Is Your ZTNA Vendor Really Zero-Trust?

A recent article defined ZTNA (zero-trust network access) and delivered recommendations on how to get the best results from ZTNA. The piece also touched on the importance of selecting a zero-trust vendor that is truly zero-trust.

But that was just the tip of the iceberg. There are important considerations when selecting a zero-trust provider to ensure that your IT environment is compliant, performant and secure.

Keep Your Credentials Secret

Extend the zero-trust mantra, “never trust, always verify,” to your ZTNA provider. Do that by verifying that your zero-trust credentials are in a secure environment and that your ZTNA provider never needs to see them.

A common solution is to keep security credentials in a secure IdP solution such as Azure AD and Okta, or in other vaults in virtual networks or virtual private clouds, such as those from AWS, Azure and Google Cloud. ZTNA credentials can also be secured on-premises if you have an existing credential vault infrastructure.

The key is that your provider never needs to see your credentials. Therefore, a ZTNA solution must integrate with your IdP or other credential vaults. With that approach, even if the provider is compromised, your credentials will remain secure and secret.

It’s also important to confirm that a ZTNA provider has an architecture in which a compromise of the ZTNA cloud does not make sensitive transmitted data visible. You should be in control, know where traffic interception is happening and make sure that it is limited to a single occurrence. Unless there are other requirements, there is no reason to intercept traffic multiple times and create a larger attack surface.

The main thing is to ensure that the ZTNA solution has no access to user credentials and the traffic interception points are limited. This will protect you in case the solution itself is compromised. Not all ZTNA providers can deliver ZTNA capabilities using that architecture. Make sure you select one that does.

Get An Edge

The best ZTNA solution combines edge-based access points with enforcement points guarding applications and resources. A ZTNA user would use a browser to connect to a ZTNA access point. The access point would determine which application the user is trying to reach. It would then use smart and efficient routing and send the user to the enforcement point guarding the requested application. The enforcement point would be in front of the application, keeping it hidden. The enforcement point would authenticate the user and then grant the appropriate access based on pre-determined policies.

With an edge-to-enforcement point ZTNA cloud, traffic is distributed and smartly routed between edges and enforcement points to ensure high performance and continuous access. ZTNA performance may be bottlenecked and slow if all traffic travels through an environment where access points are limited and not near users, or if enforcement points are not near applications. To ensure high performance, it’s best to verify with your ZTNA provider how access points and enforcement points are distributed.

Do Not Delay

Imagine a scenario where user A in Tulsa, Oklahoma wants to connect to application 123 hosted on the corporate Microsoft Azure private cloud in Sacramento, California. The access request goes to the regional ZTNA access point. The access point determines which ZTNA enforcement point is securing application 123. The traffic is smartly routed to that ZTNA enforcement point in Sacramento, where the credentials are checked and access is granted.

But what if both the user and application are on-premises at the same location? It doesn’t make sense to send that traffic out to the regional ZTNA access point and then back to the on-premises ZTNA enforcement point.

Select a ZTNA service provider that allows both access and enforcement points to be at the same location so traffic can stay local. That approach will increase application performance because traffic won’t have to travel as far. You won’t have to worry as much about compliance because local applications and data – and all communications related to them – stay within your environment. Plus, you have limited the cybersecurity attack surface and extended zero-trust to your corporate environment.

Consider Your Use Cases

The criteria you use in selecting a zero-trust service provider should ultimately hinge on your use cases, security sensitivity, access requirements, cloud use and network architecture. That said, ask yourself the following questions:

  • Are my users and their applications widely distributed?
  • Do I have both on-premises and cloud-based (IaaS or PaaS) applications?
  • Do I have SaaS applications?
  • Do I have partners and suppliers with production access and special compliance requirements?
  • Do I have compliance requirements regarding data and credentials?
  • What performance and reliability do I need, and do I need a partner to guarantee the SLAs?

ZTNA, which trusts nothing to enable secure, any-to-any communications, is a powerful approach. That’s why enterprises’ adoption of zero trust is accelerating. But be aware that not all ZTNA service providers deliver the same level of compliance, control, flexibility and security. Select a ZTNA provider you can trust with your security – but don’t need to trust with your credentials.

Stefan Keller

Stefan Keller is CTO, SASE at Open Systems, the preeminent cybersecurity and networking provider for the enterprise cloud. Open Systems is a secure access service edge (SASE) pioneer supporting enterprises in their digital transformation journey. Its cloud-delivered Secure SD-WAN and Managed Detection and Response (MDR) services unify security and comprehensive networking capabilities, enabling organizations to connect their clouds, branches, applications and users anywhere in the world, in a secure and agile way. Open Systems’ service delivery platform combines AIOps and automation with 24×7 experts to deliver immediate peace of mind and future-proof business-critical infrastructure. 
