
Validating Policy Enforcement for Effective Zero Trust Network Access

Image Credit: Spirent

The Fast Mode spoke to Sashi Jeyaretnam, Senior Director of Product Management for Security Solutions at Spirent Communications, on the impact of traffic visibility on ZTNA networks. Sashi joins us in a series of discussions with leading cybersecurity and networking vendors, assessing the evolution of ZTNA technologies, the roadmap for ZTNA deployments, the benefits of ZTNA for enterprise and telco networks, and the need for real-time traffic visibility technologies such as DPI for ZTNA.

Ariana: What challenges do you see across ZTNA deployments?

Sashi: ZTNA relies on trust brokers or policy enforcement points to grant access based on identity, policy, and context (vs network connections). Network operators and architects must be able to validate ZTNA elements for scale and sustainable access request rate, while ensuring that the policy criteria are continuously enforced by security controls like NGFW and data loss prevention (DLP) for application and data access. Lack of ZTNA standardization has resulted in proprietary products or services with varying capabilities, making it harder to quantify and contrast different solution options and to ensure consistent security across distributed, dynamic networks.

Since Zero Trust is a critical component of SASE architecture, the following are some of the key challenges organizations must critically analyze and overcome:

  1. Multi-vendor Interoperability: Deploying ZTNA can be complex, especially in heterogeneous environments and when integrating with existing infrastructure. Therefore, it is critical to validate the interoperability between the key elements of the ZTNA architecture, such as the Identity Provider, the Policy Enforcement Point and security policies based on user context, to ensure seamless connectivity and comprehensive security coverage.
  2. Scale and Performance: Scaling ZTNA to accommodate a growing number of users and devices can be challenging. It is vital to characterize the scalability of the Zero Trust architecture in terms of the authentication rates and concurrent sessions an Identity Provider can sustain to accommodate busy hour loads. Equally, the performance of the Policy Enforcement Point needs to be validated to understand the impact Zero Trust policies such as micro-segmentation, application and data access authorization, and data loss prevention (DLP) have on distributed network performance by measuring KPIs such as throughput, concurrent users, and application transaction rates. Ensuring that the ZTNA solution remains effective and efficient as the organization expands should be a key consideration.
  3. User Experience: In addition to performance, end user experience is critical to the success of ZTNA adoption. ZTNA introduces additional authentication steps, and extensive policies may impact application transaction latencies. Measuring the application latencies before and after implementing Zero Trust controls will help network architects and operators right-size the ZTNA infrastructure for optimal user experience. If not implemented properly, this can lead to poor user experience, impacting productivity and user adoption.
  4. Consistent Security: In modern networks, security policies and application network infrastructure are constantly evolving. Ensuring that policies align with organizational security goals and are consistently applied across distributed, dynamic networks is critical. Proactively assessing the efficacy and effectiveness of Zero Trust on a continuous or periodic basis by emulating authenticated, unauthenticated and unauthorized users will help validate and monitor for any undesirable or unintended deviation from least-privilege access policies.
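The validation approach described in point 4, emulating authenticated, unauthenticated and unauthorized requesters and checking that the policy enforcement point's decisions still match the intended least-privilege policy, can be expressed as a small conformance harness. The following is an added example written for this page; it is not Spirent's code or any product's API. The policy table, the `Request` model, the emulated `pep_decide` enforcement point (which carries one constructed misconfiguration so the check has something to report) and the identities used are all hypothetical. In a real deployment the emulated PEP would be replaced by actual access attempts against the broker, with the same expected-versus-observed comparison.

```python
"""Added example: least-privilege conformance check for a ZTNA policy
enforcement point. Hypothetical policy, identities and PEP; not from the
interview or from Spirent."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Intended least-privilege policy (hypothetical): which roles may reach a
# resource, and the minimum device posture required. This is the baseline
# every observed decision is compared against.
POLICY = {
    "hr-app": {"roles": {"hr"},        "posture": "managed"},
    "git":    {"roles": {"eng"},       "posture": "managed"},
    "wiki":   {"roles": {"hr", "eng"}, "posture": "any"},
}


@dataclass(frozen=True)
class Request:
    user: Optional[str]   # None means no valid identity token (unauthenticated)
    role: Optional[str]
    posture: str          # "managed" or "byod"
    resource: str


def expected_decision(req: Request) -> str:
    """Ground truth derived directly from POLICY: default deny, then
    identity, then role, then device posture."""
    if req.user is None or req.role is None:
        return "deny"                                    # unauthenticated
    rule = POLICY.get(req.resource)
    if rule is None:
        return "deny"                                    # unknown resource
    if req.role not in rule["roles"]:
        return "deny"                                    # authenticated, unauthorized
    if rule["posture"] != "any" and req.posture != rule["posture"]:
        return "deny"                                    # posture too weak
    return "allow"


def pep_decide(req: Request) -> str:
    """Emulated policy enforcement point under test. It contains one
    constructed drift: a 'guest read' path on wiki that skips the identity
    and role checks entirely, the kind of change the harness should catch."""
    if req.resource == "wiki":
        return "allow"
    if req.user is None:
        return "deny"
    rule = POLICY.get(req.resource)
    if rule is None or req.role not in rule["roles"]:
        return "deny"
    if rule["posture"] != "any" and req.posture != rule["posture"]:
        return "deny"
    return "allow"


def build_matrix() -> List[Request]:
    """Emulate the requester classes named in the interview for every
    resource: unauthenticated, authenticated-and-authorized (two roles),
    authenticated with weak posture, and authenticated but unauthorized."""
    reqs = []
    for resource in POLICY:
        reqs.append(Request(None, None, "byod", resource))
        reqs.append(Request("alice", "hr", "managed", resource))
        reqs.append(Request("bob", "eng", "managed", resource))
        reqs.append(Request("bob", "eng", "byod", resource))
        reqs.append(Request("carol", "contractor", "managed", resource))
    return reqs


def find_deviations(decide: Callable[[Request], str] = pep_decide
                    ) -> List[Tuple[Request, str, str]]:
    """Run the matrix through the PEP and return every (request, expected,
    observed) triple where enforcement differs from the intended policy."""
    deviations = []
    for req in build_matrix():
        want, got = expected_decision(req), decide(req)
        if want != got:
            deviations.append((req, want, got))
    return deviations


if __name__ == "__main__":
    for req, want, got in find_deviations():
        who = req.user or "<unauthenticated>"
        print(f"DEVIATION {req.resource}: {who}/{req.role} expected {want}, got {got}")
```

Running the block reports two deviations, both on `wiki`: the unauthenticated requester and the contractor with no granted role are allowed where the policy says deny. Running the harness on a schedule and alerting on a non-empty deviation list is the "continuous or periodic" monitoring the answer refers to; a PEP that matches the baseline exactly returns an empty list.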

Ariana: Why is cloud a key component of ZTNA?

Sashi: Cloud is a key element of a ZTNA architecture because it is well-suited to support the dynamic and distributed nature of modern IT networks that need to support remote users, public cloud infrastructure and global branch offices. Many ZTNA solution providers are delivering solutions and services via the cloud, which enables network operators to ensure:

  • Decentralized access with centralized, consistent security policy management – The cloud provides flexibility and global reach for delivering secure connectivity to users and devices everywhere, to access applications and resources anywhere. Cloud-based ZTNA solutions can provide a centralized management portal for ensuring policies and configurations are consistently applied across the distributed network.
  • Scalability to grow with your business needs – Cloud offers scalability, allowing organizations to easily adapt and optimize cost as number of users, devices, and applications change and grow over time. As the ZTNA model extends access to various locations and users, the cloud becomes essential for cost-effectively scaling to meet this new demand.
  • Resiliency and agility to keep pace with the evolving landscape – Cloud ensures organizations can maintain business continuity in the event of adverse conditions by restarting or redistributing the ZTNA workload to another region or cloud provider. Cloud-based ZTNA solutions also provide the agility to stay ahead of evolving security threats as they can deliver rapid updates, feature enhancements, and the ability to leverage cutting-edge innovation to strengthen security.


Sashi Jeyaretnam is the Senior Director of Product Management for Spirent, where she leads the Security Solutions group. She has over 20 years of experience in networking and cybersecurity technologies, and has been instrumental in driving and introducing market-leading application performance and cybersecurity test solutions for on-premise, cloud and hybrid networks. Sashi regularly speaks at security events and webinars on the importance of taking a proactive and measured approach to mitigating cybersecurity risks. Prior to Spirent, Sashi led Product Management at Keysight Technologies.

This interview is a part of The Fast Mode's Next-Gen DPI Traffic Visibility for ZTNA segment, featuring over 40 leading cybersecurity and networking solution providers and their views on the importance of traffic visibility for ZTNA. A research report on this topic will be published in January 2024 - for more information, visit here.

Author

Principal Analyst and Senior Editor | IP Networks

Ariana specializes in IP networking, covering both operator networks - core, transport, edge and access; and enterprise and cloud networks. Her work involves analysis of cutting-edge technologies that drive application visibility, traffic awareness, network optimization, network security, virtualization and cloud-native architectures.
