Explore seven key considerations for when you and your team evaluate a Zero Trust Network Access (ZTNA) solution on behalf of your environment.
Across the past few years, organizations have seen a massive shift to remote and hybrid environments. This has significantly increased organizational attack surfaces and risk.
Many organizations accelerated cloud initiatives to provide access to data and resources. BYOD policies enabled employees to access company assets from home and personal devices. Supply chain partners also suddenly needed remote access to information.
What we’re seeing
Until recently, the majority of enterprises have depended on Virtual Private Networks (VPNs) and premises-based security methods for secure remote access. Since 2020, the limitations of these methods have become clear.
- They can’t scale easily
- IT lacks visibility into users and activity
- Performance suffers when backhauling traffic to the security stack in the data center
- It’s not practical to install and maintain VPN clients on BYOD and partner devices
- They’re complex to use with cloud environments
- They lack Privileged Access Management (PAM) capabilities for DevOps and engineering users
Securing access, zero trust
As a result, Zero Trust Network Access (ZTNA) is becoming a crucial component of standardized security architecture. In the ZTNA model, security and IT leaders “never trust and always verify.” When implemented, ZTNA:
- Limits access on an application-by-application basis
- Authenticates every device and user, regardless of their location
- Acknowledges today’s complex networks, making zero assumptions
Beyond serving as a VPN replacement, ZTNA ensures that all users and devices – whether inside or outside the organization’s network -are authenticated, authorized and continuously validated for security configuration and posture before being granted or maintaining access to applications and data.
Key considerations: Selecting the best ZTNA solution
1. Ensure support for all users. A ZTNA solution needs to secure access for everyone. This includes employees with managed devices, BYOD devices, mobile devices, third-party partners, engineering teams, and DevOps users. Seek client-based access to secure employees using managed devices and a clientless architecture for secure access to web applications, databases, remote desktops and secure shell (SSH) servers. Be sure to also consider basic PAM requirements for teams that need access to multi-cloud environments and single sign-on (SSO) into private resources, such as servers, terminals and databases.
2. Ensure support for target resources. Ensure the ZTNA solution supports all high-priority private applications and resources, not just Web apps. This includes access to SSH terminals, SQL databases, remote desktops (RDP) and servers. DevOps and engineering teams need ZT access to Infrastructure-as-a-Service (IaaS) offerings, cloud production environments, microservices, and virtual private clouds.
3. Ensure simple deployment and rapid time-to-value. Look for out-of-the-box identity provider (IdP) integration through a standard like SAML 2.0, as well as intuitive, granular policy configurations. See how to deploy clientless ZTNA in 15 minutes for fast time-to-value.
4. Ensure easy operation. Look for a ZTNA solution that provides maximum value with minimum maintenance. Make sure that there’s no need to hire additional staff. Cloud-based solutions with a unified console are easy to use. They provide visibility across all ZTNA use cases too.
5. Ensure high-performance and service availability. A ZTNA service needs to deliver close to 99.9% uptime and high performance backed by Service Level Agreements (SLAs). Review a vendor’s SLAs and look for a global network of points of presence (PoPs) with redundancy in each zone.
6. Ensure zero trust security soundness. Look for ZTNA solutions that separate the control and data planes to enable true least-privilege access to applications and other resources. They should offer granular in-app controls, such as read, write, administer permissions and enabling policies at the command and query levels. The ability to report on groups, users and application usage with access to video session recordings provides deep visibility. Also, see about obtaining further integrated security features. These might include sandboxing, cloud IPS and DLP.
7. Part of a future-ready security service edge. Consider how the a ZTNA solution can be extended to secure other use cases. For example, branch access (FWaaS), Internet access (SWG) and SaaS access, via a Security Service Edge (SSE). Securing remote ZTNA represents a critical step towards a broader zero trust security architecture.
Get the full story here. And download the ZTNA Buyer’s Guide. Lastly, to receive cutting-edge cyber security news, exclusive interviews, expert analyses and security resources, please sign up for the CyberTalk.org newsletter.