Business & Technology

Why ZTNA in the Cloud Isn't Enough

By Peter Newton | May 25, 2022

Trying to secure an increasingly dispersed workforce isn't easy. Work from anywhere could be just as accurately described as work from everywhere. Employees use their own devices to access critical business applications deployed in multi-cloud environments and on-premises corporate assets from home, office, and the road. Many organizations are managing complex ecosystems that are increasingly difficult to defend. And the problem is compounded when organizations attempt to rely on an array of rigid, outdated security tools.

To support work from anywhere, organizations use SD-WAN and tools that support the zero-trust network security model, particularly Zero Trust Network Access (ZTNA), which is used to secure application access. At a high level, zero-trust is based on the principle that a user or device can only be trusted after explicitly confirming their identity and status. It focuses on users, devices, and the specific resources being accessed, utilizing segmentation and zones of control. Every request for access must be authorized and continuously verified. Even once they have been granted access, users and devices only can access the resources required to do their job and nothing more.

The need to secure access any time and from virtually any place means ZTNA has become crucial to nearly every security strategy. A comprehensive zero-trust implementation needs to cover everything and everyone, no matter where they're located. And because hybrid IT architectures aren't likely to disappear for the foreseeable future, a cybersecurity approach that supports both cloud-delivered and on-premises is critical.

How ZTNA Works

Unlike a VPN, which assumes that anything that passes the network perimeter controls using an encrypted connection can be trusted, ZTNA takes the opposite approach: no user or device can be trusted to access anything until proven otherwise. At a high level, ZTNA has three pieces. The first is a client agent on the employee's device. The second is a policy engine that determines whether the person is allowed access and what they are able to access. The ZTNA application access policy and verification process are the same whether users are on or off the network.

The final piece is the enforcement part, which needs to happen as close to the application as possible. Once a user has provided appropriate access credentials, they are given what is known as least privileged access, which means the person can access only those applications that they need to perform their job and nothing else. ZTNA operates in terms of identity rather than securing a place in the network, which allows policies to follow applications and other transactions end to end.

ZTNA Isn't Just for Cloud Access

The ZTNA implementation from many vendors is limited to cloud-based applications, but cloud-only ZTNA doesn't work for those organizations that have a combination of hybrid cloud and on-premises applications.

From an IT standpoint, setting up client-based ZTNA offers better visibility and control of devices, and you can perform application firewalling within the agent. So, if a security issue is detected, a file can be sent to the sandbox, or quarantine can be requested.

There's also a performance aspect. Some vendors do enforcement from their cloud, which may work for certain SaaS applications, but isn't great if you're accessing resources in a data center. In that case, traffic needs to go back to the data center to do the enforcement, or it’s on-premises with edge compute.

A better approach is to have enforcement built into the firewall, which is distributed across the entire network through appliances or virtual machines. This design offers significant advantages from an efficiency standpoint.

All Firewalls are Not Created Equal

Some vendors have proclaimed that firewalls or even the entire network are "dead." Or they'll say you can’t put too much on the firewall because it will degrade performance. But it depends entirely on the firewall. A FortiGate can run Next Generation Firewall (NGFW) security, ZTNA, an access point controller, 5G controllers, and SD-WAN, which means you have one appliance, not five, and still deliver better performance than competitive offerings.

Legacy firewalls based on commercially available, generic CPUs can't handle multiple applications, but the Fortinet FortiGate NGFWs can run ZTNA quickly and efficiently. ZTNA can sit in a FortiGate at a branch office and run proxy enforcement there. As an example of this branch architecture, some retailers now are putting edge compute in their retail outlets.

Networks are very much alive, even in cloud-centric environments. Security must be seamlessly converged with the underlying network to enable protections that can dynamically adapt to a constantly shifting network. In this environment, the network firewall becomes the foundation of a converged security and networking platform.

To provide exceptional performance for both security and networking functions, Fortinet uses custom ASICs that deliver an average of 15x more performance for the same price point of competitive solutions. The same engineering codebase that enables these physical security processors (SPUs) also enables the delivery of virtual chips (vSPUs) that provide similar acceleration in private and public cloud deployments.

Network and Security Convergence

To adapt to the shifts in the workforce and threat landscape, organizations need consistent converged networking and security that is available both on-premises and in the cloud. Trying to meld yet another point solution into an already complex networking situation is confusing at best. But Fortinet ZTNA provides application access and continuous verification of users with enforcement available everywhere using NGFW that you may already have. Today, users need access to all of their applications, no matter where the application or the user is located. ZTNA should be everywhere with everything secured through consistent policies and controls across all operating environments, including both on-premises and cloud.

Learn more about Zero Trust solutions from Fortinet that enable organizations to see and control all devices, users, and applications across the entire network.