6 Questions IT Leaders Are Asking About Zero Trust Network Access (ZTNA)
Given the need to support hybrid work, Gartner heavily recommends that IT leaders consider a Security Service Edge (SSE) platform for the practical implementation of a zero trust strategy. An SSE platform largely incorporates these main technologies into a single offering: ZTNA, SWG, and CASB.
Gartner recommends that SSE implementation should begin by prioritizing high areas of risk by replacing remote access VPN with a modern ZTNA solution. In fact, Gartner predicts that by 2023, 60% of enterprises will phase out VPN technologies in favor of ZTNA.
Gartner says that “Remote working and digital business enablement is driving the adoption of security service edge (SSE) technologies to reduce complexity and enhance security for access to the web, cloud services and private applications.”
Gartner, Hype Cycle for Cloud Security 2021
This would explain the mass number of inquiries about ZTNA. In a recent session “Why Hybrid Work Killed VPN”, security and networking leaders shared the burning questions they had about ZTNA technology. Below are six of the questions that came up:
Security
Q: What happens if the ZTNA provider is compromised? Is my organization still secure?
A: Every ZTNA provider architects their product differently. There are two main “forms” of ZTNA: self-hosted and as-a-service. Self-hosted is very similar to an appliance: all deployment, management, and upgrades are the responsibility of the customer. This type of architecture is often less desirable, as any compromise of the ZTNA product falls on the customer to handle. ZTNA as-a-service is the recommended architecture, as it simplifies the deployment of zero trust for IT, while security reliability and compromise protection are upheld by the contractual obligations of the ZTNA provider. Further, ZTNA providers will often have fail-over measures to ensure that customer traffic is never routed through a compromised ZTNA node.
Axis’ as-a-service ZTNA offering consists of 350 global PoPs hosted on the world’s most reliable cloud to prevent this very issue. Axis’ unique architecture has cyberthreat protection baked in, backed by stringent contractual obligations, policies, and compliance controls to prevent breaches.
Q: Does ZTNA technology support cloud hybrid IT environments compared to VPN and is it more secure?
A: Any good ZTNA technology should absolutely support hybrid IT environments (including on-premises, data center, AWS, Azure, etc.). Axis’ support of all IT environments is provisioned through the deployment of lightweight Connectors that front-end the application a user is attempting to access.
The connector only responds to authorized users, never bringing users directly onto the network, but rather bringing access to an authorized application down to a user.
Unlike VPNs, connectors provide access on the application layer, automatically brokering authorized users with access to authorized applications hosted in any environment. Axis supports more than just private applications; access to SaaS apps also provides heightened security with advanced threat protection as well as advanced control and visibility for IT.
Q: Is Axis considered to be a ZTNA, or is it just supplementary to ZTNA?
A: Yes, Axis offers a full ZTNA service; however, ZTNA is just one element of our holistic security service edge (SSE) platform. Axis has multiple differentiators that distinguish our ZTNA service from other options, such as having the greatest number of cloud PoP locations globally, agentless capabilities (web, RDP, SSH, Git, etc.), and inspection of private application and SaaS traffic (even for access to VoIP and ICMP). This also makes Axis ZTNA the ONLY full VPN replacement on the market.
Management
Q: ZTNA provides agentless access options but what do you do if you already have a client on the device, is it best to remove them?
A: When it comes to endpoint requirements, that’s where it can get a little tricky. Many ZTNA solutions either require the deployment of a client or have limited clientless support, which restricts the flexibility for IT.
Axis provides the most extensive agentless access functionality, with support for VoIP and RDP with just a browser. This also means that employees or third parties never have to download a client, or remove an existing one, if they don’t want to or are unable to.
Q: Since ZTNA implementation enables the business to operate on a least-privileged basis, doesn’t that drastically increase IT workloads and management?
A: No, it does not! That isn’t to say there is no ramp-up period for a ZTNA deployment, but by enabling ZTNA least-privileged access correctly you gain a greater ability to scale your business while minimizing IT maintenance and upkeep. Implementation of zero trust and least-privileged policies works in a few steps:
- Step 1: Stop users from accessing the corporate network – Only enable application access, not network access. Unlike with VPNs, the network and business applications are cloaked by the Axis ZTNA service, which masks the application from potential Internet threats. Not only will IT effectively keep users off the corporate network, but it can also make all business applications invisible to unauthorized users – while still allowing application access to authorized ones.
- Step 2: Discover accessed applications – Axis makes this easy through automatic application discovery. Once a user attempts to access an application, the app is identified and made known to IT admins. At this point IT can apply granular policy on who can access it based on identity, function, device, device posture, etc. IT admins can also group users or applications together to make higher-level policies (ex: the Finance team cannot access applications for the Engineering team).
- Step 3: Continued refinement with automatic recommendation of least-privileged policy – Axis has AI/ML “learning” capabilities that identify what users are accessing and start recommending least-privileged policies that can be implemented. Additionally, with SCIM integration, access can automatically be cut off if employee/contract status changes. These always-on functions aid IT and minimize the manual workload and management taken on.
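To make the three steps above concrete, here is an added example (not Axis code, and not a description of how the Axis service is implemented) of an application-layer broker that publishes only discovered apps, evaluates per-app policy on identity group and device posture with default deny, and honours a SCIM deactivation; the app names, groups and posture checks are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class User:
    name: str
    groups: set          # e.g. {"finance"}, as synced from the identity provider
    active: bool = True  # mirrors the SCIM "active" attribute

@dataclass
class Device:
    managed: bool        # enrolled in device management
    disk_encrypted: bool

@dataclass
class AppPolicy:
    allowed_groups: set
    require_managed: bool = True
    require_encryption: bool = True

# Constructed policy table (hypothetical app names). Only published apps exist
# from the user's point of view; anything else is invisible and denied (step 1).
POLICIES = {
    "erp.internal": AppPolicy({"finance"}),
    "git.internal": AppPolicy({"engineering"}),
    "wiki.internal": AppPolicy({"finance", "engineering"},
                               require_managed=False, require_encryption=False),
}

def discover_apps(access_log):
    """Step 2: turn observed access attempts into the list an admin must publish."""
    return sorted({app for _, app in access_log if app not in POLICIES})

def evaluate(user, device, app):
    """Broker one request at the application layer: default deny, explicit allow."""
    policy = POLICIES.get(app)
    if policy is None:
        return "deny", "application not published"
    if not user.active:
        return "deny", "identity deprovisioned via SCIM"
    if not (user.groups & policy.allowed_groups):
        return "deny", "group not permitted for this application"
    if policy.require_managed and not device.managed:
        return "deny", "unmanaged device"
    if policy.require_encryption and not device.disk_encrypted:
        return "deny", "device posture: disk not encrypted"
    return "allow", "brokered to %s only, no network access" % app

def scim_deprovision(user):
    """Step 3: simulate the SCIM update sent when HR marks a user inactive."""
    user.active = False
    return user
```

Every decision carries a reason string so the same function can feed the audit trail an admin would stream to a SIEM.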
Reporting
Q: Does ZTNA provide granular reporting / experience monitoring?
A: While we cannot speak for all ZTNA solutions, the majority have some form of granular reporting; however, only some ZTNA / SSE platforms have digital experience monitoring.
Axis provides granular application-layer visibility in the admin UI and can stream all data to a customer’s SIEM of choice. Admins get real-time application and user experience insights, with granular visibility into what is being accessed and what the experience is like. IT admins can even record RDP sessions for later viewing. Best of all, unlike other SSE platforms, Axis enables management across a single pane of glass instead of two, three, or even four different dashboards or clouds.
At Axis, digital experience monitoring is a top priority. Since users are now anywhere, ensuring the best user experience from everywhere is critical. Having the visibility to identify and pinpoint user experience pain points can ultimately be the driver of business productivity or the straw that breaks it.
Have some burning questions of your own?
For any questions about zero trust, security service edge (SSE), or zero trust network access (ZTNA) reach out to our team of experts. They’ll help provide industry-level guidance as your business looks to embrace hybrid work.
Want to learn more about VPN replacement? See if you qualify for our VPN Buyback program.