George Wilkes, September 28, 2022
Redefining Network Access Control: Zero Trust for the Corporate Network
While VPN replacement and secure remote access is often the primary use case for implementing a Zero Trust Network Access (ZTNA) solution, that’s only part of the story. Now many organizations are turning to the widely heralded features of ZTNA (least privilege access enforcement, resource cloaking and microsegmentation) to secure all network access, including on-premises, IoT/OT, WAN and campus networks.
As the debate over returning to the office vs. working remotely plays out globally, it’s too early to know where things will ultimately settle. But it’s not too early to see that hybrid work models are here to stay for the foreseeable future. This means it’s time to fully extend the benefits of Zero Trust to your entire corporate network.
Think about it: Why wouldn’t you want to deploy ZTNA benefits to every device and user that connects to your network? Why wouldn’t you want identity-centric authentication and a unified security policy for your network access controls? And why wouldn’t you want to unburden your security team from the complexity of managing different network access control solutions?
No more NAC for network access control
For IT security professionals, network access control means two different things. First, it’s the definition of their job ... protect their organization’s network and resources by enforcing strong user and device access controls. Then there’s the formal industry term Network Access Control or NAC ... a product intended to do what the name suggests, control network access.
Large enterprises employ NAC to protect their campus networks, which was fine when a majority of the workforce was in the office. But now off-network users are operating outside of NAC’s protection. This requires administrators to manage two different network security models and make them interconnect. So, with hybrid workforces in play, ironically NACs can’t really achieve full network access control.
NAC flaws: Single purpose, hardware-based, inflexible, expensive, complex
NAC was designed to protect a physical on-premises network, or the perimeter as we knew it, 10-plus years ago. Now it’s not only complex to implement, but relatively ineffective given the high utilization of cloud hosting and the fact that users and the corporate network can be everywhere. What’s more, a major hurdle in deploying NAC is the hardware requirement. This introduces a major CAPEX hit when hardware is in short supply and, in some cases, the lead time is more than one year.
Additionally, NACs don’t extend to the cloud and add zero value for remote users. In fact, siloed NACs—and VPNs for that matter—introduce policy management complexity often leading to wide-open networks ripe for lateral movement. Asking the IT and security teams to manage access policies unique to VPNs, NACs and cloud-based workloads is an absolute nightmare. Complexity is the enemy of security and NACs do us zero favors.
Frankly, the world that NAC solutions were intended to serve no longer exists, and they need to be phased out of the CISO’s budget ... likely a welcome idea given the hefty price tag and incomplete nature of most NAC deployments.
It's time for ZTNA everywhere
Asking stretched-thin security teams to manage different network access control architectures and a myriad of tools is asking too much. With consolidation on everyone’s mind, organizations should seriously consider replacing NAC with ZTNA. Your response might be, “What? Why?!” But if you’re thinking Zero Trust Network Access is only a VPN replacement for remote access, think again. Yes, ZTNA played a big role in pivoting away from risky VPNs during the pandemic; however, it’s been proven that ZTNA successfully solves a lot more than just remote access, including securing access to the cloud and corporate networks.
In fact, earlier this year Gartner published a report introducing the idea of universal ZTNA or ZTNA everywhere. Our response is simple ... “PREACH!” The idea is straightforward and something Appgate has been reinforcing and demonstrating for years now, having achieved this for many large complex enterprise corporate networks and branch offices.
All ZTNA solutions are not created equally
While ZTNA everywhere is appealing, not all ZTNA solutions can handle the double-duty of remote and campus networking. In its report, Gartner identified several issues that might apply to a limited ZTNA solution, such as:
- Lack of protocol support
- Securing headless devices, such as IoT
- Lack of support for bi-directional security rules
Also, because many ZTNA solutions rely on cloud security POPs, adopting such a solution in an on-net environment introduces latency by requiring traffic to follow a “hairpin” route. It’s also worth noting that the nearly overnight shift to fully remote workforces in 2020 had enterprises scrambling. Some picked ZTNA vendors in haste, focusing on use cases such as remote access or securing web apps. Now, they face challenges to secure access across the network for on-site campus workers, legacy apps and non-HTTP protocols.
Fortunately, there is one ZTNA solution that addresses all use cases: Appgate SDP. Specifically, it does not rely on proxies for specific tools such as SSH or FTP; instead, it supports protocols such as TCP natively, in addition to UDP, GRE, ICMP, AH and others. At the control plane, it can reach in or reach out of a network, so security rules can be directed up or down, or both. Not to mention that it supports devices with no users and Kubernetes clusters, plus the Appgate SDP architecture includes direct access ... no hairpinning or cloud routing required.
More importantly, Appgate SDP delivers the same experience for your users and administrators, regardless of whether they are remote or local, and regardless of whether the resources are on-premises, in the cloud or somewhere in between. Appgate SDP lets you quickly deploy a single, software-based architecture that is network-agnostic and overlays on your existing networks. This allows you to implement Gartner’s concept of universal ZTNA ... or as we like to call it, ZTNA everywhere for any user, any resource, any location. Quite simply, it is a single Zero Trust access solution for all users, devices and workloads spanning the modern definition of a corporate network.
Additional ZTNA everywhere resources
- Podcast: Zero Trust Access for the Corporate Network
- Solution brief: Zero Trust Access for Corporate Networks
- Video on-demand: Kill the NAC – Zero Trust Access for the Corporate Network
- Infographic: Appgate SDP vs. NAC - Top 9 Reasons SDP is a Better Alternative