ZTNA: A Key SASE Capability Enabling Digital Transformation
Rise of Digital Transformation
The main driver for SASE and zero trust network access (ZTNA) has been the rise of digital transformation. The rapid increase of mobile and cloud computing means users and the applications they require could be far apart and located anywhere. Moreover, the best way to connect is over the internet, which greatly increases the cyberattack surface. The challenge for enterprise IT is twofold: ensure cybersecurity across an extended attack surface without adversely affecting performance and the user experience.
The pandemic has taught us that employees can be productive and more cost-efficient when they work from anywhere (office, home, coffee shop) using corporate-managed and unmanaged devices. The same holds true for partners and contractors. Both require fast, secure, and reliable access over the internet to resources that can be anywhere from a data center to the cloud. Ensuring secure and performant connectivity has become a top business challenge.
Enter SASE and ZTNA
SASE aims to provide fast and secure communications between any user, any application, anywhere. It does so by delivering optimal network connectivity and adaptive precise security from the cloud, as close to the user/endpoints as possible.
Adaptive precise security is where ZTNA comes in. ZTNA enforces explicit, granular policies that go beyond the network-based policies of traditional firewalls or VPNs. It considers the identities of users and endpoints along with context (device security posture, location, risk, etc.) in its decision-making process. Based on those decisions, it grants granular access, for example to a specific application rather than a broader set of resources. That allows IT to provision "just enough, least privileged" access for groups of users under specified conditions.
Second, ZTNA security is agile and adaptive: it is not a one-time enforcement at first login. Even after authentication and authorization, the ZTNA service should continue to monitor for changes in the conditions under which access was originally granted. For example, if your device has been compromised or your password has turned up on the dark web, ZTNA applies the appropriate access policy as soon as possible. This capability is known as continuous monitoring/validation/authorization, and it is not easy to achieve: it requires integration with external systems that can promptly relay those changes in conditions to the ZTNA service. In many cases, the ZTNA service is only as effective as its integration with those external systems, which range from identity providers (IdPs) to extended detection and response (XDR) systems to secure web gateways (SWGs) and beyond.
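As an added illustration (not the author's or any vendor's code), here is a minimal policy engine in Python that models the two points above: access is decided per application from identity plus context (group membership, device management state, compromise and credential-leak flags, risk score), and a session re-evaluates the whole policy whenever an external system such as an IdP or XDR reports a changed signal, revoking exactly the applications that no longer qualify. The rule set, signal names and thresholds are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Context:
    """Identity plus context signals for one user/endpoint (hypothetical fields)."""
    user: str
    groups: set
    device_managed: bool
    device_compromised: bool = False   # e.g. relayed by an XDR integration
    credential_leaked: bool = False    # e.g. relayed by an IdP / dark-web monitor
    risk_score: int = 0                # 0..100, higher is riskier

@dataclass
class Rule:
    """One per-application access rule ('just enough' access, not a whole network)."""
    app: str
    groups: set
    require_managed: bool
    max_risk: int

# Constructed sample policy: each rule grants a single application.
POLICY = [
    Rule("hr-portal", {"hr"}, require_managed=True, max_risk=40),
    Rule("wiki", {"hr", "eng", "contractor"}, require_managed=False, max_risk=70),
]

def decide(rule: Rule, ctx: Context) -> str:
    """Return 'allow' or 'deny' for one application given the current context."""
    if ctx.device_compromised or ctx.credential_leaked:
        return "deny"                         # hard stop regardless of app
    if not (ctx.groups & rule.groups):
        return "deny"                         # identity: not in an entitled group
    if rule.require_managed and not ctx.device_managed:
        return "deny"                         # context: device posture
    if ctx.risk_score > rule.max_risk:
        return "deny"                         # context: risk above the app's threshold
    return "allow"

def allowed_apps(ctx: Context) -> set:
    """The set of applications this context may reach right now."""
    return {r.app for r in POLICY if decide(r, ctx) == "allow"}

class Session:
    """Tracks granted apps and re-evaluates the policy on every signal change."""
    def __init__(self, ctx: Context):
        self.ctx = ctx
        self.granted = allowed_apps(ctx)      # initial authorization at login
    def on_signal(self, **changes) -> set:
        """Called by an IdP/XDR/SWG integration; returns the apps revoked by this update."""
        for name, value in changes.items():
            setattr(self.ctx, name, value)    # update the context signal
        now = allowed_apps(self.ctx)          # continuous re-authorization
        revoked = self.granted - now
        self.granted = now
        return revoked
```

A real deployment would drive `on_signal` from the integrations the text names (IdP, XDR, SWG) and terminate the revoked applications' sessions immediately rather than waiting for the next request.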
There's a lot more to zero trust network access and the use cases it covers. I'll discuss them in more detail in my next blog post.
In the meantime, check out our short overview about what ZTNA is and isn’t in our new guide, Zero Trust in 3 Minutes: A Quick Guide to ZTNA.