Zero Trust Network Access: Security has now surpassed access on the priority list

If Zero Trust was simply aspirational before 2020, it’s become a must-have methodology after the onset of the pandemic. But could it be that Zero Trust is already an idea whose time has come and gone, and past its prime before it truly got off the ground?

Actually, it’s more likely that security professionals are realizing — some painfully so — that not all approaches to Zero Trust are created equal. They’re beginning to subscribe to a Zero Trust approach that places a premium on security while giving remote workers access to the applications and data they need to do their jobs.

No doubt, the pandemic accelerated the embrace of Zero Trust Network Access (ZTNA) — pre-COVID, Gartner predicted a 14 percent adoption rate by 2025. But after the mad rush to support a mostly remote workforce, the predicted rate of adoption skyrocketed in a compressed time frame — to 50 percent by 2023.

As an initial answer to the question of how to support the new remote workforce, first-gen ZTNA held quite the lure for many organizations. This cloud-delivered solution was not tied to hardware, it was easy to turn on, and it gave everybody what they needed — access to applications without touching the network, slowing things down, or compromising previous investments.

But those early implementations also quite often required companies to maintain two sets of solutions for the same intended outcome — otherwise they would have to choose between staying with their trusted VPN or moving over to a whole new approach.

Again, VPNs fall short

In fact, those earliest ZTNA implementations at the beginning of the pandemic, when VPNs were overwhelmed and their shortcomings exposed, were all about connectivity. And security got the short shrift. Many organizations were willing to forego security to keep business up and running under those most trying of times. After all, if people couldn’t connect, then the business would go down. The same was not true for security — it could falter without taking the business down with it. At least, until a wily threat actor decided to exploit a vulnerable company with employees who were connecting to corporate resources from any device available to them — a smartphone, a spouse’s laptop, and so on — or perhaps they were bypassing security measures to get to the tools they needed to do their jobs.

That’s when the much-vaunted VPN’s shortcomings became glaringly apparent. COVID proved that VPNs simply could not scale from supporting roughly 10 to 20 percent of an organization’s workers to a full 100 percent. The solution literally toppled over, and the bandwidth suck that VPNs require made performance appear slow. And the major security problem with VPNs — in a nutshell — is that once a threat actor is in, they’re in.

After access rights to the network are established, the VPN solution doesn’t distinguish who might be at the controls and trying to access apps or sensitive data. VPNs connect a person to a location and an entire network, not just a resource. Once in through a VPN, a bad actor can move laterally in an environment, accessing applications and data without raising an eyebrow.

But not with Zero Trust, which trusts literally no one and further enhances security by improving visibility into connections across even multi-cloud environments. Security teams not only see a connection, but also what’s going on within that connection.

The “why” has changed

Now that the “hair on fire” urgency of providing connectivity to apps and other resources while abruptly moving entire workforces home has passed, the “why” tied to ZTNA has changed, too, with the focus shifting to security. Organizations have reverted back to security, visibility, and policy — and putting all these elements in place between users and apps. In fact, Menlo’s research shows that 75 percent of companies that have gone through a hair-on-fire approach are coming back and reevaluating their strategies for secure remote access.

If in the heyday of the pandemic the focus was about 95 percent on access and 5 percent on security, a decided swing of the pendulum has nudged the focus toward security (now about 55 percent, compared with about 45 percent for access). Perhaps spurred on by the sheer number of endpoints that would require updating in a VPN-oriented strategy or the daunting uptick in cyberattacks during the last two years, organizations are no longer willing to sacrifice security for connectivity. 

The move from the VPN to ZTNA is clearly a step in the right direction, but it is only the beginning of the Zero Trust journey. The next step is developing a given set of functions for ZTNA. VPNs are good for segmenting and providing access to networks and resources. But to maximize security and support the rigors of remote work, security teams must stretch Zero Trust to all ends of communications — employees and devices, apps and data, and everyone else who can connect back into an environment, such as partners or even apps that can connect to other apps. Organizations must look at all points that communicate in an environment. While ZTNA without that kind of bilateral flow is the right step to establishing Zero Trust, users can still be attacked.

The best way to implement full-throated Zero Trust is to adopt a solution that is agnostic to the way an organization uses policy, visibility, reporting, and control mechanisms. ZTNA is not bulletproof but creating an intelligent model that can build on a single platform will satisfy end users and administrators alike.

Such a model also keeps the user experience consistent and moves IT away from having to push clients out to thousands of endpoints. Instead, everything can be implemented without touching every endpoint — a huge plus. This “clientless first” approach uses a browser without enabling clients, covering the vast majority of an organization’s users.

Getting there

Of course, making the move to an enriched ZTNA model is a process. Depending on an organization’s starting point, following these steps can make the move that much easier.

• When an organization starts thinking about a shift from their current VPN environment toward one that’s based on ZTNA, it’s prudent to catalog all applications, where they’re located, who accesses them, and how they’re accessed.
  
  
• Consider exactly what the organization wants to roll out. Focus on maintaining visibility between end users and applications — not just curbing the theft of data — from a malware and policy perspective. Data resides in an app, so make sure the data is secured. This needs to be reviewed in a bidirectional manner. A whole lot of things must be considered as part of policy in ZTNA that just weren’t relevant in a VPN-dominated strategy.
  
  
• On the operational side, take inventory of available resources and what must be rolled out. Making the change from the traditional solution to a new architecture requires a mind shift regarding how people connect and access resources and what they do once they’re in. Make the new approach more intuitive to users and don’t be afraid to make necessary changes to support overall goals.
  
  
• Consider how ZTNA will be managed. Some organizations will favor a standalone solution; others, a platform in which ZTNA is a function or key ingredient. Which approach is best often comes down to the resources available to execute a particular strategy.

ZTNA’s time has clearly not come and gone — but the focus solely on access rather than on access plus security is most definitely a thing of the past. Shaking off the confines and limitations of the VPN in favor of a clientless-first approach to Zero Trust will maximize security while giving users access to the resources they need. Many organizations have taken a solid first step toward this new strategy. Now it’s time to apply Zero Trust to all facets of communications across an organization’s environment.