As enterprises look into the future of a post-pandemic environment, many CIOs recognize the need for a better strategy that supports a remote and hybrid workforce. While many switched to a work-from-home model as a response to the pandemic, more than 50% of employees want to continue working from home permanently.
Until recently, the standard way to secure remote access to enterprise networks has been the virtual private network (VPN), which acts as a tunnel back to the company network. A VPN, however, typically authenticates the user once at connection time and then places the device on the internal network, giving it broad network-level reach rather than access to specific applications. With a distributed remote workforce, those limitations become security risks. So, what is the better way to secure your network and provide access to applications no matter where employees work from? That would be zero-trust network access (ZTNA).
CIOs see the value of ZTNA in giving the enterprise the security it needs while supporting a modern workforce. ZTNA is the future of enterprise remote access. Forecasts suggest that within the next year, 60% of enterprises will phase out traditional VPNs in favor of a ZTNA model, yet to date only 15% of organizations have completed a transition to a zero-trust security model. Let's take a closer look at the two ZTNA models and why the future is bright for zero-trust network access.
Client-Initiated Or Endpoint-Initiated ZTNA
The first zero-trust network access model is known as endpoint-initiated or client-initiated ZTNA. This model is software-defined and follows the Cloud Security Alliance's Software Defined Perimeter (SDP) architecture, in which an agent on the device establishes a secure tunnel to the enterprise. The agent gathers the context of each access request, such as the user's identity, the device's location and security posture, the network it is connected from, and the application being requested, and that context is evaluated against the organization's policy. If the request meets policy, the connection is brokered through a proxy to that one application only; the device never receives general network access, and a request that fails policy is denied. The beauty of this model is that applications can be on-premises or cloud-based Software-as-a-Service (SaaS).
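The per-request policy evaluation described above, as an added illustration that is not Fortinet's code or any vendor's ZTNA implementation. The application catalogue, group names, posture fields and sample requests are assumptions constructed for the demo; the point it shows is that the decision is made per application from identity, authentication state and device posture, that the default is deny, and that being on the corporate network is only a logged signal rather than a grant of access.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    """Context an endpoint agent would collect for one access attempt."""
    user: str
    groups: frozenset
    mfa: bool             # strong authentication completed for this session
    device_managed: bool  # agent present and device enrolled
    disk_encrypted: bool
    os_patched: bool
    source_ip: str
    app: str


@dataclass(frozen=True)
class Decision:
    allow: bool
    reasons: tuple


# Hypothetical application catalogue: app -> (group that may use it, sensitivity).
APP_POLICY = {
    "wiki": ("employees", "low"),
    "hr-portal": ("hr", "high"),
    "erp": ("finance", "high"),
}

# Hypothetical corporate address space. Being inside it is recorded for the
# audit trail only; it never substitutes for identity or posture checks.
CORPORATE_NETS = (ipaddress.ip_network("10.0.0.0/8"),)


def on_corporate_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def decide(req: AccessRequest) -> Decision:
    """Evaluate one request against policy. Unknown apps and any failed check deny."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return Decision(False, ("unknown application; default deny",))
    group, sensitivity = policy
    reasons = []
    if group not in req.groups:
        reasons.append(f"user {req.user!r} is not in group {group!r}")
    if not req.mfa:
        reasons.append("strong authentication not completed")
    if sensitivity == "high":
        # Sensitive applications are only reachable from a managed device
        # whose posture the agent can vouch for.
        if not req.device_managed:
            reasons.append("high-sensitivity app requires a managed device")
        elif not (req.disk_encrypted and req.os_patched):
            reasons.append("device posture unhealthy (encryption or patch level)")
    if reasons:
        return Decision(False, tuple(reasons))
    where = "corporate network" if on_corporate_network(req.source_ip) else "off network"
    return Decision(True, (f"identity, authentication and posture checks passed ({where})",))


# Constructed sample requests for the demo.
SAMPLE_REQUESTS = {
    "alice-erp-managed": AccessRequest("alice", frozenset({"employees", "finance"}),
                                       True, True, True, True, "203.0.113.5", "erp"),
    "alice-erp-unmanaged": AccessRequest("alice", frozenset({"employees", "finance"}),
                                         True, False, False, False, "203.0.113.5", "erp"),
    "alice-wiki-unmanaged": AccessRequest("alice", frozenset({"employees", "finance"}),
                                          True, False, False, False, "203.0.113.5", "wiki"),
    "bob-wiki-on-lan-no-mfa": AccessRequest("bob", frozenset({"employees"}),
                                            False, True, True, True, "10.1.2.3", "wiki"),
    "bob-hr-portal": AccessRequest("bob", frozenset({"employees"}),
                                   True, True, True, True, "10.1.2.3", "hr-portal"),
}


def run_demo() -> dict:
    """Return {label: allow} for the sample requests and print the reasons."""
    results = {}
    for label, req in SAMPLE_REQUESTS.items():
        d = decide(req)
        results[label] = d.allow
        print(f"{label:24} {'ALLOW' if d.allow else 'DENY ':5} {'; '.join(d.reasons)}")
    return results


if __name__ == "__main__":
    run_demo()
```

Note what the sample output demonstrates: the same user is allowed into the low-sensitivity wiki from an unmanaged device but denied the ERP system from that device, and a user sitting on the corporate LAN without completing strong authentication is denied even a low-sensitivity app. A real deployment would feed the posture fields from the agent and the group claims from the identity provider rather than constructing them inline.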
While this model provides greater security than a VPN, it comes with its own set of challenges. Managing the agents on devices becomes a chore for the IT department unless a central management solution coordinates deployment, configuration and updates. Unmanaged devices, which cannot run the agent, need to be handled by other means, such as network access control (NAC).
The Service-Initiated Or Application-Initiated ZTNA Model
The service-initiated model, also known as application-initiated ZTNA, uses a reverse proxy architecture modeled on Google's BeyondCorp approach. The biggest difference from client-initiated ZTNA is that this model does not require an endpoint agent. Instead, a lightweight connector deployed alongside the application makes an outbound connection to the ZTNA provider, and the user authenticates to the provider through a standard browser; the provider validates the user against the enterprise identity provider and proxies the session to the application. Because there is no agent, the risk assessment relies on identity and on what can be observed from the browser session, so it has far less visibility into device posture than the client-initiated model.
Because the connector sits next to the application, service-initiated ZTNA can front both on-premises and cloud-hosted applications, so the limitation is not where the application lives but how it talks. The reverse proxy handles application protocols based on Hypertext Transfer Protocol (HTTP)/Hypertext Transfer Protocol Secure (HTTPS), which limits the approach to web applications and to protocols such as Secure Shell (SSH) or Remote Desktop Protocol (RDP) only when they are carried over HTTP by a browser-based gateway. Because of this shortfall, at this time the service-initiated model is not the best option if your enterprise runs a mix of web and non-web applications across hybrid cloud and on-premises environments.
The Future With ZTNA
The first step in implementing a complete zero-trust solution is addressing the need for secure remote access. ZTNA can be applied to remote users, home offices, and other locations by offering controlled remote access to applications that is easier and faster to initiate while providing granular, per-application access controls rather than the network-level access of a traditional VPN.
Establishing a zero-trust model across vendors can be difficult, as components often run on different operating systems and use different consoles for management and configuration. Selecting integrated and automated tools helps overcome these challenges. An integrated, firewall-based approach that delivers ZTNA as part of a SASE strategy allows a single management plane and a single application policy to apply whether your users are on or off the network.
Fortinet ZTNA Solution Improves Your Enterprise Cybersecurity
With remote work here to stay, it is clear that a traditional VPN approach is no longer enough to provide your enterprise with adequate security. ZTNA solutions are a better way to secure access, no matter where your employees are, and improve controls around application access. To learn how Fortinet can provide your enterprise cybersecurity strategy with the best ZTNA model, contact WEI today.
Next Steps: Download our executive brief, “Critical Success Factors Of An Integrated Security Strategy.”