Within the next three years, 42.5 percent of the global workforce is expected to be mobile. With such increases in user mobility, combined with organizations’ need for greater speed and growth, cloud adoption has become the logical course of action. This need for cloud scale and agility has led to a rapid adoption of IaaS within businesses. In fact, according to a recent study, 40% of enterprises are running in hybrid cloud environments while 50% of enterprises have two or more clouds deployed.
Enterprises have been swift to recognize the need for app transformation and cloud services, yet security has lagged behind. As a result, organizations have been in a position to try to secure access to their cloud applications the same way they secured their data center applications: via firewalls, VPN appliances, and other network-centric technologies. These legacy methods of security leave enterprises with a poor user experience, high costs, and a risky security posture. Security needs to evolve with the new focus on cloud and mobility; otherwise, enterprise efforts to transform will be hindered in the long run, primarily due to the following three reasons:
The network-centric security model has been around for nearly 30 years, and while much of the environment has changed, security technology at its core has not. As apps move to public clouds—an environment that you do not control—how can your network security protect them? It can’t. As a result, security design flaws are magnified as old technology is retrofitted into today’s transformed world:
Remote access often requires network access
Network-centric approaches (like VPN) were made to connect devices to networks, rather than users to applications, making network access and application access synonymous. With this approach, security remains tethered to the data center even though apps have moved to cloud environments. Security that’s anchored in the data center requires holes to be poked in the firewalls and apps to be exposed, while VPNs create a poor experience as user traffic to the cloud is backhauled through the data center.
Mitigating over-privileged access means complex network segmentation
Once granted network access, users gain full access. Such access increases risk because east-west movement is unrestricted. The only way to reduce lateral access is through network segmentation, which is complicated, and it doesn’t even allow you to control access to individual applications.
Lack of visibility into user and app activity
The VPN only provides visibility into IP and port data, which is hardly useful, especially with the increase in self-service apps, cloud services, and shadow IT. The IT team’s job becomes harder as the lack of visibility denies them the ability to see which users are accessing which apps, from which locations, at what time, and from what device.
Part of business agility means being able to support the fluctuating needs of the enterprise. This agility is one of the many benefits of cloud adoption. But as organizations move to become cloud-enabled, their network-centric security ends up being an albatross, slowing their ability to scale. Security lags behind due to two key limiting factors in a network-centric approach:
Security appliances have set capacities
While the cloud is scalable, appliances are not. Network-centric appliances can only handle so much traffic, and it’s only a matter of time before they reach capacity and need to be replaced. Such upgrades, often unplanned, take from your future budget, and they drain resources as your team has to configure all those new appliances as you outgrow the old. IT needs a solution that is flexible enough to scale with the needs of the business.
Backhauling and site-to-site VPNs cost BIG money
MPLS is expensive, and it’s the transport on which network-centric security is built. As user traffic is backhauled through the data center over MPLS, then hairpinned out to the cloud via the site-to-site VPN, then back, the enterprise is hit twice as hard as it was when traffic went straight to the data center. As more and more traffic becomes destined for the cloud, this cost will continue to escalate, spreading IT’s already limited resources even thinner and restricting the enterprise’s ability to scale.
With organizations widely adopting cloud, IT is now responsible for securing two or more environments. However, network-centric approaches were only designed to secure one: the data center.
While the VPN has been used to secure data center applications, the enterprise must now configure additional site-to-site VPNs to connect users securely to apps in the cloud. In addition to managing their existing environments, IT gets the added layer of complexity of managing new cloud environments—complexity that will only grow as enterprises begin adopting multiple clouds.
Multiple environments mean there is no longer one security method standardized across all locations and apps, but rather fragmented security solutions across the various cloud and data center environments. Fragmented security creates points of weakness that can make you vulnerable to attack. So, in the case of cloud, more security solutions actually lead to increased risk rather than an improved security posture.
As enterprises increase IaaS adoption, Gartner recommends that they begin evolving from network-centric security to a ZTNA solution, also known as software-defined perimeter (SDP). ZTNA is a new set of technologies built to enable a modern, cloud-first approach to securing private applications both in the cloud and in data center locations. ZTNA enables cloud transformation in three ways:
Security shifts to app, user, and device
ZTNA takes a user- and app-centric approach rather than a network-centric approach to security, which allows application access to be independent from network access, keeping users off the network while allowing access to only authorized apps. Because app access is decoupled from network access and inbound pings are never received, IPs are never exposed to the internet and apps are invisible to unauthorized users. One-to-one connections are made between user and app, eliminating east-west movement on the network and also reducing the risk of shadow IT, as applications can be discovered by IT.
Cloud-hosted security services are born to scale
ZTNA is appliance-free, 100% software-defined, and scales like the cloud, so that organizations are no longer constrained by capacity limits. Organizations can easily scale ZTNA by simply purchasing additional licenses while infrastructure requirements are handled by the vendor, not the organization’s team. Additionally, ZTNA secures user and app connections via double-encrypted TLS micro-tunnels rather than leveraging MPLS, resulting in drastically reduced MPLS spend and allowing resources to go further.
A single security platform for any multi-cloud environment
ZTNA is environment-agnostic, whether you’re securing data center, multi-cloud, or hybrid environments. There’s no need for additional security appliances like site-to-site VPNs or cloud-specific user groups; security is unified for all instances, as ZTNA works identically across all locations, creating consistent security at a global scale.
While it may be convenient right now to continue leveraging old technology in this new world of cloud, the network-centric approach will only take your organization so far. With cloud transformation becoming inevitable, the organization must look ahead and evaluate the future needs of the business from a security, scalability, and business agility standpoint.