In this blog, we go through the findings by Gartner’s analysts Lawrence Orans, John Watts, and Neil McDonald after their discussions with early adopters of ZTNA that informed the recently published research notes titled "Best Practices for Implementing Zero Trust Network Access".
The limitations of VPNs could be summarized as follows:
ZTNA overcomes those limitations, and therefore VPN replacement has quickly become the first step in an enterprise's journey towards zero trust. ZTNA solves for more than user-to-app macro, micro, and nano segmentation on-prem and offsite (the needs of the hybrid workforce). For example, it addresses workload-to-workload segmentation. But VPN replacement is typically the use case that drives early adopters to start the journey to a zero trust architecture.
A ZTNA deployment can be quick and straightforward when there’s a strong identity foundation in place and by choosing the right solution. But regardless of the capabilities of the selected ZTNA platform and the robustness of the identity system, there’s always room for deployment mistakes and missed opportunities if there’s no proper prep work ahead of the rollout. Like one of our early customers always says (he quotes Seneca): “Luck happens when opportunity meets preparation.” So, without further ado, these are the five best practices to get lucky when the opportunity (and need) of replacing traditional VPNs shows up.
To fully realize the benefits of zero trust, you should not grant users access to all applications like a VPN deployment would. VPNs grant excessive trust and were designed under the old implicit trust model. To explicitly grant just-in-time right-sized access to the right users or user groups to the right applications, ZTNA solutions like Elisity® Cognitive Trust® for Workforce Anywhere enable macro, micro, and nano-segmentation from the start. Before turning on the lights on the ZTNA deployment, you can already draft the contextual policies to protect mission-critical applications and data from unauthorized access. Identify your crown jewels, and build policies to ensure that only the right identities within the right context can access them.
Also, it is a best practice reported by early adopters to study and document the existing relationships between users and applications ahead of deployment. While you will be able to enter observation mode after you turn on the lights on the ZTNA platform by leveraging the discovery and analytics tools provided, they recommend starting early to identify which users need access to which applications. To stay ahead of the curve, you will need to interview business leaders of each department to gain knowledge and understanding of those user-to-app relationship needs. Having that conversation also enables those teams to embrace the zero trust mindset and progress more rapidly with the ZTNA deployment.
While you are at it, interviewing the heads of departments and documenting application usage ahead of a ZTNA deployment, clean up access and update access rights. Take the opportunity to get ahead and hit the ground running when you turn the ZTNA lights on. You will likely discover that users have moved departments, left the organization altogether, or that third parties (suppliers, contractors) no longer have a business relationship with the company. Change or eliminate those access privileges ahead of time, as it will accelerate the journey to the ideal zero trust architecture when your ZTNA platform goes operational. Minimizing risk should not wait. When you reach ZTNA D-Day, you will have an easier, smoother, and faster path ahead. Or, if more practical (depending on your risk tolerance), you can wait and implement those changes through the ZTNA platform on D-Day.
Once you’ve gone live with the ZTNA solution, the work is not over. On the contrary, this is when you start operationalizing zero trust. While you may have hit the ground running and saved a lot of time with good preparation, ZTNA is not a “set and forget” approach to access policies. Instead, there’s a constant need to fine-tune remote access policies as the business needs evolve: users leave the organization, move to different teams, new suppliers require access to the network, new applications are deployed or discovered, and so on. The good news is that the work is easy: much easier than dealing with firewall rules or VPN configurations.
With a platform like Elisity Cognitive Trust for Workforce Anywhere, policies follow users. A user's access privileges change by simply moving the user to a different group in the IdP source (e.g., Okta or Active Directory), without touching the ZTNA policy orchestrator. In the same way, if an application moves (e.g., to the cloud or to a different server), its users still have access (depending on the policy configuration, of course). Furthermore, AI-based policy alerts and recommendations simplify the workflow and improve productivity. With the visibility and control provided by the ZTNA platform and AI assistance, you will always be a step ahead in reducing the attack surface and minimizing risk with each new policy created.
There may be a few user experience hiccups here and there when implementing ZTNA. Objections can be prevented during preparation work, but you must be prepared to address them correctly and effectively if they do arise. You will need to advise leaders and users that the ZTNA model allows for greater flexibility than traditional VPNs. User experience only becomes better over time, much better than what VPN would ever be, and all the while improving the organization’s security posture. There are bypasses to constant identity verification that, thanks to contextual attributes, enable skipping re-authentication. For example, multi-factor authentication (MFA) can be skipped to access a mission-critical resource from a corporate-owned and managed device, from the usual location, usual time, and when the device’s health meets policy requirements.
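The two behaviours described above, access that follows IdP group membership and a contextual MFA bypass, as an added Python example (not Elisity's code or policy model); the group names, application, locations, working hours and context attributes are all constructed for illustration.

```python
"""Illustrative ZTNA policy evaluation (added example, not the vendor's code).

Access is bound to IdP groups, so changing a user's group changes their
access without editing the policy. MFA is skipped only when every
contextual signal (managed device, healthy device, usual location,
usual hours) matches; any deviation steps up to MFA. Default is deny.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed IdP snapshot: user -> set of group names (hypothetical).
IDP_GROUPS = {"alice": {"finance"}, "bob": {"engineering"}}


@dataclass
class AppPolicy:
    allowed_groups: set       # IdP groups permitted to reach the app
    usual_locations: set      # locations considered normal for this app
    usual_hours: tuple        # (start_hour, end_hour), local time


# Constructed policy for one hypothetical application.
POLICIES = {"erp": AppPolicy({"finance"}, {"HQ"}, (8, 18))}


@dataclass
class Context:
    user: str
    device_managed: bool      # corporate-owned and managed device
    device_healthy: bool      # device posture meets policy requirements
    location: str
    when: datetime


def evaluate(app: str, ctx: Context, idp_groups=IDP_GROUPS) -> str:
    """Return 'deny', 'allow' (MFA skipped) or 'allow_with_mfa'."""
    policy = POLICIES.get(app)
    if policy is None:
        return "deny"                      # unknown app: no implicit trust
    if not idp_groups.get(ctx.user, set()) & policy.allowed_groups:
        return "deny"                      # user is in no permitted group
    start, end = policy.usual_hours
    usual_context = (
        ctx.device_managed
        and ctx.device_healthy
        and ctx.location in policy.usual_locations
        and start <= ctx.when.hour < end
    )
    # Every contextual attribute matches: skip re-authentication.
    # Otherwise grant access but require MFA step-up.
    return "allow" if usual_context else "allow_with_mfa"
```

Moving a user between groups in the constructed `IDP_GROUPS` snapshot changes the outcome of `evaluate` without any change to `POLICIES`, which is the "policies follow users" point made above.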
The main lesson shared by early adopters could be described as follows: “Learn how to drive before you buy your first car, and do not start your journey without knowing where you’re going.” Design a strategy, secure buy-in, prepare by visualizing and understanding the current state and the ideal state, select your ZTNA platform, and start your journey towards zero trust nirvana with confidence.
Elisity Cognitive Trust is a new security paradigm that combines Zero Trust Network Access and an AI-enabled Software Defined Perimeter. With this transformational approach, enterprises can proactively protect their data and assets while ensuring access without compromise to any application, data, or device, by any user, anywhere.
Check out Elisity Cognitive Trust for Workforce Anywhere and learn how it can help you or your MSP start the zero trust journey in your organization.