
How ZTNA Handles Unmanaged Device Access and BYOD

Image Credit: Cradlepoint

The Fast Mode spoke to Camille Campbell, Senior Product Marketing Manager at Cradlepoint on the impact of traffic visibility on ZTNA networks. Camille joins us in a series of discussions with leading cybersecurity and networking vendors, assessing the evolution of ZTNA technologies, the roadmap for ZTNA deployments, the benefits of ZTNA for enterprise and telco networks, and the need for real-time traffic visibility technologies such as DPI for ZTNA.

Ariana: What do you consider are the core features (must haves) of ZTNA?

Camille: Zero-trust network access is a critical WAN security architecture that reduces the network attack surface and prevents lateral movement by providing isolated user-to-resource access. This access is based on least privilege and only granted on a per-session basis.

To achieve this, there are many features that a ZTNA solution must provide:

Flexible deployment models: Although ZTNA started as a remote work solution, it is important that the solution support frictionless access to applications from wherever the user is working (office, home or other).

Continuous monitoring of endpoints and traffic: ZTNA solutions continuously monitor the user/device, looking for changes in context such as log-in location, time of day, device posture, etc. It is also important that the ZTNA solution monitor the traffic from the user device to the application, looking for any signs of malicious activity or malware.

Unmanaged device support: ZTNA solutions need to support granular device profiles. In addition to corporate managed devices, there are typically unmanaged devices from third parties or contractors that need access to assets or applications on the WAN, visitors accessing guest Wi-Fi services, partially managed BYOD devices, and IoT devices. Each of these scenarios requires a different profile.

Obscuring of all IP addresses: ZTNA solutions need to reduce the potential attack surface by obscuring all IP addresses in the network. This can be achieved through a carrier-grade NAT function that can convert all IP addresses to names, thus making IP scans by malicious actors ineffective.

Simple, unified policy management: Since ZTNA solutions are “deny all by default,” creating the policies required to enable least privilege access can be difficult without a simple way to provision policies at scale. In addition, having a single policy engine for SD-WAN and additional security features (web security, firewalls, etc.) can reduce latency, improve performance, and simplify deployment and management.

5G optimization: As 5G networks become more prevalent in enterprise networks, additional functionality will need to be considered. A highly efficient tunneling mechanism that reduces double encryption will be more important. Being able to leverage SIM authentication to support unmanaged devices that can’t run a client will also be a requirement.

Ariana: What challenges do you see across ZTNA deployments?

Camille: Some of the challenges we see when it comes to ZTNA deployments include:

Having a clean identity source: Since ZTNA relies on identity, having a single-source, regularly maintained identity management system that is tied into the ZTNA solution is critical to a successful implementation. With mergers and acquisitions, it is not uncommon for organizations to have multiple identity providers. Furthermore, with IT teams continually being stretched, maintaining proper hygiene can sometimes be a challenge.

Policy creation and ongoing management: To create policies based on least privilege access, organizations need to understand their corporate traffic flows and who needs access to what, and from where. This ensures they are creating policies that enable authentication under the right context. Once the policies are created, it can be a challenge to evaluate how effective those policies are, determine how those policies need to interact with other security and SD-WAN policies, and maintain those policies in an environment where network security resources might be turning over.

Handling unmanaged device access: There are many types of unmanaged devices in a corporate network. They could be devices used by contractors or other third parties that require access to assets/applications on the WAN. They could be devices used by visitors connecting to guest Wi-Fi services at a remote office. They could also be IoT devices such as PoS terminals, digital signs, and surveillance cameras in a retail location (just to give an example). IT teams cannot enforce the use of clients or agents on unmanaged devices; therefore, clientless access must be supported. IoT devices require special consideration over and above clientless or browser-based access since they are not authenticated through an identity management system. In the future, leveraging cellular-based SIM authentication could be interesting as 5G takes on a more prevalent role in enterprise networks.

Traffic prioritization for remote access: Some vendors support the ability to implement user authentication and access policies from sites as well as from remote locations. When users are requesting access to different types of applications, if they are at a branch office, they are likely connecting to an SD-WAN device that can prioritize their business-critical and real-time traffic across the WAN. However, when users are connecting from home, the airport or even a coffee shop, prioritizing traffic from the client to their applications becomes a challenge.
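The two answers above describe the same mechanics from both sides: a deny-all-by-default policy engine that grants least-privilege access per session, re-evaluates the session when context (location, time of day, device posture) changes, and keeps separate profiles for managed, BYOD, contractor and IoT devices, the last of which never authenticate through the identity provider and cannot run an agent. The following is an added example written for this page, not Cradlepoint or NetCloud code. Every application name, group, device profile, rule and the `sim` authentication method are hypothetical, and the "contexts" fed to it are constructed inputs rather than anything captured from a real deployment.

```python
# Added example (not Cradlepoint/NetCloud code): a deny-by-default, per-session
# ZTNA policy evaluator. Apps, groups, profiles and rules are all hypothetical.
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Context:
    """Everything the engine knows about one access request (all fields hypothetical)."""
    user: Optional[str]          # None for IoT devices that never log in to the IdP
    groups: frozenset            # group memberships from the single identity source
    device_profile: str          # "managed", "byod", "contractor", "guest" or "iot"
    posture_ok: Optional[bool]   # agent-reported posture; None when there is no agent
    auth_method: str             # "idp" (user login) or "sim" (cellular SIM identity)
    mfa: bool
    country: str
    hour_utc: int


@dataclass(frozen=True)
class Rule:
    """One allow rule. Anything not matched by some rule is denied (deny all by default)."""
    name: str
    app: str
    profiles: frozenset                       # device profiles this rule applies to
    groups: frozenset = frozenset()           # empty = no group requirement (IoT rules)
    auth_method: str = "idp"
    require_mfa: bool = True
    require_posture: bool = False             # only satisfiable by devices running the agent
    access_mode: str = "client"               # "client" tunnel or "browser" (clientless)
    countries: Optional[frozenset] = None     # None = any location
    hours_utc: Optional[tuple] = None         # (start, end) inclusive; None = any time


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str                  # matching rule name on allow, failed checks on deny
    access_mode: Optional[str]   # how the session is brokered when allowed


# Hypothetical policy: each device class gets its own narrowly scoped profile.
POLICY = (
    Rule("erp-managed", "erp", frozenset({"managed"}), frozenset({"finance"}),
         require_posture=True),
    Rule("erp-byod-browser", "erp", frozenset({"byod"}), frozenset({"finance"}),
         access_mode="browser", hours_utc=(6, 20)),
    Rule("ticketing-contractor", "ticketing", frozenset({"contractor"}),
         frozenset({"vendor-x"}), access_mode="browser", countries=frozenset({"US", "CA"})),
    Rule("pos-gateway-iot", "payment-gateway", frozenset({"iot"}),
         auth_method="sim", require_mfa=False),
)


def _first_failed_check(rule: Rule, ctx: Context) -> Optional[str]:
    """Return the name of the first condition the context fails, or None if all hold."""
    if ctx.device_profile not in rule.profiles:
        return "device profile"
    if ctx.auth_method != rule.auth_method:
        return "auth method"
    if rule.groups and not (rule.groups & ctx.groups):
        return "group"
    if rule.require_mfa and not ctx.mfa:
        return "mfa"
    if rule.require_posture and ctx.posture_ok is not True:   # unknown posture fails closed
        return "posture"
    if rule.countries is not None and ctx.country not in rule.countries:
        return "location"
    if rule.hours_utc is not None and not (rule.hours_utc[0] <= ctx.hour_utc <= rule.hours_utc[1]):
        return "time of day"
    return None


def evaluate(app: str, ctx: Context, policy=POLICY) -> Decision:
    """Deny by default: only a rule whose every condition holds grants access to `app`."""
    failures = []
    for rule in policy:
        if rule.app != app:
            continue
        failed = _first_failed_check(rule, ctx)
        if failed is None:
            return Decision(True, rule.name, rule.access_mode)
        failures.append(f"{rule.name}: {failed}")
    reason = "; ".join(failures) if failures else "no rule for app"
    return Decision(False, reason, None)


@dataclass
class Session:
    app: str
    ctx: Context
    rule: str
    access_mode: str


def open_session(app: str, ctx: Context) -> Optional[Session]:
    """A session exists only for the one app it was granted for; no network-wide access."""
    d = evaluate(app, ctx)
    return Session(app, ctx, d.reason, d.access_mode) if d.allowed else None


def reevaluate(session: Session, new_ctx: Context) -> bool:
    """Continuous monitoring: re-run policy on updated context; False means revoke now."""
    d = evaluate(session.app, new_ctx)
    if d.allowed:
        session.ctx = new_ctx
    return d.allowed
```

Two design points are worth noting. Posture is tri-state: a device with no agent reports `None`, and a rule that requires posture fails closed on it, which is why the BYOD and contractor profiles above get browser-only rules with compensating location and time-of-day conditions instead. The IoT rule has no group requirement and no MFA, because the device has no IdP identity at all; its only identity is the (hypothetical) SIM-based authentication the answers mention, and it is pinned to exactly one application.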

Camille is a senior product marketing manager responsible for Cradlepoint’s cloud management and orchestration platform, NetCloud. Camille has almost 20 years of experience in the networking space, working on a number of technologies such as SDN/fabric technologies, IoT, WAN technologies, and zero-trust security.

This interview is a part of The Fast Mode's Next-Gen DPI Traffic Visibility for ZTNA segment, featuring over 40 leading cybersecurity and networking solution providers and their views on the importance of traffic visibility for ZTNA. A research report on this topic will be published in January 2024.


Ariana Lynn, Principal Analyst and Senior Editor | IP Networks

Ariana specializes in IP networking, covering both operator networks - core, transport, edge and access; and enterprise and cloud networks. Her work involves analysis of cutting-edge technologies that drive application visibility, traffic awareness, network optimization, network security, virtualization and cloud-native architectures.

She can be reached at ariana.lynn@thefastmode.com
