Cloud-only ZTNA Isn’t Enough

BrandPost
Jun 21, 2022 | 4 mins
Cloud Security


At the start of the pandemic, nearly every organization was forced to expand their security to include an entirely remote workforce. All those home offices significantly increased the organization’s attack surface and exposed it to more risks because home networks often aren’t well secured. These remote office vulnerabilities have led to increased attacks as employees, vendors, partners, and guests move to different locations using an array of devices.

Now, as organizations embrace more of a hybrid work model, with the workforce beginning to return to the office and travel resuming, securing today’s work-from-anywhere world is more difficult than ever before. The need to secure access any time and from virtually any place means zero-trust network access (ZTNA) has become a critical element of almost every security strategy. ZTNA needs to cover everything and everyone, no matter where they’re located, so an approach that supports both cloud-delivered and on-premises deployments is critical.

Zero Trust and ZTNA

ZTNA is based on the principles of the zero-trust security model, which states that a user or device can be trusted only after explicitly confirming their identity and status. Every request for access must be authorized and continuously verified. Even once they have been granted access, users and devices can access only the resources required to do their job and nothing more.

ZTNA is used to secure access to applications. At a high level, it has three pieces. The first is a client agent on the employee’s device. The second is a policy engine that determines whether the person is allowed access and what they can access. The ZTNA application access policy and verification process are the same whether users are on or off the network.

The final piece is enforcement, which needs to happen as close to the application as possible. Once a user has provided appropriate access credentials, they are given least-privilege access, which means the person can access only those applications they need to perform their job and nothing else. ZTNA operates in terms of identity rather than securing a place in the network, which allows policies to follow applications and other transactions end to end.

ZTNA Should Be Everywhere

The ZTNA implementation from many vendors is limited to cloud-based applications. But cloud-only ZTNA doesn’t work for those organizations that have a hybrid network with a combination of cloud and on-premises applications.

One scenario where cloud-only ZTNA is inefficient or simply does not work is in dense office locations, like headquarters or branch offices, where local applications exist. The business case for sending traffic to the cloud simply does not exist because all traffic can remain on the LAN. In this highly common scenario, firewall-based ZTNA works great. By building enforcement into the firewall, which is distributed across the entire network through appliances or virtual machines, organizations can leverage their existing IT investments and gain other efficiencies along the way.

Using the Right Firewall for ZTNA

Some vendors have proclaimed that firewalls or even the entire network are “dead.” Or they’ll say you can’t put too much on the firewall because it will degrade performance. But it depends on the firewall. Firewalls based on commercially available, generic CPUs can’t handle multiple applications, but a next-generation firewall (NGFW) with custom ASICs can deliver an average of 15x more performance at the same price point as competitive solutions. You can run NGFW security, ZTNA, an access point controller, 5G controllers, and SD-WAN with the right firewall. Doing so means you have one appliance, not five. Performance is essential, along with the ability to run multiple applications on these systems.

Networks are still important, even in cloud-centric environments. Security must be seamlessly converged with the underlying network to enable protections that dynamically adapt to a constantly shifting network. In this environment, the network firewall becomes the foundation of a converged security and networking platform.

To adapt to the shifts in the workforce and threat landscape, organizations need consistent converged networking and security that is available both on-premises and in the cloud. Today, users need access to all of their applications, no matter where the application or the user is located. ZTNA should be everywhere, with everything secured through consistent policies and controls across all operating environments, both on-premises and in the cloud.

 

Learn how Fortinet ZTNA improves secure access to applications anywhere, for remote users.