- The need to enable work from anywhere is accelerating adoption of ZTNA services
- Gartner's newly released new guidance around ZTNA technologies
- Five considerations for selecting a ZTNA service
The recent movement to large remote workforces has accelerated the adoption of cloud-based technologies. But there's one in particular called zero trust network access (ZTNA) that has been enabling the remote workforce. This is due to ZTNA's ability to scale at a moment's notice while providing a great experience for users. And, as the world begins to open up, IT leaders must cope with the new reality of work-from-anywhere, security must remain top-of-mind.
Traditional networks, VPNs, and DMZs use IP addresses and network locations to establish network connectivity for users. This architecture was designed to provide access to apps in the data center, not a hybrid and multicloud world. Because of this, users are left frustrated due to a highly latent experience. The reliance on network connectivity also leads to excessive trust and exposure of network resources to the internet. Bad actors take advantage of this exposure, targeting users as a means of gaining access to sensitive data accessible on the network.
I call it risk with no reward.
Network teams, risk managers, and infrastructure security teams are constantly forced to decide whether to reinvest in old architectures or to replace them with a modern, cloud-based approach. This tug of war between old and new is, at times, uncomfortable but must be overcome.
We first wrote about zero trust network access (ZTNA) last year when Gartner released its initial Market Guide for Zero Trust Network Access back in April 2019. Recently, Gartner has announced an updated version of the guide. As a reminder, Gartner defines ZTNA as "products and services that create an identity-and context-based, logical-access boundary encompassing a user and an application or set of applications.” Ever since users and applications gained the ability to work and run outside the network, the classic network perimeter has eroded (if you don’t control the network, you can’t do network security).
ZTNA allows for authorized users to have identity and contextual-based access to specific applications—and never the network. This level of precision ensures that access is limited in scope and that applications are never exposed to the internet. Since users are never on the network, this also removes the potential for lateral movement on the network, a common way that malware spreads.
Since many ZTNA services are cloud-based and hosted by the vendor, they bring with them all the benefits you can expect from the cloud. More points-of-presence leads to a better user experience. Like Netflix, Airbnb, or any cloud service, a distributed cloud brings more scale and agility in times of need. It also brings security to where your users are, ensuring you always have the level of security required regardless of their location, device, or even the app or app environment. We also extended the ability for customers to run a piece of our cloud in their own data center so their on-premises users can benefit from ZTNA too. There are no appliances to manage or long lists of firewall rules required. You simply define the user and hostname policies, with the cloud service—which is always running—enforcing them for you.
With users and applications already in the cloud, it makes sense for your secure access capabilities to live there as well.
Teams often ask us where they should begin with ZTNA and for guidance around putting a plan in place. We urge them to just pilot ZTNA projects (we even created a ZTNA test drive for our ZPA service to help). Of course, this should be part of a larger strategy that is not solely focused on private apps, but a broader initiative around the use of a cloud-delivered access service to provide access to all apps. Gartner calls this the secure access service edge (SASE).
Many organizations begin with using ZTNA as an alternative to their VPN, especially given the abundance of remote work being done today. As you think about your access strategy going forward, and how it relates to your plan for opening offices back up, consider using ZTNA for on-premises users as well. This will bring the same user-to-app segmentation on-premises that is valued when users are remote. In turn, it will helps you reduce the complexity of network segmentation, reduce the risk of lateral movement on your network, and instead rely on identity-based access based on policy, and enforced by a local broker (while hosted by you, the software package is still managed by the ZTNA vendor).
If your organization is likely to embrace a consolidation strategy over the next few years, also consider ZTNA to accelerate IT integration during M&A or divestitures. This removes the need to consolidate networks, allows you to standardize security levels across multiple entities, and ensures that users are productive as quickly as possible.
Five things to keep in mind when selecting a ZTNA service
- When considering ZTNA, be sure to evaluate a cloud-based ZTNA service. This will come in handy, especially now with many users still working remotely during the pandemic. You won’t need to worry about capacity limitation or be constrained by bandwidth (that was the old appliance-based world).
- Make sure the vendor has trusted brokers running across enough locations to ensure your users have the best experience possible. A good rule of thumb is that the more points of presence available, the more you’ll be able to reduce latency. Users will appreciate that.
- Choose a vendor that can support both web and legacy apps, not a vendor that is limited to web applications. You most likely have legacy and customer applications that are not web-based.
- Since work from anywhere will mean a mix of BYOD and managed devices, ensure the ZTNA service has the ability to support each. This will require the option to support access in the case of no endpoint (BYOD) or end (managed) running on the device.
- Prioritize ZTNA vendors that integrate with end-user management technologies (e.g., CrowdStrike, Carbon Black, Microsoft, etc.) for simpler deployment of the agent and advanced device posture management
I wish you good fortune as you look to support your “work from anywhere” workforce, and maintain the security of your private apps while doing so. ZTNA will, I’m sure, make things easier for you.
We’re here if you need any guidance along the way.
Check out our Zscaler Private Access data sheet
Take ZPA for a Free Test-Drive
Hear from National Oilwell Varco about the ways they're using Zscaler Private Access
Chris Hines is Director of Product Marketing for Zscaler Private Access