ZTNA Security That’s the Same Way No Matter Where You Are

Mar 25, 2022 | 5 mins
Zero Trust

Credit: iStock

Today, people work from wherever they happen to be. Jane may be working from her home in beautiful downtown Pasadena, California. Jack may be working from an airport, killing time while he waits for a connecting flight on his way home from Barcelona. Jill may be working from a coffee shop, sipping a latte before she heads off to a customer meeting. Terri may be in the corporate office, preparing a quarterly report on Sales efficiency.

All of these people should be able to connect the same way to the same applications no matter where they happen to be physically located. Unfortunately, that’s often not the case because many organizations use different products to secure access when users are working on campus than when they are working from remote work environments. They may use a cloud-based zero-trust network access (ZTNA) service for their remote workers but use a different approach for on-premises security.

Using multiple products is not only inefficient, it’s less secure and more difficult for both IT staff and employees. Staff that need to manage the network have to use multiple consoles or dashboards that aren’t integrated and deal with separate policies in multiple places. The odds of misconfiguration and errors are higher, and troubleshooting is more difficult when dealing with more than one product.

From the user standpoint, accessing applications isn’t the same when they’re in the office and away from it, which can lead to confusion or frustration, particularly if one of the products is more difficult to use like an old, slow VPN. Cost is another downside of using multiple products. Almost inevitably, it’s more expensive to license two products and their associated services versus only one.

The Same Security for Everyone

The answer is to use the same security for everyone no matter where they may be located and what resources they need to access. Most people agree that to improve security for remote access, organizations should shift from using VPNs to ZTNA because ZTNA provides more verification and authentication of users and devices than a VPN. It also automates the encrypted tunnels and provides granular application access, which improves both security and the user experience.

Although people have been talking about zero trust for more than a decade now, vendors don’t necessarily use the terminology the same way. Part of the confusion stems from the fact that ZTNA is often only associated with cloud application access. But most organizations don’t have all of their applications in the cloud. People definitely need access to cloud applications, but they may also need access to applications located at a data center or branch location. ZTNA should be used no matter where the applications or the users may be located. Everything should be secured with consistent policies and controls across all of the operating environments, including across multiple clouds.

The reason ZTNA is often considered a “cloud-only” solution is because many cloud-only vendors are optimized for situations where both users and applications are in the cloud. Cloud-based ZTNA has issues when users are in the office and accessing an on-prem hosted or DC-hosted application. Hybrid ZTNA solutions can be deployed on-prem or in the cloud and optimize for wherever users or applications are located. If ZTNA is going to be everywhere, it can’t be a cloud-only solution.

Start with the Firewall

Rather than starting with the cloud, it makes more sense to approach the problem from the other direction. Traditional firewalls have been used for creating a network perimeter for years, but if the firewall is an integrated next-generation firewall (NGFW) that has ZTNA built in and available on campus, in the cloud, or even as-a-service, its role can expand to control all access for everyone. Instead of acting as an entry or exit point, the NGFW becomes the control mechanism for the entire extended network.

Called endpoint-initiated or client-initiated ZTNA, this approach to securing access uses an agent on a device to create a secure tunnel. The agent manages the encrypted connection to the ZTNA enforcement points integrated into the NGFWs. This connection is the foundation for ZTNA, whether the device is on-premises or remote. The ZTNA enforcement point authenticates both the user and the device. It checks for the appropriate device posture and the user’s rights to access a particular application. A ZTNA policy orchestrator manages the ZTNA clients and provides redirection to different authentication proxies depending on user requirements.
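The decision sequence described above (authenticate the user, check device posture, then check the user's rights to the specific application, with the orchestrator choosing an authentication proxy when the user still needs to authenticate) as an added, self-contained illustration. This is example code written for this article, not Fortinet's API or product logic; the policy table, group names and proxy names are constructed assumptions. The point it makes concrete is that the device's location is never an input to the verdict, so the same request gets the same answer on campus and off.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    managed: bool        # enrolled with the ZTNA agent
    disk_encrypted: bool
    edr_running: bool
    location: str        # "campus" or "remote"; never consulted by the policy

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset
    mfa_verified: bool

# Hypothetical per-application policy table (constructed for this example):
# which groups may reach each app and whether the app requires EDR on the device.
APP_POLICY = {
    "crm":     {"groups": {"sales"}, "edr": True},
    "wiki":    {"groups": {"sales", "eng"}, "edr": False},
    "finance": {"groups": {"finance"}, "edr": True},
}

def auth_proxy_for(user: User) -> str:
    """Orchestrator step: pick the authentication proxy by user type."""
    return "contractor-idp" if "contractor" in user.groups else "corp-idp"

def posture_ok(dev: Device, rule: dict) -> bool:
    """Posture every app requires (managed, encrypted) plus EDR if the app demands it."""
    if not (dev.managed and dev.disk_encrypted):
        return False
    return dev.edr_running or not rule["edr"]

def evaluate(user: User, dev: Device, app: str) -> tuple:
    """Enforcement-point decision: (verdict, reason). Order matters: identity,
    then device posture, then per-application entitlement. Location is ignored."""
    rule = APP_POLICY.get(app)
    if rule is None:
        return "deny", "unknown application"
    if not user.mfa_verified:
        return "deny", f"redirect to {auth_proxy_for(user)}"
    if not posture_ok(dev, rule):
        return "deny", "device posture check failed"
    if not (user.groups & rule["groups"]):
        return "deny", "no entitlement for application"
    return "allow", "user, device and entitlement verified"
```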

One advantage of using firewall-based ZTNA is that the traffic flows through a complete security stack. Updated threat information keeps the intrusion protection service engines and signature matching current so they can identify known threats and attacks. And management tools can provide single-pane-of-glass visibility and control across the network so that IT staff can see what is going on with users when they are at home, in the office, or on the road.

Everywhere Means Everywhere

Supporting employees working from multiple locations has placed more pressure on networking and security teams. The last thing they need is more complexity from multiple products that do the same thing. To improve both security and the user experience, ZTNA is replacing prior technologies such as VPN for remote access. But it shouldn’t be relegated only to remote users. It’s better for security teams and users if ZTNA works the same way everywhere, both on-premises and off. Instead of a piecemeal approach, it’s more secure and inherently easier to implement zero trust everywhere by starting with an NGFW solution that integrates with a cybersecurity mesh platform architecture. This holistic approach delivers unified visibility, automated control, and coordinated protection to secure endpoints, networks, and application access.

Discover how Fortinet’s Zero Trust Access framework allows organizations to identify, authenticate, and monitor users and devices on and off the network. Read more about why the Fortinet Security Fabric is the industry’s highest-performing cybersecurity mesh platform.