Typically, the longer something has been around, the more familiar it becomes. But not always. Zero Trust Network Access (ZTNA) has been making the rounds in security circles for quite a while, but it’s still misunderstood.
That’s not to say organizations haven’t started adopting the technology. Gartner revised its earlier forecast to predict that ZTNA would have a 50 percent adoption rate by 2023, and by the end of this year, the consultancy says that ecosystem partners will access the bulk of new digital business applications — 80 percent — through ZTNA.
It seems then that ZTNA is on the tip of (almost) every tongue, and every security-conscious organization — whether enterprise or vendor — wants a piece of it and will continue to do so for many years to come. That might explain the confusion surrounding it.
The buzz around ZTNA, particularly during the last two tumultuous years, has muddied the waters. It’s been pushed as a panacea and used interchangeably with a jumble of other acronyms representing tools that each play a critical and distinct role in security and sometimes work in concert.
VPNs and ZTNA are not created equal. A VPN is sort of like a bouncer at a downtown club, concerned primarily with checking IDs at a single point. Anyone who passes muster at the door gets in and can then move around the premises at will. Once in through a VPN, any approved entity has access to the entire network and the assets it offers. ZTNA is a little like having a bouncer follow a patron, granting entry only to approved areas. Those in security who don’t have a comprehensive understanding of their organizations’ apps and infrastructure can’t take full advantage of ZTNA’s ability to limit access on an app-by-app basis, and are more likely to fall into the “ZTNA is a VPN” trap.
Despite its broad potential, ZTNA is not an answer to every security problem, and it’s probably not the solution for everyone. There is a prevailing belief that an organization can implement ZTNA and it will solve all its security woes. ZTNA is much more targeted, however, in that an organization must identify the apps that users need to do their jobs. Even when properly implemented, ZTNA alone is only one tool, and others are needed to augment security.
Blame the way cloud access security broker (CASB) technology is discussed by vendors for any conflation with ZTNA. CASB is really good at providing security for those applications — such as Salesforce — that are managed by a third-party vendor. CASB also addresses the problem of shadow IT, identifying which third-party SaaS applications are being used in the organization. But what CASB can’t touch are internally managed applications. CASB generally doesn't have visibility into them; it really just looks at cloud-based SaaS apps and provides security controls for them.
Many security teams seem to believe that if they just get a ZTNA solution, they’re good to go. But making ZTNA work takes effort, time, and a considerable amount of labor, depending on the size of the organization. For example, a 30,000-person multinational company has a lot more applications to protect than a smaller 500-person company, and it takes a lot more effort to sort out who is granted access to which app. Each app deployment needs to be part of a broader company roadmap of how to secure access going forward. ZTNA is a tool that can help an organization get there, but it needs to be carefully considered as just a part of that roadmap.
For all it is not, ZTNA is many things that will solidify its importance to security going forward. The solution’s influence and numbers will continue to grow as remote work becomes a staple — and according to IDC, 76 percent of enterprises will likely expand remote access in the near future.
No, no, no, ZTNA is not interchangeable with secure access service edge (SASE), which is a much broader architecture. SASE brings together the benefits of a number of commonly used cloud-based networking and security tools that “see,” “understand,” and “control” more than ZTNA can alone. But ZTNA does underpin and complement the abilities of SASE in a number of ways — to secure application access at the edge; to restrict access from the cloud, websites, and mobile devices alike; and to limit the damage done in case of a breach. A ZTNA solution should be considered a key factor as organizations look toward moving to a broader SASE architecture.
Gartner says 60 percent of enterprises are going to eventually replace VPNs with ZTNA. VPNs simply aren’t scalable enough to meet the demands of a modern network jam-packed with remote users and a wild proliferation of apps. ZTNA provides access in a simpler fashion for end users, third parties, contractors, and the like without necessarily requiring deployment of a client. In addition, ZTNA provides extra security controls to these users’ access, which is impossible with a VPN. But many enterprises have sunk a lot of time and money over the last two decades into building networks with VPN architecture as the centerpiece, so some headbutting between networking and security is expected as organizations make the transition to ZTNA.
Once a security team understands the applications in its computing landscape, who needs access to them, and what security needs to be tied to them, they can set policies around those factors. ZTNA will support those policies and ensure that they are followed, calling out “violations” and blocking access where necessary.
Once you figure out all the applications your organization has, who needs access to those applications, and what kind of security controls need to be tied to them, then you can bring the ZTNA solution in to start implementing security measures.
Security teams will have to put in work upfront — along with significant expense — to understand the expanse of an organization’s applications and access needs in order to implement ZTNA. But once that’s done, ZTNA is far less cumbersome than a VPN strategy, as applications can be added and access can be granted at will according to established security policies.
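The contrast drawn earlier between the VPN bouncer who checks once at the door and the ZTNA bouncer who follows the patron from room to room, and the three-step groundwork just described (inventory the apps, decide who needs each one, decide which controls attach to each), can be shown as a small policy engine. The following is an added example written for this article, not code from the original or from any ZTNA vendor; every app name, group, user, device-posture claim and request in it is constructed for illustration, and the policy schema is a simplified assumption rather than any product's format.

```python
"""
Constructed example: a perimeter (VPN-style) check beside a per-application
(ZTNA-style) policy evaluation, with an audit trail of allow/deny decisions.
All names, groups and requests are made up for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset        # group memberships asserted by the identity provider
    app: str                 # the application the user is trying to reach
    device_managed: bool     # device posture claim from the endpoint agent
    mfa: bool                # whether the session was established with MFA


@dataclass(frozen=True)
class AppPolicy:
    allowed_groups: frozenset
    require_managed_device: bool = False
    require_mfa: bool = False


# Step 1-3 of the groundwork: the app inventory, who may use each app, and
# which controls are tied to it (constructed values).
POLICIES = {
    "payroll": AppPolicy(frozenset({"finance"}), require_managed_device=True, require_mfa=True),
    "wiki": AppPolicy(frozenset({"employees", "contractors"})),
    "ci-server": AppPolicy(frozenset({"engineering"}), require_managed_device=True),
}


def vpn_model(req, authenticated_users):
    """Perimeter model: one check at the door, then every app on the network is reachable."""
    return req.user in authenticated_users


def ztna_model(req, policies, audit):
    """Per-app model: each request is judged against that app's own policy,
    and every decision (especially a denial) is written to the audit trail."""
    policy = policies.get(req.app)
    if policy is None:
        # An app that is not in the inventory is not reachable at all.
        audit.append(f"DENY user={req.user} app={req.app} reason=unknown-app")
        return False
    reasons = []
    if not (req.groups & policy.allowed_groups):
        reasons.append("group-not-allowed")
    if policy.require_managed_device and not req.device_managed:
        reasons.append("unmanaged-device")
    if policy.require_mfa and not req.mfa:
        reasons.append("mfa-required")
    if reasons:
        audit.append(f"DENY user={req.user} app={req.app} reason={','.join(reasons)}")
        return False
    audit.append(f"ALLOW user={req.user} app={req.app}")
    return True


def compare(requests, policies, authenticated_users):
    """Run both models over the same requests; returns decision rows and the ZTNA audit log."""
    audit = []
    rows = []
    for r in requests:
        rows.append((r.user, r.app, vpn_model(r, authenticated_users), ztna_model(r, policies, audit)))
    return rows, audit


# Constructed sample traffic. The second request is a finance user trying to
# reach an engineering system: the flat VPN model lets it through, ZTNA does not.
SAMPLE_REQUESTS = [
    Request("alice", frozenset({"employees", "finance"}), "payroll", True, True),
    Request("alice", frozenset({"employees", "finance"}), "ci-server", True, True),
    Request("bob", frozenset({"contractors"}), "wiki", False, False),
    Request("bob", frozenset({"contractors"}), "payroll", False, False),
    Request("carol", frozenset({"employees", "engineering"}), "ci-server", False, True),
]

AUTHENTICATED = {"alice", "bob", "carol"}  # everyone who passed the VPN login


if __name__ == "__main__":
    rows, audit = compare(SAMPLE_REQUESTS, POLICIES, AUTHENTICATED)
    for user, app, vpn_ok, ztna_ok in rows:
        print(f"{user:6} {app:10} vpn={vpn_ok!s:5} ztna={ztna_ok}")
    print("\n".join(audit))
```

Every request passes the VPN check because all three users authenticated once at the door, while the per-app evaluation stops the out-of-role request, the unmanaged device and the session without MFA, and records why. Adding a new application is a matter of adding one entry to the inventory with its policy, which is the sense in which the article calls ZTNA less cumbersome than a VPN strategy once the groundwork is done.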
ZTNA’s many benefits sound like a wishlist for defenders. It supports anytime, anywhere work, reduces risk, provides greater visibility into cloud environments, creates a nimbler computing environment, and focuses security on the users and applications where all of the action is. It also limits lateral movement, ensures audit compliance, augments existing VPN strategies, and prevents data exfiltration. But to get the most out of ZTNA, organizations must align it to their business objectives, as well as to their security team’s principles.