Gartner predicts that by 2023, 60 percent of enterprises will phase out most of their remote access virtual private networks (VPNs) in favor of zero trust network access (ZTNA) solutions. The Gartner team further predicts that 40 percent will have adopted ZTNA for uses besides VPN replacement, such as enabling third-party access, multi-cloud access, and activities around mergers and acquisitions or divestitures.
ZTNA, often referred to as software-defined perimeter (SDP) services, provides seamless and secure connectivity to private applications without ever placing users on the network or exposing apps to the internet. As the name implies, the technology is driven by the need for organizations to embrace a zero trust security model built for mobility and a cloud-first world. A model that delivers security based on the user and applications—not IP address—regardless of location and device.
IP addresses were built for connectivity, not security, and are thus inherently weak security identifiers (shocker, I know). Even so, they continue to be used as a means of network connectivity. Using IP addresses is problematic because their inherent default “allow” posture leads to implicit trust, which can then be abused by nefarious actors. As organizations realized that they needed a demarcation point where their corporate network could connect to the internet, they began to deploy firewalls, which led to massive firewall adoption over the last 30 years.
ZTNA technologies shine a light on the reason why the concept of “trusted” and “untrusted” is flawed and they, furthermore, render all those inbound gateway firewalls obsolete. This is because the idea of zero trust nullifies the concept of “trusted” altogether. Additionally, treating external systems as “untrusted” and blocking them by default worked well enough in the early days, but now forces organizations to use remote access VPNs and DMZs to allow external users to connect to apps on the network. Think about this for a second. VPNs tunnel holes past firewalls and allow for connections to the internal network. DMZs make private apps accessible to not only the good guys but expose them to the bad actors as well. WAFs can’t secure against this either. Oops.
As the number of private apps that run in multi-cloud or hybrid environments increases, along with the number of employees and third-parties connecting from devices located outside the classic perimeter, security will become increasingly difficult if attempted with legacy technologies. More appliances will be required to keep up with demand, leading to more exposed IP addresses. User experience will suffer as a result of backhauling and unnecessary hops. ZTNA provides an opportunity for enterprise teams to solve both challenges.
Like all new technologies, ZTNA looks to one-up these legacy approaches, not by simply making them better or “always-on,” but by bucking the concept altogether. ZTNA frees organizations from the grip of legacy VPN inbound gateway stacks and FW appliances. Instead of allowing access based on IP address, ZTNA uses simple policies hosted in the cloud that are globally distributed but enforced locally. They provide visibility and grant access to private apps only to the specific users authorized to view them, and never to the internal network. All access is contextual. ZTNA effectively makes the internet the new corporate network, creating end-to-end encrypted micro-tunnels that create a secure segment of one between a user and an application (aka micro-segmentation). Admins can even discover previously unknown applications and set granular access controls for them.
ZTNA technologies are generating a lot of buzz, but not all solutions are created equal. Which begs the question of what should enterprises consider as they look to adopt ZTNA. To be objective, I will defer to Gartner on this.
In Gartner’s recent Market Guide on Zero Trust Network Access, Steve Riley, Neil MacDonald, and Lawrence Orans outline several things to think about when choosing a ZTNA solution. Below, I list those I think enterprises should prioritize:
Does the vendor require that an endpoint agent be installed? What OSs are supported? What mobile devices? How well does the agent behave in the presence of other agents? NOTE: ZTNA technologies that do not support clientless use are often unable to support unmanaged device use cases, e.g., third-party access, BYOD, etc.
Does the offering support only web applications, or can legacy (data center) applications gain the same security advantages?
Some ZTNA products are delivered partly or wholly as cloud-based services. Does this meet the organization’s security and residency requirements? NOTE: Gartner recommends that enterprises favor vendors that offer ZTNA as a service, as services are easier to deploy, more available, and provide better security against DDoS attacks.
To what extent is partial or full cloaking, or allowing or prohibiting inbound connections, a part of the isolated application’s security requirements?
What authentication standards does the trust broker support? Is integration with an on-premises directory or cloud-based identity services available? Does the trust broker integrate with the organization’s existing identity provider?
How geographically diverse are the vendor’s entry and exit points (referred to as edge locations and/or points of presence) worldwide?
After the user and device pass authentication, does the trust broker remain resident in the data path?
Does the offering integrate with unified endpoint management (UEM) providers, or can the local agent determine device health and security posture as factors in the access decision? What UEM vendors has the ZTNA vendor partnered with?
Keep this list top of mind when the next ZTNA vendor comes calling so you can be sure to choose the solution that fits your needs. Who knows, it might even be Zscaler!
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Chris Hines is head of product marketing for Zscaler Private Access and Z App.