The 2020 Gartner Zero Trust Market Guide predicts that in just two years, 80 percent of businesses will access new digital applications using Zero Trust Network Access (ZTNA). The report also declares that ZTNA security solutions will soon supplant legacy security solutions such as virtual private networks (VPN) for remote employees and third-parties.
ZTNA and other cloud security solutions are moving to the forefront of IT plans for two reasons:
Last January, I would’ve agreed with Gartner’s optimistic ZTNA-adoption assessment. But then the COVID-19 crisis happened. Companies refocused on ensuring business continuity. (In a time of urgency, many look to familiar technology, even if it’s not the best for the situation.) Much of the enterprise reactive scrambling involved expanding existing VPN systems. But as entire companies shifted to company-wide work-from-home (WFH) scenarios, enacting long-term security plans became a tactical exercise rather than a strategic one.
After “day one” of the crisis, enterprise business continuity plans (BCP) generally took three different paths: Consistent, Confident, and Courageous. Imagine you are at a public pool with your three children, each standing on a different diving board: one at one meter, one at three meters, and one at six meters.
Below, we’ll look at all three in the context of zero trust.
The first child at the lowest height—the one-meter diving board—jumps straight into the water: low risk, low concern. This is the “Consistent” approach. In an enterprise security context, the low-diving-board-metaphor business continuity plan includes scaling up work-from-home with current or expanded VPN capacity. As long as that capacity is accessible, consistent companies can move forward as before with little impact to ongoing operations or productivity.
The Consistent approach provides continued and non-interrupted application access without new tools or systems. Longer-term network transformation plans are unaffected, and business continues as before. There isn’t enough (or any) pain to force a change to a zero trust adoption strategy.
When it comes to security, however, the inherent risks of VPNs now increase exponentially. Expanding WFH expands the network attack surface: every additional user on the VPN is one more individual remote connection that perimeter-based security must encircle. (Consider each remote employee as a new branch office of one.) This extended exposure will continue until circumstances change. And threat actors know this: The recent REvil attack targeted unpatched VPN servers.
When it comes to protecting the enterprise “crown jewels,” you can continue to use legacy solutions such as virtual routing and forwarding (VRF), firewalls, or network access control (NAC) to control who accesses what in the network. But recognize that these legacy solutions are expensive to implement and difficult to manage.
Alternatively, you can use this opportunity to compare Zero Trust to legacy solutions for VPNs, third-party access, and operational technology (OT) protection, assuming the crisis doesn’t usurp resources and budget in the meantime, of course.
The next child climbs to the three-meter diving platform: higher risk, and some marginal concern on your part. This is comparable to the “Confident” enterprise course. Organizationally, the Confident enterprise quickly adjusts to the new crisis-based reality. Extending legacy system capacity in order to get remote workers functional requires intensive (and probably costly) efforts. As a result, enterprise leadership recognizes how legacy network security architectures limit flexibility. The pandemic offers a use case to demonstrate zero trust as a network transformational solution. You can create test groups to demonstrate ZTNA versus VPNs. (For adopting ZTNA solutions, Gartner Research recommends using a pilot group to measure transformation solutions against legacy networks.)
Enterprise transformation usually involves numerous stakeholders. This means enterprises must address many architectural risks and concerns. While the current pandemic probably speeds up the adoption process, keeping a zero trust solution depends on seeing immediate benefits from the technology. The pandemic also highlights other (perhaps contractual or financial) obligations associated with your legacy architecture.
Now is the time to promote any solid data showing zero trust benefits over legacy solutions. This will pique the interest of other teams and business units in the enterprise. Look for support from zero trust providers, trusted advisors, and internal champions.
The third child races up to the six-meter diving board: high risk, high concern. The six-meter diving board may be impressive, but it also triggers insecurity and fear. This is the “Courageous” option. The Courageous enterprise, rather than sticking with legacy architectures or adopting transformation as needed, jumpstarts its transformation strategy immediately.
There is risk in this approach. Executing a new transformational strategy while dealing with the pandemic can pose challenges to resources, costs, and responsiveness.
Replacing legacy VPN systems with a zero trust solution is an excellent first step. The IT team must identify what applications users are accessing, and where those applications reside (in an internal data center, or in a cloud environment). The sheer number of applications may surprise IT admins, given the proliferation of shadow IT (and often, the lack of visibility into user data traffic). IT must determine how to apply policies so that users can access internal and external applications and services. A comprehensive data-traffic audit/application inventory will provide good visibility into both enterprise network traffic and user network behavior.
Setting policies in a zero trust architecture—at least in the beginning—can seem like a daunting task. It’s why many organizations choose to jump into the transformation pool from a lower diving board. They fear that policies will hinder employee productivity (too restrictive) or expand the network attack surface (too permissive).
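The audit-then-policy step described above, as an added example that is not part of the original post: constructed audit records are turned into an application inventory (flagging shadow IT), per-application least-privilege rules are derived from observed use, each request is decided per app with default deny, and the result is compared with the legacy VPN model where anyone on the network reaches every internal app. The reviewer check at the end flags exactly the two failure modes the text names (too permissive, too restrictive). All names, groups and the sanctioned-app list are assumptions.

```python
# Constructed audit records from a hypothetical traffic capture:
# (user, group, application, where the application is hosted)
AUDIT = [
    ("alice", "finance", "erp", "datacenter"),
    ("alice", "finance", "mail", "cloud"),
    ("bob", "engineering", "gitlab", "datacenter"),
    ("bob", "engineering", "mail", "cloud"),
    ("carol", "engineering", "gitlab", "datacenter"),
    ("carol", "engineering", "shadow-crm", "cloud"),  # unsanctioned SaaS
]
SANCTIONED = {"erp", "mail", "gitlab"}  # assumed list of approved apps


def build_inventory(audit):
    """Application inventory: hosting location, observed groups, shadow IT flag."""
    inventory = {}
    for _user, group, app, hosting in audit:
        entry = inventory.setdefault(
            app, {"hosting": hosting, "groups": set(), "shadow": app not in SANCTIONED})
        entry["groups"].add(group)
    return inventory

def derive_policy(inventory):
    """Least-privilege rules: each sanctioned app is reachable only by the
    groups that were actually observed using it."""
    return {app: set(e["groups"]) for app, e in inventory.items() if not e["shadow"]}

def ztna_authorize(policy, group, app):
    """Per-request, per-application decision; anything not listed is denied."""
    return group in policy.get(app, set())

def vpn_authorize(inventory, group, app):
    """Legacy model for comparison: once on the VPN, every user reaches every
    internal (datacenter) app regardless of group."""
    return app in inventory and inventory[app]["hosting"] == "datacenter"

def review_policy(policy, inventory):
    """Flag rules worth a human look: 'permissive' if every group is allowed,
    'unreachable' if no group is (too permissive / too restrictive)."""
    all_groups = {g for e in inventory.values() for g in e["groups"]}
    findings = {}
    for app, groups in policy.items():
        if not groups:
            findings[app] = "unreachable"
        elif groups >= all_groups:
            findings[app] = "permissive"
    return findings
```

A "permissive" finding is a prompt to confirm an app really is company-wide (mail here), not an automatic error.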
But with the risk come greater rewards: Courageous organizations gain the immediate value of a zero trust solution—better security and better performance—and create an agile connectivity environment able to accommodate change. Zero trust supports the type of network transformation that gives enterprises competitive advantages and better customer experiences. (And those impacts will matter when we come out on the other side of the current crisis.)
The three pandemic responses are like our three divers: they can all achieve a clean and safe dive into the transformation pool without mishap. Ensuring business continuity during the current pandemic requires a Herculean effort no matter which path a company chooses. The difference is in how the company’s transformation strategy positions its ability to achieve enterprise goals when the crisis is over.
“Consistent” organizations will ultimately carry on as before, but will remain a step behind competitors when it comes to transformation. “Confident” enterprises will have significant data at their disposal to use in moving their strategy plans forward. And “Courageous” enterprises will find themselves ahead of the game when transformation’s benefits further their business goals.
There are many discussions asking what will happen after the pandemic. Will we return to “normal”? Will the pandemic accelerate transformation strategies? My take is that WFH policies and practices will become a more robust part of daily enterprise culture, a go-to strategy as part of BCP, and an entry point for network transformation. There is an enterprise need for flexible and scalable secure application access—in the immediate crisis and beyond. And that makes now a perfect time to begin network transformation.
Oh, and go for the high dive. You’ll cause the biggest splash.