Appgate Cybersecurity, July 18, 2021
How to Get Started and Scale Up to Zero Trust Network Access
This blog is the third in our three-part guide to migrating from VPN to ZTNA. Part 1 explains why it’s time to move away from VPNs and provides a quick overview of the five steps for success. Part 2 describes how to prepare for migration and this part covers the how-to of scaling up ZTNA across the organization.
An increasingly sophisticated cyberthreat landscape, combined with work-from-anywhere business models, makes Zero Trust security an imperative. Now is the time to replace or augment your legacy VPN with the stronger security model of Zero Trust Network Access (ZTNA).
Transitioning from VPN to ZTNA
Once you’ve identified your existing security stack baseline and ZTNA implementation goals, select a ZTNA provider so you can tackle your first use case, typically Zero Trust remote access. Consider the architectures and features that will meet current and future requirements, so you avoid switching providers mid-roadmap or adding a second ZTNA solution to an already crowded tech stack.
Select a ZTNA Provider
Mature ZTNA vendors offer a solution that covers a wide range of functions:
- Supports all protocols, not just web applications
- Addresses the latency, compliance and security dependencies of multi-tenant cloud environments
- Capable of working in heterogeneous environments
- Handles remote access and in-office access from a single platform
- Offers flexibility in deployment options, such as as-a-service or self-hosted ZTNA
- Covers the entire user population with agent and browser-based access methods
- Protects east-west and north-south network traffic
- Offers robust APIs for automation and visibility
- Supports multiple and varying identity stores
- Provides a unified policy model that includes IoT and secure branch office
Robust ZTNA solutions handle more than just Zero Trust secure remote access — find a solution that can handle the breadth and depth of your current and future use cases.
Build Out Your First Use Case
While there is not a “right” or predefined launch point for Zero Trust security, consider these when starting with secure remote access:
- Risk mitigation: The natural question is, “Where does the most risk associated with VPN access reside?” This could be a subset of privileged users who regularly touch sensitive resources. This business case is about preventive measures and how to avoid a costly breach, which averages $1.52 million per incident, according to Ponemon’s 2020 Cost of a Data Breach Report.
- Productivity gains: Another logical starting point is to improve operational efficiency. This could be a subset of frustrated users experiencing VPN drawbacks resulting in more help desk tickets and admin burdens. Or it could be with DevOps, which requires the right access to hybrid resources at the right time for fast-paced application delivery.
- Budget cycle: A major VPN hardware refresh planned for a budget cycle presents an opening for a “replacement vs. upgrade” secure access dialogue. VPN software renewals and maintenance expirations provide similar compelling times for review.
- New initiatives: New digital transformation initiatives or cloud migration projects are prime reasons to adopt ZTNA, a foundational building block for a Zero Trust security strategy. Partnering with business units to accelerate these initiatives—strengthening security rather than sacrificing it—proves out ZTNA as a catalyst for digital transformation.
More on Choosing the Right ZTNA Solution
Here are a few more pointers to aid in the vendor selection process:
- Infrastructure selection: Choose between self-hosted ZTNA solutions that require light deployment for gateways and controller (unified policy engine) or “as-a-service” ZTNA solutions that can be quickly deployed and reduce the need for complete IT support by relying on the provider’s cloud hosting.
- Policy creation: Because ZTNA policy creation is identity-centric, user groups from your identity stores must be unified, so your ZTNA provider must support multiple disparate identity providers. You can then set a few simple policies that include risk-based context such as time, date, location and MFA.
- User onboarding: Your first use case and user group will determine if you need a client installed for device posture checking and protocol support or browser-based access for web applications. A ZTNA solution that can deliver both is ideal, so you have the flexibility of choice for future use cases.
- Automation: Decide where automation will reduce complexity, improve agility and ease admin tasks, which may include automating integration with an ITSM, endpoint protection tools, MFA or business support system.
Measuring success of your first use case will help validate expansion of Zero Trust remote access across the organization. Consider tracking user satisfaction and adoption rates or reduced help desk calls. Additional metrics might include user and IT admin productivity gains, open port and firewall rule reduction or a time-to-install comparison of ZTNA vs. VPN. Measuring and reporting results to key stakeholders will clear the runway for the final step.
Ensure you have a way to measure the success of your ZTNA implementation as it relates to your larger Zero Trust security goals.
Scale Up Zero Trust Remote Access
Horizontal scaling adds more users. Vertical scaling covers new use cases and adds integration and automation. Full ZTNA implementation can move as fast or as slowly as your plan requires.
Zero Trust remote access scale up might encompass use cases like DevOps, cloud migration, server-to-server (i.e., east-west traffic), IoT devices or a full-bore café-style network. Successful scaling depends on keeping the policy engine unified and centralized. ZTNA solutions with flexible deployment and access options help you maintain a unified approach by making slight architectural adjustments to achieve all use cases. For example, third-party vendors may not allow a client install at their endpoint. But a full-feature ZTNA solution enables least privilege access from third-party browsers without requiring a new solution or policy management GUI.
Then as your deployment matures, you can unlock more features:
- Automate policies: Leverage data from identity and directory systems and environmental metadata to dynamically create or extend policies and entitlements
- Automate infrastructure: Control, build and manage infrastructure-as-code with Terraform, the GitHub SDP operator
- Orchestrate workflows: Integrate with existing enterprise operation or business support systems, such as IT service management or ticketing platforms
- Enhance posture checking: Integrate with endpoint solutions to ensure a “trusted device” or user behavior analytics to ensure “trusted user” as risk criteria for access
- Put data to work: Push detailed access log activity to other tools and pull intelligence as access criteria from TIPs, SIEMs and UEBAs
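As an added illustration (not Appgate SDP’s engine or API), the Python below models the identity-centric, deny-by-default policy evaluation described under “Policy creation” and the “trusted device” and “trusted user” risk criteria listed above: each request is checked against group membership from the identity store, MFA, device posture, a risk score and a time window. The resource names, groups and thresholds are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Request:                      # constructed sample input, not real data
    groups: frozenset               # group membership from the identity store
    mfa: bool                       # strong authentication done this session
    device_trusted: bool            # endpoint posture check passed
    risk_score: int                 # 0-100, e.g. fed from a UEBA or TIP
    resource: str                   # host:port the user is asking to reach
    at: datetime                    # request time, UTC

@dataclass
class Entitlement:
    resource: str
    groups: frozenset               # groups allowed to reach the resource
    require_mfa: bool = False
    require_trusted_device: bool = False
    max_risk: int = 100
    hours: tuple = (0, 24)          # allowed UTC hour window [start, end)

# Hypothetical policy: the production database needs MFA, a trusted device, low
# risk and business hours; the intranet web app needs only membership and risk.
POLICY = [
    Entitlement("db-prod:5432", frozenset({"dba"}), require_mfa=True,
                require_trusted_device=True, max_risk=30, hours=(6, 20)),
    Entitlement("intranet-web:443", frozenset({"staff", "dba"}), max_risk=70),
]

def check(req, ent):
    """Return the first risk condition of the entitlement that fails, or None."""
    conditions = [
        ("mfa_required", ent.require_mfa and not req.mfa),
        ("untrusted_device", ent.require_trusted_device and not req.device_trusted),
        ("risk_too_high", req.risk_score > ent.max_risk),
        ("outside_hours", not ent.hours[0] <= req.at.hour < ent.hours[1]),
    ]
    return next((name for name, failed in conditions if failed), None)

def evaluate(req, policy=POLICY):
    """Deny-by-default: grant only when a matching entitlement's conditions all hold."""
    failures = []
    for ent in policy:
        if ent.resource != req.resource or not (ent.groups & req.groups):
            continue
        why = check(req, ent)
        if why is None:
            return True, "granted"          # each request is evaluated afresh
        failures.append(why)
    return False, (failures[0] if failures else "no_entitlement")
```

A user who is not entitled to a resource gets the same "no_entitlement" denial as one whose conditions fail, so the resource is never confirmed to exist to them.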
Make the Move to ZTNA
Start small but think big when defining Zero Trust remote access security goals. Apply key learnings from the first use case to incremental enterprise-wide implementation. This ensures stakeholder support, better user adoption and minimal business disruption.
To aid in your Zero Trust security journey, find a trusted partner who has helped organizations of all types make the switch from VPN to ZTNA. Our leading Zero Trust Network Access solution, Appgate SDP, delivers the complete range of security capabilities:
- Control access with identity-centric micro-perimeters
- Secure access for all users, devices and hybrid workloads on a single platform
- Provide a seamless experience with concurrent access
- Make exposed ports invisible to reduce your attack surface
- Restrict access for risky devices with posture checking
- Keep policies in sync with dynamic infrastructure
- Integrate secure access into the fabric of your organization with APIs