Chris Scheels, April 26, 2021
ZTNA Guide, Part 3: How to Find the Best Zero Trust Network Access Solution
This blog is part 3 of our 4-part guide to Zero Trust Network Access (ZTNA). Part 1 provides a ZTNA definition and general conceptual overview, then part 2 describes the different architectural approaches. This part explains what you should look for in a ZTNA solution and part 4 reviews the top considerations you should keep in mind during ZTNA implementation.
Before embarking on your Zero Trust journey and evaluating Zero Trust Network Access solutions, it’s important to consider your current and future-state requirements. No two organizations are alike, so to find the best ZTNA solution you should select a provider that offers robust feature sets and the flexibility to meet your long-term needs.
Find out everything you need to know about ZTNA so you can choose the best Zero Trust Network Access solution for your enterprise.
Top Questions to Ask When Looking for the Best Zero Trust Network Access Solutions
Finding the best Zero Trust Network Access solution for your business starts with a deeper understanding of your Zero Trust strategy. Start by reviewing these questions to help identify long-term goals and the right ZTNA partner that can support them.
How will multiple, disparate identity providers be managed?
Consolidating identity providers is the goal of any large enterprise but is a very complex and challenging project. The reality is that most enterprises are dealing with multiple identity stores. These providers might contain different users hosted in various locations that support different technologies. The best Zero Trust Network Access solutions can work with all disparate identity providers and their directories to reduce complexity and provide users a seamless experience.
What is your Zero Trust roadmap?
Another question to ask when embarking on a ZTNA journey is “What do we want to protect?” Most organizations take an incremental approach to their Zero Trust strategy, so the answer will likely evolve as implementation progresses, and you will want to avoid over-tooling. In the early stages, the best ZTNA solution might protect a limited set of digital assets for a defined user group or role, or it might focus on an area such as finance and then expand from there. It’s essential to consider the future state of your Zero Trust roadmap so that the ZTNA solution selected for initial use cases can support your future needs. For instance, many Zero Trust Network Access solutions are designed for remote access only. The best ZTNA solutions offer a unified access approach for remote access, on-premises access and even server-to-server access.
Where do your resources reside?
While common practice is to start small and then expand, knowing where everything is located at the start makes for a smoother transition. For instance, are your digital assets on-premises, in data centers, in one or more clouds or a hybrid combination of all three? Knowing the answers may impact which ZTNA solutions can be implemented and how they are deployed. Ultimately, you may need a unified private access solution that applies ZTNA policies across a complex hybrid IT environment.
How do you want to deploy?
Before adopting ZTNA, it’s essential to decide on deployment options. Some Zero Trust Network Access solutions are hosted by the vendor as-a-service, while other ZTNA solutions are self-deployed and some offer a choice or a hybrid approach. This will impact the variety of ZTNA solutions from which you can choose. It’s important to consider whether it makes sense to have complete control over ZTNA deployment or if it would be better to let the vendor manage the ZTNA infrastructure due to resource constraints or in-house skill limitations.
Which network traffic flows need to be protected?
To which flows of traffic do you intend to apply Zero Trust secure access methodologies? North/south or east/west? Which is more critical at your current stage of the Zero Trust journey? Most long-term Zero Trust journeys incorporate all traffic flows across the network by building a true Zero Trust café-style network and then applying principles of least-privilege access between client-to-server, server-to-server and service-to-service traffic. Service-to-service refers to machines that communicate with one another without a user driving the interaction (e.g., microservices that call each other’s APIs). This type of traffic flow should still abide by the principles of Zero Trust. That way, if a machine is compromised, there is a much smaller chance of lateral movement within the network, because the compromised machine can only reach the services its own identity is explicitly allowed to reach.
Ultimately, the flow of network traffic will affect ZTNA architectural choices. Some ZTNA solutions only protect north/south traffic, others only east/west. Suppose the protection of digital assets will encompass east/west and north/south network traffic. In that case, you need to select a ZTNA architecture that supports both traffic flows with a robust and unified policy engine.
What types of applications need to be protected?
Many critical systems in today's enterprises are dated or custom-built, so refactoring them is an expensive and resource-intensive project. This is particularly true in finance, government and other sectors where organizations have built their operations around legacy applications. This is a problem for some ZTNA solutions, because these legacy systems may not support Security Assertion Markup Language (SAML) or other modern modes of authentication. Some Zero Trust Network Access solutions are built only for HTTP/HTTPS and sometimes Secure Shell (SSH). However, those protocols cover web-based applications and administrative shell access, not the legacy and custom apps that speak other protocols. To avoid this limitation, the best ZTNA solution will include broad protocol support.
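To make the last two questions concrete, here is a toy unified policy engine, added as an illustration for this guide; it is not Appgate SDP code or any vendor's implementation. It evaluates one policy set for both north/south (client-to-server) and east/west (server-to-server, service-to-service) flows, denies anything not explicitly allowed, and treats the application protocol as part of the decision so that non-web protocols (here a constructed legacy SQL Server protocol label) are first-class. It also computes the set of services a given identity could ever reach, which is the lateral-movement blast radius if that identity is compromised. Every principal, service, protocol and rule below is constructed for the example.

```python
"""Toy unified ZTNA policy engine (added example; not Appgate SDP or any vendor's code).

Assumptions: one policy set covers both north/south and east/west flows,
everything not explicitly allowed is denied, and all principals, services,
protocols and rules below are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    principal: str   # authenticated user role ("role:...") or workload identity ("wl:...")
    dst: str         # destination service
    flow: str        # "north-south" (client->server) or "east-west" (server/service->service)
    protocol: str    # application protocol; not limited to HTTP(S) or SSH


@dataclass(frozen=True)
class Rule:
    principals: frozenset
    dsts: frozenset
    flows: frozenset
    protocols: frozenset

    def matches(self, req: Request) -> bool:
        """A rule matches only when every dimension of the request is allowed by it."""
        return (req.principal in self.principals and req.dst in self.dsts
                and req.flow in self.flows and req.protocol in self.protocols)


def rule(principals, dsts, flows, protocols) -> Rule:
    return Rule(frozenset(principals), frozenset(dsts), frozenset(flows), frozenset(protocols))


# Constructed policy: least privilege per hop of a finance application chain.
POLICY = [
    rule({"role:finance"}, {"erp-web"}, {"north-south"}, {"https"}),
    rule({"wl:erp-web"}, {"erp-db"}, {"east-west"}, {"tds/1433"}),    # legacy SQL Server protocol, not HTTP
    rule({"wl:erp-web"}, {"ldap"}, {"east-west"}, {"ldaps"}),
    rule({"wl:report-batch"}, {"erp-db", "hr-db"}, {"east-west"}, {"tds/1433"}),
    rule({"role:sre"}, {"erp-web", "erp-db", "hr-db"}, {"north-south"}, {"ssh"}),
]

# Inventory used for blast-radius enumeration (constructed).
SERVICES = {"erp-web", "erp-db", "hr-db", "ldap"}
PROTOCOLS = {"https", "ssh", "ldaps", "tds/1433"}
FLOWS = {"north-south", "east-west"}


def evaluate(policy, req: Request) -> bool:
    """Default deny: allowed only if some rule explicitly matches the whole request."""
    return any(r.matches(req) for r in policy)


def reachable(policy, principal: str) -> set:
    """Every (service, flow, protocol) triple the principal could reach under the policy."""
    return {(s, f, p) for s in SERVICES for f in FLOWS for p in PROTOCOLS
            if evaluate(policy, Request(principal, s, f, p))}


def reachable_services(policy, principal: str) -> set:
    """Lateral-movement blast radius: services reachable if this identity is compromised."""
    return {s for s, _, _ in reachable(policy, principal)}


if __name__ == "__main__":
    print(evaluate(POLICY, Request("role:finance", "erp-web", "north-south", "https")))
    print(evaluate(POLICY, Request("role:finance", "erp-db", "east-west", "tds/1433")))
    for ident in ("role:finance", "wl:erp-web", "wl:report-batch"):
        print(ident, "can reach", sorted(reachable_services(POLICY, ident)))
```

The point of `reachable_services` is the review question a practitioner should ask of any candidate policy engine: if the `erp-web` workload is compromised, what can it talk to? Under this policy the answer is only `erp-db` and `ldap`, over the single protocol each is allowed, and `hr-db` stays out of reach even though it sits on the same network. A solution that evaluates north/south and east/west flows with separate or inconsistent policy, or that cannot express non-HTTP protocols, cannot give you that answer in one place.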
Implementing Zero Trust is not a “one-and-done” project. It is an ongoing journey toward strong, adaptive, risk-based access controls embedded into the fabric of distributed, agile and hybrid IT.
Select the Best ZTNA Solution
After evaluating Zero Trust Network Access solutions, finding your optimal ZTNA solution is more than selecting the one with the most features. Ultimately, it’s about finding a ZTNA solution that meets your organization's current and future needs. The only way you can determine “best fit” is by diving deep into your specific requirements. Appgate SDP, Appgate’s ZTNA solution, is a comprehensive, scalable and highly customizable platform built for enterprise organizations. Covering every ZTNA use case, Appgate SDP provides the components needed to support your enterprise on the journey to Zero Trust.