by Chris Hines, Head of Product Marketing - Zscaler Private Access and Z App
Gartner predicts that by 2023, 60% of enterprises will phase out most of their remote access Virtual Private Networks (VPNs) in favour of Zero Trust Network Access (ZTNA) solutions. The Gartner team further predicts that 40% will have adopted ZTNA for uses besides VPN replacement, such as enabling third-party access, multi-cloud access, and activities around mergers and acquisitions or divestitures.
ZTNA, often referred to as Software-Defined Perimeter (SDP) services, provides seamless and secure connectivity to private applications without ever placing users on the network or exposing apps to the internet. As the name implies, the technology is driven by the need for organizations to embrace a zero trust security model built for mobility and a cloud-first world. A model that delivers security based on the user and applications - not IP address - regardless of location and device.
IP addresses were built for connectivity, not security, and are thus inherently weak security identifiers (shocker, I know). Even so, they continue to be used as a means of network connectivity. Using IP addresses is problematic because their inherent default “allow” posture leads to implicit trust, which can then be abused by nefarious actors. As organizations realized that they needed a demarcation point where their corporate network could connect to the internet, they began to deploy firewalls, which led to massive firewall adoption over the last 30 years.
Why any of this matters to you
ZTNA technologies shine a light on the reason why the concept of “trusted” and “untrusted” is flawed and they, furthermore, render all those inbound gateway firewalls obsolete. This is because the idea of zero trust nullifies the concept of “trusted” altogether. Additionally, treating external systems as “untrusted” and blocking them by default worked well enough in the early days, but now forces organizations to use remote access VPNs and DMZs to allow external users to connect to apps on the network. Think about this for a second. VPNs tunnel holes past firewalls and allow for connections to the internal network. DMZs make private apps accessible to not only the good guys but expose them to the bad actors as well. WAFs can’t secure against this either. Oops.
As the number of private apps that run in multi-cloud or hybrid environments increases, along with the number of employees and third-parties connecting from devices located outside the classic perimeter, security will become increasingly difficult if attempted with legacy technologies. More appliances will be required to keep up with demand, leading to more exposed IP addresses. User experience will suffer as a result of backhauling and unnecessary hops. ZTNA provides an opportunity for enterprise teams to solve both challenges.
Like all new technologies, ZTNA looks to one-up these legacy approaches, not by simply making them better or “always-on,” but by bucking the concept altogether. ZTNA frees organizations from the grip of legacy VPN inbound gateway stacks and FW appliances. Instead of allowing access based on IP address, ZTNA uses simple policies hosted in the cloud that are globally distributed but enforced locally. They provide visibility and grant access to private apps only to the specific users authorized to view them, and never to the internal network. All access is contextual. ZTNA effectively makes the internet the new corporate network, creating end-to-end encrypted micro-tunnels that create a secure segment of one between a user and an application (aka micro-segmentation). Admins can even discover previously unknown applications and set granular access controls for them.
ZTNA technologies are generating a lot of buzz, but not all solutions are created equal. Which begs the question of what should enterprises consider as they look to adopt ZTNA. To be objective, I will defer to Gartner on this.
Eight considerations for ZTNA
In Gartner’s recent Market Guide on Zero Trust Network Access, Steve Riley, Neil MacDonald, and Lawrence Orans outline several things to think about when choosing a ZTNA solution. Below, I list those I think enterprises should prioritize: