ZTNA and the Distributed Workforce: Hype vs. Reality

By Timothy Liu, CTO & Co-Founder, Hillstone Networks

ZTNA, or zero-trust network access, seems to be one of the hottest cybersecurity buzzwords right now, at least as measured by the coverage it’s been receiving. At its core, ZTNA is a fairly straightforward construct that purports to improve security across the board, especially for the distributed workforce. Its basic premise is to eliminate implicit trust in users, devices and other network elements, which will theoretically reduce overall attack exposure including multi-level, multi-phase threats. Is all the buzz warranted, though? At Hillstone, we believe the answer is a resounding ‘Yes,’ with a few qualifications.

But First, A Look Back

Before examining ZTNA in detail, it’s important to understand why this new model is being proposed and promoted. Achieving a means of secure remote access has been an objective of IT professionals almost since the very first data networks were developed.  In the early 1990s, several early methods of securing remote access arose, such as SIPP. In the mid-1990s the secure sockets layer (SSL) protocol was released and it became the underlying technology for the enterprise-class SSL VPNs that are still in wide usage today.

(Author’s note: Though most in the industry still refer to this type of secure remote access as SSL VPN, technically the technology is now based on transport layer security (TLS), which superseded SSL in about the mid-2000s.)

SSL VPNs are available as stand-alone appliances, as part of next-gen firewalls (NGFWs) and other security products like Hillstone Networks’ solutions, and as cloud services. Early in the pandemic, when governments attempted to lock down their populations to prevent the spread of COVID-19, many corporate IT teams turned to SSL VPNs to support workers who suddenly needed to work from home.

Now, however, the distributed workforce has become a reality rather than a phenomenon, and the need to support remote workers in large numbers has brought certain issues and limitations of SSL VPN to the fore, including:

Common Vulnerabilities: Over the years, numerous vulnerabilities in enterprise-class VPNs have become apparent, raising red flags for many cybersecurity professionals. In 2021, for example, multiple U.S. federal civilian organizations faced the potential of data breaches via the Pulse Connect Secure VPN vulnerability. Two years earlier, in response to active exploitations of certain VPNs, the U.S. National Security Agency issued an advisory.

Licensing Costs and Expansion Limitations: Usually, commercial SSL VPNs are licensed per-user and per-capacity, meaning that scaling to support additional remote workers can be expensive both in purchase of licenses as well as in IT staff labor. Physical SSL VPN appliances might also require the purchase of additional modules in order to expand capacity.

User Authentication: Visibility into users and devices that are connected to the network is one of the bedrock principles of cybersecurity. A typical enterprise VPN will perform authentication just once, on initial login and set-up of the VPN tunnel, and then access is granted for all the network resources for which the user is pre-approved.  This can create a security risk if, for example, user credentials are stolen by an attacker.

As mentioned, SSL VPNs are in broad use; the market in 2021 was estimated at nearly $5b USD. There’s a cost connected with a forklift upgrade to a new secure remote access technology, but with the issues and concerns raised above, many security teams are considering ZTNA as another option.

ZTNA: Basic Definition

At its most basic, the mantra of ZTNA is ‘never trust, always verify.’ To expand upon that, ZTNA is intended to abolish absolute trust of devices and users and to allow only the minimum access and authorization based on user role, position or other factor. Under ZTNA, authentication is constant and ongoing – a change in the user’s or device’s security posture can result in revocation of access, for example. If it’s executed well, ZTNA can deliver extremely fine-grained visibility and control with improved scalability, flexibility and reliability.

From a technological viewpoint, ZTNA employs a user-to-application approach, rather than the traditional network-centric focus, which completely inverts the concept of authentication.  With ZTNA, users and devices are examined at a deeper level – encompassing identity as well as the context of network and application resources being requested.

It’s important to note that the user-to-application approach expands security past the network perimeter to any resource connected to the network. This can include cloud applications and resources, for example, or remote physical or virtual applications and data.

Industry analyst firm Gartner has promoted the concept of the secure access service edge (SASE), which includes ZTNA as one of its elements. SASE, another hot topic in the cybersecurity world, consists of cloud-based security infrastructures to serve the new distributed workforce. Two closely related key benefits of SASE are reduced latency and an improved user experience.

A Practical Path Forward

Given the wide adoption and usage of SSL VPN, any conversation about transitioning to ZTNA must account for the older technology. There’s just too much current investment in platforms, IT staff time, and education of end-users to simply discard existing SSL VPN solutions. Luckily – and partly by design – ZTNA easily lends itself to a more stepwise approach.

For example, Hillstone’s ZTNA solution leverages Hillstone NGFWs as well as the Hillstone Security Management (HSM) platform to overlay ZTNA authentication over SSL VPN capabilities. The combined solution can leverage a wide range of authentication protocols and provides tight controls over users and devices with role- and context-based policy enforcement. Another possibility is to leverage the security capabilities of SD-WAN (another of the elements of SASE) alongside SSL VPN services to serve as a bridge to ZTNA and SASE later.

Conclusion

Ultimately ZTNA is a nascent cybersecurity technology – though it seems to be maturing quickly. Development efforts will eventually lead to consolidation and standardization, which will give manufacturers and security pros alike a set of table stakes to shoot for. For now, whether ZTNA is just the latest hashtag or the real deal will depend upon how it’s implemented. It will require careful consideration of how it can co-exist with the existing security framework, support and enhance security policies, and better secure and defend the entire network from core to endpoint to cloud.

About the Author

Timothy Liu is Co-Founder and Chief Technology Officer of Hillstone Networks. In his role, Mr. Liu is responsible for the company’s product strategy and technology direction, as well as global marketing and sales. Mr. Liu is a veteran of the technology and security industry with over 25 years of experience. Prior to founding Hillstone, he managed the development of VPN subsystems for ScreenOS at NetScreen Technologies, and Juniper Networks following its NetScreen acquisition. Mr. Liu is also a co-architect of the patented Juniper Universal Access Control and holds an additional patent on Risk Scoring and Risk-Based Access Control for NGFW. In his career, Mr. Liu has served in key R&D positions at Intel, Silvan Networks, Enfashion and Convex Computer. He Liu holds a Bachelor of Science from the University of Science and Technology of China and a Ph.D. from the University of Texas at Austin.

Tim can be reached online at @thetimliu  and at our company website https://www.hillstonenet.com/