Data-centric Zero Trust Network Access – why we need it now more than ever.

As the focus of security policy shifts from static network perimeters to dynamic, highly distributed applications and data, Zero Trust Network Access (ZTNA) vendors need to look beyond enabling zero trust access to private applications. They must also build some degree of data awareness and risk assessment into their offerings in order to secure remote access and protect data collaboration across clouds, enterprise networks, and user devices.

Let's be honest. The pandemic caught enterprises across the globe off guard. Many were forced to make an overnight switch to remote working environments with no preparation for the cybersecurity fallout. Migrating critical data out of local data centers to Infrastructure as a Service (IaaS) and Software as a Service (SaaS) environments, to keep it available and foster business continuity, considerably increased the attack surface. According to McAfee's Cloud Adoption and Risk report, there was a 630% increase in remote attacks on cloud services. As if employees, partners, and third-party users connecting to applications from less secure home networks and unmanaged devices were not enough of a concern, continuously monitoring and controlling an organization's entire business footprint across disparate systems has proven to be extremely challenging.

It is often said that disruption begets innovation, and the current digital disruption has led to the emergence of a new market. Zero Trust Network Access, or ZTNA, builds on the "Zero Trust" security model: every user, whether internal or remote, is assumed to be insecure and risky by default, and their identity and security posture must be verified before access to sensitive private resources is granted. Although the concept of Zero Trust is not new, its true value came to the fore in the post-pandemic world, when organizations urgently needed to secure their cloud-bound applications and data.

As the remote workforce exploded, VPNs imploded

The biggest benefit of ZTNA is that it solves the most evident limitations of Virtual Private Networks (VPN). The effectiveness of a VPN deployment always depends on two critical assumptions: the majority of applications are hosted within corporate data centers, and only a small percentage of the workforce connects from remote locations. When remote working became the new normal, VPNs were forced to secure infrastructures they weren't built for. Backhauling every remote VPN connection through centralized hubs leads to bandwidth, performance, and scalability issues. Additionally, the excessive implicit trust of VPNs dramatically increases the attack surface, as any user with valid login credentials gains access to the entire underlying private network and can traverse it laterally.

In contrast, ZTNA enables granular, identity-aware, and context-aware access. A ZTNA solution verifies the user's identity together with contextual parameters such as time, location, and device security posture, and then grants precise, least-privilege access to only the specific applications the user is authorized for. It also creates software-defined perimeters that confine user movement, and any threats, to micro-segmented networks. The applications are never exposed on the public Internet, which shields organizations from unnecessary data exposure, malware, and DDoS attacks.

Why do ZTNA vendors need to focus on a data-centric security approach?

With organizations adopting a cloud-first approach, data has become the single most valuable commodity in the industry and the biggest driver for digital transformation. On the flip side, this has expanded the attack surface and created new challenges for security practitioners responsible for protecting the data from cybercriminals.

Most of the existing ZTNA solutions in the market do a remarkable job of enabling zero trust access to private resources, but they don't necessarily deal with securing the sensitive data hosted within those resources. Ideally, a ZTNA solution should inspect the session flow to detect malware and prevent sensitive data loss in real time. In addition, the solution should be able to:

  • Offer greater visibility and deep insights into user and device activity to detect suspicious user behavior within the ZTNA environment
  • Provide complete coverage across managed and unmanaged devices to secure users connecting from personal, BYO devices
  • Perform endpoint assessment to allow adaptive access control based on the device security posture
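The per-application, context-aware decision described above, as an added illustration that is not part of this article or any McAfee product: a small policy engine that evaluates identity, location, time of day, and device posture for one named application and denies everything else by default. The policy table, applications, and posture attributes are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample data: a ZTNA-style, per-application policy engine
# (illustrative only, not McAfee product code). Every decision is scoped to one
# application, never to "the network", so a valid login alone reaches nothing.

@dataclass
class DevicePosture:
    managed: bool        # corporate-managed vs. BYO device
    disk_encrypted: bool
    edr_running: bool
    os_patched: bool

@dataclass
class AccessRequest:
    user: str
    groups: set
    app: str
    country: str
    hour: int            # 0-23, local time of the request
    posture: DevicePosture

# Hypothetical per-app policy: who may connect, from where, when, and on what device.
APP_POLICY = {
    "hr-portal":     {"groups": {"hr"},        "countries": {"US", "GB"},       "hours": range(6, 22),  "require_managed": True},
    "wiki":          {"groups": {"hr", "eng"}, "countries": {"US", "GB", "DE"}, "hours": range(0, 24),  "require_managed": False},
    "prod-db-admin": {"groups": {"dba"},       "countries": {"US"},             "hours": range(8, 18),  "require_managed": True},
}

def posture_ok(p: DevicePosture, require_managed: bool) -> bool:
    """Adaptive check: unmanaged BYO devices pass only where the app's policy allows them."""
    if require_managed and not p.managed:
        return False
    return p.disk_encrypted and p.edr_running and p.os_patched

def decide(req: AccessRequest) -> tuple:
    """Return (allowed, reason). Unknown apps are denied: nothing is reachable by default."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return False, "no policy for application (default deny)"
    if not (req.groups & policy["groups"]):
        return False, "user not authorized for this application"
    if req.country not in policy["countries"]:
        return False, "location outside allowed countries"
    if req.hour not in policy["hours"]:
        return False, "outside allowed access window"
    if not posture_ok(req.posture, policy["require_managed"]):
        return False, "device posture does not meet policy"
    return True, "allowed"
```

The reason string is what a ZTNA console would log for each decision, which is the visibility into user and device activity the bullets above call for.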


Establishing the roadmap for SASE

In the past couple of years, Secure Access Service Edge (SASE) has evolved from a buzzword into a reality in the making. By prescribing the convergence of networking and network security into a unified, cloud-delivered service model, SASE aims to meet the dynamic and secure access requirements of digital enterprises. By creating software-defined perimeters and enabling identity- and context-based application access, ZTNA is a good starting point for SASE deployments. Organizations evaluating ZTNA solutions should consider whether the solution can integrate with other SASE components and how easily it can help address their future digital transformation roadmaps.

www.mcafee.com