
Choosing ZTNA vendors amid zero-trust confusion

In the era of cloud and COVID-19, analysts say ZTNA vendors offer a more secure remote access model than the legacy VPN. Here's how the technology works.

Just before Christmas 2015, an alleged stalker talked his way inside a gated community in Hidden Hills, Calif., to the home of Kris Jenner, matriarch of the infamous Kardashian-Jenner clan. Strolling inside without challenge from security guards, the intruder found Jenner alone in her home office and announced, "Lucy, I'm home." About a year later, another alleged stalker breached the private community's gates. This time, however, Jenner's new security detail -- she fired the previous guards -- questioned and detained the man before he entered her property.

These back-to-back incidents offer a clear illustration of the fundamental differences between legacy and zero-trust network access (ZTNA) models. The traditional paradigm -- which allowed an intruder to gain access to Jenner's home -- gives the benefit of the doubt to anyone inside a well-defined physical perimeter. This approach, otherwise known as implicit trust, has resulted in a slew of high-profile and costly corporate data breaches in recent years, with attackers, once inside a network, moving laterally to commandeer sensitive resources.

In contrast, ZTNA -- like Jenner's new guards in the second intruder incident -- treats everyone everywhere as a threat, granting users and devices tailored access to only the applications they need, when they need them. Also known as software-defined perimeter (SDP), ZTNA has garnered enormous interest in the enterprise as increased cloud use and remote work decentralize infrastructure and dissolve the traditional network perimeter. Gartner predicted that, by 2022, 80% of new business applications will support ZTNA for third-party partners and that, by 2023, ZTNA will have eclipsed most VPN use in 60% of enterprises.

Fact-checking would-be ZTNA vendors


While a ZTNA strategy might sound like common sense, the details matter, according to John Burke, principal analyst and CIO at Nemertes Research. Network pros are "swimming in a sea of products" from ZTNA vendors, he said, and they should understand how various technical flavors work and differ before investing. Burke also noted that many vendors now label products and services as zero trust -- one of the buzziest terms in IT marketing -- that don't qualify. Zero trust hinges on the concept of granting minimal resource access based on preestablished identity- and context-based criteria.

"If you can't say in advance who gets to talk to whom with a given tool, then you're not working on zero trust," Burke said. He added that behavioral threat analytics, for example, entails letting an entity into the network, watching how it behaves and stopping it if it behaves badly. "That's a fine adjunct to zero trust, but it's an independent concept."


A ZTNA security strategy applied to the Kris Jenner example would have subjected the first intruder to increasingly stringent authentication and authorization requirements as he moved from the gated perimeter toward more sensitive network areas and resources -- Jenner's home, her family members and herself. Technologies from true ZTNA vendors require users to satisfy identity and context requirements as a prerequisite to obtaining privileges, rather than as a requirement for keeping them.

"We want to eliminate implicit trust. You're no safer on your internal network than you are at a coffee shop," said Neil MacDonald, vice president and fellow at Gartner, during a recent ZTNA presentation.

Claims about a ZTNA product's "agility" should also raise red flags, said John Watts, senior director and analyst at Gartner. Restricting access to network resources might improve security, but it logically reduces agility, which he identified as a competing priority. He added that vendors sometimes claim to sell zero-trust collaboration tools and zero-trust VPNs, but those are both contradictions in terms.

"The vendor hype leads to a lot of confusion. They are using zero trust as overloaded marketing shorthand for 'more secure,'" Watts said. To avoid drowning in misleading messaging, he suggested enterprises focus on the building blocks of zero trust, starting with network access.

Context is the new perimeter

MacDonald said most zero-trust initiatives begin with networking because of the network's foundational role in the IT stack and the weaknesses inherent to IP address access identifiers, which attackers can easily spoof. With ZTNA, authentication depends on user and device identities that organizations preestablish using integrated -- native or third-party -- identity and access management, single sign-on and multifactor authentication tools.


ZTNA trust brokers, or centralized controllers, enforce enterprise access policies by negotiating connections between users and applications, while shielding private network resources from the public internet. "All of your application access enforcement happens in a new layer in between your corporate apps and your end users," said Andy Ellis, CSO at Akamai, an early pioneer in ZTNA.

The trust broker acts as a kind of dynamic ZTNA policy brain, cross-referencing identities, roles and contextual variables -- such as dates, times, geolocations, data sensitivity levels and device postures -- against enterprise policies and norms, granting or denying client connection requests accordingly. "Context is the new perimeter," MacDonald said.

The trust brokers grant authenticated users segmented, isolated access to individual or grouped applications on a one-to-one basis, preventing them from making unsanctioned lateral movement into other areas of the private network.

"In a sense, ZTNA creates individualized 'virtual perimeters' that encompass only the user, the device and the application," MacDonald and Gartner analysts Steve Riley and Lawrence Orans wrote in a 2020 ZTNA market guide.

ZTNA flavors: Endpoint-initiated vs. service-initiated

Organizations can choose between two basic ZTNA architectures: endpoint-initiated and service-initiated, according to MacDonald. Endpoint-initiated ZTNA requires enterprises to deploy software agents on all network endpoints to gather information and share it with the broker as part of the authentication and authorization process. Based on the context it receives from an agent, the broker determines the resources it trusts a user to access and then signals a secondary gateway, an appliance located near the hidden enterprise network, to initiate an encrypted outbound tunnel from application to user. This "inside-out" model closely reflects the original SDP specification of the Cloud Security Alliance, Watts added.


In contrast, service-initiated ZTNA does not require endpoint agents. Instead, an enterprise installs a connector appliance in its private network, which initiates an outbound connection to the ZTNA provider's cloud. If a user and device pass muster based on identity credentials and context requirements, the ZTNA controller facilitates a connection with the requested application via a proxy appliance in the provider network. The user typically accesses services through a browser. This flavor of ZTNA aligns with Google's BeyondCorp Remote Access design, which it has used internally since 2011 and now sells commercially, according to Watts.

An agent on an enterprise-managed endpoint can provide the ZTNA trust broker with rich contextual insight into user behavior and device posture, theoretically resulting in more nuanced, sophisticated access control. But, because it requires software installation, endpoint-initiated access can't support devices that the enterprise doesn't control, limiting third-party and BYOD use. On the other hand, service-initiated ZTNA doesn't require agents on the end-user side but typically supports only application protocols based on HTTP/HTTPS. Some vendors, such as Netskope and Zscaler, support a hybrid approach, mixing and matching service-initiated and endpoint-initiated ZTNA for different use cases, such as connecting internal employees and third-party contractors.

When vetting either architecture, MacDonald said enterprises should ask ZTNA vendors if the broker or controller stays in the encrypted data path to perform continuous, inline inspection and authentication functions for the duration of the exchange. If the broker removes itself after setting up the application access, the network will have less visibility and a higher level of implicit trust but potentially also a lower risk of traffic bottlenecks.
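To make concrete what the trust broker described above actually decides, and what it means for a broker to stay inline and keep re-evaluating a session rather than stepping out after setup, here is an added example. It is not code from the article, from Gartner or from any ZTNA vendor; the applications, users, roles and policies are constructed sample data, and the attribute names (`device_managed`, `device_patched`, `hours`) are assumptions chosen for illustration. The point it demonstrates is Burke's test: the policy states in advance who may talk to which application, everything else is denied, and a change in context mid-session can revoke access.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Request:
    """One access request as the broker sees it: identity plus context."""
    user: str
    roles: frozenset
    mfa_verified: bool
    device_managed: bool   # an endpoint agent can attest this; browser-only access usually cannot
    device_patched: bool   # device posture, as reported by the agent (assumed attribute)
    country: str           # geolocation of the client
    hour: int              # local hour of day, 0-23
    app: str               # the single application being requested

@dataclass(frozen=True)
class Policy:
    """Pre-established rule for one application. Anything not stated here is denied."""
    allowed_roles: frozenset
    require_mfa: bool = True
    require_managed_device: bool = False
    allowed_countries: frozenset = frozenset()  # empty means any country
    hours: tuple = (0, 23)                       # inclusive window of allowed local hours

# Constructed sample policies, keyed by application name. Applications with no
# entry are unreachable: the broker has nobody it is allowed to connect to them.
POLICIES = {
    "payroll": Policy(frozenset({"hr"}), require_managed_device=True,
                      allowed_countries=frozenset({"US"}), hours=(7, 19)),
    "wiki": Policy(frozenset({"employee", "contractor"})),
}

def evaluate(req, policies=POLICIES):
    """Default-deny decision for one user/device/application triple.
    Returns (allowed, reasons); reasons is empty only when every rule is met."""
    pol = policies.get(req.app)
    if pol is None:
        return False, ["no policy for application"]
    reasons = []
    if not (req.roles & pol.allowed_roles):
        reasons.append("role not permitted")
    if pol.require_mfa and not req.mfa_verified:
        reasons.append("mfa required")
    if pol.require_managed_device and not (req.device_managed and req.device_patched):
        reasons.append("device posture insufficient")
    if pol.allowed_countries and req.country not in pol.allowed_countries:
        reasons.append("geolocation not permitted")
    lo, hi = pol.hours
    if not lo <= req.hour <= hi:
        reasons.append("outside allowed hours")
    return not reasons, reasons

def reevaluate(session, **changed):
    """An inline broker re-runs the policy on a live session whenever context changes
    (device falls out of compliance, user roams, clock passes the window).
    Returns (keep_session, reasons). A broker that steps out of the data path after
    setup never makes this call, which is the implicit trust the article warns about."""
    return evaluate(replace(session, **changed))

# Constructed sample identities.
ALICE = Request("alice", frozenset({"hr", "employee"}), True, True, True, "US", 9, "payroll")
BOB = Request("bob", frozenset({"contractor"}), True, False, False, "DE", 14, "wiki")

if __name__ == "__main__":
    print("alice -> payroll:", evaluate(ALICE))
    print("bob -> wiki:", evaluate(BOB))
    print("bob -> payroll:", reevaluate(BOB, app="payroll"))
    print("alice, device unpatched mid-session:", reevaluate(ALICE, device_patched=False))
```

Each decision names the failed rules rather than returning a bare deny, which is what a network team needs when vetting a vendor's policy engine: the answer to "who gets to talk to whom" should be readable off the policy table before any connection is made, and the same table should be applied again when the device posture or location of an already-connected session changes.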

ZTNA flavors: As-a-service vs. self-hosted

ZTNA vendors also offer standalone products and cloud-based services, with the latter reportedly far outstripping the former in terms of interest and adoption. In September 2020, Gartner estimated that more than 90% of its clients were implementing the as-a-service option, which enables rapid, easy deployment and scalability.

ZTNA as-a-service products include the following:

  • Akamai's Enterprise Application Access
  • Broadcom's Secure Access Cloud
  • Cato Networks' Cato Cloud
  • Cisco's Duo
  • Google's BeyondCorp Remote Access
  • Netskope's Private Access
  • Okta's Identity Cloud
  • Palo Alto Networks' Prisma Access
  • Perimeter 81's Software-Defined Perimeter
  • Proofpoint's Proofpoint Meta
  • Zscaler's Private Access

MacDonald said standalone, customer-managed trust brokers may offer enterprises greater control but tend to have more cumbersome deployment and management requirements. They rely on on-premises physical appliances or virtual appliances deployed in public cloud.

Standalone, self-hosted ZTNA products include the following:

  • Appgate's Software-Defined Perimeter
  • Banyan Security's Zero Trust Remote Access Platform
  • Pulse Secure's Pulse SDP
  • Safe-T's Secure Application Access
  • Unisys' Stealth
  • Verizon's Vidder PrecisionAccess
  • Waverly Labs' Open Source Software Defined Perimeter

"The better ZTNA vendors give you choice, so you can have it as a cloud-based service or you can set it up and do it yourself," MacDonald added. Companies offering hybrid options include Palo Alto Networks, Netskope, Verizon and Zscaler.

Watts reminded network pros to bring a healthy sense of skepticism to conversations with ZTNA vendors, vetting products to ensure they meet their specific needs. "Work with standards bodies, get independent advice and come up with your own ideas before you start engaging with the vendors because they will want you to do zero trust their way," Watts advised.

He also cautioned: "These are not silver bullets. ZTNA can't meet every single security use case, such as unstructured data protection and customer access for public-facing applications." Other complementary tools, he explained, need to come into play as enterprises think about security holistically and not just from the zero-trust network access perspective.

This was last published in October 2020
