Zero-trust network access, or ZTNA, is a technology that has come into sharper focus thanks to the COVID-19 pandemic. ZTNA has proved critical for securing remote workers who were forced out of the office by quarantines and the other realities presented by COVID-19 worldwide. However, there are still a lot of misconceptions about what ZTNA is and what exactly it does for the enterprise.
Dispelling those misconceptions is imperative, considering that ZTNA is well on its way to becoming a critical enterprise technology. For example, Gartner predicts that by 2022, 80% of new digital business applications opened up to ecosystem partners will be accessed through ZTNA. Gartner research also predicts that by 2023, 60% of enterprises will phase out most of their virtual private networks (VPNs) in favor of ZTNA solutions.
The importance of the technology is obvious; now, IT pros need to learn more about it and separate the facts from the misconceptions.
Separating Fact From Fiction
ZTNA is More Than a Remote Access Solution
At first blush, many assume that zero-trust network access is just about using a browser to establish a secure connection to a network to enable remote work. However, there is much more to the technology than just remote connectivity. “As the acronym implies, ZTNA is about the concept of zero-trust, where zero-trust is about limiting access to the least amount of privilege needed for a user to accomplish their job,” said Myo Zarny, senior director, product management, SD-WAN and security, Open Systems. “ZTNA follows the users, not so much an endpoint. In other words, [it] establishes a connection based upon the user’s credentials, and then further takes into account the device the user is on, the location of the users, and what applications the user needs to access. ZTNA can deliver additional security on-prem, as well as to cloud applications and any other services available via the enterprise,” Zarny said.
ZTNA is not SASE
Another misconception is that a secure access service edge (SASE) SD-WAN is the equivalent of ZTNA, since SASE connections are all about secure network access. However, that is not true. Zero-trust network access is both complementary and foundational to SASE. “ZTNA is a small part of SASE. SASE restricts access of all edges, sites, mobile users and cloud resources,” said Shlomo Kramer, CEO of Cato Networks. “ZTNA is an identity-driven, default-deny approach to security that greatly improves security posture. Even if a malicious user compromises a network asset, ZTNA can limit the damage done.”
VPNs Can’t Do What ZTNA Does
Some argue that the latest VPN solutions on the market are just as capable as ZTNA, and even provide identity awareness for access to the network. However, VPNs are only about accessing the network, not about controlling access once on the network. “VPNs allow users to connect to the network securely, but once a user is connected, VPNs do not take into account any other considerations,” Zarny said. “ZTNA uses the zero-trust model and provides granular control that can be driven by policies. Administrators can control the context of the connection and limit access based upon a wide range of criteria,” he said. Zarny makes a good point – VPNs are focused on allowing access to a network, while ZTNA adds application and services control to the mix and is contextually aware of the user.
ZTNA is a Replacement for VPNs
While ZTNA appears to be the heir apparent to the VPN crown, the fact is that ZTNA provides much more than just improved security; it also gives IT better visibility into connections. “Visibility is a foundational element of ZTNA. If you can see what’s happening, you can enforce the rules,” Zarny said. “With ZTNA, you can see what is happening and use that information to define granular policies. In other words, you can collect information on legitimate activity and use that to normalize access policies and then block access for anything that falls outside of norms.”
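To make the contrast in the last two sections concrete, here is an added example (not code from the article or from any vendor quoted in it) of a minimal policy decision point: a VPN-style check that grants the whole network once a user is authenticated, beside a default-deny, per-application ZTNA check that weighs identity, device posture and location, and a baseline of legitimate (user, application) pairs learned from constructed access logs so that anything outside observed norms is denied. All users, groups, applications, rules and log lines are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Request:
    user: str
    app: str
    device_managed: bool  # device posture: is this a managed endpoint?
    country: str          # user location

# Constructed per-application policies. An application with no rule is
# unreachable: the model is default-deny, not default-allow.
POLICY = {
    "payroll": {"groups": {"finance"}, "managed_only": True, "countries": {"US"}},
    "wiki": {"groups": {"finance", "eng"}, "managed_only": False, "countries": None},
}
# Constructed identity data: which groups each user belongs to.
GROUPS = {"alice": {"finance"}, "bob": {"eng"}}

# Constructed access log lines of the form "<user> <app> <outcome>".
SAMPLE_LOG = [
    "alice payroll allowed",
    "bob wiki allowed",
    "bob payroll denied",
]

def vpn_decision(authenticated: bool) -> bool:
    """VPN model: once the user is on the network, every host is reachable."""
    return authenticated

def ztna_decision(req: Request, baseline: Optional[set] = None) -> tuple:
    """ZTNA model: every request is judged per application, in context."""
    rule = POLICY.get(req.app)
    if rule is None:
        return False, "no policy for application (default-deny)"
    if not GROUPS.get(req.user, set()) & rule["groups"]:
        return False, "identity not entitled to application"
    if rule["managed_only"] and not req.device_managed:
        return False, "device posture: unmanaged device"
    if rule["countries"] is not None and req.country not in rule["countries"]:
        return False, "location outside allowed set"
    if baseline is not None and (req.user, req.app) not in baseline:
        return False, "outside observed norms"
    return True, "allowed"

def build_baseline(log_lines: list) -> set:
    """Collect legitimate (user, app) pairs from past allowed accesses."""
    return {(u, a) for u, a, outcome in (l.split() for l in log_lines) if outcome == "allowed"}
```

Passing the learned baseline into `ztna_decision` turns the observed norms into a further allow-list, which is the "normalize access policies, then block anything outside the norms" step described above.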
Differentiating fact from fiction around ZTNA will prove to be critical for IT pros; after all, remote work and work-from-home policies are quickly becoming the norm. With those policies, however, comes an increased attack surface for the enterprise. Research from IDC shows that 76% of enterprises expect to increase the amount of remote access over the next two years, while BCG reported that companies expect approximately 40% of employees to use a remote working model in the future.