John_Spiegel

The dawn of Universal Zero Trust Network Access


RSA 2024 just ended. The usual topics were in play: AI, regulations, startups, and the rise of the cyber platform. To my surprise, there was another topic that I did not expect—extending ZTNA to the campus and branch. While on-prem solutions have been available for a decade and a half, they are hardware-based and network-focused, whereas the more recent cloud-based solutions are built on software and identity policies. To level set, a ZTNA solution must possess three characteristics:

  1. Identify everything
  2. Apply policy controls 
  3. Allow for instantaneous dynamic updates to policy

Now that we have defined what ZTNA must accomplish to be viable and described the landscape, let’s get into the challenges on-prem and remote approaches can create when experienced together.

Different user experiences – One experience is based on working from home and another on being in the office. In practice: do I turn off the security stack when I arrive at the office because I am on a “trusted network”? Is this an ideal outcome in this era of cyber security threats like ransomware?

Complexity – Managing two policy engines with two different focuses—network vs. identity—creates overhead, inconsistency, and a greater likelihood of human error, resulting in poor security outcomes.

Higher cost – Paying for two systems that provide similar outcomes is not ideal. On top of that, the human capital to manage these systems from a “keep-the-lights-on” perspective is not trivial—it’s likely two or more resources from different departments.

How can we overcome this? The concept is a framework called Universal ZTNA. What it calls for is centralizing a user’s or a device’s Zero Trust access policy to enable a single policy definition. Instead of multiple systems, unite them. Bring policy under one roof. The benefits include closing existing security gaps, policy unification, simpler operations, greater visibility, reduced cost and operational overhead, and, most importantly, an enhanced user experience.

Sounds great, right?  Yes, but there are challenges, mainly: 

Technology silos - Due to how IT is managed, network and security teams are often siloed. The result: who owns the policy? Who selects the technology? Where is the focus for enforcement? Network or identity? These questions for layer 8 (management) need to be resolved early for a Universal ZTNA program to succeed.

Traffic steering – Depending on where the focus will be (network or identity), where network traffic is sent for enforcement may cause a redesign. If identity is favored, will enforcement occur in a cloud-based system, similar to how many SSE solutions are designed? If the network is favored, will traffic need to converge at a central point? If so, what about remote access technologies? The latency penalty must be considered.

IoT/OT – One of the biggest challenges is this scenario. On campus, how do I unify and identify policies for devices which have no identity? For example, this could be an LCD or even a simple printer. They exist on the network, but, likely, they do not have an account in the IDP. In that case, how do you build policy? How do you discover them? How do you secure this type of technology but also grant the right level of access without an extraordinarily long policy (which is prone to human error)?

Sounds like a quandary, right? On one hand, there is a solid need to secure both the campus and remote workers, but on the other hand, the process to do so is complex and fraught with challenges and, worse, technical overhead. What should the network leader, the security leader, and the engineering staff building and supporting these systems do? Here are my recommendations:

Work “the edge” and move inwards - The biggest bang for the buck is remote access ZTNA. Start by securing your remote workforce and critical third-party resources. This can be done via both agent-based and agentless SSE ZTNA solutions. If you’ve not adopted a solution, start now. ZTNA is a mature solution and will replace legacy remote access solutions like IPSec VPNs. Why start here? The solutions are easy to use and policy is straightforward. Once you’ve solved remote access, then tackle the following:

Address tech silos - As you will find out during your remote access project, there will be friction between departments.  If you are a leader, this is your opportunity to make change.  The challenges you uncover will lead you to how to realign.  

Address traffic steering – How much time you spend here will depend on where you are in your cloud journey. If you are already native, the effort here is likely to be small. This area will be more challenging if in hybrid mode, with a potent mix of legacy applications living in an on-prem data center and next-generation SaaS and cloud solutions. The question you need to consider is: when do I favor an Internet-based WAN approach vs. private services like dedicated lines and MPLS? As applications transform, you will move in favor of the Internet as your WAN.

Address unmanaged devices - This could be as simple as the video monitor to display a presentation or as complex as a dialysis pump. IoT/OT must be addressed.  Alongside this, IT tooling must be considered as well.  Think about patching and software distribution.  The model may need adjusting depending on how modern your solution is.

Once you have answers to the above, look at the vendor landscape. Ideally, you want to shortlist vendors who offer a full end-to-end solution: integrated remote access ZTNA plus an on-prem NAC solution. This allows you to extend network and identity policies to cover remote users and campus employees. The key considerations are user experience and operational simplicity for day-two management. Ideally, this solution will provide a “master policy engine” to align policies based on user or device location. This master will feed both the remote access and on-prem system and cover critical IoT/OT requirements.
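As an added illustration (not code from this article, from HPE Aruba Networking or from any vendor product), the sketch below models the “master policy engine” described above together with the three characteristics listed at the start: every subject is identified (a user by IdP principal, an unmanaged printer by its profiled device class), one rule set is applied, and a version counter lets enforcement points pick up rule changes immediately. The same definition is evaluated for a remote user (enforced by cloud SSE), the same user on campus (enforced by NAC) and an IoT device that has no IdP account. All identities, groups, device classes, resources and rules are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Subject:
    """Whoever is asking for access: a person with an IdP identity, or an
    unmanaged device with no account that profiling has labelled by class."""
    kind: str                            # "user" or "device"
    identity: Optional[str] = None       # IdP principal; None for unmanaged devices
    device_class: Optional[str] = None   # e.g. "printer", assigned by device profiling
    location: str = "remote"             # "remote" or "campus"
    posture_ok: bool = True              # endpoint checks passed (EDR up, disk encrypted)


@dataclass
class Rule:
    """One line of the single policy definition. Rules are evaluated in
    order; the first match wins and anything unmatched is denied."""
    name: str
    subject_kind: str
    resource: str
    allow: bool
    identity_group: Optional[str] = None   # required IdP group (users)
    device_class: Optional[str] = None     # required profiled class (devices)
    require_posture: bool = False


class MasterPolicyEngine:
    """Holds the one policy definition and answers access questions for
    every enforcement point. Location selects *where* the decision is
    enforced, not *whether* the policy applies: no trusted-network bypass."""

    def __init__(self, idp_groups: dict):
        self.idp_groups = idp_groups   # identity -> set of groups, as synced from the IdP
        self.rules = []
        self.version = 0               # bumped on every change so enforcement points resync

    def add_rule(self, rule: Rule) -> int:
        self.rules.append(rule)
        self.version += 1
        return self.version

    def revoke_rule(self, name: str) -> int:
        """Dynamic update: drop a rule and publish a new policy version."""
        self.rules = [r for r in self.rules if r.name != name]
        self.version += 1
        return self.version

    def _matches(self, rule: Rule, subject: Subject, resource: str) -> bool:
        if rule.subject_kind != subject.kind or rule.resource != resource:
            return False
        if rule.identity_group is not None:
            groups = self.idp_groups.get(subject.identity, set())
            if rule.identity_group not in groups:
                return False
        if rule.device_class is not None and rule.device_class != subject.device_class:
            return False
        if rule.require_posture and not subject.posture_ok:
            return False
        return True

    def decide(self, subject: Subject, resource: str) -> Tuple[str, str, str]:
        """Returns (decision, enforcement_point, matched_rule)."""
        enforcement = "cloud-sse" if subject.location == "remote" else "campus-nac"
        for rule in self.rules:
            if self._matches(rule, subject, resource):
                return ("allow" if rule.allow else "deny", enforcement, rule.name)
        return ("deny", enforcement, "default-deny")


def build_example_engine() -> MasterPolicyEngine:
    """Constructed sample policy: one definition covering remote users,
    campus users and an unmanaged printer that only needs the print spooler."""
    engine = MasterPolicyEngine(idp_groups={"alice": {"finance"}, "bob": {"engineering"}})
    engine.add_rule(Rule("finance-to-erp", "user", "erp", allow=True,
                         identity_group="finance", require_posture=True))
    engine.add_rule(Rule("printers-to-spooler", "device", "print-spooler", allow=True,
                         device_class="printer"))
    return engine


if __name__ == "__main__":
    engine = build_example_engine()
    checks = [
        (Subject("user", identity="alice", location="remote"), "erp"),
        (Subject("user", identity="alice", location="campus"), "erp"),
        (Subject("user", identity="alice", location="campus", posture_ok=False), "erp"),
        (Subject("device", device_class="printer", location="campus"), "print-spooler"),
        (Subject("device", device_class="printer", location="campus"), "erp"),
    ]
    for subj, res in checks:
        who = subj.identity or subj.device_class
        print(f"{who:8} {subj.location:7} {res:14} -> {engine.decide(subj, res)}")
```

Two design points carry the article's argument. First, `decide` uses location only to pick the enforcement point, so Alice gets the same posture-gated answer at home and in the office; the “turn off the security stack on the trusted network” inconsistency cannot arise because there is no second policy to diverge. Second, the printer never needs an IdP account: it is matched on the class that device profiling assigned and is scoped to the one resource it needs, which keeps the IoT/OT part of the policy short rather than an error-prone list of exceptions.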

Universal ZTNA is a new concept.  Given where the industry is going and the growing need to merge networking and security, with the emergence of the hybrid workforce, the idea will evolve and become a must-have technology soon.  If you are on the frontline, a network leader, or an enterprise architect, now is the time to start researching and planning.  Also, as recommended above, the best first step is to move to a ZTNA-based remote access product.  Start there, learn the technology, test it, deploy it, and improve your security posture.  

About the Author

John_Spiegel

John Spiegel is Director of Strategy and Field CTO for the Axis Atmos SSE platform, powered by HPE Aruba Networking. He has 25 years of experience running global networks and managing infrastructure. He is an industry pioneer in software defined networking (SDN) and software defined WANs (SD-WAN). When not helping companies on their journey to modernize and secure their networks, John can be found cycling on the backroads of Oregon.