Zero Trust Network Access (ZTNA) has emerged as the go-to security solution for distributed organizations with remote workforces accessing on-premises resources. While remote work is nothing new, COVID accelerated the shift toward a distributed workforce for the vast majority of organizations around the world. Today, most continue to embrace this remote style of operations. Naturally, this requires securing remote access to internal resources on the network. However, throughout this global pandemic, it has become clear that VPN, which was previously the go-to solution for securing remote access, is not the silver bullet that it was once thought to be, and suffers from a few notable issues.
Using VPN to connect to on-premises applications leads to an impaired user experience that disrupts employee productivity. The tunnels these tools establish are not designed for user experience and don't provide the level of performance that users need to do their jobs. Additionally, as the use of VPN requires costly hardware appliances with fixed capacities to be installed on premises, there is a lack of scalability. This became apparent at the beginning of shelter in place when organizations were shifting from a small percentage of remote workers to a fully remote workforce. Existing VPN appliances were not designed for the increased loads, were overwhelmed, and failed, requiring organizations to reactively rack and stack more and better appliances (paying for what will one day be excess capacity). Finally, while it is often overlooked, VPN is insufficient when it comes to security. Typically, these tools grant full access to the network and everything on it, violating the core principles of zero trust security and enabling lateral movement across resources on the network--leading to larger breaches. 
Fortunately for modern, distributed enterprises, ZTNA is up to the challenge of securing remote access--as noted by Gartner throughout its 2020 Market Guide for Zero Trust Network Access.

Zero Trust Network Access

As mentioned above, ZTNA circumvents the challenges associated with VPN while providing enhanced protections for modern organizations. Rather than giving excessive access to the network and all internal resources, ZTNA is focused on the zero-trust principle of least privilege, and gives secure access to specific resources one at a time based on a user's access context. This is typically accomplished through identity and access management (IAM) capabilities like single sign-on (SSO) and multi-factor authentication (MFA), as well as contextual access control. Leading ZTNA solutions can provide this functionality natively as well as integrate with whatever solutions you already have in place.

Leading ZTNA solutions are architected in and delivered through the public cloud. This allows them to forgo the use of costly hardware appliances that would otherwise need to be installed and maintained on premises. In this way, ZTNA delivers enhanced performance over sluggish tools like VPN, and offers significantly improved, automated scalability that is not available with appliance-based architectures which require reactive racking and stacking of costly appliances in order to scale. 

As a final point, due to the rise of bring your own device (BYOD), organizations evaluating ZTNA vendors should choose solutions that offer agentless deployment options for securing browser-based access on personal devices to on-premises apps like Jira or Confluence. For protocols outside of HTTP or HTTPS that require the use of thick clients, like RDP or SSH, ZTNA solutions require the use of an agent. 
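To make the per-resource, context-aware model concrete, here is an added illustration of how a ZTNA broker decides a single request; it is not Bitglass code, and the app catalogue, group names, policy fields and request fields are all constructed for the example. It evaluates one named application at a time against the identity context the section describes (group membership from SSO, MFA state, managed versus BYOD device) and, following the paragraph above, requires an agent only for non-browser protocols such as SSH or RDP. Deny is the default: an app with no policy is simply not reachable, the inverse of a VPN placing the whole network in reach.

```python
"""Per-application, context-aware access decisions in the ZTNA model.

Added example, not Bitglass code. The catalogue below is constructed.
"""
from dataclasses import dataclass

# Protocols a browser can carry agentlessly; anything else (SSH, RDP and
# other thick-client protocols) needs the agent.
BROWSER_PROTOCOLS = frozenset({"http", "https"})


@dataclass(frozen=True)
class Request:
    """Access context as the broker sees it after SSO/MFA and posture checks."""
    user: str
    groups: frozenset          # group claims from the identity provider
    app: str                   # the single resource being requested
    protocol: str
    mfa_passed: bool
    managed_device: bool       # False for BYOD
    agent_installed: bool


@dataclass(frozen=True)
class AppPolicy:
    allowed_groups: frozenset
    protocol: str
    require_mfa: bool = True
    allow_unmanaged: bool = False   # BYOD reach only where explicitly granted


# Constructed catalogue of three internal apps (hypothetical names).
POLICIES = {
    "jira": AppPolicy(frozenset({"engineering", "contractors"}), "https",
                      allow_unmanaged=True),
    "build-host": AppPolicy(frozenset({"engineering"}), "ssh"),
    "finance-app": AppPolicy(frozenset({"finance"}), "https"),
}


def decide(req, policies=POLICIES):
    """Return (verdict, reason); verdict is 'allow' or 'deny'.

    Every failure is a deny with a reason suitable for an audit log.
    Entitlement is checked before MFA so a user who is not entitled to an
    app never learns that it exists.
    """
    policy = policies.get(req.app)
    if policy is None:
        return "deny", "unknown app"
    if not (req.groups & policy.allowed_groups):
        return "deny", "user not entitled to app"
    if req.protocol != policy.protocol:
        return "deny", "protocol not published for app"
    if policy.require_mfa and not req.mfa_passed:
        return "deny", "mfa required"
    if not req.managed_device and not policy.allow_unmanaged:
        return "deny", "managed device required"
    if req.protocol not in BROWSER_PROTOCOLS and not req.agent_installed:
        return "deny", "agent required for non-browser protocol"
    return "allow", "all checks passed"


def visible_apps(groups, managed_device, policies=POLICIES):
    """Apps the portal should even list for this user and device posture."""
    return sorted(
        name for name, p in policies.items()
        if groups & p.allowed_groups and (managed_device or p.allow_unmanaged)
    )


if __name__ == "__main__":
    byod_contractor = Request("cara", frozenset({"contractors"}), "jira", "https",
                              mfa_passed=True, managed_device=False,
                              agent_installed=False)
    print(decide(byod_contractor))
    print(visible_apps(frozenset({"engineering"}), managed_device=False))
```

The ordering of the checks is a design choice worth keeping: entitlement first, then the factors (MFA, device posture, agent) that a user could be coached to satisfy, so that the reason returned to an entitled user is actionable while a non-entitled user sees nothing about the app.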

Agentless ZTNA

ZTNA can be deployed in various modes. A foundational and critical requirement is the ability to deploy it without agents. An agentless ZTNA architecture enables remote access to your private applications for users on the go. Notably, it unlocks the following use cases for security teams:

  • Remote access from any device, including unmanaged BYOD devices
  • No agent deployment or maintenance overhead
  • Real-time DLP inspection and enforcement
  • Real-time threat protection with a choice of AV engine

The following real-world examples represent organizations that have used agentless ZTNA to optimize their security:

  • A Global 2000 medical devices company enables remote access to manufacturing automation applications for employees, contractors and partners from both managed and BYOD devices. Without the complexity of agents, the company completed the deployment quickly, with real-time DLP and malware protection enforced in place.
  • A Fortune 500 financial services enterprise enables remote access to money laundering and fraud detection applications for employees, partners and law enforcement. No agents are required, yet real-time DLP and malware protection are enforced.

Data Loss Prevention

Securing on-premises resources is not merely a matter of statically allowing or blocking access to applications. Organizations today also need intelligent security functionality that identifies sensitive files and data patterns at access and prevents them from falling into the wrong hands in real time. Data loss prevention (or data leakage prevention) describes a number of capabilities which provide varied levels of access to data in order to prevent unauthorized access and illegitimate usage. DLP is a critical component of ZTNA because an organization's most sensitive information commonly resides on premises. 

There are multiple ways DLP solutions can identify data patterns that ought to be protected. Simpler tools scan for keywords like "confidential" or "sensitive" within documents, and use basic regex to identify instances of patterns like Social Security numbers (XXX-XX-XXXX). More developed solutions provide advanced regex to scan for multiple data patterns while using logical operators (and, or, not) and mathematical operators (count). Additionally, advanced solutions can scan for file formats, fingerprints (templates), and exact data matches. 

Through the above mechanisms, DLP solutions can identify sensitive or regulated files and data patterns that need to be protected. From there, they can take a variety of actions that are designed to prevent leakage. As an illustration, if a user attempts to download a document that contains sensitive data such as a handful of customer credit card numbers, the solution can identify said data at access. Consequently, depending on the user's authorization, it can encrypt the file on download or enforce digital rights management (DRM), which requires additional authentication and provides read-only access to the file via the web browser. Likewise, if an uploaded file is deemed sensitive or suspect, a copy can be created in an admin-only folder for review.
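The two paragraphs above describe, first, how a DLP engine classifies content (keywords, regex patterns such as the XXX-XX-XXXX Social Security number shape, and/or/not operators, and a count operator) and, second, the actions taken on a match. The following added example carries both through in one piece of code; it is not Bitglass code, and the detectors, rule set, action names and sample documents are constructed for illustration. The card detector goes a little beyond the text by confirming each 16-digit candidate with a Luhn check, which is how a practitioner keeps a bare digit regex from flagging arbitrary numbers.

```python
"""Regex DLP classification with and/or/not/count rules, then the action.

Added example, not Bitglass code; every detector, rule and document below is
constructed for illustration.
"""
import re
from dataclasses import dataclass

# SSN shape from the text, with never-issued area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 16 digits with optional space or dash separators; confirmed by Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")
KEYWORDS = ("confidential", "internal only")
FIXTURE_MARKERS = ("sample data", "test data")   # marks QA fixture files


def luhn_ok(digits):
    """Mod-10 check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def count_cards(text):
    return sum(1 for m in CARD_RE.findall(text) if luhn_ok(re.sub(r"[ -]", "", m)))


def count_phrases(text, phrases):
    low = text.lower()
    return sum(low.count(p) for p in phrases)


# Each detector returns a match count so rules can apply the count operator.
DETECTORS = {
    "ssn": lambda t: len(SSN_RE.findall(t)),
    "card": count_cards,
    "keyword": lambda t: count_phrases(t, KEYWORDS),
    "fixture": lambda t: count_phrases(t, FIXTURE_MARKERS),
}


@dataclass(frozen=True)
class Rule:
    name: str
    all_of: tuple = ()      # and: every listed detector must fire
    any_of: tuple = ()      # or: at least one listed detector must fire
    none_of: tuple = ()     # not: none of these may fire
    min_count: tuple = ()   # count: ((detector, n), ...) at least n matches


def rule_matches(rule, counts):
    if any(counts[d] == 0 for d in rule.all_of):
        return False
    if rule.any_of and not any(counts[d] > 0 for d in rule.any_of):
        return False
    if any(counts[d] > 0 for d in rule.none_of):
        return False
    return all(counts[d] >= n for d, n in rule.min_count)


# Constructed rule set: one card number is noise, three or more is bulk data,
# and a file that declares itself QA fixture data is excluded (the "not").
RULES = (
    Rule("pci-bulk", none_of=("fixture",), min_count=(("card", 3),)),
    Rule("pii-ssn", all_of=("ssn",)),
    Rule("marked-sensitive", any_of=("keyword",)),
)


def classify(text):
    counts = {name: fn(text) for name, fn in DETECTORS.items()}
    return counts, [r.name for r in RULES if rule_matches(r, counts)]


def decide(text, direction, user_authorized):
    """Map a classification to the actions described in the text.

    direction is 'download' or 'upload'. A sensitive download is encrypted
    for an authorized user and otherwise served read-only through DRM; a
    sensitive upload goes through with a copy set aside for admin review.
    """
    counts, matched = classify(text)
    if not matched:
        action = "allow"
    elif direction == "upload":
        action = "allow+copy-for-review"
    elif user_authorized:
        action = "encrypt-on-download"
    else:
        action = "drm-read-only"
    return {"counts": counts, "matched": matched, "action": action}


# Constructed sample documents (test card numbers, not real accounts).
CARD_EXPORT = (
    "CONFIDENTIAL customer export\n"
    "Jane Doe 4111 1111 1111 1111\n"
    "John Roe 4242-4242-4242-4242\n"
    "Ann Poe 5500 0000 0000 0004\n"
    "typo row 1234 5678 9012 3456\n"   # fails Luhn, so not counted
)
HR_NOTE = "Employee SSN 123-45-6789 is on file.\n"
QA_FIXTURE = "Sample data for QA: 4111 1111 1111 1111, 4242 4242 4242 4242, 5500 0000 0000 0004\n"

if __name__ == "__main__":
    for doc in (CARD_EXPORT, HR_NOTE, QA_FIXTURE):
        print(decide(doc, "download", user_authorized=False))
```

Running the script shows the card export matching both the bulk-card and keyword rules and being served read-only, the HR note matching the SSN rule, and the QA fixture, which contains the same three card numbers, being allowed because the "not" clause suppresses the rule.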

Advanced Threat Protection

As mentioned in the preceding section, remote work security requirements go far beyond the simple allow and block mechanisms of VPN. Additionally, on top of preventing the leakage of sensitive data and files, organizations must defend against threats like malware and ransomware. As was made painfully obvious in recent years with the global outbreaks of threats like Petya and WannaCry, malware can quickly proliferate across an organization, grind its operations to a halt, and bring it to its knees. 

Leading ZTNA solutions include native advanced threat protection (ATP) functionality for securing on-premises resources against malware. This allows them to scan files in transit for threats and block them as needed--preventing threats at rest from spreading to user devices, and preventing threats on user devices from infecting internal resources. Where ZTNA solutions offer agentless deployment options, uploads and downloads from even unmanaged devices can be scanned for threats. This capability is increasingly important given the meteoric rise of BYOD and the challenges associated with controlling software on non-corporate devices. 

ZTNA vendors providing built-in threat protection typically integrate the detection engines of leaders in the AV space, like CrowdStrike, into their solutions. This affords them highly specialized, behavior-based threat detection. Unlike reactive signature-based approaches which rely upon static lists of patterns, signatures, or hashes known to be associated with malware, behavior-based engines use machine learning to scrutinize files and their potential behaviors across dozens of attributes. In this way, they can detect even zero-day malware with an unknown signature. 

Secure Access Service Edge

Zero trust network access technology is one part of a complete SASE (secure access service edge) platform. SASE offerings integrate complementary technologies so that they can secure any interaction between any devices, apps, web destinations, on-premises resources, or infrastructure. Through a single portal, admins can customize a single set of automated policies which can protect data consistently wherever it goes. For comprehensive, integrated security, organizations evaluating ZTNA solutions should ensure that their tool of choice is part of a complete SASE offering. Along with ZTNA, two of the other core components of SASE are described below.

Through cloud access security broker (CASB) functionality, SASE platforms deliver end-to-end protection for data in sanctioned cloud resources, including IaaS platforms like AWS and Azure as well as managed SaaS like Office 365 and Salesforce. Reverse proxies provide agentless deployment modes that can safeguard access from any device, including personal and remote endpoints, which are becoming increasingly common in modern work environments.

Secure web gateway (SWG) technology is another core component of SASE offerings. SWGs offer web security in the form of URL filtering as well as real-time DLP and ATP policies which block leakage and threats like malware. They also secure shadow IT (unmanaged apps) by blocking them, rendering them read only, and coaching users to sanctioned alternatives. Where SWGs are deployed locally on users' endpoints, scalability and performance are enhanced.

Bitglass SASE with ZTNA