10 things to ask the ZTNA vendor on your next discovery call that you probably never knew to ask
The term “ZTNA,” zero trust network access, has been around for years – first bursting onto the scene in 2017 when Gartner dropped the term in their ZTNA Market Guide. This solution quickly became the starting point for most zero trust projects in the industry since it helped solve a relatively simple, but critical problem – finding more secure ways of providing remote access to internal applications. Unlike VPNs, the promise of ZTNA was to minimize the exposure of apps, keep remote users off the corporate network, and provide application-level segmentation instead of traditional network segmentation.
Since 2017 the total number of vendors offering ZTNA has blossomed from around 10 to now over 40. I was speaking with Gartner about this just earlier this week. It’s clear that the value of ZTNA is immense, but how do IT leaders suss out the vendors and shortlist the 2-3 they will ultimately bake off in a POC?
Throughout my career at Zscaler, where we designed the world’s first ZTNA service, and now at Axis, where we offer a world-class second-generation ZTNA service, I have met with over 550 enterprises, most of them Fortune 2000 organizations like Brinks, National Oilwell Varco, ManpowerGroup, Unilever and the BBC, all looking to adopt ZTNA. I’ve been in the unique position to hear from CxOs, architects and IT admins at every one of them, and I have learned a ton from working with them across the various stages of their journey. Now I want to help anyone embarking on a ZTNA journey, or anyone who selected a ZTNA 1.0 solution and is now left longing for a bit more functionality, understand what to look for.
Modern Day ZTNA solutions are game changers, but are still relatively new. So, here are ten things to ask the ZTNA vendor on your next discovery call that almost every IT leader doesn’t know they should ask, and why they matter.
1. Is the ZTNA service part of a larger Security Service Edge (SSE) platform that you offer?
- Here’s why: Some ZTNA vendors only offer ZTNA, and have no solution for external traffic proxying or digital experience monitoring. Some have ZTNA, but the service is separate from the SWG, CASB and digital experience solutions they offer. Even fewer offer a full Security Service Edge solution with all key SSE components built into a simple UI and governed by a single policy across all of them. Decide which works best for your needs.
2. Is the ZTNA service delivered as-a-service, or is it hosted on-premises?
- Here’s why: Most organizations I’ve worked with prefer the as-a-service model because it offloads the management of the ZTNA service to the vendor rather than to their often undermanned team. ZTNA services that are fully hosted on-prem can feel similar to managing a firewall appliance and will lack the footprint most large enterprises need for scale.
3. Do you support all private applications – even legacy ones like VoIP, ICMP and IBM AS/400 apps?
- Here’s why: Sadly, one of the biggest realizations companies have after deploying a ZTNA solution is that, if the vendor does not support common legacy protocols, they will need to keep their VPN or VDI service around. While these apps may be the minority (especially given the emergence of apps like Zoom), almost every single large company I have worked with has apps using these protocols running in its environment (compliance software on end-user devices, call centers, etc.). Some retail companies have AS/400 apps where they use mobile computers to scan inventory items. Make sure the ZTNA service can support them if you have them!
4. What does the policy setup look like?
- Here’s why: Complexity is the killer when it comes to policy. Look for automation and ways to flatten the policy framework. Don’t get marooned on “Wildcard Mode Island”, where you leave the ZTNA solution in discovery mode, discover apps, but have no way to actually build and adopt least-privilege policies. Remember, that’s one of the biggest promises of ZTNA – more granular segmentation. ZTNA vendors with user-group pairing, APIs, policy tags, and application tag features can dramatically simplify policy setup. If you are looking for a full SSE platform, select the ZTNA vendor that allows you to set ZTNA, SWG and CASB policies all within a single policy rule (yes, this exists).
5. How many edge locations does the service have, and are they hosted in a datacenter, public cloud, or multi-cloud backbone?
- Here’s why: Minimizing latency is critical to delivering a strong end-user experience. The more points of presence, the better. But there are some important caveats. Make sure that each point of presence can handle both private and external traffic; this is not the case for all SSE platforms. Platforms with multi-cloud PoPs also have an advantage: they can select from providers like AWS, Google, Oracle, etc., use latency data to determine the optimal path for user traffic, and select it automatically. This also protects you from unplanned downtime or outages. Pro Tip: A bonus question to ask the vendor is whether they plan to offer both public edges and private service edges. There could be compliance standards that do not allow fully cloud-based security, users in China where on-premises deployments are ideal, or latency requirements for particularly sensitive applications (media applications at the BBC, for example).
6. Do you have the ability to inspect private traffic should I need it? E.g., logins, commands used, files downloaded, logouts.
- Here’s why: Visibility into exactly what an employee or third party is accessing is incredibly important for risk avoidance, data leakage prevention, and compliance auditing. Make sure the ZTNA vendor can inspect all internal traffic for all apps (not just web applications), and also gives you the option to turn inspection off. If they don’t have inspection, ask them why not.
7. Are continuous monitoring, automatic session termination, and SCIM 2.0 supported?
- Here’s why: The more you automate, the more you will celebrate. Continuous monitoring ensures that policies automatically adapt to changes in context: a user connecting from a country you have blocked, a user changing user groups, or a user who is no longer part of the organization at all. Reducing the delay between the service recognizing the change and enforcing the new policy to zero is critical for zero trust. Automating this also removes any human error. So for contractors working 3-month projects, or disgruntled employees, access is automatically revoked once the project is over and they’ve left the org.
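As an added example (not the article's or any vendor's code), the following Python puts questions 4 and 7 into working form: a flat group-to-tag policy of the kind question 4 recommends, and the continuous re-evaluation question 7 describes, where a SCIM 2.0 PatchOp (RFC 7644) from the IdP deprovisions a contractor or changes a user's groups and the affected live sessions are selected for termination on the next evaluation. All users, groups, apps, session IDs and the country code "XX" are constructed, and treating group membership as an attribute pushed on the user is a simplification of how real IdPs provision groups.

```python
"""Added example (not the article's or any vendor's code): a flat, tag-based
least-privilege policy (question 4) that is continuously re-evaluated against
identity and location context (question 7), so a live session is torn down as
soon as a SCIM 2.0 deprovisioning or group change lands. Users, groups, apps and
the country code "XX" are constructed for the example."""
from dataclasses import dataclass, field

@dataclass
class App:
    name: str
    tags: frozenset          # application tags, e.g. {"finance"}
@dataclass
class User:
    username: str
    groups: set = field(default_factory=set)
    active: bool = True      # SCIM 'active' attribute; False means deprovisioned
@dataclass
class Session:
    session_id: str
    username: str
    app: str
    country: str             # where the session is currently connecting from

# Policy pairs a user group with app tags: tagging a new app "finance" needs no new rule.
POLICY = {
    "finance-users": {"finance"},
    "contractors": {"ticketing"},
    "it-admins": {"finance", "ticketing", "infra"},
}
BLOCKED_COUNTRIES = {"XX"}   # constructed placeholder, not a real country code
APPS = {
    "erp": App("erp", frozenset({"finance"})),
    "helpdesk": App("helpdesk", frozenset({"ticketing"})),
    "jumpbox": App("jumpbox", frozenset({"infra"})),
}

def decide(user, app, country):
    """(allowed, reason) for one user/app/context; default deny, allow only via a group/tag pairing."""
    if not user.active:
        return False, "user deprovisioned"
    if country in BLOCKED_COUNTRIES:
        return False, f"country {country} blocked"
    permitted = set().union(*(POLICY.get(g, set()) for g in user.groups))
    if app.tags & permitted:
        return True, "group/tag pairing"
    return False, "no policy pairs user's groups with app tags"

def reevaluate(sessions, directory):
    """Continuous monitoring: rerun the decision for every live session; return [(session_id, reason)] to terminate."""
    terminated = []
    for s in sessions:
        user = directory.get(s.username)
        if user is None:
            terminated.append((s.session_id, "user not in directory"))
            continue
        allowed, reason = decide(user, APPS[s.app], s.country)
        if not allowed:
            terminated.append((s.session_id, reason))
    return terminated

SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def apply_scim_patch(user, patch):
    """Apply a SCIM 2.0 PatchOp (RFC 7644) to a user record, in both the 'path' form and
    the path-less form IdPs send. Assumption: membership arrives as a 'groups' attribute on the user."""
    if SCIM_PATCH not in patch.get("schemas", []):
        raise ValueError("not a SCIM 2.0 PatchOp")
    for op in patch["Operations"]:
        kind, path, value = op["op"].lower(), op.get("path"), op.get("value")
        for attr, v in ({path: value} if path else dict(value)).items():
            if attr == "active":
                # some IdPs send "False" as a string; bool("False") would re-enable the user
                user.active = v if isinstance(v, bool) else str(v).lower() == "true"
            elif attr == "groups":
                names = set() if v is None else {g["value"] if isinstance(g, dict) else g for g in v}
                if kind == "add":
                    user.groups |= names
                elif kind == "remove":
                    user.groups = user.groups - names if names else set()
                else:
                    user.groups = names
            else:
                raise ValueError(f"unsupported attribute {attr!r}")
    return user

def run_demo():
    directory = {
        "alice": User("alice", {"finance-users"}),
        "bob": User("bob", {"contractors"}),
        "carol": User("carol", {"it-admins"}),
    }
    sessions = [
        Session("s1", "alice", "erp", "US"),
        Session("s2", "bob", "helpdesk", "US"),
        Session("s3", "carol", "jumpbox", "XX"),   # roamed into a blocked country
    ]
    before = reevaluate(sessions, directory)
    # bob's 3-month contract ended: the IdP deprovisions him
    apply_scim_patch(directory["bob"], {"schemas": [SCIM_PATCH], "Operations": [
        {"op": "replace", "value": {"active": False}}]})
    # alice moved out of finance: the IdP replaces her group membership
    apply_scim_patch(directory["alice"], {"schemas": [SCIM_PATCH], "Operations": [
        {"op": "replace", "path": "groups", "value": [{"value": "contractors"}]}]})
    return before, reevaluate(sessions, directory)
```

In `run_demo()` the first pass terminates only carol's session from the blocked country; after the two SCIM pushes, bob's session goes because he is deprovisioned and alice's because no pairing now links her groups to the ERP's tags. In a real service `reevaluate` would be triggered by each SCIM event and each context signal rather than polled, which is what brings the delay the article talks about down to zero.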
8. What’s your cybersecurity mesh positioning?
- Here’s why: There are no god platforms that are best in class for IdP, endpoint security, policy enforcement, etc., all in one. Run if someone says they are. Integrations are critical, and cloud services make integrating incredibly easy. Ask them who they can integrate with, and which services they provide themselves. For example, do they offer their own identity service (this can have massive cost-savings implications, since you don’t have to pay for third-party licenses), or do they integrate with identity vendors? Likewise, do they provide some device posture management themselves, or do they rely fully on CrowdStrike, SentinelOne or another endpoint security service (some ZTNA vendors are much more robust here than others)? Understanding the answers to these questions will help you make the most of any prior investments in identity and endpoint security. Master the mesh.
9. Do you offer an Application Connector component?
- Here’s why: In order to mask a private service from the Internet there needs to be a layer of obfuscation. The application connector acts as an invisibility cloak for the private application: because it only speaks with the ZTNA service (over connections it opens outbound), it cannot be port scanned or DDoSed. Connectors provide vital capabilities like resolving backend DNS for the service and load balancing across the environment. Most ZTNA services have connectors, but what you need to ensure is that they have adequate connector telemetry so you can track memory, disk utilization, and uptime. Make sure there are automated alerts so you know when it’s time to deploy more connectors! Connector management can be a massive headache without this telemetry. Also, connectors should always be deployed in pairs and should be given to the customer for free. It doesn’t really cost the vendor anything, so never pay for additional connector pairs.
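An added example (not the article's or any vendor's code) of the connector telemetry alerts described above, in Python over a constructed snapshot: per-connector checks on heartbeat age, uptime, memory and disk, rolled up per connector group to flag lost pair redundancy and the point at which another pair should be deployed. The thresholds, group names and connector IDs are assumptions made for the example.

```python
"""Added example (not the article's or any vendor's code): the automated
connector-telemetry alerts the article asks for, run over constructed samples.
Thresholds, group names and connector IDs are assumptions for the example."""
from dataclasses import dataclass

@dataclass
class ConnectorSample:
    connector_id: str
    group: str               # connector group fronting one site or segment
    mem_pct: float
    disk_pct: float
    heartbeat_age_s: int     # seconds since the connector last called home
    uptime_s: int

THRESHOLDS = {"mem_pct": 80.0, "disk_pct": 85.0, "heartbeat_age_s": 120,
              "uptime_s": 300, "scale_out_mem_pct": 60.0, "min_healthy": 2}

def connector_issues(s):
    """Per-connector checks; an empty list means the connector is healthy."""
    issues = []
    if s.heartbeat_age_s > THRESHOLDS["heartbeat_age_s"]:
        issues.append(f"stale heartbeat ({s.heartbeat_age_s}s); connector likely down")
    if s.uptime_s < THRESHOLDS["uptime_s"]:
        issues.append(f"uptime {s.uptime_s}s; recently restarted, check for a crash loop")
    if s.mem_pct >= THRESHOLDS["mem_pct"]:
        issues.append(f"memory {s.mem_pct:.0f}% >= {THRESHOLDS['mem_pct']:.0f}%")
    if s.disk_pct >= THRESHOLDS["disk_pct"]:
        issues.append(f"disk {s.disk_pct:.0f}% >= {THRESHOLDS['disk_pct']:.0f}%")
    return issues

def evaluate_groups(samples):
    """Roll up per group as (group, connector_id or '*', message). Group-level alerts
    cover lost redundancy (no healthy pair left) and capacity (time to add a pair)."""
    by_group = {}
    for s in samples:
        by_group.setdefault(s.group, []).append(s)
    alerts = []
    for group, members in sorted(by_group.items()):
        healthy = []
        for s in members:
            issues = connector_issues(s)
            alerts.extend((group, s.connector_id, msg) for msg in issues)
            if not issues:
                healthy.append(s)
        if len(healthy) < THRESHOLDS["min_healthy"]:
            alerts.append((group, "*", f"only {len(healthy)} healthy connector(s); redundancy lost, repair or deploy a pair"))
        elif all(s.mem_pct >= THRESHOLDS["scale_out_mem_pct"] for s in healthy):
            alerts.append((group, "*", "all healthy connectors above scale-out threshold; deploy another pair"))
    return alerts

# Constructed telemetry snapshot (not real data)
SAMPLES = [
    ConnectorSample("east-1", "dc-east", 65.0, 40.0, 10, 864000),
    ConnectorSample("east-2", "dc-east", 70.0, 42.0, 12, 864000),
    ConnectorSample("west-1", "dc-west", 35.0, 30.0, 900, 864000),  # stopped calling home
    ConnectorSample("west-2", "dc-west", 40.0, 90.0, 8, 120),       # disk nearly full, just restarted
]

if __name__ == "__main__":
    for group, cid, msg in evaluate_groups(SAMPLES):
        print(f"[{group}] {cid}: {msg}")
```

Against the snapshot, `dc-east` is healthy but both connectors sit above the scale-out threshold, so the group gets a "deploy another pair" alert, while `dc-west` has one connector that stopped calling home and one with a nearly full disk that just restarted, so it loses its healthy pair and gets a redundancy alert alongside the two per-connector ones.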
10. What does the end user experience feel like?
- Here’s why: It doesn’t matter how great the ZTNA service is: if the users complain, it’s dead on arrival. Make sure to ask the vendor whether they support both agent-based (typically for employees with managed devices) and agentless (typically BYOD and third parties) connectivity flows. You will need this flexibility, especially if you have third parties (for example, healthcare workers are not always hospital employees and won’t want to deploy an agent on their device just to update their timesheet at the end of the week). There are also pesky use cases like captive portals when employees are working from hotels or airports. Business travel is resuming again, so this is key. Ask the vendor if the service can automatically recognize captive portals. Lastly, ask if they offer a user portal where all the apps a user is authorized to access can be displayed. If that portal has a bookmark link to add to your IdP vendor, or to the user’s browser, that’s even better. And if different policies are set for agent and agentless access, the portal should auto-adapt as the agent is toggled on and off.
So there you go. Now you’re equipped for the next time you speak with a ZTNA vendor, even if you are already a customer of that vendor. I hope this was helpful as you look to explore ZTNA for your zero trust project. I’m always open to chat if you would like. I’m also happy to connect you with Jaye Tillson, who has hands-on experience deploying a ZTNA 1.0 service at TT Electronics.
Want to learn more? Download the Definitive Guide to ZTNA Adoption to get in-depth guidance on how you can move forward with a Modern Day ZTNA solution.