
Keeping Zero Trust Security Dynamic, Continuous, and Contextual

Image Credit: Systancia

The Fast Mode spoke to Bernard Debauche, Chief Product & Marketing at Systancia on the impact of traffic visibility on ZTNA networks. Bernard joins us in a series of discussions with leading cybersecurity and networking vendors, assessing the evolution of ZTNA technologies, the roadmap for ZTNA deployments, the benefits of ZTNA for enterprise and telco networks, and the need for real-time traffic visibility technologies such as DPI for ZTNA.

Ariana: What do you consider are the core features (must have) of ZTNA?

Bernard: ZTNA is about enforcing “zero-trust” in remote, i.e. network, access to an organization’s IT assets. In the same way that a “secure by design” approach is not enough and does not free you from doing runtime evaluations, pentests, etc., “zero-trust” is not just a matter of access policies and the enforcement of these; it is also a matter of access infrastructure: does it have all the “zero-trust” characteristics required to ensure the security of the access? That is why our vision, at Systancia, is that ZTNA goes beyond “least privilege; JIT privilege; zero-standing privilege”: it must guarantee “least connection; JIT connection; zero-standing connection”. The connection to the application or resource must be enacted only at the time and for the duration of the use of the application/resource. “Zero-trust” characteristics of an access infrastructure are features such as:

  • Dynamic, continuous, context- and behavior-based checks of the end user;
  • Dynamic, continuous device posture checks;
  • An architecture which guarantees that no application/resource is exposed to the network (outgoing flows, no port opening); “URL rewriting” avoids exposing web applications/resources to the network, hence renders them invisible and forces users to go through the ZTNA solution to access them;
  • Managing dynamic, random and volatile ports on the client terminal renders the solution invisible to security network scanning tools;
  • Leveraging isolation technologies enables displaying only images and letting only keyboard/mouse traffic go through, avoiding third parties having to deploy a client on their terminal, and ensuring a protocol break, the best protection against malware/ransomware dissemination.

Unlike VPN, ZTNA solutions scale much better, provide a single access with a unified user experience to applications/resources spread over different datacenters and clouds, deliver single sign-on and avoid disclosing credentials to end users and third parties, and implement an SDP paradigm where the security perimeter is not the network but the dynamic identity context.

Ariana: How has ZTNA evolved over the years?

Bernard: ZTNA evolves at the speed of “zero-trust” maturity within the organization. As it is a kind of paradigm shift, it takes time, and maturity grows as organizations become increasingly conscious of the cyber risk as they make use of SaaS applications and accept access to their IT systems from third-party organizations (customers, suppliers, partners, service providers, etc.). Even if teleworking is the base and standard use case for ZTNA, it is not necessarily the main trigger, as many organizations remain with their traditional VPN habits. The change that makes the switch to ZTNA is either access from unmanaged devices (BYOD), which accelerated during the COVID lockdown, or access from third-party partners, in any case from unmanaged devices. The ability to access without deploying a client agent on the device helps the adoption of ZTNA technologies.

Another trend is the convergence between ZTNA and remote PAM. Many organizations leverage ZTNA for access from business entities of their ecosystem: but often, these use cases concern access by uncontrolled staff to critical assets. Requirements for detailed traceability and audit trails, and sometimes for session recording, then arise. That is why, at Systancia, we converged both (ZTNA and PAM) into a single SaaS platform, i.e. cyberelements.io. In that case, time-to-operation is key: the case is often that you need to give a third party access to a critical asset in an emergency mode; it must be fast and easy to set up such a connection to guarantee both cyber security and operational efficiency in these business situations. Breaches appear when organizations leave access open after an access was granted during a crisis. That is why we wanted to deliver a 3-minute time-to-operation for the cyberelements.io platform.

We can also mention another evolution that we see in the market: the extension of ZTNA to OT systems, not only IT. Industrial organizations face more and more the need to provide access to their OT infrastructure to vendors, service providers, on-call/on-duty personnel, etc. Industrial organizations have a different security culture compared to IT: but we see an increasing demand for secure remote access to OT industrial control systems. The main use cases are: either the industrial application runs on a remote device, or the remote operator accesses an on-site engineering workstation which runs the industrial application. The ZTNA+PAM combination is especially suited to these use cases, because it strengthens the security, provides a complete audit trail (who/when/where has done what on which system), and avoids opening the IT/OT system too much to the outside.

Bernard Debauche is the Chief Product & Marketing at Systancia

This interview is a part of The Fast Mode's Next-Gen DPI Traffic Visibility for ZTNA segment, featuring over 40 leading cybersecurity and networking solution providers and their views on the importance of traffic visibility for ZTNA. A research report on this topic will be published in January 2024 - for more information, visit here.

Author

Principal Analyst and Senior Editor | IP Networks

Ariana specializes in IP networking, covering both operator networks - core, transport, edge and access; and enterprise and cloud networks. Her work involves analysis of cutting-edge technologies that drive application visibility, traffic awareness, network optimization, network security, virtualization and cloud-native architectures.

She can be reached at ariana.lynn@thefastmode.com
