How to Get the Best Results From ZTNA

The pandemic greatly expanded the work-from-home population. Due to the pandemic, 86% of IT leaders say that at least a quarter of their staff members are connecting to corporate networks through personal and shared devices. But even before the pandemic, mass cloud adoption and mobile users meant that applications could live anywhere. That greatly expanded the threat landscape and created the need for a new cybersecurity approach.

IT pros need to ensure security across a complex web of applications, devices, locations and users. You must understand whether a user is an employee, a contractor, a partner – or a bad actor, and whether a person is using devices that are – or are not – corporate issued. Plus, you have to provide security whether applications are on premises or in a public or private cloud.

That means you need to gain visibility, which a secure access service edge (SASE) solution can provide, and use that visibility to enforce security policy. Zero-trust network access (ZTNA) is the enforcement piece and a core capability of SASE.

ZTNA enables secure, any-to-any communications. It means that, by default, you trust nothing. With ZTNA, everything must be explicitly defined. ZTNA could allow a person on a corporate laptop to access and download data from Salesforce. If that person was on a personal laptop, a ZTNA solution might allow them to view Salesforce but not download data. And if what appeared to be a corporate laptop attempted to access Salesforce, but the connection was from North Korea, ZTNA could enforce your security policy to block that connection.

Here are some tips on how your organization can get the best results from ZTNA.

Choose a ZTNA Solution That Supports All Types of Applications

Most ZTNA solutions lack support for local on-premises traffic. So, if an employee is at a company office and wants to access a local app, there is no zero-trust enforcement. To enjoy the full benefits of ZTNA, look for solutions that support all types of applications, not just HTTP and HTTPS applications. Seek out solutions that enforce policy regardless of whether applications are on-premises or in the cloud, or are delivered via software-as-a-service models.

Many ZTNA solutions send all traffic to the cloud. But be aware that it’s not necessary to backhaul all traffic to an off-premises cloud. Choose a solution that supports local, on-premises ZTNA to expedite security policy enforcement in all scenarios.

Prioritize Your Use Cases and Decide What Policies You Want to Implement for Each

Do an assessment of and prioritize your main use cases. Then decide what kind of policies you want to implement for each of them. This may sound straightforward, but it can be challenging.

There are many aspects of ZTNA. For example, somebody needs to establish the policies that will define which users and devices can access what enterprise applications and how.

Choose a supplier that will provide you with a solution as well as the guidance you need about how to implement the policies that will underpin your ZTNA enforcement strategy. Also, select a ZTNA vendor that makes creating and enforcing policies – and connecting to your existing applications – easy.

Have a Single Source of Truth of Your Users and Applications

Many businesses don’t know how many applications they have or where those applications are running. If you also lack a single application inventory, start working to create one.

User inventory is a lesser challenge because most large organizations have Azure Active Directory. But it’s vital that you have authoritative databases both around who your users are and what applications and databases those employees use. Only then can you decide who gets to talk to what.

Understand That ZTNA is Not Just About Providing Access to Your Network

The last two words of ZTNA stand for network access. But the ZTNA approach to cybersecurity is not just about providing access to your network. When you think about ZTNA, think in terms of applications and instances. ZTNA is really about zero-trust access to anything.

Also, zero trust is not just about the initial access decision; it requires continuous monitoring for as long as the session lasts.

This is important because, for example, 10 minutes after a user accesses your Salesforce application, that device could be compromised. Now your security posture has changed and you need to enforce policy in light of this change. A managed detection and response (MDR) service can detect a change in security posture, and ZTNA can enforce policy to act on that.
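As an added illustration (not code from this post or from Open Systems), here is a small policy evaluator in Python that encodes the Salesforce scenarios described earlier and the continuous re-evaluation described here: every request is decided against the current context, applications without an explicit rule are denied by default, and a posture change (such as a device being flagged as compromised) forces the session to be re-evaluated. The application name, country codes and rule values are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"          # full access, e.g. view and download
    VIEW_ONLY = "view-only"  # access without data export
    DENY = "deny"


@dataclass
class Context:
    """Everything the policy looks at for one request (constructed fields)."""
    user: str
    app: str
    managed_device: bool              # corporate-issued vs. personal device
    country: str                      # geolocation of the connection, ISO code
    device_compromised: bool = False  # posture signal, e.g. from MDR/EDR


BLOCKED_COUNTRIES = {"KP"}         # constructed policy value
APPS_WITH_POLICY = {"salesforce"}  # apps that have an explicit access rule


def evaluate(ctx: Context) -> Decision:
    """Decide one request. Nothing is trusted by default: only an explicit
    rule can grant access, and any risk signal overrides that grant."""
    if ctx.country in BLOCKED_COUNTRIES or ctx.device_compromised:
        return Decision.DENY
    if ctx.app in APPS_WITH_POLICY:
        # Corporate laptop: full access. Personal laptop: view but no download.
        return Decision.ALLOW if ctx.managed_device else Decision.VIEW_ONLY
    return Decision.DENY  # no explicit rule for this app


class Session:
    """Keeps the live context and re-evaluates whenever a signal changes,
    so a device flagged as compromised mid-session loses its access."""

    def __init__(self, ctx: Context) -> None:
        self.ctx = ctx
        self.decision = evaluate(ctx)

    def update(self, **signals: object) -> Decision:
        # A new signal (e.g. from MDR) replaces the stored value and
        # triggers a fresh policy decision for the existing session.
        for name, value in signals.items():
            setattr(self.ctx, name, value)
        self.decision = evaluate(self.ctx)
        return self.decision
```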

Realize That ZTNA is a Broad Concept That Can Be Implemented on Anything

ZTNA is not network element- or use case-specific. Zero-trust can be implemented on anything. You can implement ZTNA on the user-side endpoint for endpoint detection and response (EDR) or on a secure web gateway, for example. The point is that ZTNA is a security philosophy.

While the market is now focused on remote access, ZTNA is more than glorified remote access.

If you want to enable any-to-any communications, you need to see what’s happening across your IT environment and be able to do something meaningful about it. ZTNA allows you to act to enforce your security policy. Just be sure to select a zero-trust vendor that is truly zero-trust.


Stefan Keller

Stefan Keller is CTO, SASE at Open Systems, the preeminent cybersecurity and networking provider for the enterprise cloud. Open Systems is a secure access service edge (SASE) pioneer supporting enterprises in their digital transformation journey. Its cloud-delivered Secure SD-WAN and Managed Detection and Response (MDR) services unify security and comprehensive networking capabilities, enabling organizations to connect their clouds, branches, applications and users anywhere in the world, in a secure and agile way. Open Systems’ service delivery platform combines AIOps and automation with 24×7 experts to deliver immediate peace of mind and future-proof business-critical infrastructure. 
