ZTNA and the Third Generation of SD-WAN

As businesses begin to recover from the global pandemic, very few are returning to the traditional model of having everyone working from the office five days a week. Instead, work-from-home (WFH) employees are transitioning to a hybrid model, known as work-from-anywhere (WFA.) A WFA model allows users to work at home, on campus, at a branch, or anyplace with an internet connection. Most organizations enable employees to work part of the week in a traditional office and part off-campus.

Zero Trust Network Access on its own

Zero-trust network access (ZTNA) is a solution for remote workers that provides secure, per-user and per-session access to specific applications, rather than the general network access provided by traditional VPNs. This functionality allows IT teams to manage access to critical applications and maintain visibility into who has access to which resources. And because ZTNA also provides continuous monitoring of those connections, IT can also quickly determine if connections have been compromised or user behavior becomes suspicious or malicious. It’s a great solution if secure access to specific applications is your only priority.

ZTNA does not, however, provide any of the classic connectivity functions needed to ensure and maintain an optimal user experience. That is a function delivered by SD-WAN.

Organizations have rapidly adopted SD-WAN to replace their aging WAN edge routers and static MPLS connections. The first generation of SD-WAN provided things like application-aware path selection across multiple links, WAN optimization, and self-healing connections. But that was just the start. First-generation SD-WAN vendors failed to provide adequate security, which exposed critical applications, data, and workflows. SD-WAN users struggled to add protections, but traditional security solutions were not designed to adapt to dynamic and rapidly changing SD-WAN connections.

The second generation of SD-WAN fixed that by integrating advanced security (such as IPS, web filtering, SSL inspection, and sandbox to prevent and detect threats) with direct internet connectivity for SaaS applications, advanced networking, application control, and connectivity into a unified solution. And this needs to be wrapped together with centralized management and orchestration—something often referred to as Secure SD-WAN. By building SD-WAN into a secure platform, and licensed as a single solution, security and networking functions could work seamlessly, avoiding the security gaps and bottlenecks that come with adding security as an overlay. And ideally, this integrated solution should be organically built and powered by purpose-built hardware designed to accelerate critical security and connectivity functions deliver the best performance unlike other solutions that tried to stitch VM of two different products.

ZTNA built into Secure SD-WAN supports today’s WFA model

But now, given the rapid rate of change in today’s market, especially with the rapid transition to WFA, even that second generation of SD-WAN no longer meets the needs of today’s hybrid work environments. To solve today’s challenges, SD-WAN must also include integrated remote access. Adding ZTNA functionality for remote workers instead of relying on traditional VPN allows organizations to combine SD-WAN and cloud security into a single, orchestrated architecture. This third generation of SD-WAN—ZTNA and SD-WAN integrated into the same solution (without additional licenses or fees)—is becoming a critical differentiator when organizations evaluate SD-WAN solutions.

Remote workers’ quality of experience, as well as security, are top of mind for organizations. Built-in ZTNA Access Proxy functions ensure superior user experience, advanced security, and complete visibility across all users, applications, and devices, whether on or off the network. And because they are integrated into a single platform, organizations can also eliminate device sprawl and solution management overhead because they can enforce one policy consistently across all edges to protect the entire attack surface.

How SD-WAN with built-in ZTNA works

A remote employee opens a cloud-based application from their device. A ZTNA client installed on that device automatically creates a secure connection to an SD-WAN device with an integrated ZTNA access proxy. The SD-WAN solution then creates a secure and optimized connection to the requested application. It provides continuous monitoring to ensure application performance and identify malicious content or unusual user or device behavior. And all of this happens automatically and seamlessly. The user does not have to initiate anything.

This process uses every element of this third generation of SD-WAN to ensures three things. First, it uses ZTNA to ensure that users can only access those applications to which they are explicitly entitled. Second, ZTNA and the built-in security work together to ensure that every connection is secured end-to-end. And third, SD-WAN constantly monitors connections to ensure that they are being optimized, so the user has the best possible user experience.

This integrated approach enables organizations to provide consistent quality of experience for users even as they move from one work environment to the next. And because it extends WAN connectivity and security to every remote worker, it increases an organization’s security posture effectiveness. And perhaps just as importantly, it allows organizations to eliminate device sprawl by integrating an entire portfolio of enterprise-grade security, advanced routing, optimized connectivity, and application acceleration tools into a single platform. And when those elements all run on the same operating system, it has the added advantage of providing single-plane-of-glass insight into the entire system, end-to-end. Organizations can create, distribute, orchestrate, and enforce one policy consistently across all edges, including off- and on-network users, to protect the entire digital attack surface.

Ready today and ready tomorrow

But perhaps most importantly, a system designed to expand and adapt to changing market and business requirements also means that you won’t have to go searching for a new solution when a fourth-generation solution is eventually required. Given how rapidly digital innovation transforms how and where companies do business, organizations need tools designed to scale and adapt. Because if we have learned anything, the next big thing is probably right around the corner.

Learn more about Zero Trust and SD-WAN solutions from Fortinet that enable organizations to see and control all devices, users, and applications across the entire network.