
Keeping ZTNA on Its Toes With Automated Moving Target Defense

Image credit: Cloudbrink

The Fast Mode spoke to Prakash Mana, CEO of Cloudbrink, on the challenges of building ZTNA networks for the hybrid work era. Prakash joins us in a series of discussions with leading cybersecurity and networking vendors, assessing the evolution of ZTNA technologies, the roadmap for ZTNA deployments and the benefits of ZTNA for enterprise and telco networks.

Ariana: What do you consider are the core features of ZTNA?

Prakash: Cloudbrink believes that in the world of hybrid work, ZTNA needs to evolve to meet the needs of a work-from-anywhere workforce. With a large and growing population of staff now routinely working away from the office, and enterprise applications and data moving at unprecedented pace, security challenges are considerably increased. Many of the assumptions that first generation ZTNA depended on have changed. The enterprise no longer controls the means of network access or the connection, firewalls may be too far from users to guarantee acceptable response times, users will likely access a range of cloud-based apps which may or may not be sanctioned by IT, previously anomalous access behaviour is now normal, out-of-office devices are at greater risk of loss, theft and surveillance – in short, the attack surface has increased by an order of magnitude. 

To maintain security without constraining the functionality enterprises need to do business, zero trust access needs to be underpinned by automated moving target defense (AMTD) with the following features: 

  • Constantly rotating security certificates using mutual TLS 1.3 (the latest version of transport layer security). With certificates that expire within a few hours (rather than several months or years in current solutions), attackers have a very limited window for an attack even if they obtain a user’s session. 
  • Network access through constantly changing [virtual] points-of-presence (PoPs). ZTNA 2.0, VPN and SDP architecture all depend on fixed PoPs which are static targets for attack. Fixed PoPs also mean traffic is taking a predictable path through the network. 

With the ever-increasing number of CVEs issued for hardware-based solutions, we must move to a software-based solution that is no longer tied to hardware. This must include the point of presence (PoP). Moving the hardware from a customer into a vendor data center just moves the problem. Too many ZTNA PoPs have outdated hardware. Some provide TLS 1.2 or even 1.3 at the user edge but still use IPSec hardware in the PoPs. With a fully software instantiated PoP (what Cloudbrink call FAST edges) the security risks from hardware appliances are eliminated.

Ariana: What challenges do you see across ZTNA deployments?

Prakash: Performance issues mean that even when application access is secure, the user experience for hybrid workers is critically compromised. Network access issues, caused by Wi-Fi and 4/5G and compounded by performance constraints in the “last mile” of the network, can have a severely detrimental effect on user experience and productivity. IT departments can remediate some of these issues with dedicated hardware using a wired connection, but only if users are working at a fixed location (such as from home). These solutions increase cost and the burden of support. The problem is exacerbated by IT organisational silos. The security teams who take the lead in ZTNA deployments typically have little interest in or responsibility for network performance. Even if the networking team has a voice, it may wrongly assume that nothing can be done about issues in the last mile without upgraded hardware or network connections. In fact, these problems can be mitigated with AI-enabled software that brings fast edge connections closer to end users and addresses issues created by packet loss. Enabling hybrid workers is not just a security challenge; hybrid workers want secure productivity.
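The first answer above rests on one mechanism: client certificates that expire within hours, so a copied certificate and key stop working soon after they are taken. The following Go program, added here as an illustration and not code from Cloudbrink or The Fast Mode, shows what that looks like with only the standard library's crypto/x509: a throwaway issuing CA, a client-auth certificate with an assumed two-hour lifetime (the lifetime, the CA and user names are all assumptions for the example), and the verifier-side check that a service terminating mutual TLS must perform. StillValidAfter issues a certificate and asks whether a copy of it would still be accepted a given time later, which is exactly the window an attacker who obtains a session gets.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Assumed client-certificate lifetime for this example ("a few hours", as in the
// interview); it is not a Cloudbrink parameter.
const clientCertLifetime = 2 * time.Hour

// newCA builds a self-signed issuing CA valid for one day from issuedAt.
func newCA(issuedAt time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-ztna-issuing-ca"}, // assumed name
		NotBefore:             issuedAt.Add(-time.Minute),
		NotAfter:              issuedAt.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// issueClientCert signs a client-auth certificate for user that expires
// clientCertLifetime after issuedAt. NotBefore is backdated one minute to
// tolerate small clock skew between issuer and verifier.
func issueClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, user string, issuedAt time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), // fixed serial for the example; real issuers use random serials
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    issuedAt.Add(-time.Minute),
		NotAfter:     issuedAt.Add(clientCertLifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyClientAt is the service-side check in an mTLS handshake: chain the
// presented certificate to the trusted CA and enforce its validity period
// as of time t. A short lifetime only helps if this check actually runs.
func verifyClientAt(ca, leaf *x509.Certificate, t time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: t,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// StillValidAfter issues a certificate at issuedAt and reports whether it
// would still be accepted if presented elapsed later, i.e. the window an
// attacker has after copying the certificate and key at issue time.
func StillValidAfter(issuedAt time.Time, elapsed time.Duration) (bool, error) {
	ca, caKey, err := newCA(issuedAt)
	if err != nil {
		return false, err
	}
	leaf, err := issueClientCert(ca, caKey, "alice@example.test", issuedAt) // assumed user
	if err != nil {
		return false, err
	}
	return verifyClientAt(ca, leaf, issuedAt.Add(elapsed)) == nil, nil
}

func main() {
	issued := time.Now()
	for _, elapsed := range []time.Duration{30 * time.Minute, 3 * time.Hour} {
		ok, err := StillValidAfter(issued, elapsed)
		if err != nil {
			panic(err)
		}
		fmt.Printf("presented %v after issue: accepted=%v\n", elapsed, ok)
	}
}
```

Two caveats worth keeping in mind when reading this against the interview. First, expiry is enforced by the verifier, not the certificate: in a real deployment the equivalent of verifyClientAt is the `RequireAndVerifyClientCert` path of crypto/tls (or whatever terminates mTLS at the PoP), and a verifier with a badly skewed clock or a relaxed time check extends the window silently. Second, a few-hour lifetime bounds the damage from a copied credential but does not shrink it to zero; within the window you still need revocation or session termination on the server side.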

Prakash Mana is the CEO of Cloudbrink, which provides high-performance secure application access as a service. He held previous leadership roles at Pulse Secure and Citrix.

This interview is part of The Fast Mode's Next-Gen DPI Traffic Visibility for ZTNA segment, featuring over 40 leading cybersecurity and networking solution providers and their views on the importance of traffic visibility for ZTNA. A research report on this topic was published in March 2024.

Author

Principal Analyst and Senior Editor | IP Networks

Ariana specializes in IP networking, covering both operator networks - core, transport, edge and access; and enterprise and cloud networks. Her work involves analysis of cutting-edge technologies that drive application visibility, traffic awareness, network optimization, network security, virtualization and cloud-native architectures.

She can be reached at ariana.lynn@thefastmode.com
