The Evolution of Zero-Trust Network Access
February 24, 2023
Fortinet
Cybersecurity, Network, Fortinet, Future, Data Protection
When the first mobile phones came on the market, they could only be used to make phone calls. Over time, more and more features were added, such as cameras and internet connectivity, and these capabilities became an expected part of the phone itself. Today, even the cheapest $20 retro flip phone has a camera, texting capabilities, GPS, music and even the ability to (still) make phone calls.
I think a similar transition will happen with zero-trust network access (ZTNA). Currently, many ZTNA solutions are offered as an additional service, so companies have to pay per user to access applications on top of their existing security solutions. Over time, however, ZTNA will become commonplace, just as you expect your phone to have a built-in camera. In the future, ZTNA will simply become a standard part of cybersecurity.
The pandemic and ZTNA
The zero-trust security model has been around for more than a decade. In this model, everything and everyone who tries to connect to your network is considered a potential threat. And each user must be vetted before being given permission to access resources. ZTNA applies the principles of zero trust to application access. With ZTNA, users and devices are authenticated and monitored every time they want to access an application.
A few years ago, ZTNA slowly became known for securing applications hosted in the cloud, but when the pandemic broke out, companies quickly had to support their employees working from home. Almost overnight, they needed to ensure their employees had secure access to the information and applications they needed to do their jobs. Many of them fell back on the VPNs they already used for remote workers to connect their entire workforce from home. At the same time, the expansion of network boundaries gave attackers a great opportunity to exploit the weaknesses of often inconsistent remote security and the inherent risks and limitations of VPNs.
After the initial rush to set up home offices, it became clear that traditional VPN technology was not up to the task. After IT managers had a chance to pause and re-evaluate, they realised they needed a better, more secure way to connect their employees to applications. ZTNA provides more secure, granular access to applications. This includes verifying user and device identity and checking other factors such as time of day, location and device condition before granting access. ZTNA continues to monitor these factors and identities.
As companies moved away from VPNs, many of the first ZTNA solutions focused exclusively on remote users. Some cloud-based ZTNA solutions and products were offered as part of a SASE solution. Companies paid per user to access applications, whether through SASE or as a stand-alone cloud-based ZTNA solution.
Work from home evolves to work from anywhere
After the initial crisis of the pandemic subsided, it became increasingly clear that there was a permanent shift in the way people worked. Work from home evolved into work from anywhere as companies moved to adopt different hybrid working models with a mix of office and home-based work. Attitudes towards zero-trust solutions also changed.
Pure remote ZTNA solutions could not support hybrid working models well, because companies ended up with one policy for remote users and another for employees working on-site. However, one of the key principles of ZTNA is that security should be network and location independent, with a consistent access policy applied everywhere. In other words, ZTNA must follow users wherever they are.
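The per-request checks described earlier (user and device identity, device condition, time of day, location) together with the single location-independent policy from this section, as an added example that is not Fortinet's code: a constructed Python evaluator in which the device inventory, policy values and request data are assumed sample values.

```python
from dataclasses import dataclass, replace
from datetime import datetime, time
# Hypothetical ZTNA policy evaluator (constructed example, not Fortinet's code): every
# request is checked afresh against one policy, whether the user is in the office or remote.

@dataclass(frozen=True)
class AccessRequest:
    groups: frozenset        # user's entitlements from the identity provider
    device_id: str
    device_compliant: bool   # posture: disk encrypted, EDR running, OS patched
    mfa_verified: bool
    location: str            # "office" or "remote"; carries no implicit trust
    country: str
    when: datetime
@dataclass(frozen=True)
class AppPolicy:
    allowed_groups: frozenset
    allowed_countries: frozenset
    hours: tuple             # (start, end) local-time window in which access is permitted
KNOWN_DEVICES = frozenset({"laptop-0042", "laptop-0117"})  # constructed device inventory

def evaluate(req: AccessRequest, policy: AppPolicy) -> list:
    """Return the failed checks; an empty list means the request is granted."""
    failed = []
    if not req.mfa_verified:
        failed.append("user identity not verified")
    if not req.groups & policy.allowed_groups:
        failed.append("user not entitled to this application")
    if req.device_id not in KNOWN_DEVICES:
        failed.append("unknown device")
    if not req.device_compliant:
        failed.append("device posture non-compliant")
    if req.country not in policy.allowed_countries:
        failed.append("country not permitted")
    start, end = policy.hours
    if not start <= req.when.time() <= end:
        failed.append("outside permitted hours")
    return failed            # req.location is deliberately not consulted

HR_APP = AppPolicy(frozenset({"hr"}), frozenset({"DE", "CH"}), (time(7), time(20)))
def demo() -> dict:
    base = AccessRequest(frozenset({"hr"}), "laptop-0042", True, True,
                         "office", "DE", datetime(2023, 2, 24, 10, 0))
    return {
        "office": evaluate(base, HR_APP),
        "remote": evaluate(replace(base, location="remote"), HR_APP),
        "posture_drift": evaluate(replace(base, device_compliant=False), HR_APP),
        "after_hours": evaluate(replace(base, when=datetime(2023, 2, 24, 23, 0)), HR_APP),
    }
```

The office and remote requests yield the same decision, while a change in device posture or request time on the same session is denied at the next evaluation.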
These concepts have become widely accepted to meet the security needs of highly distributed networks, with resources spread across data centres and multiple clouds. Today, more and more organisations are looking for ways to unify networking and security, and ZTNA is part of that equation. At Fortinet, we have long talked about the benefits of convergence as it improves security, reduces complexity and lowers costs by reducing the number of products and vendors in the infrastructure.
As part of this philosophy, ZTNA is part of our cybersecurity platform, which is unique in the market. If you have a FortiGate Next-Generation Firewall (NGFW), you already have ZTNA with no additional monthly fee. And Fortinet FortiClient comes standard with both VPN and ZTNA agents, so you can gradually migrate from VPN to ZTNA without incurring additional costs. For organisations already using FortiClient solutions for their VPN, switching to ZTNA is just a matter of turning on the feature.
With cybersecurity in general and ZTNA in particular, multiple solutions need to work together. For example, ZTNA requires multiple components: a client, a proxy, authentication and security, all working together. A separate, bolt-on ZTNA solution adds complexity. In contrast, with a single-vendor cybersecurity platform, the products are designed to work together, improving security and simplifying deployment and management. Because ZTNA is simply integrated as a feature into other products, it goes from being an add-on that enables remote access to cloud-based applications to being an integral part of organisations' cybersecurity strategies.
Zero Trust Everywhere
At Fortinet, we believe Zero Trust should be everywhere, and we have a broad portfolio of Zero Trust solutions that span users, applications, network resources and devices across the hybrid network. And by providing a universal approach to ZTNA that is consistent on-premises, in the cloud or as a service via SASE, Fortinet Universal ZTNA provides secure access for every user, whether they are remote or in the office.
Much like a phone's camera, the Fortinet ZTNA solution is a cost-neutral feature. ZTNA capabilities are integrated into the FortiClient endpoint protection and FortiGate NGFWs and are offered as a non-licensed feature. Implementing a zero-trust architecture does not have to be complex. Because Universal ZTNA is integrated with Fortinet NGFWs, SASE solutions and cloud-based solutions, organisations can benefit from consistent enforcement regardless of where users, applications and other resources are located.