For the Hybrid Workforce, SASE-Delivered Zero Trust Is a Must

In the early days of the pandemic, organizations relied on virtual private networks (VPNs) to link remote employees to their networks. However, legacy VPNs don’t provide the most efficient way to connect to network assets. And now that we’re in the age of the hybrid workforce, organizations are looking for a better and more comprehensive approach to securing their work-from-anywhere (WFA) employees.

Enter secure access service edge (SASE), which combines SD-WAN functionality with cloud-delivered security to apply enterprise-grade protections across all network edges and to secure WFA users.

SASE protects users regardless of location through zero-trust network access (ZTNA), an access control method that provides access via continuous, session-based identification and authentication. For many organizations, leveraging ZTNA to protect WFA users was a primary motivation for adopting SASE, and this continues to be a driving factor for SASE adoption.

Explicit Verification with ZTNA

When a user is off-site and employing a legacy VPN connection, they are provided with an encrypted tunnel to an edge of the network. Unfortunately, the VPN permits the user unfettered access to the entire network. This means that if an attacker steals log-in credentials, they can access the entire network. With a ZTNA solution, the user gets an encrypted tunnel directly to the application, but only after it explicitly verifies who the user is. And the access is only granted for that particular session.

In short, ZTNA does not permit wide access to the network and continuously verifies the user.

Access is granted based on the role and the identity of the user. ZTNA also checks that users and devices are in a good and appropriate state, considering factors such as time of day, geolocation, and other conditions, before granting access to that particular application. As a key component of SASE, ZTNA provides a much higher level of cybersecurity and reduces risks for WFA users and their organizations.

The Rise of Universal ZTNA

As ZTNA adoption has grown, more enterprises have understood its benefits and realized that granular, session-based access is important for all employees, not just remote workers. It should be applied across entire networks. This approach is called Universal ZTNA.

ZTNA is usually the first project that brings zero-trust principles into an organization. This is a big step forward. An organization will often add more zero-trust solutions to address the broad attack surface of application access. If you think about it, your data is delivered through those applications. So, you’re also applying zero-trust principles to data protection.

Universal ZTNA addresses the shortcomings of VPN security and significantly reduces risk around the most common thing that employees are doing—using applications. It seems organizations everywhere are talking about zero trust and wondering how they can bring more zero-trust security into their organization.

We are seeing the benefits that come with ZTNA apply across all the industries that deploy it. This has led to its strong adoption by government agencies, financial institutions, service providers, manufacturing firms, and education environments.

Because of its strengths, ZTNA is where the market is going. It’s a driving force toward SASE adoption. For those looking to improve their WFA users’ access and security in general, ZTNA is the right next step.

Common Challenges

The most demanding aspect of deploying ZTNA is not particularly difficult. It’s just that because ZTNA is delivering granular access, the IT team needs to go application by application to create specific access policies for each. Creating each policy isn’t hard and doesn’t take much time, but there are a lot of them to handle. It’s administratively burdensome.

Your IT organization can prioritize which applications it wants to look at first. Typically, organizations start with their high-priority applications and define the policies for them. They learn how to configure ZTNA and how to get that application and its access working. At that point, they have both VPN and ZTNA networks available to them.
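The two ideas above, explicit per-session verification of identity, role, device state, time of day and geolocation, and the per-application policies that the IT team has to write one at a time, are easy to see in code. The following is an added example written for this page; it is not Fortinet or FortiSASE code and does not model any vendor's API. The application names, roles, posture fields, countries and policies are constructed assumptions. It shows why a stolen credential alone does not open "the entire network": each application has its own policy, a missing policy means deny, and a granted session expires and is re-verified rather than living as long as a VPN tunnel.

```python
"""Illustrative ZTNA policy evaluator (added example, not vendor code).

Models the two properties the article contrasts with a legacy VPN:
  * access is decided per application, not per network, and
  * each decision is bound to a short-lived session, so it is re-evaluated
    continuously rather than granted once at tunnel setup.
All names, roles, posture fields and policies are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Identity:
    user: str
    roles: frozenset        # roles asserted by the identity provider
    mfa_verified: bool      # explicit verification at session start


@dataclass(frozen=True)
class Device:
    managed: bool           # enrolled with endpoint management
    disk_encrypted: bool
    country: str            # geolocation as resolved by the access proxy


@dataclass(frozen=True)
class AppPolicy:
    """One per-application policy: the 'application by application' work."""
    app: str
    allowed_roles: frozenset
    require_mfa: bool = True
    require_managed_device: bool = True
    allowed_countries: frozenset = frozenset()   # empty = any country
    allowed_hours_utc: tuple = (0, 24)           # [start, end)
    session_ttl: timedelta = timedelta(minutes=30)


@dataclass
class Session:
    user: str
    app: str
    expires_at: datetime

    def valid(self, now: datetime) -> bool:
        return now < self.expires_at


def evaluate(policy, ident, device, now):
    """Return (granted, reason). Every check is explicit; failing any one
    denies access to this application only, never to 'the network'."""
    if policy.require_mfa and not ident.mfa_verified:
        return False, "mfa_required"
    if not (ident.roles & policy.allowed_roles):
        return False, "role_not_permitted"
    if policy.require_managed_device and not (device.managed and device.disk_encrypted):
        return False, "device_posture"
    if policy.allowed_countries and device.country not in policy.allowed_countries:
        return False, "geolocation"
    start, end = policy.allowed_hours_utc
    if not (start <= now.hour < end):
        return False, "outside_allowed_hours"
    return True, "ok"


def access(policies, session_store, ident, device, app, now):
    """Broker one access attempt: reuse an unexpired session for this user+app,
    otherwise re-run verification. An expired session is discarded, not renewed."""
    key = (ident.user, app)
    sess = session_store.get(key)
    if sess and sess.valid(now):
        return True, "session_reuse"
    session_store.pop(key, None)
    policy = policies.get(app)
    if policy is None:
        return False, "no_policy_for_app"    # default deny for unpoliced apps
    granted, reason = evaluate(policy, ident, device, now)
    if granted:
        session_store[key] = Session(ident.user, app, now + policy.session_ttl)
    return granted, reason


# ---- constructed sample data (assumptions, not real policies) ----
POLICIES = {
    "payroll": AppPolicy("payroll", frozenset({"finance"}),
                         allowed_countries=frozenset({"US", "CA"}),
                         allowed_hours_utc=(6, 20)),
    "wiki": AppPolicy("wiki", frozenset({"staff", "finance"}),
                      require_managed_device=False),
}
ALICE = Identity("alice", frozenset({"finance"}), mfa_verified=True)
ALICE_NO_MFA = Identity("alice", frozenset({"finance"}), mfa_verified=False)
BOB = Identity("bob", frozenset({"staff"}), mfa_verified=True)
MANAGED_US = Device(managed=True, disk_encrypted=True, country="US")
MANAGED_XX = Device(managed=True, disk_encrypted=True, country="XX")
UNMANAGED_XX = Device(managed=False, disk_encrypted=False, country="XX")


def at_utc(hour, minute=0):
    """Fixed-date UTC timestamp so the example is deterministic."""
    return datetime(2024, 1, 1, hour, minute, tzinfo=timezone.utc)


def shift(dt, minutes):
    return dt + timedelta(minutes=minutes)


if __name__ == "__main__":
    store = {}
    for who, dev, app, when in [(ALICE, MANAGED_US, "payroll", at_utc(10)),
                                (ALICE, MANAGED_US, "payroll", at_utc(10, 31)),
                                (ALICE, UNMANAGED_XX, "payroll", at_utc(10)),
                                (BOB, MANAGED_US, "payroll", at_utc(10))]:
        print(who.user, app, access(POLICIES, store, who, dev, app, when))
```

The `access` function is the broker a ZTNA proxy sits in front of every application with: a valid session is reused, anything else goes back through `evaluate`, and an application nobody has written a policy for is denied by default. That default is what makes the gradual, application-by-application rollout safe: moving an app under ZTNA control only ever narrows access.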

ZTNA at Fortinet

As organizations add more applications to their ZTNA controls, they will eventually get to the point where all their application access is controlled by ZTNA. At this point, VPN effectively just sits in the background, not being used. This is the current dynamic at Fortinet. We’ve rolled out ZTNA over several months and we now have the vast majority of our applications utilizing ZTNA processes.

We don’t have 100% of our applications using ZTNA—and we probably never will—because some applications are not frequently used nor used by many people. However, for common applications that are important to the organization, adding them is a simple process.

Deploying FortiSASE ZTNA

IT organizations can deploy FortiSASE ZTNA whenever they have the time. Fortunately, it’s not a flip-the-switch, cross-your-fingers-on-Monday exercise where you hope everybody still has access to their applications. It’s a much more gradual, very controlled, easy-to-manage process that gets organizations onto a zero-trust footing. It’s done in a way that ensures everyone maintains the network connectivity they need with the cybersecurity that they should have.

For those searching for VPN replacement solutions, Fortinet certainly has a great one.

Written By Peter Newton