Chris Scheels, May 3, 2021
ZTNA Guide, Part 4: Top 5 ZTNA Implementation Considerations
This blog is the final installment of our 4-part guide to Zero Trust Network Access (ZTNA) implementation. Part 1 provides a ZTNA definition and general conceptual overview, then part 2 describes the different architectural approaches, and part 3 explains what you should look for in a ZTNA solution. This final installment reviews the top considerations you should keep in mind during ZTNA implementation.
As discussed in part 3, answering the fundamental questions of ZTNA implementation narrows down the list of ZTNA solutions and vendors that will meet your core requirements. From that shortlist, a number of additional considerations emerge that shape your specific ZTNA implementation process and its results.
Top 5 ZTNA Implementation Considerations
Exposing Ports or Hidden Infrastructure
Attack surface reduction is a critical component of Zero Trust Network Access and is the first line of defense against adversaries running port scans as part of reconnaissance campaigns. Your ZTNA solution should actively cloak your ports, making them—and the resources they allow entry to—invisible. This is achieved using single packet authorization (SPA), which uses proven cryptographic techniques to make internet-facing servers undetectable to unauthorized users. Only devices that have been seeded with the cryptographic secret will generate a valid SPA packet and subsequently, establish a network connection.
Your ZTNA solution should hide your entire infrastructure until properly authenticated access is granted.
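The gateway-side check described above, as an added illustration that is not Appgate's code: a device seeded with a per-device secret builds a small SPA packet (device id, random nonce, timestamp, HMAC tag), and the gateway only opens a connection for a packet whose tag verifies, whose timestamp is fresh and whose nonce has not been seen. Everything else is silently dropped, so a port scanner that does not hold the secret gets no response. Packet layout, field sizes and the replay window are assumptions for this example.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# Constructed example secret that an enrollment step would seed onto the device.
DEVICE_SECRETS = {"laptop-001": hashlib.sha256(b"example-enrollment-secret").digest()}
REPLAY_WINDOW = 30              # seconds a packet counts as fresh (assumption)
seen_nonces = set()             # nonces already accepted inside the window

def _now(now: Optional[float]) -> int:
    return int(time.time() if now is None else now)

def build_spa_packet(device_id: str, secret: bytes, now: Optional[float] = None) -> bytes:
    """Client side: device_id(16) || nonce(16) || timestamp(8) || HMAC-SHA256 tag(32)."""
    did = device_id.encode().ljust(16, b"\0")
    nonce = os.urandom(16)
    ts = struct.pack("!Q", _now(now))
    tag = hmac.new(secret, did + nonce + ts, hashlib.sha256).digest()
    return did + nonce + ts + tag

def verify_spa_packet(packet: bytes, now: Optional[float] = None) -> bool:
    """Gateway side: True only for an authentic, fresh, never-seen packet; otherwise drop."""
    if len(packet) != 16 + 16 + 8 + 32:
        return False
    did, nonce, ts_bytes, tag = packet[:16], packet[16:32], packet[32:40], packet[40:]
    secret = DEVICE_SECRETS.get(did.rstrip(b"\0").decode(errors="replace"))
    if secret is None:
        return False                       # unknown device: no secret, no answer
    expected = hmac.new(secret, did + nonce + ts_bytes, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False                       # forged or wrong-secret packet
    if abs(_now(now) - struct.unpack("!Q", ts_bytes)[0]) > REPLAY_WINDOW:
        return False                       # stale packet
    if nonce in seen_nonces:
        return False                       # replayed packet
    seen_nonces.add(nonce)
    return True
```

In a real deployment the gateway would run this check from a firewall hook before any listener is reachable and would age entries out of the nonce set once they fall outside the window.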
Dealing with Device and User Risks
Access control granularity is a crucial feature of ZTNA and should be a focus during implementation. Based on risk level, ZTNA can surgically remove access to specific critical or privileged resources, blocking only what the organization's risk requirements demand. This is in stark contrast to traditional tools with an all-or-nothing approach to access, which can cut a user off entirely, stall work and create headaches for your help desk. Instead, ZTNA's precision-based approach weighs user, device and context factors when making critical access control decisions. Ultimately, tailored risk management controls determine the next course of action.
These decisions typically revolve around risky users and devices. A person might behave in a suspicious way, such as logging in at 2 a.m. when the workday is 9 to 5. Does this mean the user’s account has been compromised or are they just working late? A fine-grained ZTNA policy calibrates and grants appropriate entitlements based on limiting risk. For example, suppose a user is not behaving as expected. ZTNA can automatically restrict access to all but the most basic digital assets, such as email, but prevent the user from accessing sensitive data or resources until the security team can determine if the user presents a greater risk. Devices are handled in a similar way. If an infected or stolen device exhibits suspicious behaviors, the ZTNA solution can dynamically restrict access to minimize risk exposure from a potentially compromised device.
ZTNA implementation makes it possible to create dynamic policies that are automatically calibrated to risk—an essential security measure for distributed workforces.
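A policy engine sketch for the behaviour described in this section, added here as an example and not taken from Appgate SDP: the login time, device posture and an anomaly score are combined into a risk level, and each level maps to a narrower entitlement set (off-hours login keeps basic assets such as email but loses sensitive data; a flagged device loses everything) together with the reasons a security team would need to triage. Resource names, tiers and thresholds are assumptions for this example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Set, Tuple

# Constructed resource tiers (assumed names, not a real inventory).
BASIC_RESOURCES = {"email", "intranet-wiki"}
SENSITIVE_RESOURCES = {"finance-db", "source-repo", "hr-records"}
WORKDAY_HOURS = range(9, 17)          # 09:00 to 16:59 is in-hours (assumption)

@dataclass
class AccessContext:
    user: str
    login_time: datetime
    device_compliant: bool            # posture/EDR check passed
    device_flagged: bool = False      # reported infected or stolen
    anomaly_score: float = 0.0        # 0.0 (normal) .. 1.0 (highly unusual behaviour)

def assess_risk(ctx: AccessContext) -> Tuple[str, List[str]]:
    """Return (risk level, reasons). Levels: low < elevated < high < critical."""
    reasons = []
    if ctx.device_flagged:
        reasons.append("device flagged as compromised or stolen")
        return "critical", reasons
    if not ctx.device_compliant:
        reasons.append("device failed posture check")
    if ctx.anomaly_score >= 0.7:
        reasons.append(f"anomaly score {ctx.anomaly_score:.2f} >= 0.70")
    if reasons:
        return "high", reasons
    if ctx.login_time.hour not in WORKDAY_HOURS:
        reasons.append(f"login at {ctx.login_time:%H:%M} is outside the 09:00-17:00 workday")
    if ctx.anomaly_score >= 0.4:
        reasons.append(f"anomaly score {ctx.anomaly_score:.2f} >= 0.40")
    return ("elevated", reasons) if reasons else ("low", reasons)

def entitlements(ctx: AccessContext) -> Tuple[str, Set[str], List[str]]:
    """Map risk to an entitlement set: trim access surgically instead of all-or-nothing."""
    level, reasons = assess_risk(ctx)
    allowed = {
        "low": BASIC_RESOURCES | SENSITIVE_RESOURCES,
        "elevated": set(BASIC_RESOURCES),       # the 2 a.m. case: email stays, sensitive data goes
        "high": {"email"},                      # pending security-team review
        "critical": set(),                      # potentially compromised device: nothing
    }[level]
    return level, allowed, reasons
```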
“Up Rules” vs. “Down Rules”
Access requirements can get complicated as enterprises are complex entities with unique circumstances, requirements and regulations. Many ZTNA solutions work well in use cases that require user/device policies called “up rules” for resource interactions, such as when a user’s mobile device needs to access a database.
However, most sophisticated security teams also have to support the opposite: “down rules” that deal with interactions between a server, service or resource “down” to the user device. Remote desktop support and centralized endpoint protection platforms (EPP) are good examples as they must securely update clients. This is also the case for Voice over IP (VoIP), where access control must flow in both directions.
Remember: All ZTNA solutions support “up rules,” but not all support “down rule” policies. If you require “down rules” today, or expect to as part of your Zero Trust implementation strategy, look for a ZTNA platform that supports both.
Broader Security Ecosystem Integration
A solution like ZTNA will invariably be part of a much broader, cohesive collection of tools that comprises an organization’s cybersecurity and IT operation. ZTNA doesn’t operate in a silo ... at least, it shouldn’t. During the ZTNA implementation, it needs to integrate with threat intelligence tools, security information and event management (SIEM) solutions, endpoint detection and response (EDR) platforms, IT service management (ITSM) solutions and more.
Integrating ZTNA requires a programmable and extensible solution. In particular, the ZTNA platform needs APIs that can connect with other solutions or scripting capabilities to enable bi-directional interoperation with the broader security ecosystem. It’s even possible to achieve “security-as-code” leveraging some ZTNA solutions. In this scenario, reference code is stored in a secure repository such as GitHub and used to configure, manage and run all ZTNA operations. Running ZTNA-as-code can scale or deploy new infrastructure and configure all access policies and entitlements. This provides more agility and supports rich integrations.
ZTNA implementation does not require a rip-and-replace of your entire security stack. Instead, when you implement ZTNA, it should be fully integrated into the broader ecosystem.
Scalability
Scalability should be a major consideration with ZTNA implementation. While it is a best practice to start with a single use case and deploy ZTNA incrementally, at some point the solution must handle the organization’s full access control load. It must also be ready to absorb increased load within an expanding footprint, whether planned or unforeseen. The ZTNA solution you choose can’t become a bottleneck in network access or a drag on performance. A complete ZTNA solution scales up linearly to manage the entire enterprise employee base for all applications across your network and cloud ecosystem.
The pandemic has made it clear that ZTNA scalability is a non-negotiable requirement. It must support remote users, new devices and applications, even when these needs arise unexpectedly.
Getting Started with Your ZTNA Implementation
ZTNA offers a proven way of managing access control in the distributed modern world. It augments, and at times supplants, legacy “connect first, authenticate second” approaches to network and application access. ZTNA implementation involves considering your current and anticipated security and IT ecosystem and resulting platform requirements. Robust solutions such as Appgate SDP prove enterprises can address all the top considerations and implement ZTNA to achieve a scalable and sustainable high-security posture.
ZTNA must be viewed as more than just a component of cybersecurity. It is also a driver of digital transformation. At the same time, it’s important to understand the different flavors of ZTNA available, their benefits and how they work into your organization's long-term security and IT vision.
Next Step: Implement ZTNA with a Trusted ZTNA Vendor
When evaluating vendors to implement ZTNA, ensure all your organization's current and future needs can be met by the ZTNA solution they offer. According to Gartner's How to Select the Right ZTNA Offering report, "organizations typically start by evaluating ZTNA vendor capabilities and ignore the broader alignment to strategy and use cases. Organizations that start this way tend to run into ZTNA implementation roadblocks due to configuration challenges or a suboptimal ZTNA offering selection."
Here are key features to look for in advanced ZTNA vendors:
- Full Zero Trust access across the corporate network: Remote and in-office users; BYOD, corporate-issued and IoT devices; cloud-native, legacy on-premises and traditional cloud workloads; campus networks
- Single packet authorization (SPA): Cloaking ports makes them invisible to any user or device on the network and reduces the attack surface, limits lateral movement and protects valuable resources
- Concurrent access: enables users to access resources in multiple environments without logging in and out of various access solutions
- Micro-perimeters: Identity-centric role, time, date, location and device posture factors to inform least privilege access entitlements
- Robust APIs: Integration with existing systems can promote automation, enforce risk-based access and break down silos
Why Trust Appgate SDP for Your ZTNA Implementation?
Appgate SDP is an industry-leading, enterprise-grade Zero Trust Network Access solution that can be deployed as a service and brings Zero Trust to the cloud. Benefits include:
- Strengthened security
- Reduced complexity
- Improved end-user experience
- Streamlined automation
Appgate SDP was positioned highest for current offering in the 2021 Forrester ZTNA New Wave. And in the Nemertes Real Economic Value study, Appgate SDP customers reported a 119% average increase in accelerated digital transformation initiatives, a 9.5 out of 10 rating for “most strategic to Zero Trust” and an average 66% reduction in help desk tickets. We regularly hold live demos of the Appgate SDP solution, so come see the benefits first-hand by registering here.