Take Your ZTNA Blinders Off. True Zero Trust Requires More.


By Denny LeCompte, CEO, Portnox

In an era of relentless digital innovation and interconnectivity, safeguarding sensitive information has become an urgent necessity. As technology evolves at an unprecedented pace, so do the sophisticated techniques used by cybercriminals. Traditional security measures, once considered robust, are now proving to be inadequate in the face of rapidly evolving threats. Enter zero trust, an innovative approach that challenges the very foundation of conventional cybersecurity.

Zero trust is not merely a buzzword or a fleeting trend; it represents a fundamental shift in how organizations perceive and enact security. Gone are the days when organizations relied on the traditional perimeter-based model, which assumed that all activities within the network were trustworthy by default. Today, zero trust assumes that nothing should be trusted automatically, whether inside or outside the network perimeter.

Zero Trust Network Access (ZTNA) has emerged as a promising concept to address the expanding threat landscape. ZTNA is a new approach to securing access to enterprise applications by remote employees or contractors. ZTNA solutions originally promised to deliver more advanced and robust security than virtual private networks (VPNs), which historically offered broader network-level access control and encryption-based security.

While ZTNA has become all the rage in recent years, however, it’s becoming increasingly clear that there is still much work to be done before it can truly deliver on the promise of zero trust beyond being a mere VPN replacement. While ZTNA offers access control for applications, its potential as a comprehensive security solution requires further development and maturity. After all, employees still clock into the office, which means the physical network isn’t going anywhere anytime soon.

ZTNA Implementation is Complex

ZTNA is still in its infancy and many organizations are struggling to implement it effectively. One of the biggest challenges is the complexity of the technology itself.

Implementing ZTNA often requires a significant redesign of the network architecture. Furthermore, it requires every employee to change how they access the tools they need to do their jobs. Traditional network architectures typically rely on a perimeter-based security model, where access is granted based on the assumption that internal networks are secure. ZTNA, on the other hand, focuses on securing individual resources and verifies every access request, regardless of the network location. Perhaps most importantly, however, ZTNA generally requires organizations to send all traffic between the user and the target through an encrypted tunnel – possibly even through a third-party cloud service – resulting in a lot of re-engineering. This architectural shift requires careful planning and coordination to ensure seamless integration with existing systems. It is no small lift.

ZTNA solutions also often require integration with various applications and services within an organization’s IT ecosystem. Such integrations can involve implementing secure gateways, connectors, or agents for different types of resources, including web applications, legacy systems, cloud services, and on-premises servers. Ensuring compatibility, scalability, and interoperability with existing infrastructure and applications can pose implementation challenges. All this system interconnection, of course, can result in increased latency, generating frustration on the part of users.

There’s No Coverage for Physical Networks

Physical wireless and wired networks remain in constant use. One of the main shortcomings of today’s ZTNA is that their sole focus is on securing application-level access rather than the underlying network infrastructure. They are designed to authenticate and authorize users and devices at the application or service layer. ZTNA typically relies on a combination of identity verification, multi-factor authentication (MFA), and policy-based access controls to ensure secure application access. However, they do not provide direct access control to physical networks – so, in a sense, they’re not so much securing your network as they are working around it. 

Ultimately, ZTNA solutions are unconcerned with any real-time information about network switches, routers, access points, or other network devices. Without this, they cannot enforce granular access controls or apply security policies directly to the physical network access layer. This means companies opting to utilize ZTNA must also implement and manage a traditional network access control (NAC) solution that provides authentication, authorization, and accounting (AAA) capabilities needed for its physical networks. That is, if they care about securing access to their wireless and wired networks, which they almost certainly do.

As we know, the more an IT team must manage, the greater the opportunity for oversight, and the more potential attack vectors that cybercriminals have to prey on.

ZTNA Best Practices Remain Nebulous

Another challenge is the lack of standardization in the industry. There are currently no agreed-upon standards or best practices for implementing ZTNA, which means that businesses may struggle to find a solution that meets their hyper-specific needs. This lack of standardization can even lead to the ZTNA tool simply not working for some applications, leaving significant security gaps across an organization’s digital environment.

As a result, many organizations are adopting ZTNA without fully understanding its limitations. While ZTNA can provide a more granular level of access control than traditional VPNs, it is not a silver bullet. ZTNA still relies on user authentication, which means that if a user’s credentials are compromised, an attacker can still gain access to sensitive data and applications. Moreover, ZTNA can only control access to specific applications, meaning that other parts of the network may still be vulnerable to attacks. 

What’s more, is that ZTNA solutions do not provide the endpoint risk posture assessment and remediation capabilities that would be considered best practice for threat mitigation and deterrence. This security gap should be a major red flag, as the fastest growing target for cybercriminals is the remote workforce and the devices they use.

Universal Zero Trust Access Control

ZTNA has a lot of growing up to do before it can truly deliver on the promise of zero trust beyond just being a VPN replacement authentication to applications. As we move forward, companies should consider flexible, preferably cloud-native tools that allow them to centralize the enforcement of authorization policies for those working both on-site and remotely, and across all critical IT assets, including networks, infrastructure, and applications.

Ultimately, this means adopting universal zero trust access control – or access control solutions that can deliver universal zero trust security across an organization’s entire digital eco-system. Implementing this technology will unlock greater operational efficiency, stretch IT’s bottom line, and accelerate other strategic security initiatives on the roadmap – future-proofing any organization’s security posture for years to come.


CEO, Denny LeCompte is responsible for overseeing the day-to-day operations and strategic direction at Portnox. Denny brings over 20 years of experience in IT infrastructure and cyber security. Prior to joining Portnox, Denny held executive leadership roles at leading IT management and security firms, including SolarWinds and AlienVault. Denny holds a Ph.D. in cognitive psychology from Rice University.

.


Follow Brilliance Security Magazine on Twitter and LinkedIn to ensure you receive alerts for the most up-to-date security and cybersecurity news and information.