Recently, we have seen increased interest in “Zero-Trust,” which has become a huge buzzword in the Networking and Security industry—especially in the last few years. One of the use cases where Zero Trust is most relevant is remote access. It is no secret that traditional VPN solutions worked well for the last two decades or so, when all applications and services were hosted on-premise or in one or two global data centers. But is VPN still relevant for the way we work today?
Over the past 20 years, the way we consume and access applications and data has changed dramatically. First, we saw applications begin to move beyond the perimeter to private data centers and then to the public cloud. Indeed, many young companies in technology-forward industries do not have any servers on-prem – they are totally cloud-based and leverage SaaS and Cloud services to host their resources.
In addition, users today are more mobile than 20 years ago. Working from home or a coffee shop, and using personal devices are very common scenarios now. Employees and contractors working outside of an office require secure access from anywhere. With recent world events we have also seen a massive increase in the number of employees needing to access company resources remotely.
Unfortunately, traditional VPN solutions are complex to manage in this kind of dynamic environment and are inconvenient for end users. From the security perspective, they grant too much access and expose services to the internet, making the attack surface very large. A Zero Trust security model reduces the attack surface.
According to Gartner’s recent Market Guide for Zero Trust Network Access, by 2022, "80% of new digital business applications opened up to ecosystem partners will be accessed through zero trust network access (ZTNA).”
The Basics of Zero Trust Network Access
The Zero Trust concept is quite simple – never trust, always verify. To grant access, a trusted broker mediates connectivity between users and applications, isolating resources from the internet and protecting them from outside threats.
Three of the most important principles in Zero Trust access are:
- Access is granted only after successful user and end-device authentication
- Each user device has a unique identity that is the basis for all access
- All access is audited and logged, for full visibility and analysis
In addition, a zero-trust access solution should be centrally managed, cloud-delivered, and easy for end-users to work with.
Proofpoint Meta Overview
Proofpoint Meta is the technology leader in Software Defined Perimeter (SDP) solutions for secure remote access. With Meta’s Network-as-a-Service, you can instantly provide secure remote access to corporate applications and the internet. As applications move to the cloud and employees, contractors and partners are increasingly mobile, companies need a better solution than the conventional, site-centric VPN. Meta NaaS implements the principles of a software-defined perimeter to ensure zero-trust, identity-based access. Leveraging a cloud-native global backbone, it delivers a great user experience along with always-on corporate and internet security.
Potential ZTNA Use Cases
In the ZTNA market guide, Gartner described several ZTNA use cases that have already been deployed in the field.
According to the guide, ZTNA, which is also known as a software-defined perimeter (SDP) “creates an identity- and context-based, logical-access boundary around an application or set of applications. The applications are hidden from discovery, and access is restricted via a trust broker to a set of named entities. The broker verifies the identity, context and policy adherence of the specified participants before allowing access. This removes the application assets from public visibility and significantly reduces the surface area for attack.”
Use Case 1: Opening applications and services to collaborative ecosystem members, such as distribution channels, suppliers, contractors or retail outlets without requiring a VPN or DMZ.
Proofpoint Meta provides an agentless solution that is ideal for large ecosystems. The browser-based client requires no plug-ins or agents. For example, the ride sharing platform, Via, leverages the Meta NaaS to centrally manage a zero-trust network that covers all their applications and data, and their employees, contractors and customers.
Use Case 2: Normalizing the user experience for application access — ZTNA eliminates the distinction between being on and off the corporate network.
Security should be transparent. End users expect the experience to be the same when accessing resources from home, from the road or from the office. With Meta NaaS, wherever a user is located:
- The user is always connected to the nearest PoP to reduce latency.
- The location of the application or server being access is transparent.
Use Case 3: Carrying encryption all the way to the endpoints for scenarios where you don’t trust the carrier or cloud provider.
With Meta NaaS, all traffic from the user device to the resource in the data center or cloud is encrypted. Meta NaaS is an overlay on top of the internet, isolating the user traffic from the carrier or service provider.
Use Case 4: Providing application-specific access for IT contractors and remote or mobile employees as an alternative to VPN-based access.
With Meta NaaS, users have policy-based access to the specific applications they need. Everything else is hidden. For contractors and personal devices, the agentless approach is ideal, with a simple portal-based user experience.
Use Case 5: Extending access to an acquired organization during M&A activities without having to configure site-to-site VPN and firewall rules.
Meta NaaS is easy to deploy and eliminates problem with IP overlapping. It can onboard a new branch or region to the NaaS with a simple connector and define granular user access policies.
Use case 6: Permitting users in potentially dangerous areas of the world to interact with applications and data in ways that reduce or eliminate the risks that originate in those areas — pay attention to requirements for strong identity and endpoint protection.
Meta NaaS supports adaptive policy controls based on user location. A rich set of posture checks on the end-user device combined with multi-factor identity-based access support safe connections from anywhere in the world.
Use Case 7: Isolating high-value enterprise applications within the network or cloud to reduce insider threats and affect separation of duties for administrative access.
According to the zero-trust model, all network resources are hidden by default. In addition, all access is logged for auditing, alerts and anomaly detection.
Use Case 8: Authenticating users on personal devices — ZTNA can improve security and simplify bring your own device (BYOD) programs by reducing full management requirements and enabling more secure direct application access.
Proofpoint Meta provides an agentless solution that is ideal for personal devices. The browser-based client requires no plug-ins or agents.
Want to hear more about how Proofpoint ZTNA is reinventing the secure enterprise network for the cloud age? Click for more information.