The business case for zero trust network access [Q&A]
As the business network landscape has become more complex, many organizations are turning to zero trust network access (ZTNA) in order to boost their security. It's also replacing or supplementing older technologies like VPN.
We spoke to Kurt Glazemakers, CTO at secure access specialist Appgate, who believes that there is a solid business case for ZTNA as well as a security one.
BN: Does VPN still have a place today, with more and more services and systems moving to the cloud?
KG: It's a good question, and actually VPN is still probably the most used technology out there, especially since COVID, because it was, I think, the only thing available at that time. People were already used to it and then took decisions to see if they could extend it.
The biggest risk with VPN in general is that it's basically an extension of your corporate network, all the way down to the device. That means it can often be an entry point into the network. So that's the reason why we are moving a little bit away from it and moving forward to a ZTNA approach where connectivity and authentication are aligned, not just for network access but to get to the application too.
BN: So is ZTNA in direct competition with VPN?
KG: Yes, I think the most common use case we see is VPN replacement. It's taking over more and more of these VPN services. We need to step away from corporate networks going all the way down to an endpoint device and take a more granular approach where only necessary applications are reachable through the journey.
I think we will see the end of VPN, especially on the user side, but also you have the site-to-site VPN which connects multiple parts of the network in a secure way. It's where the user needs to connect to the corporate network that we see the most activity right now and that's where we see a fundamental shift in going from a VPN solution to allow access into the network to a ZTNA approach.
With more systems moving to the cloud it means that you have entry points going into the network and then we need to spread all kinds of activities out to different locations. That's where ZTNA offers a completely different approach because it actually breaks out those activities outside the corporate network and treats them as individual. That leads to a volume improvement in security but it also reduces the costs of interconnectivity and reduces the complexity, so it benefits the business too.
BN: How much of an effect has the shift to remote working over the last year and a half had?
KG: VPNs weren't designed for such high volumes of remote traffic; they were intended for perhaps 25 percent maximum. VPNs still are very appliance driven, so you have delays in scaling them up. But also scale becomes a problem -- let's take a simple example of Zoom calls -- if you want to capture all the network traffic to your VPN because of the bandwidth involved.
Because ZTNA can be used inside as well as outside, you only have one access profile to manage, so for a user there is no difference between working from the office or outside it.
BN: We increasingly see security breaches, both on corporate networks and in the cloud, being down to configuration errors. How does ZTNA help to combat those?
KG: That's a really good question; it comes down to trying to make network access a little bit more intelligent. In a conventional scenario you need all the corporate device policies like proper endpoint protection and so on, installed and patched. But the endpoint is only one thing that identifies the user.
What we do differently with ZTNA is that we can now also make policies that are descriptive, so you can say, "Give me all assets that are flagged for engineering," in different locations or in the cloud, and then our solution will find those and build individual network access to all of them. That will mean that if you spin up new assets in the cloud or in-house for the engineering department, they automatically become part of your network; if these assets are removed, they will be gone. This helps in dealing with more complex structures when an application is not always long lived: where applications are spun up automatically and defined for an audience, they are automatically able to pick up the right controls, and that's definitely a big step forward compared to VPN.
BN: So it makes things easier when employees leave or change roles?
KG: If your role changes, your network access will change too. That helps reduce the attack surface because the policy automatically adapts; this cuts the scope for human error, especially with applications or containers that will spin up sometimes for a very short period of time. Moving the human factor away is where agile and security go hand in hand.
Also ZTNA is a huge cost saver because all your metrics that need to be interconnected in a corporate network, and received in a solution, can actually make an internet connection to your cloud and to your corporate data center at the same time so you don't need extra connectivity in between. We see massive savings in reducing firewalls, security stacks, MPLS connections and site-to-site VPNs because you can reduce the amount of hours spent creating and managing rule sets.