Sooner or later, zero-trust network access (ZTNA) will play a big role for many organizations.
Whether you’re handling the immediate surge in remote users or looking toward adopting the Secure Access Service Edge (SASE) framework, ZTNA will be an increasingly important part of your cybersecurity landscape.
Customers tell us that they don’t want to deploy multiple agents on their endpoints. In parallel, the shortage of IT security staff remains an ongoing challenge for most organizations. That is why Sophos ZTNA leverages the existing Sophos ecosystem to simplify both deployment and day-to-day management for our customers. This integration reduces both admin effort and device footprint, so it’s a win-win.
A technology whose time has come
ZTNA has been thrust into the limelight lately—and I’m not surprised. IT is facing an intersection of security challenges where it can help.
Most obviously, all the signs suggest that the hybrid workforce is here to stay. IT teams will need to support more users, needing access to more applications and data, from more locations outside the organization’s brick-and-mortar premises. And not just home offices, but coffee shops and other shared spaces. Data is increasingly stored in multiple locations too: on premises, in public and private clouds, and in SaaS-based applications.
Meanwhile, ransomware is not going away anytime soon. It’s a persistent, pervasive threat—and the real challenge is the way it spreads laterally around your network. It’s not just the initial device that gets held hostage; ransomware actors look for ways to maximize their impact. For example, the Ryuk strain is known to spread to application servers, domain controllers, terminal servers, and more. Limiting broad access to the network helps to mitigate the damage and stranglehold from ransomware.
As a result, organizations are trying to secure hybrid working patterns, while also mitigating the potential damage from trusting any individual device. ZTNA is a perfect fit.
Simplified access—without the keys to the castle
Fundamentally, zero-trust network access solves the problem of how you give the right users and devices the application access they need, without letting them loose on your network. Rather than placing a device on the network, a ZTNA gateway gives a named entity, a user on a specific device, access to a specific application and nothing more.
The gateway validates three things: the user’s identity, the identity of the device, and the device’s health. Importantly, it does this every time, for every session request, rather than once at login. So if a device is stolen or infected, the next access check fails and access is revoked immediately.
To further reduce your exposure, you can set granular, traffic-light-style policies based on the user’s role, needs, and validation status. For example, a device in a “red” state because it’s infected with malware could be blocked from all applications except a helpdesk website, enabling the user to reach out for assistance or remediate the issue.
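The per-request evaluation and the traffic-light policy described above, sketched as an added example in Python. This is illustrative code written for this article, not Sophos ZTNA code; the users, devices, applications and role mappings in it are constructed sample data, and the health states and rule ordering are assumptions about how such a policy would be expressed.

```python
"""Toy ZTNA gateway policy check: constructed example, not Sophos code.

Every access request is evaluated from scratch against three signals
(user identity, device identity, device health) plus the user's role.
Nothing is cached between requests, so a change in device health takes
effect on the very next request.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Set, Tuple


class Health(Enum):
    """Traffic-light device health as reported by the endpoint agent (assumed states)."""
    GREEN = "green"   # compliant, no detections
    AMBER = "amber"   # minor issue, e.g. protection definitions out of date
    RED = "red"       # active malware detection or tampered agent


@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_passed: bool        # identity asserted by the identity provider, including MFA
    device_id: str
    device_health: Health
    app: str


# --- constructed sample directory and policy data (hypothetical names) ---
ENROLLED_DEVICES: Set[str] = {"laptop-0042", "laptop-0077"}
ROLE_OF: Dict[str, str] = {"alice": "finance", "bob": "engineering"}
# Which roles may reach which private application.
APP_ROLES: Dict[str, Set[str]] = {
    "erp": {"finance"},
    "gitlab": {"engineering"},
    "helpdesk": {"finance", "engineering"},
}
SENSITIVE_APPS: Set[str] = {"erp"}          # denied to AMBER devices
REMEDIATION_APPS: Set[str] = {"helpdesk"}   # the only apps a RED device may reach

Decision = Tuple[bool, str]


def evaluate(req: AccessRequest) -> Decision:
    """Return (allowed, reason). Default deny: any failed check denies."""
    # 1. User identity: no valid MFA-backed assertion, no access.
    if not req.mfa_passed:
        return False, "user identity not verified"
    # 2. Device identity: only enrolled, managed devices may connect.
    if req.device_id not in ENROLLED_DEVICES:
        return False, "unknown device"
    # 3. Device health: traffic-light gating, checked on every request.
    if req.device_health is Health.RED and req.app not in REMEDIATION_APPS:
        return False, "device is red: only remediation apps permitted"
    if req.device_health is Health.AMBER and req.app in SENSITIVE_APPS:
        return False, "device is amber: sensitive app blocked"
    # 4. Entitlement: the user's role must be mapped to this specific app.
    role = ROLE_OF.get(req.user)
    if role is None or role not in APP_ROLES.get(req.app, set()):
        return False, "role not entitled to application"
    return True, "allow"


def demo() -> Dict[str, Decision]:
    """Walk one device from green to red and observe the decision change."""
    base = dict(user="alice", mfa_passed=True, device_id="laptop-0042")
    return {
        "green->erp": evaluate(AccessRequest(**base, device_health=Health.GREEN, app="erp")),
        "amber->erp": evaluate(AccessRequest(**base, device_health=Health.AMBER, app="erp")),
        "red->erp": evaluate(AccessRequest(**base, device_health=Health.RED, app="erp")),
        "red->helpdesk": evaluate(AccessRequest(**base, device_health=Health.RED, app="helpdesk")),
        "wrong-role": evaluate(AccessRequest("bob", True, "laptop-0077", Health.GREEN, "erp")),
        "unknown-device": evaluate(AccessRequest("alice", True, "laptop-9999", Health.GREEN, "erp")),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:16} {'ALLOW' if allowed else 'DENY':5} {reason}")
```

The point of the ordering is that identity and device checks run before any entitlement lookup, and that the health gate is applied on each request rather than once at connection time: the same user on the same device is allowed into the ERP system while green, loses it as soon as the device turns red, and keeps only the helpdesk path needed to fix the problem.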
ZTNA also makes life easier for end users. With a VPN solution the end user might need to figure out which gateway to connect to, worry about being kicked off the network when they move from a wired to a wireless connection, and be prompted to re-authenticate every time. ZTNA makes all that complexity happen behind the scenes, which improves the user experience drastically.
With ZTNA, all the end user needs to do is complete multi-factor authentication (assuming you have it enabled); the device health checks and third-party identity validations are essentially invisible.
A more defined role for VPN
While IT teams were still in the firefight stage of their pandemic response, VPN use soared. That makes sense—it’s a trusted way to provide remote access.
But 18 months on, a growing number are considering whether ZTNA is a better answer to their problem. If you’re purely connecting remote users to modern applications (typically ones that speak standard TCP and UDP protocols), a wholesale replacement could be a good fit.
For most organizations, though, there will still be a time and place to use a VPN solution. You might want to bridge two office networks together, for example, or use older software with its proprietary protocols. As such, ZTNA won’t usually replace VPNs outright; instead, they’ll most likely be complementary options in your IT security toolbox.
Underpinning the secure access service edge (SASE)
That’s the situation today. But the picture is getting more complex, with on-premises, public and private cloud, and SaaS applications, and users connecting from everywhere, using every kind of device.
To make sense of it all, cybersecurity is moving toward a more cohesive, centrally-controlled ecosystem approach. And ZTNA—along with the third-party identity services it uses—will be a key pillar of that framework.
There are several names for this idea; one of the most popular is secure access service edge (SASE). It’s a framework that takes a confusing landscape and lets you apply unified security policies. You can focus on granting access and protecting your users, without worrying about where and how to place and configure a patchwork of point solutions to make it all happen. And because it’s cloud-delivered, traffic inspection puts less pressure on your on-premises security appliances, making it easier to scale with new users, applications, and data.
That’s going to change the workload significantly for IT administrators. There’ll be less running around installing patches and setting policies on individual appliances and endpoints. But it’ll be very important to keep a closer eye on your applications—and understand what software your organization is using, and why.
There are a few cornerstones that will allow SASE frameworks to apply policies across your landscape in a coherent way. One of them is SD-WAN, and ZTNA is another. We envision a world where SASE provides a unified policy for Web access and protection, private application access, SaaS application access, and general network traffic protection and inspection.
Licensing and installation should be simple too
With all this change to cope with, IT and security teams need the freedom to work out how best to use ZTNA to its fullest advantage. The last thing you want is your cybersecurity partner making things more complicated than they need to be.
So at Sophos, we’re taking a different approach—and keeping things as simple as we can.
The value of ZTNA lies in your users and the applications you enable them to access, so our licenses are based on user numbers alone. Our zero trust gateways are available in high availability and clustering configurations; deploy as many as you want, however you want, at no cost.
So if you decide to re-architect your datacenter, change your applications, or leverage your environment’s existing resilience technologies such as VMware clustering, you don’t have to worry about being nickel-and-dimed.
ZTNA should be simple to deploy, too. That’s why we’re using the same installer agent that’s common to all our endpoint products—whether it’s Sophos device encryption or Intercept X. If you already have a Sophos footprint on your endpoints, you don’t need anything else; ZTNA is only a checkbox away in the Sophos Central management platform.
After all, your current challenges are complicated enough. ZTNA is there to make life easier, not more difficult.
Overall, I think that’s a pretty cool set of capabilities—and so far, the users in our Early Access Program seem to agree. We expect to make Sophos ZTNA generally available at the end of 2021. In the meantime, speak with your Sophos representative to discuss how Sophos ZTNA can support your organization.