CyberSecurity SEE

When Considering ZTNA, Exercise Caution

The concept of zero trust is gaining traction as organizations seek to strengthen their security postures in response to the rise of remote and hybrid work policies. The traditional perimeter-based defenses that were once relied upon are proving inadequate in the face of new access threats. Zero trust, at its core, revolves around the idea that no user or device should be automatically trusted, even when connected to internal networks.

To combat the security risks posed by dispersed workforces, businesses initially turned to Zero Trust Network Access (ZTNA) solutions. ZTNA tools emerged as a popular choice in recent years, with the promise of replacing virtual private networks (VPNs). While VPNs are widely used, their network-level, encryption-based security is thin and leaves corporate networks vulnerable to malware, distributed denial of service (DDoS), and spoofing attacks.

ZTNA, on the other hand, offered a “never trust, always verify” security approach that required constant authentication. This spoke to Chief Information Security Officers (CISOs) and their teams who were overwhelmed by the multitude of new access threats that arose due to the pandemic. However, the hasty adoption of ZTNA has led to complications, false starts, and wasted budgets for early adopters.

One of the major challenges with ZTNA is its implementation. It is not a simple “plug and play” operation. Instead, organizations are faced with the task of redesigning their network architecture from scratch. This means establishing an encrypted tunnel between the user and the target application, often involving external traffic routing through third-party cloud services. This re-engineering process is time-consuming and can lead to latency issues, disrupting productivity. As a result, many organizations find ZTNA implementation unfeasible, thereby hampering the growth of zero trust adoption.

While ZTNA addresses security concerns for remote access, it falls short when it comes to securing physical wired and wireless networks in the office. Although hybrid work arrangements have become common across industries, full-time remote work has been limited for many companies. ZTNA’s narrow focus on remote access means that companies need to adopt additional tools, such as network access control (NAC), to enforce authentication and authorization policies for on-site users. Managing multiple tools introduces complexity and increases the threat surface.

Another critical aspect neglected by ZTNA is monitoring the risk posture of endpoints after they connect. Devices are a common entry point for compromising enterprise networks and systems. Without proper endpoint risk monitoring and remediation, organizations are left defenseless against vulnerabilities such as outdated anti-virus software or disabled firewalls. Moreover, ZTNA’s application-focused approach leaves room for lateral movement across the network if a user is sophisticated enough, making organizations more vulnerable than they realize. Once again, NAC can fill this security gap by monitoring and remediating endpoint risks.

Despite these challenges, there is hope for zero trust security. Organizations need to expand their mindset and move away from patchwork solutions like ZTNA or NAC. Instead, they should invest in unified, cloud-native, and frictionless solutions that can address all key zero trust use cases in a centralized and scalable manner. “Universal zero trust” is an emerging technology that extends zero trust access control to networks, applications, and infrastructure for both on-campus and remote employees, guests, and contractors. This comprehensive approach covers all critical IT assets and embodies the “never trust, always verify” security model, which ZTNA alone cannot achieve.

In conclusion, while ZTNA initially offered promise as a solution for remote access security, it falls short in various aspects. Its implementation complexity, lack of support for physical networks, and failure to address endpoint risks highlight the need for a more holistic approach to zero trust. By embracing “universal zero trust” solutions, organizations can achieve a comprehensive and effective security posture that encompasses all aspects of their IT environment, regardless of network location or device.
