Why ZTNA needs to be updated to meet modern working demands

By Martin Mackay, CRO at Versa Networks.

  • 1 year ago Posted in

In recent years, Zero Trust has become the standard security approach for many organisations. Based on the principle of not trusting any user, device, or application by default, the security framework has seen rapid adoption.

Okta's recent report revealed that a whopping 97% of global organisations surveyed are either implementing or planning to implement Zero Trust, with over half already having done so. It’s also likely that the remaining 3% are also having constructive discussions around the potential implementation of Zero Trust in the near future.

However, working environments are changing post-pandemic, and there has been a dramatic rise in hybrid work, with employees regularly working both in the office and remotely. Latest reports show that by the end of 2022, 53% of U.S. workers were engaging in a hybrid manner.

Unfortunately, current Zero Trust Network Access (ZTNA) models are yet to adapt fully to these changing tides. They remain laser-focused on remote work, often leaving on-site networks in the lurch. It's time ZTNA was brought out of the confines of remote work and adapted to meet the needs of the equally demanding realm of the office and multi-branch premises.

Understanding the security limitations of ZTNA in a hybrid working setup

ZTNA solutions for remote workers are cloud-delivered, and they typically become inactive when the user is on-site, thereby reverting to less secure, perimeter-based security approaches in the LAN. This disconnect between the demands of hybrid work and the current capabilities of ZTNA poses a significant challenge in terms of access security and the organisation’s security posture.

Inline inspection, a crucial aspect of network security, also becomes problematic with cloud-delivered ZTNA. With inline inspection, all data passing through a certain point in the network are analysed for malicious content or behaviour. Performing this function in the cloud for on-site workers requires “hair-pinning” – going out to the cloud from the campus and back – meaning that the process is not only slow, causing significant delays, but also leads to increased costs due to the higher bandwidth and processing demands.

On-site devices, such as printers and IP phones, also become difficult to access under cloud-delivered ZTNA, posing additional operational hurdles. And OT and IoT devices that are commonly found onsite cannot accommodate the agents required by most ZTNA solutions. This is one of the primary reasons vendors turn off ZTNA when users are onsite.

Additionally, ZTNA solutions struggle to fully replace legacy security systems like Perimeter Intrusion Detection Systems (PIDS), as they do not have the ability to monitor inline network traffic onsite. These limitations accentuate the need to reimagine ZTNA to provide a holistic and efficient security protocol, suitable for hybrid work environments.

On top of these security challenges, the current design of ZTNA solutions, which have been optimised for remote settings, tend to fall short in providing the requisite application performance and policy enforcement needed by on-site workers.

The universal Zero Trust strategy: Zero Trust everywhere

To meet the evolving demands of the modern workforce, we need to revisit and refine our understanding of Zero Trust. A holistic approach, coined 'Zero Trust Everywhere', is the key to securing both remote and on-premises users. This all-encompassing strategy looks to bridge the existing gaps in ZTNA implementation, ensuring optimal security and performance regardless of user location.

The aim of 'Zero Trust Everywhere' is extending ZTNA to all users, including remote workers and office staff, ensuring ZTNA is delivered directly in the network, thereby mitigating latency and performance issues.

This strategy must cater to a range of onsite use cases, such as ZTNA for unmanaged devices, Bring Your Own Device (BYOD), contractors, and third-party access. It needs to account for both client and client-less access requirements, including ZTNA for operational technology (OT) and Internet of Things (IoT) devices, so that every component of the wider enterprise network is brought under the Zero Trust aegis. This will allow businesses to reduce their external threat landscape and ensure secure access across all components of the network.

It’s also crucial that the strategy allows management of all ZTNA policies from a unified control point and repository, simplifying the task for IT teams. Moreover, 'Zero Trust Everywhere' integrates ZTNA into broader Secure Service Edge (SSE) and Secure Access Service Edge (SASE) platforms for internet/SaaS security and WAN edge optimisation. This benefits businesses and security teams by reducing the complexity of managing user access across different systems and optimising network performance, thus supporting business continuity and growth.

Adopting network security solutions that embrace 'Zero Trust Everywhere' thus provides a forward-thinking and inclusive solution, catering to the needs of a diverse workforce and the wide array of devices and systems in play in today's evolving digital landscape.

By Alasdair Anderson, VP of EMEA at Protegrity.
By Eric Herzog, Chief Marketing Officer, Infinidat.
By Shaun Farrow, Security Practice Lead at Bistech.
By Andre Schindler, GM EMEA and SVP Global Sales at NinjaOne.
By Darren Thomson, Field CTO EMEAI, Commvault.