Associate Feature: Zero Trust Network Access – A better mousetrap or just a trap?
One of the most basic tenets of network security is how to control access to the network and its resources such as applications, file servers, and printers. As networking evolved from computer system proprietary protocols to Ethernet and Windows, part of the solution was incorporated into the network operating system (NOS) itself, such as Windows. As long as the computer was attached to the network, successfully logging into the computer automatically gave access to the network.
This is the underlying principle of implicit trust – the device is attached to the network, therefore it can be trusted. However, the boundaries of implicit trust began to be tested once it became possible to connect to the network remotely (remote access). A remote device was considered to be untrusted. This in turn led to the development and use of authentication technology – username and password in its simplest form – to confirm the identity of the user before connecting to the network.
The next step was the creation of the virtual private network (VPN). VPNs took remote access to another level by combining the use of encapsulation and encryption for secure connectivity with authentication. But the assumptions were still the same – a successfully authenticated device was considered to be trusted and accorded all of the rights and privileges that went with it. But in the 20+ years since VPNs appeared on the market, something more is needed.
Enter the concept of Zero Trust. While the origins of the actual phrase are a bit hazy due to the mists of time, the current definition is largely attributed to Forrester, a global market research firm in the United States. The Zero Trust concept is quite extensive, but it can be summarised quite succinctly – Never Trust, Always Verify.
This means that Zero Trust leaves implicit trust behind and replaces it with a continuous verification process and limited access to resources. The tangible way it does this is through Zero Trust Network Access (ZTNA). ZTNA’s focus is on access to applications, not the network. Every request to access an application, whether it is an initial request or the user is already connected to a different application, goes through both an authentication and a verification process before access is granted to that specific application. The same process applies whether a device is on- or off-network. So, in today’s hybrid Work from Anywhere environment, it doesn’t matter where a user is located: consistent and secure access is possible.
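As an added illustration (not part of the article, and not any vendor's product code), the following Python contrasts the VPN-era implicit-trust decision described earlier with a per-request ZTNA decision. The users, application names and policy table are constructed for the example; a real deployment would draw them from the identity provider and posture service.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    app: str
    authenticated: bool     # identity check passed (e.g. valid, unexpired token)
    device_compliant: bool  # device posture verification passed
    on_network: bool        # location; a ZTNA decision must not depend on it


# Constructed example policy: user -> applications that user may reach.
APP_POLICY = {
    "alice": {"crm", "payroll"},
    "bob": {"crm"},
}
# Constructed inventory of everything reachable behind a legacy VPN tunnel.
ALL_APPS = {"crm", "payroll", "fileserver"}


def vpn_style_decision(req: AccessRequest) -> set[str]:
    """Implicit trust: once the tunnel is authenticated, every resource is reachable."""
    return set(ALL_APPS) if req.authenticated else set()


def ztna_decision(req: AccessRequest) -> tuple[bool, str]:
    """Never trust, always verify: authenticate and verify each request,
    grant one application at a time, and ignore where the device sits."""
    if not req.authenticated:
        return False, "identity not verified"
    if not req.device_compliant:
        return False, "device posture check failed"
    if req.app not in APP_POLICY.get(req.user, set()):
        return False, f"{req.user} is not authorised for {req.app}"
    return True, f"{req.user} granted {req.app} only"


def walk_through() -> list[tuple[bool, str]]:
    """Bob reaches crm, then tries payroll from the same authenticated device;
    the earlier grant carries no weight, and being on-network changes nothing."""
    return [
        ztna_decision(AccessRequest("bob", "crm", True, True, on_network=True)),
        ztna_decision(AccessRequest("bob", "payroll", True, True, on_network=True)),
        ztna_decision(AccessRequest("bob", "payroll", True, True, on_network=False)),
        ztna_decision(AccessRequest("alice", "crm", True, False, on_network=True)),
    ]
```

Because `ztna_decision` keeps no session state, the "already connected to a different application" case needs no special handling: every call re-runs the full check.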
The only thing left to ask is how an organisation deploys or uses ZTNA.
For most organisations ZTNA is part of their decision to use a cloud-based service called Secure Access Service Edge (SASE). SASE can be a very effective method for secure remote access and organisations are able to choose from a number of different suppliers and features. But can ZTNA also be deployed in the organisation’s network itself?
In some cases, yes, but in most instances the answer is no. And that’s due to the complexity inherent in most corporate networks through the mixing and matching of different vendors for different technologies. In order to implement ZTNA in this environment, there first needs to be a rationalisation of vendors with the goal of converging multiple security and networking technologies into a single device. ZTNA can then be deployed for on-network users.
So, while ZTNA can be deployed for both remote and on-network users, the result is two different ZTNA deployments. For smaller organisations, the operational management of maintaining two separate environments can be managed. But for larger organisations, the operational complexity can offset the benefits of deploying ZTNA in the first place.
To avoid this bottleneck, organisations should first look for a vendor that offers both the ability to evolve from their current, multi-vendor campus network to a converged networking and security environment that enables ZTNA to be delivered for on-network users, and SASE-based ZTNA as well. Taking this common approach will enable what Gartner refers to as Universal ZTNA, delivering the benefit of ZTNA to all users of the network.
To learn more about ZTNA and Universal ZTNA and the benefits it can bring to your organisation, please click on the above links or contact your local Fortinet representative.