The Gartner ZTNA Market Guide for Secure Access

Gartner’s ZTNA Market Guide

With the shift to work from home (WFH) there’s been a lot of talk about VPN and its successor, zero trust network access (ZTNA). But ZTNA is in fact far broader than “just” more secure remote access for your workforce. It describes a whole new access paradigm that’s key to SASE and reflects the changes to today’s business.

Gartner detailed the ZTNA paradigm shift in its updated Market Guide for Zero Trust Network Access. The 18-page document provides an excellent overview of ZTNA technology, where it’s headed, the risks and the opportunities. For a limited time, we’re making copies of this Market Guide available free of charge.

Gartner ZTNA Market Guide provides actionable recommendations

Whether because of digital transformation, closer integration with partners, or the remote workforce you’re probably finding that at least some data, applications, and services need to be accessible anywhere, anytime. This more complex perimeter expands your attack surface area, increasing corporate risk.

How will you protect yourself? Relying on “security by obscurity” simply doesn’t work. Don’t believe me? Take a quick visit to Shodan, the search engine of Internet-connected devices. You’ll see how easy it is to spot exposed webcams, Cisco appliances, Fortinet VPNs, and more.

Users and resources need protection everywhere, all the time, and you’ll likely want that protection to be very, very granular. That’s ZTNA. It cloaks services from discovery and reconnaissance, creating true, identity-based barriers that prove more challenging for attackers to circumvent than older notions of simple obfuscation. See here to learn the simple steps behind how to configure ZTNA in your organization.

The Gartner Market Guide is an excellent starting point for diving into ZTNA. Along with defining the market and the ZTNA players, the Guide identifies:

  • 8 key points shared by all ZTNA offerings
  • 2 major ZTNA architectures and how they differ
  • 11 use cases of ZTNA
  • 7 major risks of using ZTNA
  • 22 factors to consider when evaluating ZTNA
  • 7 ZTNA alternatives and when they should — and should not — be used

FAQ

  • What is Zero Trust Network Access (ZTNA)?

    Zero Trust Network Access is a modern approach to securing access to applications and services. ZTNA denies everyone and everything access to a resource unless explicitly allowed. This approach enables tighter network security and micro-segmentation that can limit lateral movement if a breach occurs.

  • How is ZTNA different from software-defined perimeter (SDP)?

    SDP and ZTNA today are functionally the same. Both describe an architecture that denies everyone and everything access to a resource unless explicitly allowed.

  • Why is ZTNA important?

    ZTNA is not only more secure than legacy network solutions, but it’s designed for today’s business. Users work everywhere — not only in offices — and applications and data are increasingly moving to the cloud. Access solutions need to be able to reflect those changes. With ZTNA, application access can dynamically adjust based on user identity, location, device type, and more.

  • How does ZTNA work?

    ZTNA uses granular application-level access policies set to default-deny for all users and devices. A user connects to and authenticates against a Zero Trust controller, which implements the appropriate security policy and checks device attributes. Once the user and device meet the specified requirements, access is granted to specific applications and network resources based upon the user’s identity. The user’s and device’s status are continuously verified to maintain access.

  • How is ZTNA different from VPN?

    ZTNA uses an identity authentication approach whereby all users and devices are verified and authenticated before being granted access to any network-based asset. Users can only see and access the specific resources allowed to them by policy.

    A VPN is a private network connection based on a virtual secure tunnel between the user and a general terminus point in the network. Access is based on user credentials. Once a user connects to the network, they can see all resources on the network, with only passwords restricting access.

  • How can I implement ZTNA?

    In client-initiated ZTNA, an agent installed on an authorized device sends information about that device’s security context to a controller. The controller prompts the device’s user for authentication. After both the user and the device are authenticated, the controller provisions connectivity from the device through a gateway such as a next-generation firewall capable of enforcing multiple security policies. The user can only access applications that are explicitly allowed.

    In service-initiated ZTNA, a connector installed in the same network as the application establishes and maintains an outbound connection to the provider’s cloud. A user requesting access to the application is authenticated by a service in the cloud, followed by validation by an identity management product. Application traffic passes through the provider’s cloud, which provides isolation from direct access and attack via a proxy. No agent is needed on the user’s device.
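    The controller logic described in the two answers above (default-deny, per-application rules, identity plus device posture plus location, continuous re-verification), as an added illustration that is not from the Market Guide or any vendor's product. The policy table, attribute names and the `evaluate`/`visible_apps`/`reverify` functions are constructed for this example.

```python
from dataclasses import dataclass, replace

# Constructed, hypothetical policy table: one rule per application. Anything not
# listed gets no rule, which the evaluator treats as deny (default-deny posture).
POLICY = {
    "payroll": {"groups": {"finance"}, "managed": True, "min_os": (14, 0), "geo": {"US", "CA"}},
    "wiki": {"groups": {"finance", "eng"}, "managed": False, "min_os": (12, 0), "geo": None},
}

@dataclass(frozen=True)
class Device:            # posture attributes the ZTNA agent reports to the controller
    managed: bool
    os_version: tuple
    disk_encrypted: bool

@dataclass(frozen=True)
class Session:           # identity, authentication state, device and context under evaluation
    user: str
    groups: frozenset
    mfa: bool
    device: Device
    geo: str

def evaluate(session: Session, app: str) -> tuple[bool, str]:
    """Return (allowed, reason). Every path denies unless a rule explicitly permits."""
    rule = POLICY.get(app)
    if rule is None:
        return False, "no policy for app (default deny)"
    if not session.mfa:
        return False, "user not authenticated with MFA"
    if not session.groups & rule["groups"]:
        return False, "identity not entitled to app"
    if rule["managed"] and not session.device.managed:
        return False, "unmanaged device"
    if session.device.os_version < rule["min_os"]:
        return False, "device OS below minimum"
    if not session.device.disk_encrypted:        # baseline posture check applied to every app
        return False, "disk not encrypted"
    if rule["geo"] is not None and session.geo not in rule["geo"]:
        return False, "location not permitted"
    return True, "allowed"

def visible_apps(session: Session) -> list[str]:
    """Cloaking: the user only discovers apps policy grants; everything else stays dark."""
    return [app for app in POLICY if evaluate(session, app)[0]]

def reverify(session: Session, app: str, **posture) -> tuple[bool, str]:
    """Continuous verification: re-run policy when the agent reports changed device posture."""
    return evaluate(replace(session, device=replace(session.device, **posture)), app)
```

    A posture change mid-session (for example disk encryption turned off) makes `reverify` return a deny, which is the point at which a real controller would tear down the provisioned connection.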

  • Will ZTNA replace SASE?

    ZTNA is only a small part of SASE. Once users are authorized and connected to the network, there is still a need to protect against network-based threats. IT leaders still need the right infrastructure and optimization capabilities in place to protect the user experience. And they still need to manage their overall deployment.

    SASE addresses those challenges by bundling ZTNA with a complete suite of security services — NGFW, SWG, anti-malware, and MDR — and with network services such as SD-WAN, WAN optimization, and bandwidth aggregation.

  • What security capabilities does ZTNA lack?

    ZTNA addresses the need for secure network and application access but it doesn’t perform security functions such as checking for malware, detecting and remediating cyber threats, protecting web-surfing devices from infection, and enforcing company policies on all network traffic. That’s why the full suite of security services in SASE is a complement to ZTNA.

  • How do Zero Trust and SASE work together?

    With SASE, the ZT controller function becomes part of the SASE PoP and there’s no need for a separate connector. Devices connect to the SASE PoP, get validated and users are only given access to those applications (and sites) allowed by the security policy in the SASE Next-Generation Firewall (NGFW) and Secure Web Gateway (SWG).

    SASE addresses other security and networking needs by bundling ZTNA with a complete suite of security services — NGFW, SWG, anti-malware, and MDR — and with network services such as SD-WAN, WAN optimization, and bandwidth aggregation. Enterprises that leverage SASE receive the benefits of Zero Trust Network Access plus a full suite of network and security solutions, all converged together into a package that is simple to manage, optimized, and highly scalable.
