized clients can establish a VPN tunnel with the server.
Once connected to the VPN, the IEP module validates the user’s identity through login credentials and a one-time password (OTP) sent to the registered device. It also verifies the device’s health, operating system settings, and the user’s location before granting role-based access to organizational resources. The SEP module monitors session time and grants time-bound access, logging user activities and monitoring access to organizational resources. This comprehensive approach enhances the overall security and access control of the organization’s network, ensuring that only authenticated and authorized users can access sensitive resources.
A detailed architecture diagram of the ZT-VPN is illustrated in Figure 4. It has three modules, namely, Policy Enforcement Point (PEP), Identity Enforcement Point (IEP), and Security Enforcement Point (SEP). In the first form, the subject or person uses the resource on behalf of a requester or as a requester. The access flow is blocked by the PEP, which encrypts the traffic once the subject interacts with the resource and validation is successful, which is shown in Algorithm 1. Details are provided below:
  • Certificate-based authentication: OpenVPN creates an encrypted connection between the client and server based on SSL/TLS. Certificates are employed to ensure that both the client and the server are genuine. The process is as follows:
    The VPN server has an independent SSL/TLS certificate and private key.
    Every client is issued a distinct SSL/TLS certificate and a private key.
    During the SSL/TLS negotiation, when a client connects to the server, it has to send its certificate to the server.
    The server checks the client’s certificate against the list of the trusted certificates the server possesses. If the client’s certificate is valid and recognized as trustworthy by the server, then the SSL/TLS negotiation is accomplished, and the connection is established.
  • Username/password authentication: In addition to the certificate, the VPN can also use usernames and passwords as a further form of client identification. This is particularly useful when multiple clients use the same certificate, for instance, in road warrior configurations. The process is as follows:
    Every client has a username and a password created on the VPN server.
    When a client attempts a connection, it presents its certificate as described above, and the server then asks for a username and password.
    The server then verifies the client’s username and password against the client list and passwords with which it has been configured.
    If the credentials match those of the authenticated client, the client will be logged in and connected to the VPN.
  • Second-level username/password authentication: Besides the certificates, OpenVPN also has options for the username and password in the second level of the authentication. This is especially useful when several clients have the same certificate (for example, for the road warriors). The process is as follows:
    Users obtain an account on the VPN server, which has their unique username and password.
    When a client attempts to connect, it sends its certificate, as mentioned above, and the VPN server then asks for a username and password.
    The server compares the given username and password with the client list and the necessary password.
    If the username and password are correct, the client is authorized, and phase 2 of the VPN connection is initiated.
  • Combining certificate and username/password authentication: In practice, a VPN can be configured to require both certificate-based authentication and username/password authentication for enhanced security. This ensures that clients possess the correct certificate and valid credentials to connect to the VPN server. In this, the clients go through both certificate-based authentication and username/password authentication before being granted access to the VPN server.
Algorithm 1: Policy Enforcement Point (PEP)
Require: VPN client, VPN configuration file (.ovpn), credentials (username and password)
Module 1: Enforcement Point (EP)
Submodule 1: Install VPN Client
  1.1 Download the appropriate OpenVPN client for your operating system.
  1.2 Follow the installation instructions to install the OpenVPN client on your device.
Submodule 2: Obtain OpenVPN Configuration File
  2.1 Obtain the .ovpn configuration file from your network administrator or VPN service provider.
  2.2 Ensure you have the necessary credentials (username and password), if required.
Submodule 3: Configure OpenVPN Client
  3.1 Place the .ovpn configuration file in the appropriate directory:
      Windows: C:\Program Files\OpenVPN\config\
  3.2 If needed, open the .ovpn file in a text editor and modify any settings as per your requirements.
Submodule 4: Connect to OpenVPN Server
  4.1 Launch the OpenVPN client application.
  4.2 Select the appropriate .ovpn configuration file.
  4.3 Enter your credentials (username and password) if prompted.
  4.4 Click on the Connect button to establish the VPN connection.
Submodule 5: Verify the Connection
  5.1 Once connected, verify the VPN connection:
      5.1.1 Check the OpenVPN client status window for connection details.
      5.1.2 Verify your IP address has changed to the VPN server’s IP address using an online service like whatismyip.com.
      5.1.3 Ensure you can access network resources that require a VPN connection.
The server verifies the certificates and then checks the provided username and password against its client credentials database. Only after successful validation are the clients allowed to establish the VPN tunnel with the server. After successful validation of credentials, the IP address is assigned to the client from a predefined IP pool managed by the VPN server. Each time a client connects, it receives an available IP address from the pool. This approach is more scalable and useful when you have a large number of clients connecting intermittently. If a client disconnects, its assigned IP address becomes available for future connections. This allows efficient use of the address space as clients come and go.
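The PEP flow described above, as an added example that is not part of the original paper: client certificates are reduced to a trusted-fingerprint set, the username/password second factor is checked against salted PBKDF2 hashes, and only a client that passes both checks is leased a tunnel address from a predefined pool that is released on disconnect. The class and function names, the pool range 10.8.0.0/24 and the sample credentials are assumptions.

```python
"""Added example (not the paper's code): a model of the PEP stage.
Certificates are reduced to their fingerprints: the server keeps the set of
fingerprints it trusts (what OpenVPN derives from a CA-signed client cert),
passwords are checked as salted PBKDF2 hashes, and a validated client is
leased a tunnel address from the predefined pool. Names and values assumed."""
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 so the server never stores cleartext passwords."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


@dataclass
class AddressPool:
    """Predefined IP pool: a client leases an address on connect and releases
    it on disconnect, so the address space is reused as clients come and go."""
    network: str
    leases: Dict[str, str] = field(default_factory=dict)  # username -> address

    def lease(self, username: str) -> Optional[str]:
        if username in self.leases:            # reconnecting client keeps its lease
            return self.leases[username]
        hosts = ipaddress.ip_network(self.network).hosts()
        next(hosts, None)                      # first host address is the server's
        in_use = set(self.leases.values())
        for host in hosts:
            if str(host) not in in_use:
                self.leases[username] = str(host)
                return str(host)
        return None                            # pool exhausted: no tunnel for this client

    def release(self, username: str) -> None:
        self.leases.pop(username, None)


@dataclass
class PolicyEnforcementPoint:
    trusted_fingerprints: Set[str]                   # the server's trusted client certs
    credentials: Dict[str, Tuple[bytes, bytes]]      # username -> (salt, digest)
    pool: AddressPool

    def connect(self, cert_fingerprint: str, username: str, password: str) -> Optional[str]:
        """Return the leased tunnel address on success, None on any failure."""
        # Step 1: certificate-based authentication during the TLS handshake.
        if cert_fingerprint not in self.trusted_fingerprints:
            return None
        # Step 2: username/password as the second factor.
        record = self.credentials.get(username)
        if record is None:
            return None
        salt, expected = record
        _, actual = hash_password(password, salt)
        if not hmac.compare_digest(actual, expected):
            return None
        # Step 3: only after both checks succeed is the tunnel built and an address leased.
        return self.pool.lease(username)

    def disconnect(self, username: str) -> None:
        self.pool.release(username)


# Constructed sample data so the block runs stand-alone.
CLIENT_CERT_FP = hashlib.sha256(b"constructed client certificate").hexdigest()
SALT, DIGEST = hash_password("correct horse battery staple")


def demo_pep() -> PolicyEnforcementPoint:
    """A PEP trusting one client certificate and one user, with a /24 pool."""
    return PolicyEnforcementPoint(
        trusted_fingerprints={CLIENT_CERT_FP},
        credentials={"alice": (SALT, DIGEST)},
        pool=AddressPool("10.8.0.0/24"),
    )


if __name__ == "__main__":
    pep = demo_pep()
    print(pep.connect(CLIENT_CERT_FP, "alice", "correct horse battery staple"))  # 10.8.0.2
    print(pep.connect(CLIENT_CERT_FP, "alice", "wrong password"))                # None
```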
In the second module, after the user connects to the VPN, the IEP validates the user’s identity through the login credentials. An OTP is sent to the registered device, through which the device is verified. Afterward, the device health, OS settings, and user location are verified. Then, role-based access to organizational resources is granted to that user, as can be seen in Algorithm 2, lines 1 to 22. In the SEP module, session time is monitored, and time-limited access is granted to every user. The session is time-bound: once the user logs in, the session start time is taken from the log server and a counter starts. The user profile and activities are also monitored through server logs. When the user tries to access any organizational resource or link, the access is logged and monitored as well, as can be seen in Algorithm 2, lines 24 to 49.
This implementation can enhance the overall security and access control of an organization’s network. In a VPN, client credentials are typically validated through a combination of certificate-based authentication and username/password authentication. Let us explore how this validation process works, along with a diagram.
These are the steps through which we can achieve our goal:
  • The user enters their credentials into the VPN client, which validates them with the VPN server; only then does the client’s traffic flow to the internet through the VPN.
  • The user can then access the web application; if the VPN credentials are not validated, access to the web application is not permitted.
  • Next, the user enters their credentials in the web app; here the user is validated with a password and also receives an OTP on their registered mobile number.
  • In the next step, the user device’s OS, settings, and health are monitored, and user logs are generated every time the user performs any activity.
  • There is also access management: the user is restricted to the privileges allowed by the admin.
Algorithm 2: ZTNA Policy Enforcement Point (ZPE)
Require: resources, userRoles, accessPolicies, ztnaConfig
 1: Module 2: Identity Enforcement Point (IEP)
 2: Submodule 1: Define Access Policies
 3:   defineResources(resources)
 4:   defineUserRoles(userRoles)
 5:   createAccessPolicies(accessPolicies)
 6: Submodule 2: Set Up ZTNA Infrastructure
 7:   selectZTNASolution(ztnaConfig.solution)
 8:   deployZTNAController(ztnaConfig.controller)
 9:   installZTNAAgents(ztnaConfig.agents)
10: Submodule 3: Implement Authentication Mechanisms: configureAuthentication(ztnaConfig.authMechanisms)
11: Submodule 4: Enforce Zero Trust Principles
12:   for user in users do
13:     if authenticate(user, ztnaConfig.auth) then
14:       session = establishZTNASession(user)
15:       if assessAccess(session, ztnaConfig.policies) then
16:         grantAccess(session, user)
17:       else
18:         denyAccess(session, user)
19:       end if
20:     else
21:       denyAccess(user)
22:     end if
23:   end for
24: Module 3: Security Enforcement Point (SEP)
25: Submodule 1: Monitoring and Logging
26:   setupActivityLogging()
27:   enableRealTimeMonitoring()
28:   configureAlertsAndReports()
29: Submodule 2: Continuous Improvement
30:   while True do
31:     updateZTNASoftware(ztnaConfig)
32:     reviewPolicies(accessPolicies)
33:     conductUserTraining()
34:   end while
35: function grantAccess(session, user)
36:   allowAccess(session, user)
37: end function
38: function denyAccess(session, user)
39:   blockAccess(session, user)
40: end function
41: function setupActivityLogging()
42:   configureLogging()
43: end function
44: function enableRealTimeMonitoring()
45:   startMonitoring()
46: end function
47: function configureAlertsAndReports()
48:   setupAlerts()
49:   generateReports()
50: end function
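A runnable reading of the IEP and SEP steps of Algorithm 2, added here and not taken from the paper: the IEP verifies the password, the OTP, device health and location before issuing a role-bound session, and the SEP enforces the session’s time limit and the role policy on every resource access while appending each decision to an activity log. The user directory, the policy table, the eight-hour lifetime and the request data are constructed assumptions.

```python
"""Added example (not the paper's code): a runnable reading of the IEP and
SEP steps of Algorithm 2. The IEP checks password, OTP, device health and
location before issuing a role-bound session; the SEP enforces the session's
time limit and role policy on every access and records an activity log."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Device:
    disk_encrypted: bool
    os_patched: bool
    firewall_on: bool


@dataclass
class AccessRequest:
    user: str
    password: str
    otp: str           # code the user read from the registered device
    device: Device     # posture reported by the client agent
    country: str       # country derived from the client's location


@dataclass
class Session:
    user: str
    role: str
    started_at: int    # epoch seconds, passed in so runs are deterministic
    lifetime: int      # seconds of access granted by the SEP

    def expired(self, now: int) -> bool:
        return now >= self.started_at + self.lifetime


def _h(value: str) -> str:
    """SHA-256 hex digest; a real IEP would use a salted, slow password hash."""
    return hashlib.sha256(value.encode()).hexdigest()


# Constructed user directory (assumption): password hash, the OTP expected for
# this login, the user's role, and the countries the user normally works from.
USERS = {
    "alice": {"pw_hash": _h("pw-alice"), "otp": "482913", "role": "analyst",
              "allowed_countries": {"PK", "US"}},
}
# Role-based access policy (assumption): the resources each role may reach.
ACCESS_POLICIES = {
    "analyst": {"reports", "tickets"},
    "admin": {"reports", "tickets", "hr-records", "vpn-config"},
}
SESSION_LIFETIME = 8 * 3600   # time-bound session: eight hours


def device_healthy(d: Device) -> bool:
    return d.disk_encrypted and d.os_patched and d.firewall_on


def authenticate(req: AccessRequest, log: List[str]) -> Optional[str]:
    """IEP: return the user's role if every check passes, else None (logged)."""
    rec = USERS.get(req.user)
    if rec is None or not hmac.compare_digest(rec["pw_hash"], _h(req.password)):
        log.append(f"deny user={req.user} reason=bad-credentials")
        return None
    if not hmac.compare_digest(rec["otp"], req.otp):
        log.append(f"deny user={req.user} reason=bad-otp")
        return None
    if not device_healthy(req.device):
        log.append(f"deny user={req.user} reason=unhealthy-device")
        return None
    if req.country not in rec["allowed_countries"]:
        log.append(f"deny user={req.user} reason=unrecognised-location:{req.country}")
        return None
    return rec["role"]


def establish_session(req: AccessRequest, now: int, log: List[str]) -> Optional[Session]:
    """IEP: a session exists only once authenticate() has passed every check."""
    role = authenticate(req, log)
    if role is None:
        return None
    log.append(f"session user={req.user} role={role} expires={now + SESSION_LIFETIME}")
    return Session(req.user, role, now, SESSION_LIFETIME)


def assess_access(session: Session, resource: str, now: int, log: List[str]) -> bool:
    """SEP: enforce the time bound and the role policy on each access, logging it."""
    if session.expired(now):
        log.append(f"deny user={session.user} resource={resource} reason=session-expired")
        return False
    allowed = resource in ACCESS_POLICIES.get(session.role, set())
    verdict = "grant" if allowed else "deny"
    log.append(f"{verdict} user={session.user} resource={resource} role={session.role}")
    return allowed
```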

4.1. Review of Case Study Findings Derived from the Literature

Enterprises can vary widely in size, structure, and scope, from small businesses to multinational corporations. Within an enterprise, there are various roles that individuals may assume, each with distinct responsibilities and contributions to the organization’s success. The structure and specific roles can vary depending on the assigned tasks and skills, and granting role-based access and monitoring activity is the need of the hour due to the increasing number of security breach incidents. As network infrastructures become more complex and the threat landscape evolves, traditional security models and perimeter-based approaches are no longer enough to secure sensitive data and resources. The emergence of ZTNA has gained attention as a security framework that focuses on verifying every access request, irrespective of the user’s place or network context. However, there is a need to explore the integration of ZTNA principles with VPNs, which have long been used to secure network communications. The problem lies in understanding how VPNs can be effectively employed to achieve ZTNA, addressing challenges including trust boundaries, user authentication, access control mechanisms, and data protection. This research aims to investigate the design, implementation, and evaluation of ZT-VPN to provide a comprehensive understanding of the potential benefits; through this, we look at how an organizational network can be secured from insider and outside attacks and at the limitations of this integration, and we propose recommendations for successful deployments.

4.2. Case—Implementing ZT-VPN in a Mid-Sized Financial Services Company

To provide a clearer picture of the practical application of the ZT-VPN framework, this article presents a hypothetical case study demonstrating how an organization might implement and benefit from this approach. Imagine a mid-sized financial services company, “SecureBank”, which manages sensitive customer data and has a significant number of employees working remotely. SecureBank faces common cybersecurity challenges, including secure access control for remote employees, protection of sensitive financial data, and the need for scalability to handle fluctuating access demands.
1. Application of the ZT-VPN framework:
SecureBank begins by implementing the ZT-VPN framework as part of its remote access and data security strategy. Key stages in this implementation are as follows:
  • Initial access control and identity verification: The Policy Enforcement Point (PEP) is configured to require both certificate-based authentication and multi-factor authentication (MFA) before granting access. Each employee is provided with unique certificates and login credentials, ensuring that only authorized users with verified identities can connect to the company’s network.
  • Contextual security measures: The Identity Enforcement Point (IEP) checks not only user credentials but also device health, operating system settings, and geographic location for each access attempt. For example, if an employee tries to access the system from an unrecognized location, additional verification is required. This added layer helps prevent unauthorized access due to credential theft.
  • Continuous monitoring and limited access control: Using the Security Enforcement Point (SEP), SecureBank restricts access to specific resources based on employee roles and limits session times. Access logs are continuously monitored, and alerts are generated for any unusual behavior, like attempts to access restricted data or repeated login failures.
2. Anticipated outcomes: By implementing the ZT-VPN framework, SecureBank is expected to experience several key benefits:
  • Enhanced security with reduced attack surface: ZT-VPN’s multi-layered authentication and context-based access verification greatly reduce the risk of unauthorized access, protecting sensitive financial data from both external and insider threats.
  • Scalability and flexibility: The framework’s inherent scalability allows SecureBank to accommodate additional users or adjust access privileges dynamically. This flexibility is essential for the organization as it grows or adjusts to new regulatory requirements.
  • Improved access control and monitoring: With continuous monitoring through SEP, SecureBank’s IT team has enhanced visibility of user behavior, enabling them to detect and respond quickly to potential threats. Additionally, role-based and time-bound access control ensures that employees can only access the data they need, reducing the risk of lateral movement within the network.
  • Increased confidence in remote work security: The ZT-VPN framework instills confidence in SecureBank’s remote access protocols, as employees can securely access necessary resources without compromising data protection. This reliability supports the organization’s long-term goals of flexible, secure remote work.
This hypothetical case study illustrates how an organization utilizes the ZT-VPN framework to enhance its cybersecurity posture effectively. While further empirical validation is necessary to confirm these outcomes across different organizational contexts, this example highlights the potential benefits of ZT-VPN in a modern hybrid work environment.

5. Results and Evaluation

The evaluation of the 86 selected studies has reinforced the potential of ZT-VPN as a comprehensive solution that addresses both cybersecurity and performance challenges in remote and hybrid work environments. The reviewed studies emphasize the importance of integrating Zero Trust principles with VPN to provide granular access control, scalability, and continuous verification, which are essential for protecting against contemporary threats. Furthermore, the adoption of role-based and context-aware access policies significantly reduces the risk of unauthorized access and lateral movement within networks. The findings show that ZT-VPN frameworks effectively balance security and user experience, especially by reducing latency through optimized traffic routing. This enhanced approach not only strengthens the security posture but also supports scalability, making ZT-VPN an adaptable solution for organizations of varying sizes and industries. These insights underscore the growing relevance of ZT-VPN frameworks in fortifying enterprise networks amidst evolving cybersecurity demands.
The proposed ZT-VPN framework has been evaluated in various enterprise scenarios to assess its effectiveness and advantages over traditional VPNs, ZTNA, and other security solutions. The results demonstrate that ZT-VPN offers significant improvements in terms of security, performance, and scalability. When integrating a VPN and ZTNA, the result is a comprehensive remote access solution that combines the benefits of both technologies to enhance security and access control. Here is a discussion regarding the integration:
  • Improved security: VPNs traditionally provide a secure tunnel for remote users to access corporate resources.
  • Enhanced user experience: Integrating VPN and ZTNA allows organizations to strike a balance between security and user experience.
  • Scalability and flexibility: VPNs are typically designed to accommodate a fixed number of concurrent connections, which can be a limitation for organizations with dynamic workforces or fluctuating access demands.
  • Granular access control: This solution enables organizations to implement granular access controls based on user roles, device types, and other contextual factors.
  • Centralized management and visibility: ZTNA solutions often provide centralized management consoles and comprehensive visibility of user access and activity.
Table 4 provides a comparative summary of key contributions in existing Zero Trust research, highlighting specific features and limitations addressed by prior studies. This comparison emphasizes how the proposed ZT-VPN framework builds on these works by addressing critical gaps in access control, device health assessment, and contextual identification. ZT-VPN enables enterprises to implement granular access policies based on a variety of contextual factors, significantly reducing the risk of unauthorized access and data breaches while ensuring seamless access to necessary resources. Additionally, its scalability and adaptability allow organizations to adjust to evolving access needs. The centralized control feature further enhances security, enabling effective monitoring of user activity across both on-site and remote environments.

Discussion and Limitations

The ZT-VPN is a complete solution for enterprises as it secures the network as well as organizational resources. The framework combines the strengths of both VPNs and ZTNA by integrating certificate-based authentication, username/password authentication, and continuous monitoring of user and device credentials. This multi-layered approach ensures that only authenticated and authorized users can access organizational resources. Unlike traditional VPNs, which grant broad access to the entire network once authenticated, ZT-VPN provides granular access control, reducing the attack surface and preventing unauthorized lateral movement within the network. Additionally, the continuous verification of user and device health, operating system settings, and location further enhances security, making it more robust than standalone ZTNA solutions.
The ZT-VPN framework addresses common performance issues associated with traditional VPNs, including latency and throughput. By dynamically selecting the best path for traffic and optimizing network performance, ZT-VPN ensures that critical applications receive the necessary bandwidth and low latency. This results in a better user experience and increased productivity. The integration of software-defined wide area network (SD-WAN) technology within the ZT-VPN framework further enhances performance by providing centralized management and dynamic path selection based on real-time network conditions.
The cloud-native architecture of the ZT-VPN framework allows for easy scalability and flexibility. Organizations can quickly adapt to changing business needs and deploy new services without the need for extensive hardware investments. The framework’s ability to integrate with existing security solutions, like Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), and Firewall as a Service (FWaaS), ensures comprehensive protection and seamless security transitions. This makes ZT-VPN a more scalable and adaptable solution compared to traditional VPNs and standalone ZTNA implementations.
The framework provides a unified approach to access control by combining the principles of Zero Trust with the secure connectivity of VPNs. This ensures that users are granted access based on their identity, role, and context rather than relying on the traditional perimeter-based security model. The role-based access control and time-bound sessions further enhance security by limiting access to only the necessary resources for a specific duration. This comprehensive access control mechanism is more effective than the broad access granted by traditional VPNs and the application-specific access provided by ZTNA.

6. Conclusions and Future Work

The rapid shift to remote work environments has necessitated the development of robust cybersecurity frameworks to protect organizational resources and ensure seamless operations. This paper presented a comprehensive overview of contemporary technologies employed in enterprises. Among these, the proposed ZT-VPN framework stands out as a highly effective solution for enhancing IT security and privacy in modern enterprises. The ZT-VPN framework integrates Zero Trust principles with VPN technology, addressing critical concerns, for instance, security threats, latency, throughput, and scalability. By continuously verifying every user and device attempting to access corporate resources, ZT-VPN ensures a robust security posture, preventing data leaks, managing access permissions, and providing seamless security transitions. The effectiveness of the ZT-VPN framework was demonstrated through various enterprise scenarios, highlighting its potential to fortify cybersecurity frameworks against contemporary cyber threats.
In addition to developing the theoretical framework, future work will focus on empirically validating the effectiveness of the ZT-VPN model. We plan to conduct real-world case studies and pilot implementations within various organizational contexts to assess the model’s practical impact. We aim to collect data on the reduction of unauthorized access incidents, successful implementation of access control policies, and improved data protection. Future studies will examine how well the ZT-VPN framework scales in environments with growing or dynamic access demands, particularly in hybrid and cloud-based networks. Through these empirical studies, we aim to provide comprehensive evidence of ZT-VPN’s effectiveness and address any limitations or refinements needed to optimize its deployment in diverse organizational settings.
Despite the promising results, there are several other areas for future research and development. One potential direction is the exploration of advanced cryptographic techniques to enhance the security and performance of the ZT-VPN framework further so it can resist post-quantum cryptography cyberattacks. Additionally, the integration of artificial intelligence can provide real-time threat detection and response capabilities, further strengthening the security posture of enterprises. Another possible future work direction is the evaluation of the ZT-VPN framework in diverse organizational contexts, including small and medium-sized enterprises (SMEs) and large multinational corporations.

Author Contributions

Writing—original draft preparation, S.M.Z.; supervision, S.M.S.; validation, S.M.S.; writing—review and editing, Z.I. and M.Y.; visualization, M.H.; project administration, Z.M.; funding acquisition, Z.M. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

Data is contained within the article.

Conflicts of Interest

The authors declare no conflicts of interest.

Abbreviations

Abbreviation key for technical terms used throughout this document, providing definitions for essential terms:
BYOD: Bring your own device
DHCP: Dynamic Host Configuration Protocol
DoS: Denial of Service
HTTP: Hypertext Transfer Protocol
HTTPS: Hypertext Transfer Protocol Secure
IAM: Identity and access management
IEP: Identity Enforcement Point
IP: Internet Protocol
MFA: Multi-factor authentication
PEP: Policy Enforcement Point
PoP: Point of presence
SASE: Secure Access Service Edge
SD-WAN: Software-defined wide area network
SEP: Security Enforcement Point
SSH: Secure Shell
SSL: Secure Sockets Layer
TLS: Transport Layer Security
VPN: Virtual private network
ZT-VPN: Zero Trust VPN
ZTNA: Zero Trust Network Access

References

  1. Hodge, R. VPN Use Surges During the Coronavirus Lockdown, But So Do Security Risks; CNET: San Francisco, CA, USA, 2020; Volume 23. [Google Scholar]
  2. Singer, P.W.; Friedman, A. Cybersecurity: What Everyone Needs to Know; Oxford University Press: New York, NY, USA, 2014. [Google Scholar]
  3. Deibert, R.J. Subversion Inc: The age of private espionage. J. Democr. 2022, 33, 28–44. [Google Scholar] [CrossRef]
  4. Zhang, Z.; Zhang, Y.Q.; Chu, X.; Li, B. An overview of virtual private network (VPN): IP VPN and optical VPN. Photonic Netw. Commun. 2004, 7, 213–225. [Google Scholar] [CrossRef]
  5. Baykara, M.; Gürel, Z.Z. Detection of phishing attacks. In Proceedings of the 2018 6th International Symposium on Digital Forensic and Security (ISDFS), Antalya, Turkey, 22–25 March 2018; pp. 1–5. [Google Scholar]
  6. Kaur, J.; Ramkumar, K. The recent trends in cyber security: A review. J. King Saud Univ. Comput. Inf. Sci. 2022, 34, 5766–5781. [Google Scholar] [CrossRef]
  7. Ghelani, D. Cyber Security, Cyber Threats, Implications and Future Perspectives: A Review. Authorea Preprints 2022. Available online: https://www.techrxiv.org/doi/full/10.22541/au.166385207.73483369 (accessed on 30 September 2024).
  8. Alkhalil, Z.; Hewage, C.; Nawaf, L.; Khan, I. Phishing attacks: A recent comprehensive study and a new anatomy. Front. Comput. Sci. 2021, 3, 563060. [Google Scholar] [CrossRef]
  9. O’Kane, P.; Sezer, S.; Carlin, D. Evolution of ransomware. IET Networks 2018, 7, 321–327. [Google Scholar] [CrossRef]
  10. McIntosh, T.; Kayes, A.; Chen, Y.P.P.; Ng, A.; Watters, P. Ransomware mitigation in the modern era: A comprehensive review, research challenges, and future directions. ACM Comput. Surv. 2021, 54, 1–36. [Google Scholar] [CrossRef]
  11. Dutkowska-Zuk, A.; Hounsel, A.; Xiong, A.; Roberts, M.; Stewart, B.; Chetty, M.; Feamster, N. Understanding how and why university students use virtual private networks. arXiv 2020, arXiv:2002.11834. [Google Scholar] [CrossRef]
  12. Jegede, A.; Fadele, A.; Onoja, M.; Aimufua, G.; Mazadu, I.J. Trends and future directions in automated ransomware detection. J. Comput. Soc. Inform. 2022, 1, 17–41. [Google Scholar] [CrossRef]
  13. Khan, E.; Sperotto, A.; van der Ham, J.; van Rijswijk-Deij, R. Stranger VPNs: Investigating the Geo-Unblocking Capabilities of Commercial VPN Providers. In Proceedings of the International Conference on Passive and Active Network Measurement, Virtual Event, 21–23 March 2023; pp. 46–68. [Google Scholar]
  14. Santhanamahalingam, S.; Alagarsamy, S.; Subramanian, K. A study of cloud-based VPN establishment using network function virtualization technique. In Proceedings of the 2022 3rd International Conference on Smart Electronics and Communication (ICOSEC), Trichy, India, 20–22 October 2022; pp. 627–631. [Google Scholar]
  15. Li, Y.; Liu, Q. A comprehensive review study of cyber-attacks and cyber security; Emerging trends and recent developments. Energy Rep. 2021, 7, 8176–8186. [Google Scholar] [CrossRef]
  16. Zhang, Z.; Al Hamadi, H.; Damiani, E.; Yeun, C.Y.; Taher, F. Explainable artificial intelligence applications in cyber security: State-of-the-art in research. IEEE Access 2022, 10, 93104–93139. [Google Scholar] [CrossRef]
  17. Furnell, S. The cybersecurity workforce and skills. Comput. Secur. 2021, 100, 102080. [Google Scholar] [CrossRef]
  18. Rajasekharaiah, K.; Dule, C.S.; Sudarshan, E. Cyber security challenges and its emerging trends on latest technologies. In IOP Conference Series: Materials Science and Engineering; IOP Publishing: Philadelphia, PA, USA, 2020; Volume 981, p. 022062. [Google Scholar]
  19. AL-Hawamleh, A.M. Predictions of cybersecurity experts on future cyber-attacks and related cybersecurity measures. Momentum 2023, 3, 15. [Google Scholar] [CrossRef]
  20. Shaukat, K.; Luo, S.; Varadharajan, V.; Hameed, I.A.; Xu, M. A survey on machine learning techniques for cyber security in the last decade. IEEE Access 2020, 8, 222310–222354. [Google Scholar] [CrossRef]
  21. Secure Remote Access Best Practices-Check Point Software—checkpoint.com. Available online: https://www.checkpoint.com/cyber-hub/network-security/what-is-vpn/covid-19-and-secure-remote-access-best-practices/ (accessed on 26 August 2024).
  22. Fatima, M.; Abbas, H.; Yaqoob, T.; Shafqat, N.; Ahmad, Z.; Zeeshan, R.; Muhammad, Z.; Rana, T.; Mussiraliyeva, S. A survey on common criteria (CC) evaluating schemes for security assessment of IT products. PeerJ Comput. Sci. 2021, 7, e701. [Google Scholar] [CrossRef] [PubMed]
  23. Streun, F.; Wanner, J.; Perrig, A. Evaluating susceptibility of VPN implementations to DoS attacks using adversarial testing. In Proceedings of the Network and Distributed System Security Symposium (NDSS 2022), San Diego, CA, USA, 24–28 April 2022. [Google Scholar]
  24. Zhou, Y.; Zhang, K. DoS vulnerability verification of IPsec VPN. In Proceedings of the 2020 IEEE International Conference on Artificial Intelligence and Computer Applications (ICAICA), Dalian, China, 27–29 June 2020; pp. 698–702. [Google Scholar]
  25. Ginty, S. Discover the Anatomy of an External Cyberattack Surface with New RiskIQ Report|Microsoft Security Blog—microsoft.com. Available online: https://www.microsoft.com/en-us/security/blog/2022/04/21/discover-the-anatomy-of-an-external-cyberattack-surface-with-new-riskiq-report/?msockid=355668c01f696b823ed97c6f1e6f6a0f (accessed on 26 August 2024).
  26. Singh, K.K.V.; Gupta, H. A New Approach for the Security of VPN. In Proceedings of the Second International Conference on Information and Communication Technology for Competitive Strategies, Jaipur, India, 19–21 December 2016; pp. 1–5. [Google Scholar]
  27. Frahim, J.; Huang, Q. SSL Remote Access VPNs (Network Security); Cisco Press: Indianapolis, IN, USA, 2008. [Google Scholar]
  28. Shut the Front Door: Analyzing VPN Vulnerability Exploits—mandiant.com. Available online: https://www.mandiant.com/resources/webinars/mandiant-intelligence-briefing-stories-directly-frontline (accessed on 26 August 2024).
  29. Syed, N.F.; Shah, S.W.; Shaghaghi, A.; Anwar, A.; Baig, Z.; Doss, R. Zero trust architecture (zta): A comprehensive survey. IEEE Access 2022, 10, 57143–57179. [Google Scholar] [CrossRef]
  30. Arshad, J.; Talha, M.; Saleem, B.; Shah, Z.; Zaman, H.; Muhammad, Z. A Survey of Bug Bounty Programs in Strengthening Cybersecurity and Privacy in the Blockchain Industry. Blockchains 2024, 2, 195–216. [Google Scholar] [CrossRef]
  31. Nagmote, S.U.; Soni, P.D. An Overview of Network Security Model Using Cryptography, Firewall and Vpn for Social Organization with There Benifits. Int. J. Eng. Res. Technol. (IJERT) 2013, 2. [Google Scholar] [CrossRef]
  32. Adeyinka, O. Analysis of problems associated with IPSec VPN Technology. In Proceedings of the 2008 Canadian Conference on Electrical and Computer Engineering, Niagara Falls, ON, Canada, 5–8 May 2008; pp. 001903–001908. [Google Scholar]
  33. Sombatruang, N.; Omiya, T.; Miyamoto, D.; Sasse, M.A.; Kadobayashi, Y.; Baddeley, M. Attributes affecting user decision to adopt a Virtual Private Network (VPN) app. In Proceedings of the Information and Communications Security: 22nd International Conference (ICICS 2020), Copenhagen, Denmark, 24–26 August 2020; pp. 223–242. [Google Scholar]
  34. Rothvoß, T.; Sanita, L. On the complexity of the asymmetric VPN problem. In Proceedings of the International Workshop on Approximation Algorithms for Combinatorial Optimization, Virtual, 16–18 August 2009; pp. 326–338. [Google Scholar]
  35. Dutkowska-Zuk, A.; Hounsel, A.; Morrill, A.; Xiong, A.; Chetty, M.; Feamster, N. How and why people use virtual private networks. In Proceedings of the 31st USENIX Security Symposium (USENIX Security 22), Boston, MA, USA, 10–12 August 2022; pp. 3451–3465. [Google Scholar]
  36. Sawalmeh, H.; Malayshi, M.; Ahmad, S.; Awad, A. VPN remote access OSPF-based VPN security vulnerabilities and counter measurements. In Proceedings of the 2021 International Conference on Innovation and Intelligence for Informatics, Computing, and Technologies (3ICT), Virtual Conference, 29–30 September 2021; pp. 236–241. [Google Scholar]
  37. Cheung, K.H.; Mišić, J. On virtual private networks security design issues. Comput. Netw. 2002, 38, 165–179. [Google Scholar] [CrossRef]
  38. Bansode, R.; Girdhar, A. Common vulnerabilities exposed in VPN–A survey. J. Phys. Conf. Ser. 2021, 1714, 012045. [Google Scholar] [CrossRef]
  39. With Everyone Working from Home, VPN Security is Now Paramount—zdnet.com. Available online: https://www.zdnet.com/article/covid-19-with-everyone-working-from-home-vpn-security-has-now-become-paramount/ (accessed on 26 August 2024).
  40. Einler Larsson, L.; Qollakaj, K. Cybersecurity of Remote Work Migration: A Study on the VPN Security Landscape Post COVID-19 Outbreak. 2023. Available online: https://www.diva-portal.org/smash/get/diva2:1778036/FULLTEXT03.pdf (accessed on 30 September 2024).
  41. VPN Access and Activity Monitoring, Sans, 2020.-Bing—bing.com. Available online: https://www.bing.com/search?q=VPN+Access+and+Activity+Monitoring%2C"+Sans%2C+2020.&qs=n&form=QBRE&sp=-1&lq=1&pq=vpn+access+and+activity+monitoring%2C"+sans%2C+2020.&sc=1-48&sk=&cvid=167E379FC8C341CCB182FAC4A95D10D3&ghsh=0&ghacc=0&ghpl=. (accessed on 26 August 2024).
  42. Ikram, M.; Vallina-Rodriguez, N.; Seneviratne, S.; Kaafar, M.A.; Paxson, V. An analysis of the privacy and security risks of Android VPN permission-enabled apps. In Proceedings of the 2016 Internet Measurement Conference, Santa Monica, CA, USA, 14–16 November 2016; pp. 349–364. [Google Scholar]
  43. Yoo, S.J. A Study on the Improvement of Security Enhancement for ZTNA. Converg. Secur. J. 2024, 24, 21–26. [Google Scholar] [CrossRef]
  44. Nazir, A.; Iqbal, Z.; Muhammad, Z. ZTA: A Novel Zero Trust Framework for Detection and Prevention of Malicious Android Applications. Preprints 2024. [Google Scholar] [CrossRef]
  45. Rose, S.; Borchert, O.; Mitchell, S.; Connelly, S. Zero Trust Architecture; NIST Special Publication 800-207; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2020. [Google Scholar]
  46. Developing a Framework to Improve Critical Infrastructure Cybersecurity. Available online: https://www.nist.gov/system/files/documents/2017/06/01/040513_cgi.pdf (accessed on 26 August 2024).
  47. NIST. Framework for Improving Critical Infrastructure Cybersecurity. Available online: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf (accessed on 30 September 2024).
  48. Malatji, M.; Marnewick, A.L.; Von Solms, S. Cybersecurity capabilities for critical infrastructure resilience. Inf. Comput. Secur. 2022, 30, 255–279. [Google Scholar] [CrossRef]
  49. Zscaler’s 2022 VPN Report: As VPN Exploits Grow, 80 Percent of Organizations Shift Towards Zero Trust Security—zscaler.com. Available online: https://www.zscaler.com/press/ (accessed on 26 August 2024).
  50. A VPN Security Brief from AmZetta Technologies, LLC. Available online: https://amzetta.com/wp-content/uploads/2021/05/AmZetta-Remote-AccessSecurity-Going-Beyond-VPN-Security-Brief.pdf (accessed on 26 August 2024).
  51. Pavlicek, A.; Sudzina, F. Use of virtual private networks (VPN) and proxy servers: Impact of personality and demographics. In Proceedings of the 2018 Thirteenth International Conference on Digital Information Management (ICDIM), Berlin, Germany, 24–26 September 2018; pp. 108–111. [Google Scholar]
  52. Hurkens, C.A.; Keijsper, J.C.M.; Stougie, L. Virtual private network design: A proof of the tree routing conjecture on ring networks. SIAM J. Discret. Math. 2007, 21, 482–503. [Google Scholar] [CrossRef]
  53. Javed, M.S.; Sajjad, S.M.; Mehmood, D.; Mansoor, K.; Iqbal, Z.; Kazim, M.; Muhammad, Z. Analyzing Tor Browser Artifacts for Enhanced Web Forensics, Anonymity, Cybersecurity, and Privacy in Windows-Based Systems. Information 2024, 15, 495. [Google Scholar] [CrossRef]
  54. Talan, A. Zero Trust Network Access with Cybersecurity Challenges and Potential Solutions. Ph.D. Thesis, National College of Ireland, Dublin, Ireland, 2022. [Google Scholar]
  55. Campbell, M. Beyond zero trust: Trust is a vulnerability. Computer 2020, 53, 110–113. [Google Scholar] [CrossRef]
  56. Sood, A.K. Empirical Cloud Security: Practical Intelligence to Evaluate Risks and Attacks; Mercury Learning and Information: Duxbury, MA, USA, 2023. [Google Scholar]
  57. Kazim, M.; Pirim, H.; Shi, S.; Wu, D. Multilayer analysis of energy networks. Sustain. Energy Grids Netw. 2024, 39, 101407. [Google Scholar] [CrossRef]
  58. Jeffery, C.L.; Das, S.R.; Bernal, G.S. Proxy-sharing proxy servers. In Proceedings of the COM’96. First Annual Conference on Emerging Technologies and Applications in Communications, Portland, OR, USA, 7–10 May 1996; pp. 116–119. [Google Scholar]
  59. Saini, K. Squid Proxy Server 3.1: Beginner’s Guide; Packt Publishing Ltd.: Birmingham, UK, 2011. [Google Scholar]
  60. Shahid, J.Z.; Cimato, S.; Muhammad, Z. A Sharded Blockchain Architecture for Healthcare Data. In Proceedings of the 2024 IEEE 48th Annual Computers, Software, and Applications Conference (COMPSAC), Osaka, Japan, 2–4 July 2024; pp. 1794–1799. [Google Scholar]
  61. Xu, V. MAZE: A Secure Cloud Storage Service Using Moving Target Defense and Secure Shell Protocol (SSH) Tunneling. Ph.D. Thesis, University of Pittsburgh, Pittsburgh, PA, USA, 2020. [Google Scholar]
  62. Dusi, M.; Gringoli, F.; Salgarelli, L. A preliminary look at the privacy of SSH tunnels. In Proceedings of the 2008 Proceedings of 17th International Conference on Computer Communications and Networks, St. Thomas, VI, USA, 3–7 August 2008; pp. 1–7. [Google Scholar]
  63. Yang, Z.; Cui, Y.; Li, B.; Liu, Y.; Xu, Y. Software-defined wide area network (SD-WAN): Architecture, advances and opportunities. In Proceedings of the 2019 28th International Conference on Computer Communication and Networks (ICCCN), Valencia, Spain, 29 July–1 August 2019; pp. 1–9. [Google Scholar]
  64. Yalda, K.G.; Hamad, D.J.; Ţăpuş, N. A survey on Software-defined Wide Area Network (SD-WAN) architectures. In Proceedings of the 2022 International Congress on Human-Computer Interaction, Optimization and Robotic Applications (HORA), Ankara, Turkey, 9–11 June 2022; pp. 1–5. [Google Scholar]
  65. Iesar, H.; Iqbal, W.; Abbas, Y.; Umair, M.Y.; Wakeel, A.; Illahi, F.; Saleem, B.; Muhammad, Z. Revolutionizing Data Center Networks: Dynamic Load Balancing via Floodlight in SDN Environment. In Proceedings of the 2024 5th International Conference on Advancements in Computational Sciences (ICACS), Lahore, Pakistan, 19–20 February 2024; pp. 1–8. [Google Scholar]
  66. Islam, M.N.; Colomo-Palacios, R.; Chockalingam, S. Secure access service edge: A multivocal literature review. In Proceedings of the 2021 21st International Conference on Computational Science and Its Applications (ICCSA), Cagliari, Italy, 13–16 September 2021; pp. 188–194. [Google Scholar]
  67. Yiliyaer, S.; Kim, Y. Secure access service edge: A zero trust based framework for accessing data securely. In Proceedings of the 2022 IEEE 12th Annual Computing and Communication Workshop and Conference (CCWC), Virtual, 26–29 January 2022; pp. 0586–0591. [Google Scholar]
  68. Awale, V.; Gaikwad, S. Zero Trust Architecture Using Hyperledger Fabric. In Proceedings of the 2023 14th International Conference on Computing Communication and Networking Technologies (ICCCNT), Delhi, India, 6–8 July 2023; pp. 1–4. [Google Scholar]
  69. Abbas, H.; Emmanuel, N.; Amjad, M.F.; Yaqoob, T.; Atiquzzaman, M.; Iqbal, Z.; Shafqat, N.; Shahid, W.B.; Tanveer, A.; Ashfaq, U. Security assessment and evaluation of VPNs: A comprehensive survey. ACM Comput. Surv. 2023, 55, 1–47. [Google Scholar] [CrossRef]
  70. Security Issues with Virtual Private Network (VPN) and Proxy Services. Available online: https://www.academia.edu/51073706/Security_issues_with_Virtual_Private_Network_VPN_and_proxy_services (accessed on 26 August 2024).
  71. Cybersecurity After COVID-19: 10 Ways to Protect Your Business and Refocus on Resilience. Available online: https://www.marshmclennan.com/assets/insights/publications/2020/june/cybersecurity_after_covid_19.pdf (accessed on 26 August 2024).
  72. Fuchs, J. Vishing: New Threat to VPNs—avanan.com. Available online: https://www.avanan.com/blog/vishing-new-threat-vpn (accessed on 26 August 2024).
  73. Odokuma, E.; Musa, M. Internet Threats and Mitigation Methods in Electronic Businesses Post COVID-19. Int. J. Comput. Appl. 2022, 184, 1–4. [Google Scholar] [CrossRef]
  74. Purchina, O.; Poluyan, A.; Fugarov, D. Securing an Information System via the SSL Protocol. Int. J. Saf. Secur. Eng. 2022, 12, 563–568. [Google Scholar] [CrossRef]
  75. He, Y.; Huang, D.; Chen, L.; Ni, Y.; Ma, X. A survey on zero trust architecture: Challenges and future trends. Wirel. Commun. Mob. Comput. 2022, 2022, 6476274. [Google Scholar] [CrossRef]
  76. Pittman, J.M.; Alaee, S.; Crosby, C.; Honey, T.; Schaefer, G.M. Towards a model for zero trust data. Am. J. Sci. Eng. 2022, 3, 18–24. [Google Scholar] [CrossRef]
  77. Buck, C.; Olenberger, C.; Schweizer, A.; Völter, F.; Eymann, T. Never trust, always verify: A multivocal literature review on current knowledge and research gaps of zero-trust. Comput. Secur. 2021, 110, 102436. [Google Scholar] [CrossRef]
  78. Ward, R.; Beyer, B. BeyondCorp: A new approach to enterprise security. ;login: 2014, 39, 6–11. [Google Scholar]
  79. Osborn, B.; McWilliams, J.; Beyer, B.; Saltonstall, M. BeyondCorp: Design to deployment at Google. ;login: 2016, 41, 28–34. [Google Scholar]
  80. Zero Trust: What, Why and How. Available online: https://www.forbes.com/councils/forbestechcouncil/2023/04/07/zero-trust-the-what-why-and-how/ (accessed on 26 August 2024).
  81. Saleem, B.; Ahmed, M.; Zahra, M.; Hassan, F.; Iqbal, M.A.; Muhammad, Z. A survey of cybersecurity laws, regulations, and policies in technologically advanced nations: A case study of Pakistan to bridge the gap. Int. Cybersecur. Law Rev. 2024, 5, 533–561. [Google Scholar] [CrossRef]
  82. Vensmer, A.; Kiesel, S. Dynfire: Dynamic firewalling in heterogeneous environments. In Proceedings of the World Congress on Internet Security (WorldCIS-2012), Guelph, ON, Canada, 10–12 June 2012; pp. 57–58. [Google Scholar]
  83. Giannakou, A.; Rilling, L.; Pazat, J.L.; Morin, C. AL-SAFE: A secure self-adaptable application-level firewall for IaaS clouds. In Proceedings of the 2016 IEEE International Conference on Cloud Computing Technology and Science (CloudCom), Luxembourg, 12–15 December 2016; pp. 383–390. [Google Scholar]
  84. Crichigno, J.; Bou-Harb, E.; Ghani, N. A comprehensive tutorial on science DMZ. IEEE Commun. Surv. Tutor. 2018, 21, 2041–2078. [Google Scholar] [CrossRef]
  85. French, A.M.; Guo, C.; Shim, J.P. Current status, issues, and future of bring your own device (BYOD). Commun. Assoc. Inf. Syst. 2014, 35, 10. [Google Scholar]
Figure 1. Illustration of VPN functionality, demonstrating encrypted traffic flow for enhanced data security and user privacy across public networks.
Figure 2. Zero Trust Network Access (ZTNA) framework, showing the continuous verification process that ensures secure access based on identity, context, and device compliance.
Figure 3. Systematic literature review (SLR) methodology for selecting and filtering articles related to Zero Trust VPN and cybersecurity frameworks.
Figure 4. Detailed architecture of the Zero Trust VPN (ZT-VPN) framework, depicting the Policy Enforcement Point, Identity Enforcement Point, and Security Enforcement Point modules for comprehensive security management.
Table 1. Comparative analysis of the VPN and ZTNA, highlighting differences in trust models, access security, performance, and deployment complexity.

| Checklist | VPN | ZTNA |
|---|---|---|
| Security features | Creates an encrypted tunnel for data transfer between the user's device and the company's network. However, it may be vulnerable to attacks if misconfigured or if outdated encryption standards are used. | Provides customizable access control settings with a more granular security approach, including micro-segmentation and adaptive trust, which minimizes lateral movement within the network. |
| Trust model | Trust is established once when the user connects to the network, after which they have access to all resources. | Employs a Zero Trust model, verifying identity and access permissions continuously, ensuring that only authorized users can access specific resources. |
| Access security model | After authentication, users have broad access to the network, potentially increasing the risk if credentials are compromised. | Users can only access specific applications or data as defined by granular policies. Access is determined based on factors such as identity, device posture, and application sensitivity. |
| Performance | Can introduce latency as all traffic is routed through a central server, creating a single point of congestion, especially under heavy load. Performance can degrade with increased distance from the server. | Traffic is routed directly to the application or service, reducing latency and avoiding bottlenecks. It also allows local breakout, which improves user experience. |
| Authentication | Typically uses basic methods like username and password. Additional security layers like MFA (multi-factor authentication) are optional and may not be consistently enforced. | Enforces robust authentication methods, including MFA, device identity verification, and contextual factors like geolocation and time of access. |
| Deployment complexity | Generally straightforward to deploy, especially for small- to medium-sized networks. It requires the configuration of VPN servers and client software on user devices. | Deployment can be complex, requiring integration with identity providers, defining granular policies, and ensuring compatibility with existing applications and network infrastructure. |
| Scalability | Scalability can be challenging as VPN servers need to handle all traffic, which may require significant infrastructure investment as the user base grows. | Designed for scalability, as it does not route all traffic through a central point. Easily supports a growing user base and can integrate with cloud services seamlessly. |
| Use cases | Suitable for remote access to internal resources, secure communication over public networks, and when centralized control over network traffic is needed. | Ideal for secure access to cloud applications, enforcing least-privilege principles and protecting against insider threats by restricting lateral movement. |
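The trust-model and access-security rows of Table 1 are the crux of the comparison: a VPN decides once, at connect time, and then exposes every internal resource, whereas ZTNA re-decides on each request from identity, MFA state, device posture, application sensitivity and context such as time of access. The Python below is an added illustration of that difference; it is not code from the paper or from any ZT-VPN implementation. The users, devices, applications, posture data and the policy schema are all constructed assumptions chosen to mirror the factors the table names.

```python
"""Added example (not from the paper): a minimal policy decision point that
contrasts one-time VPN trust with per-request ZTNA evaluation.
All identities, devices and policies are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Request:
    """One access attempt as seen by the policy decision point."""
    user: str
    mfa_passed: bool
    device_id: str
    app: str
    at: datetime  # UTC timestamp of the attempt


def at_hour(hour: int) -> datetime:
    """Constructed UTC timestamp on a fixed day, used for the examples below."""
    return datetime(2024, 11, 12, hour, 0, tzinfo=timezone.utc)


# Constructed posture feed, standing in for what an MDM/EDR agent would report.
DEVICE_POSTURE = {
    "lt-1001": {"managed": True, "edr_healthy": True},    # corporate laptop
    "byod-7":  {"managed": False, "edr_healthy": False},  # personal device
}

# Constructed identity-provider data: group membership per user.
USER_GROUPS = {
    "alice": {"staff", "finance"},
    "bob":   {"staff"},
}

# Constructed per-application policy (assumed schema): which groups may reach
# the app, whether a managed device with healthy EDR is required, and an
# optional permitted access window in UTC hours [start, end).
APP_POLICY = {
    "wiki":    {"groups": {"staff"},   "require_managed": False, "hours": None},
    "payroll": {"groups": {"finance"}, "require_managed": True,  "hours": (7, 19)},
}


def vpn_decide(authenticated: bool, app: str) -> bool:
    """Classic VPN model: one gate at connect time, then every app is reachable."""
    return authenticated


def ztna_decide(req: Request) -> tuple[bool, str]:
    """ZTNA model: evaluate identity, MFA, device posture and context per request.
    Returns (allowed, reason); anything not explicitly permitted is denied."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return False, "unknown application (default deny)"
    if not req.mfa_passed:
        return False, "MFA not satisfied"
    if not USER_GROUPS.get(req.user, set()) & policy["groups"]:
        return False, "user not in an authorised group"
    posture = DEVICE_POSTURE.get(req.device_id)
    if posture is None:
        return False, "unknown device"
    if policy["require_managed"] and not (posture["managed"] and posture["edr_healthy"]):
        return False, "device posture insufficient"
    if policy["hours"] is not None:
        start, end = policy["hours"]
        if not start <= req.at.hour < end:
            return False, "outside permitted access window"
    return True, "allow"


def replay_session(requests: list[Request]) -> list[bool]:
    """Apply ztna_decide to every request, so a session whose context changes
    (e.g. it continues past the access window) is re-evaluated rather than
    trusted because its first request was allowed."""
    return [ztna_decide(r)[0] for r in requests]


if __name__ == "__main__":
    # Stolen credentials plus a passed MFA prompt from an unmanaged device:
    # the VPN model grants everything, the ZTNA model denies the sensitive app.
    stolen = Request("alice", True, "byod-7", "payroll", at_hour(10))
    print("VPN :", vpn_decide(True, stolen.app))
    print("ZTNA:", ztna_decide(stolen))
    session = [Request("alice", True, "lt-1001", "payroll", at_hour(h)) for h in (10, 18, 20)]
    print("session:", replay_session(session))
```

The ordering of checks is deliberate: cheap identity checks run before the posture lookup, and every path that is not an explicit allow returns a named deny reason so that the decision can be logged and audited, which is the visibility Table 1 attributes to ZTNA.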
Table 2. Overview of various network security and access technologies, comparing attributes of scalability, use case suitability, and security models across VPN, ZTNA, proxy servers, SSH tunnels, SD-WAN, and SASE.

| Technology | Security | Trust Model | Performance | Use Case | Scalability |
|---|---|---|---|---|---|
| VPN | Encrypted tunnel, risk of broad access | Trust established once | Latency due to centralized routing | Secure remote access to internal resources | Limited scalability due to server capacity |
| ZTNA | Granular access, continuous verification | Zero Trust, continuous | Direct routing, low latency | Securing cloud and hybrid environments | Highly scalable, supports cloud integration |
| Proxy servers | Basic anonymity, web filtering | Basic credentials, no internal security | May introduce latency | Content filtering, anonymity | Scales for web traffic, not for internal security |
| SSH tunnels | Strong encryption, secure remote access | Single-session access | Minimal impact | Secure remote management, tunneling | Not scalable for large user bases |
| SD-WAN | Integrated security options, optimized routing | Secure site-to-site | Dynamic routing, optimized traffic | Connecting branches, performance optimization | Scales for large networks, complex deployment |
| SASE | Comprehensive security, Zero Trust | Zero Trust, granular | Optimized, low latency | Cloud-native, remote workforce security | Highly scalable, complex implementation |
Table 3. Comparison of industry Zero Trust models, outlining implementation complexity, device management, data protection, and monitoring frameworks in the Google BeyondCorp, NIST, and Forrester models.

| Criteria | Google BeyondCorp [78,79] | NIST Zero Trust Architecture (SP 800-207) [45] | Forrester Zero Trust Model [80] |
|---|---|---|---|
| Primary focus | Device and user authentication | Continuous verification and micro-segmentation | Data-centric security and continuous monitoring |
| Implementation complexity | High, complex outside of Google ecosystem | High, due to comprehensive guidelines | Moderate, adaptable, but requires significant changes |
| Flexibility | Limited, tailored to Google infrastructure | High, vendor-neutral | Moderate, adaptable to various environments |
| Device management | Centralized control, strong device verification | Device posture checks | Focus on endpoint security |
| User authentication | Strong emphasis on SSO and MFA | Multi-factor authentication | Continuous identity verification |
| Network access | No inherent trust, direct access to applications | Micro-segmentation, network isolation | Micro-segmentation, no trust within network |
| Data protection | Focus on securing access to data through identity and device state | Policy-based data protection | Strong emphasis on data protection |
| Monitoring and logging | Centralized monitoring, comprehensive logging | Continuous monitoring | Continuous monitoring and incident response |
| Maturity | High, well established in large-scale environments | High, comprehensive, and widely accepted | High, influential in industry standards |
| Support and documentation | Extensive support and documentation from Google | Detailed guidelines and government backing | Extensive industry literature and best practices |
| Best suited for | Large enterprises, especially those using Google infrastructure | Government agencies, large enterprises | Enterprises prioritizing data security and adaptable solutions |
Table 4. Summary of the previous literature on Zero Trust and related technologies. Column definitions: Category A—classification approach used in reviewed works; Category B—comparison of individual statistics across works; Category C—model analysis of variable features; Category D—hybrid network challenges discussed. Notation: Y = yes (characteristic is present), X = no (characteristic is absent), P = partially present.

| Author(s) | Key Findings from Previous Studies | A | B | C | D |
|---|---|---|---|---|---|
| He et al. [75] | Review of technologies supporting the Zero Trust framework. | Y | Y | Y | X |
| Syed et al. [29] | Examines the impact of Zero Trust on access control and authentication mechanisms. | Y | Y | P | P |
| Pittman et al. [76] | Analysis of Zero Trust as applied to data objects instead of access pathways. | Y | X | X | P |
| Buck et al. [77] | Identification of industry and academic gaps and an overview of Zero Trust principles in various contexts. | Y | X | X | P |
| Cherrueau et al. [69] | Highlights Zero Trust scaling challenges and provides secure configuration guidelines, emphasizing encryption and identity controls. | Y | X | Y | X |
| S et al. [70] | Analyzes security and usability issues in VPN and ZTNA, with emphasis on the effects of poor configuration. | P | Y | X | Y |
| Wang et al. [71] | Assesses performance aspects of ZTNA and VPN, focusing on latency, scalability, and protocol optimization. | Y | Y | Y | P |
| Da Silva et al. [72] | Proposes Zero Trust for smart home environments, with behavior-based authentication; includes edge computing considerations. | Y | X | P | Y |
| Hunt et al. [74] | Proposes a ZTNA VPN model that discusses enhanced visibility, with potential latency impacts for real-time applications. | Y | Y | P | Y |
| Google [78,79] | Describes Google's ZTN framework for secure access control; limited to Google's infrastructure. | Y | X | Y | X |
| NIST [45] | Vendor-neutral Zero Trust framework with continuous user/device verification and context-based policies. | Y | Y | Y | P |
| Forrester model [80] | Focuses on data-centric security, continuous monitoring, and reducing lateral network movement. | Y | Y | X | P |
| Vensmer et al. [82] | Explores Dynfire, a ZTN access control framework applied in academic settings, lacking risk management features. | Y | X | Y | P |
| Giannakou et al. [83] | Proposes AL-SAFE, a ZTN model for cloud environments, missing policy language and risk management. | Y | P | Y | P |
| This article | Evaluation of Zero Trust VPN (ZT-VPN) and ZTNA with vendor-supported adoption in open-source contexts. | Y | Y | Y | Y |

Share and Cite

MDPI and ACS Style

Zohaib, S.M.; Sajjad, S.M.; Iqbal, Z.; Yousaf, M.; Haseeb, M.; Muhammad, Z. Zero Trust VPN (ZT-VPN): A Systematic Literature Review and Cybersecurity Framework for Hybrid and Remote Work. Information 2024, 15, 734. https://doi.org/10.3390/info15110734
