The Explosion of Zero Trust Network Access

In the last couple of years, the tech world has been buzzing about Zero Trust. Every month or so there seems to be a new product with the zero trust label on it. It’s almost like seeing those gluten free labels everywhere. Since 2019 or so, remote access has been undergoing a transformation in the form of Zero Trust Network Access, or ZTNA. ZTNA has been a big part of my work for the last couple of years, and it is a very exciting time to be in the Cloud Security space as a result. In fact, if you take a look at SASE and its components, ZTNA is front and center as a pillar of SASE architecture. One of the things I run into most often is a lack of education around what it is and where it fits. Without diving deep on this topic, it is easy to declare that this is nothing new or nothing special. This post, and potentially a few more after it, will attempt to explain the nuances around ZTNA and what it means for perimeter security. I will also dive into some of the architecture that makes up ZTNA.

Another thing I run into a lot is the push back against zero trust remote access solutions. I imagine it is because we’re so heavily invested in perimeter security that the castle and moat are all we know. So something like ZTNA comes along and people probably imagine some free-wheeling insecure architecture that isn’t as secure as the giant security stacks currently implemented in most places. In future posts, we’re going to dive deeper into why this isn’t true. Spoiler alert: when you implement a well designed and thought out zero-trust-based infrastructure, some of the traditional security stack is generally redundant.

Before we go any further, a word on perimeter security. What you may have today for your remote access is a client through which you authenticate to the corporate network. Once there you are assigned an internal corporate IP address and, like magic, you’re now part of the corporate network as if you were in the office. Sounds great, right? Nope. As part of the network in a perimeter security design, you and/or your device can move laterally across the network infrastructure. If your device is infected, the potential to spread that to the rest of the company is enormous.

Several write-ups declare the death of VPN as a result of ZTNA eating the remote access world. I agree with this message. Hear me out. This isn’t to say that tunneling technologies are going away or that all VPN is going away. Sure, there will be use cases where traditional VPNs will continue to be needed. What the death of VPN is really referring to is the need to have a tunnel between an end-point device and a network where the endpoint is completely part of the network. You might have heard this type of tunneling referred to as ‘full-tunnel’ or even ‘split tunnel’ configured remote access.

In addition to combining zero trust principles with remote access to offer enhanced, continuous protection there has been a huge push for a better user experience. I can’t think of a single developer/engineer that wants to think about their remote access solution. Whether they are connected, or not. Whether they are supposed to disconnect or reconnect depending on where they are. People just want to open up their devices and work. So what we need are solutions that create an easy-to-use experience that is secure whether inside the corporate network or not. ZTNA attempts to bridge the gap between dead simple to use access to private applications with the secure access that IT administrators expect.

Despite marketing efforts, zero-trust itself is not a product, but a set of principles applied in various products that fit a variety of use cases. The philosophy around zero-trust is that no device or user should be trusted simply because it is inside the network, which is exactly what perimeter-based security assumes. Since we’re discussing ZTNA, the principles as they relate to remote access with zero-trust are, in general, the following:

  • Least-privileged access between users, devices, and workloads
  • Micro-segmentation at the application level regardless of network segmentation
  • Application visibility (debatable): in this case, private applications are not visible from the open Internet
  • Multi-factor authentication also known as MFA
  • Device identity and, additionally, service, application, and process identity

The last entry “service, application, and process” identity is new for 2021 in terms of the evolving architecture of ZTNA. The other components have been part of a good ZTNA architecture for some time now.
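As an added illustration (not code from this post or from any vendor product), the following Python model applies the principles above to individual access requests: per-application default deny, device identity, MFA, and group-based least privilege, and contrasts that with the network-level reachability a perimeter VPN grants after a single login. All users, devices, applications and policies are constructed sample values.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class AccessRequest:
    user: str
    group: str
    device_id: str
    mfa_passed: bool
    app: str


# Constructed sample inventory and per-application policy (hypothetical values).
REGISTERED_DEVICES = {"laptop-17", "laptop-42"}
APP_POLICIES = {
    "payroll": {"groups": {"finance"}, "require_mfa": True},
    "wiki": {"groups": {"finance", "engineering"}, "require_mfa": False},
}
# Hosts that exist on the internal subnet but have no ZTNA policy published.
UNPUBLISHED_HOSTS = {"legacy-fileshare"}


def ztna_decision(req: AccessRequest) -> tuple[bool, str]:
    """Per-application decision: default deny, then check device identity,
    MFA, and least-privileged group entitlement for this one application."""
    policy = APP_POLICIES.get(req.app)
    if policy is None:
        return False, "application not published"  # invisible to the user
    if req.device_id not in REGISTERED_DEVICES:
        return False, "unregistered device"
    if policy["require_mfa"] and not req.mfa_passed:
        return False, "mfa required"
    if req.group not in policy["groups"]:
        return False, "group not entitled"
    return True, "allowed"


def reachable_vpn(req: AccessRequest) -> set[str]:
    """Perimeter model: one network-level login places the device on the
    corporate network, so every internal host is reachable (lateral movement)."""
    if not req.mfa_passed:
        return set()
    return set(APP_POLICIES) | UNPUBLISHED_HOSTS


def reachable_ztna(req: AccessRequest) -> set[str]:
    """Micro-segmented model: only applications whose own policy allows this request."""
    return {app for app in APP_POLICIES if ztna_decision(replace(req, app=app))[0]}


if __name__ == "__main__":
    eng = AccessRequest("alice", "engineering", "laptop-17", True, "wiki")
    print("VPN :", sorted(reachable_vpn(eng)))   # every internal host
    print("ZTNA:", sorted(reachable_ztna(eng)))  # only wiki
```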

In 2019 there were only a handful of companies that offered ZTNA services. Since then, and thanks to the pandemic, ZTNA services have seen explosive growth. In fact, as of January 2021, there are now 15-18 organizations jumping in to offer services and trying to differentiate themselves from the rest of the space. There have also been some acquisitions along the way. Sometimes it is almost as though I can’t even keep up. The research in this space is never ending and constantly evolving.

With this kind of explosive growth in the zero-trust security space, it is no wonder a ton of different architectures have emerged. In 2019 Gartner published a general architecture for ZTNA and, to no surprise, many vendors have mirrored that architecture. Some, however, have pushed boundaries to offer innovative approaches to providing access to private applications that is invisible to the user.

In future posts, we’ll dig into these architectures and I will offer my thoughts on the best of them.

Hank

Published by Hank Yeomans

Principal Engineer in Cloud Security OCTO @ Cisco Systems - Enabler of business, network architectures. I'm into long walks on the beach, zero trust, networking infrastructures, and bacon.
