If you’re in IT, chances are you’ve probably heard the terms zero trust, zero trust network access (ZTNA), and SASE (aka “Sassy”) mentioned recently. For those who haven’t, no doubt you soon will. The question many are asking is whether these terms are merely buzzwords or do they solve real problems?
The Way Things Were
For the longest time, VPNs, RDP, VDI (and virtualization in general) have been the de facto way of providing remote access for workers when they were away from the office. For VPNs, an agent installed on each endpoint would connect to a server, with all traffic passing from the worker’s machine over that connection and through to the corporate resources that needed to be accessed. VPNs are meant to connect trusted networks and trusted endpoints — and with the enterprise-trust model being stretched past its breaking point, businesses have been forced to reevaluate their remote access strategy.
Legacy Connectivity Is No Longer Enough
VPNs use a hub-and-spoke architecture, with traffic being backhauled to datacenters, where it is processed. Since they were originally intended to provide access to 10 to 20 percent of the workforce at any given time, this wasn’t too much of an issue. With the sudden move to remote working following the COVID-19 outbreak, excessive user traffic saw parts of the network being overwhelmed and resulted in a poor experience for these remote workers. And then guidance was given to either turn off the VPN or enable “split tunneling” to allow direct, uninspected access to internet resources. It was a security nightmare in the making.
Clearly, a better approach to balancing the oft-opposing forces of security, productivity, and cost is needed.
Where Does ZTNA Fit?
ZTNA changes the way trust is established by only allowing access from users to applications each time a request is made. Rather than opening up access to the entire network for an authenticated user (as is the case with VPN solutions), trust criteria are evaluated under the ZTNA model whenever requests are made.
The identity of the user is considered, allowing group permissions to be enforced through identity providers. The context of the request takes into account the suitability of the device being used, its location at that point in time, and the classification of the resource being accessed. Access is granted at the application level, not just the network level. This means that even if a compromise was to happen, the scope of the resulting damage would be limited to the application instance and not the entire network.
How Is SASE Different?
SASE builds on the foundations of ZTNA, namely the ability to replace traditional hub-and-spoke architectures with the experience of direct internet access. They then add the ability to integrate WAN capabilities with security services to protect use cases including branch office deployments.
Hub-and-spoke models are replaced with direct internet access, and security follows the user regardless of where they are or what device they are using. WAN integration allows security to be enforced at the branch level and integrated with the broader enterprise architecture.
By doing so, these solutions combine advanced communications path selection capabilities, automated zero-touch provisioning, and inherent security at the branch level. Many traditional security functions are automated at the branch level, bringing security closer to workers and protecting devices that otherwise would not have dedicated security capabilities.
Where Do We Go from Here?
The benefits of integrating zero trust, ZTNA, and SASE are clear. The goal is to guide the workforce experience and security outcomes to be continuously situationally-aware and contextually risk appropriate.
Transformational edge security solutions are now readily available that enable us to move forward confidently and support a new way of working without compromising security or business productivity.
Learn more about Citrix’s zero trust and SASE solutions.
