
7 Top Questions to Ask to Find the Best Zero Trust Network Access (ZTNA) Solution

By Patrick Durand

Finding the best Zero Trust Network Access solution for your business starts with a deeper understanding of your Zero Trust strategy.

You can get started by reviewing the 7 questions below that will help you identify your long-term goals and the ideal ZTNA partner to support you:

1. How will multiple distinct identity providers be managed?

Consolidating identity providers is the goal of any large company, but it is a very complex and challenging project. The reality is that most companies are dealing with multiple identity stores. These providers can contain different users hosted in various locations that support different technologies. The best Zero Trust Network Access solutions can work with all different identity providers and their directories to reduce complexity and provide users with a seamless experience.

2. What is your Zero Trust roadmap?

Another question to ask when embarking on a ZTNA journey is "What do we want to protect?" Most organizations take an incremental approach to ZTNA, so the answer will likely evolve as implementation progresses … and you'll want to avoid over-tooling. In the early stages, the best Zero Trust Network Access solution can secure a limited set of digital assets for a defined user group or role, or it can focus on an area like finance and then expand from there. It is essential to consider the future state of your Zero Trust roadmap so that the ZTNA solution selected for initial use cases can support your future needs. For example, many ZTNA solutions are designed for remote access only. The best ZTNA solutions offer a unified access approach to remote access, local access and even server-to-server.

3. Where do your resources reside?

While the common practice is to start small and then expand, knowing where everything is located at the beginning makes for a smoother transition. For example, are your digital assets on-premises, in data centers, in one or more clouds, or a hybrid combination of all three? Knowing the answers can impact which ZTNA solutions can be implemented and how they are implemented. Ultimately, you may need a unified private access solution that enforces ZTNA policies in a complex hybrid IT environment.

4. How do you want to deploy?

Before adopting ZTNA, it is essential to decide on deployment options. Some solutions are vendor-hosted as a service, while others are self-deployed and some offer a hybrid approach or option. This will affect the variety of ZTNA solutions you can choose from. It is important to consider whether it makes sense to have full control over the ZTNA deployment or whether it would be better to let the vendor manage the ZTNA infrastructure due to resource constraints or internal skill limitations.

5. Which network traffic streams need to be secured?

To which traffic streams do you intend to apply Zero Trust secure access methodologies: north/south, east/west, or both? What is most critical at your current stage of the Zero Trust journey? Most long-term Zero Trust journeys eventually cover all traffic flows through the network, building a true Zero Trust café-style network and then applying the principle of least privilege to client-to-server, server-to-server and service-to-service traffic. Service-to-service refers to machines that communicate with each other without a user driving the interaction (e.g. microservices that call each other's APIs). This type of traffic flow must still comply with Zero Trust principles, so that if a machine is compromised there is a much smaller chance of lateral movement within the network.

6. Ultimately, network traffic flow will affect your ZTNA architectural choices.

Some ZTNA solutions only protect north/south traffic, others only east/west. If your digital asset protection needs to cover both east/west and north/south traffic, select a ZTNA architecture that supports both flows with a robust, unified policy engine.
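To make questions 5 and 6 concrete, here is an added example (not code from the original post or from SAFEWAY) of a tiny unified policy engine: one identity-based, default-deny rule set decides both north/south (user to service) and east/west (workload to workload) flows, and a helper computes how far an attacker holding a compromised identity could move laterally through allowed flows alone. All identities, ports and policy entries are constructed for illustration.

```python
"""Added example: unified, default-deny ZTNA policy evaluation for both
north/south and east/west flows, plus a lateral-movement blast-radius check.
Identities and policy entries below are constructed, not real systems."""
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str   # caller identity: "user:<name>" or "svc:<workload>"
    dst: str   # target workload identity, e.g. "svc:ledger-db"
    port: int

# Constructed policy: (source identity, destination identity, port).
# Anything not listed is denied, regardless of which direction it flows.
POLICY = {
    ("user:alice", "svc:finance-web", 443),        # north/south
    ("svc:finance-web", "svc:finance-api", 8443),  # east/west
    ("svc:finance-api", "svc:ledger-db", 5432),    # east/west
    ("svc:monitoring", "svc:finance-api", 9100),   # east/west
}

def direction(flow: Flow) -> str:
    """North/south when a user identity is the caller, east/west otherwise."""
    return "north/south" if flow.src.startswith("user:") else "east/west"

def is_allowed(flow: Flow) -> bool:
    """Single decision point for both directions: explicit allow, else deny."""
    return (flow.src, flow.dst, flow.port) in POLICY

def reachable_from(identity: str) -> set[str]:
    """Transitive set of workloads reachable from `identity` via allowed flows,
    i.e. the lateral-movement blast radius if that identity is compromised."""
    seen: set[str] = set()
    frontier = [identity]
    while frontier:
        current = frontier.pop()
        for src, dst, _port in POLICY:
            if src == current and dst not in seen:
                seen.add(dst)
                frontier.append(dst)
    return seen

if __name__ == "__main__":
    probe = Flow("svc:monitoring", "svc:ledger-db", 5432)
    print(direction(probe), "allowed:", is_allowed(probe))
    print("blast radius of svc:monitoring:", sorted(reachable_from("svc:monitoring")))
    print("blast radius of svc:ledger-db:", sorted(reachable_from("svc:ledger-db")))
```

Comparing the blast radius of a leaf workload with that of a workload that holds several east/west allows shows why per-flow least privilege, not just a north/south gateway, limits lateral movement.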

7. What types of applications need to be secured?

Many of today's businesses run critical systems that are dated or heavily customized, so replacing them is an expensive and resource-intensive project. This is particularly true in finance, government and other industries where organizations have built their operations around legacy applications. This is an issue for some ZTNA solutions, because these legacy systems may not support SAML (Security Assertion Markup Language) or other modern authentication methods. Some ZTNA solutions are only built for HTTP/HTTPS and sometimes Secure Shell (SSH). However, those protocols only cover web-based applications, not legacy and custom applications. To avoid this gap, the best Zero Trust Network Access solution will include broad protocol support.

“Implementing Zero Trust is not a 'ready to use' project. It's an ongoing journey toward strong, adaptable, risk-based access controls built into the distributed, agile and hybrid IT framework.”

— Patrick Durand is Cybersecurity Senior Manager at [SAFEWAY]


About [SAFEWAY]

[SAFEWAY] can help your organization define the controls necessary to protect personal data by validating its level of adherence and maturity against the requirements of the GDPR (General Data Protection Regulation) and the LGPD (General Data Protection Law), considering the business environment in which it operates and identifying the main action plans needed to comply with regulatory requirements, aiming at process improvements and gains for the organization.