
VPNs and ZTNA: Out With the Old, in With the New

Image Credit: Netskope

The Fast Mode spoke to Linda Park, Product Marketing Director of Netskope on the impact of traffic visibility on ZTNA networks. Linda joins us in a series of discussions with leading cybersecurity and networking vendors, assessing the evolution of ZTNA technologies, the roadmap for ZTNA deployments, the benefits of ZTNA for enterprise and telco networks, and the need for real-time traffic visibility technologies such as DPI for ZTNA.

Ariana: What challenges do you see across ZTNA deployments?

Linda: The biggest issue is the coexistence of ZTNA with existing legacy VPN during customers’ transition period. The reason behind this is simple: legacy applications can have a very long tail. This situation leads to IT teams managing both ZTNA and VPN products for longer than planned, and there's often no definite end date in sight for phasing out the old VPN.

The way vendors have marketed ZTNA has contributed to this challenge. It's often positioned as a complete replacement for VPNs, but the reality is a bit different. Many cloud-based ZTNA solutions work on an 'inside-out connectivity' model, meaning they only support traffic initiated by clients. This poses a problem for legacy systems that rely on server-initiated traffic, like older VoIP systems, Helpdesk or Remote Assistance tools, and Endpoint Management & Patching solutions.

Consequently, many organizations find themselves operating ZTNA alongside their VPN hardware until they can fully update their application infrastructure. Another downside here is that these legacy applications remain exposed to the security and performance issues we associate with VPNs.

So, it's crucial to choose a vendor that can support all types of enterprise applications to be able to fully retire, not just partially replace, your VPNs.

Ariana: What do you consider are the core features (must have) of ZTNA?

Linda: To successfully adopt ZTNA, it must deliver a strong end-user experience for access to applications, reduce the attack surface of internal systems and applications, limit lateral movement of threats within a network, and improve an organization’s overall security posture.

In order to provide these benefits, it is mandatory that a ZTNA solution includes these six core features:

  1. Continuous adaptive trust: ZTNA should use extensive risk context from users, devices, applications, and data, to calculate the dynamic risk score of a user and continuously verify their trust level for every access request in order to strictly enforce least privilege access on resources.
  2. Unified security controls: ZTNA should use a unified zero trust access policy engine that is capable of single-pass inspection of all enterprise traffic to detect unwanted activities, including data exfiltration and user behavior anomalies. Typically, ZTNA is deployed as part of a larger security service edge (SSE) solution that offers a unified platform, policy engine, and client.
  3. Coverage of all enterprise applications: ZTNA should support any TCP and UDP web application, as well as non-web and legacy applications like VoIP and Remote Assistance that require server-to-client, client-to-client, and bidirectional connectivity.
  4. Support for managed and unmanaged devices: ZTNA should offer agent and agentless deployment method options in order to support internal employee access from corporate-managed devices as well as third-party access and employee bring-your-own-device (BYOD).
  5. Universal ZTNA: ZTNA should extend beyond remote access use cases and provide local enforcement of policies in traditional on-premises campus and branch environments.
  6. High-performance connectivity: ZTNA should be able to process and optimize more demanding (i.e., high-bandwidth) voice/video application traffic, not bypass it, with quality of service capabilities.

Linda Park is a product marketing director at Netskope, where she specializes in Zero Trust Network Access. Linda brings a decade of industry experience covering cloud security, data protection, and zero trust. Prior to joining Netskope, she held marketing roles at several leading cybersecurity companies, including Zscaler, McAfee, and Symantec.

This interview is a part of The Fast Mode's Next-Gen DPI Traffic Visibility for ZTNA segment, featuring over 40 leading cybersecurity and networking solution providers and their views on the importance of traffic visibility for ZTNA. A research report on this topic will be published in January 2024; for more information, visit here.

Author

Principal Analyst and Senior Editor | IP Networks

Ariana specializes in IP networking, covering both operator networks - core, transport, edge and access; and enterprise and cloud networks. Her work involves analysis of cutting-edge technologies that drive application visibility, traffic awareness, network optimization, network security, virtualization and cloud-native architectures.

She can be reached at ariana.lynn@thefastmode.com
