In March of 2022, Gartner networking analyst Andrew Lerner published a post titled ZTNA Anywhere (Re-thinking Campus Network Security). It sparked a conversation within the industry, as Mr. Lerner rightly called out the disparity between the security solutions available for campus/branch networks and the modern remote access solutions based on Zero Trust Network Access (ZTNA).
The on-prem solutions have been available for a decade and a half, but they are hardware-based and network-focused, whereas the more recent remote access solutions are software-based and driven by identity policies. To level set, for a solution to be ZTNA, it must possess three characteristics:
- Identify everything
- Apply policy controls
- Allow policy to be updated dynamically, in near real time
Now that we have defined what ZTNA must accomplish to be viable and described the landscape, let’s get into the challenges. They include:
Different user experiences – Users get one experience working from home and another in the office. The question is, do you turn one set of controls off when the user is in the other environment, switching the remote access agent off on campus and bypassing the campus controls when remote? That is not an ideal outcome in an era of threats like ransomware.
Complexity – Managing two policy engines with two different focuses – network vs. identity – creates overhead, inconsistency, and the likelihood of human error, resulting in poor security outcomes.
Higher Cost – Paying for two systems and maintaining them to provide similar outcomes is not ideal.
How can we overcome this? The answer is a framework called Universal ZTNA. It calls for centralizing a user's or a device's Zero Trust access policy in a single policy definition that applies wherever they connect from. Bring policy under one roof.
Sounds great, right? But there are challenges. They include:
Technology Silos – Between network and security, who owns policy? Who selects the technology? These questions for layer 8 (management) need to be resolved early for a Universal ZTNA program to succeed.
Traffic Steering – Depending on whether the network or identity is the focus, where traffic is sent for enforcement may force a redesign. If identity is favored, will enforcement occur in a cloud-based system? If the network is favored, will traffic need to converge at a central enforcement point?
IoT/OT – This is one of the biggest challenges. On campus, how do you write a unified policy for IoT/OT devices that cannot present a user identity? Policy for these objects has to be built on something other than the identity the rest of the program leans on.
Sounds like a quandary, right? On the one hand, there is a solid need to secure both the campus and remote workers, but on the other hand, the process of doing so is complex and fraught with challenges and, worse, technical overhead. How do we overcome this? Here are my recommendations:
Work “The Edge” and move inwards - The biggest bang for the buck is remote access ZTNA. Secure your remote workforce. This can be done via both agent-based and agentless SSE ZTNA solutions. ZTNA is a mature solution and will replace legacy remote access solutions like IPSec VPNs.
Address your tech silos - As you will find out during your remote access project, there will be friction between departments. If you are a leader, this is your opportunity to make a change. The challenges you uncover will lead you to how to realign.
Address traffic steering – If you are already cloud native, the effort here is likely to be small. It will be more challenging in hybrid mode, with a potent mix of legacy applications living in an on-prem data center and next-generation SaaS and cloud solutions.
Address unmanaged devices – IoT/OT must be covered. Alongside this, consider the IT tooling that also has to reach devices, such as patching and software distribution. The model may need adjusting depending on how modern your solution is.
Once you have answers to the above, look at the vendor landscape. Ideally, you want to shortlist vendors who offer a full end-to-end solution: integrated remote access ZTNA plus an on-prem NAC solution. This allows you to extend network and identity policies to cover remote users and campus employees.
The key considerations are user experience and operational simplicity for day-two management. Ideally, this solution will provide a "master policy engine" to align policies based on user or device location. This master will feed both the remote access and on-prem system and cover critical IoT/OT requirements.
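To make the "master policy engine" idea concrete, here is a small illustration of a single policy definition being consulted for a remote user, the same user on campus, and an IoT device that has no user identity. This is an added example, not Axis Security code or any vendor's product; the Subject/Rule shapes, the "badge-reader" device profile label, and the revoke-device update are assumptions chosen to show the three ZTNA characteristics (identify everything, apply policy controls, dynamic updates) in one engine.

```python
"""Single Zero Trust policy engine consulted by both the remote-access and the
campus enforcement points. Added example, not code from the original post;
field names and rules below are assumptions for illustration."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Subject:
    # A user (has an identity) or an IoT/OT device (profiled, no identity).
    user: Optional[str] = None
    groups: FrozenSet[str] = frozenset()
    device_id: Optional[str] = None
    profile: Optional[str] = None       # assumed device profile label, e.g. "badge-reader"
    location: str = "remote"            # "remote" or "campus"
    posture_ok: bool = False            # agent-reported posture; IoT devices have no agent


@dataclass(frozen=True)
class Rule:
    app: str
    allow_groups: FrozenSet[str] = frozenset()      # identity-based match
    allow_profiles: FrozenSet[str] = frozenset()    # device-profile match for IoT/OT
    locations: FrozenSet[str] = frozenset({"remote", "campus"})
    require_posture: bool = True


class PolicyEngine:
    """One policy definition; the remote (SSE) and campus (NAC) enforcers
    ask this engine and enforce whatever it returns."""

    def __init__(self) -> None:
        self.rules: List[Rule] = []
        self.revoked: set = set()
        self.version = 0  # bumped on every change so enforcers can re-sync

    def add_rule(self, rule: Rule) -> None:
        self.rules.append(rule)
        self.version += 1

    def revoke_device(self, device_id: str) -> None:
        # Dynamic update: takes effect on the next decision, no redeploy.
        self.revoked.add(device_id)
        self.version += 1

    def decide(self, s: Subject, app: str) -> Tuple[str, str]:
        # Identify everything: a subject with neither identity nor profile is denied.
        if s.device_id is not None and s.device_id in self.revoked:
            return "deny", "device revoked"
        if s.user is None and s.profile is None:
            return "deny", "unidentified subject"
        # Apply policy controls: first matching rule decides, default deny.
        for r in self.rules:
            if r.app != app or s.location not in r.locations:
                continue
            if s.user is not None:
                if not (s.groups & r.allow_groups):
                    continue
                if r.require_posture and not s.posture_ok:
                    return "deny", "posture check failed"
                return "allow", f"user {s.user} via group rule"
            if s.profile in r.allow_profiles:
                return "allow", f"device profile {s.profile}"
        return "deny", "no matching rule"


def build_engine() -> PolicyEngine:
    """Two assumed rules: an identity rule that applies remote and on campus,
    and a campus-only rule for a profiled IoT device with no identity."""
    eng = PolicyEngine()
    eng.add_rule(Rule(app="gitlab", allow_groups=frozenset({"engineering"})))
    eng.add_rule(Rule(app="door-controller",
                      allow_profiles=frozenset({"badge-reader"}),
                      locations=frozenset({"campus"}),
                      require_posture=False))
    return eng


if __name__ == "__main__":
    eng = build_engine()
    alice = Subject(user="alice", groups=frozenset({"engineering"}),
                    device_id="lap-1", location="remote", posture_ok=True)
    reader = Subject(device_id="aa:bb:cc:00:11:22", profile="badge-reader",
                     location="campus")
    for who, app in [(alice, "gitlab"), (reader, "door-controller"),
                     (reader, "gitlab")]:
        print(app, eng.decide(who, app))
```

The point of the example is that the same `gitlab` rule serves alice whether she is remote or on campus, the badge reader is admitted on device profile alone because it cannot present a user identity, and revoking a device changes the next decision without touching either enforcement point.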
Universal ZTNA is a new concept. Given where the industry is going and the growing need to merge networking and security, with the emergence of the hybrid workforce, the idea will evolve and become a must-have technology soon. If you are on the frontline, a network leader, or an enterprise architect, now is the time to start researching and planning. Also, as recommended above, the best first step is to move to a ZTNA-based remote access product. Start there, learn the technology, test it, deploy it, and improve your security posture.
John Spiegel is the Director of Strategy / Field CTO at Axis Security.