HITS

Palo Alto Networks Webinar: Why Your Organization Should Shift From VPNs to ZTNA

Today’s hybrid work model has forced organizations to take a hard look at traditional remote access approaches and, as a result, a growing number of them are turning to zero trust network access (ZTNA) as the replacement for legacy remote access virtual private networks (VPNs), according to Palo Alto Networks and Forrester Research.

ZTNA “might help you out” with your organization’s security strategy and “there’s a lot of buzz on this topic” now, Ashwath Murthy, senior director of product management at Palo Alto Networks, said Feb. 22, during the webinar “Frustrated With VPN? Meet ZTNA. A Conversation Featuring David Holmes, Forrester Research,” presented by Palo Alto Networks.

Noting it’s been nearly two years since mid-March 2020, when many people started working from home, Holmes, a senior analyst at Forrester who focuses on security and risk, said he received maybe 100 calls in the first few months of the pandemic complaining about issues with their companies’ VPNs.

“Ultimately, the problem was our VPNs do not seem to be designed in a way that facilitates a mass remote work situation,” he said. A lot of people experienced bandwidth and latency problems, as well as issues with timing out – “lots of performance stuff,” he noted.

What he tried to tell everybody was “the way out of this is actually not more VPNs; the way out of this is ZTNA,” he told viewers.

He “took a snapshot” of the kinds of specific client inquiries he heard in the fourth quarter of 2020, “in the thick of the pandemic,” and what most clients were asking about was either replacing VPNs with ZTNA or the larger shift to cloud-delivered security services, he said.

“Those kind of conversations were almost more than all other conversations combined,” he noted.

That was in stark contrast to the early days of the pandemic, when he told clients that the way to go would be shifting to ZTNA, he recalled, saying: “They didn’t want to hear that. They just wanted me to help them fix their VPN in those early days.”

But clients became “much more open to this conversation” about shifting to ZTNA 3-6 months into the pandemic, he said.

Now, calls from clients saying their “hair is on fire have died down,” he noted. For many of those clients, the shift to ZTNA represented their “first taste” of the zero trust information model, he said.

With zero trust, all entities are considered untrusted unless “explicit trust” is established in a firm’s policy, least privilege access must be enforced, a breach through “malfeasance” in the network is assumed, and “we need to put machinery in place to monitor everything,” he pointed out.

The main problem with a VPN is that it gives too much access, with everybody having access to an organization’s network, including databases, its infrastructure and workstations, he noted. It is possible for somebody to “hack every server you find in there,” he said, pointing out the VPN itself is often compromised.

So, while VPNs were great 15-20 years ago, “there’s a better way now,” with ZTNA, he said, noting that, with ZTNA, users only get access to what they need to get access to and single packet authentication can prevent unauthorized users from even communicating with the zero trust gateway. ZTNA also blocks hackers from getting into an organization’s network entirely, he added.

He recalled that, early on in the pandemic, a client with a staff of about 100,000 people said their firm was only 5% remote before the pandemic started and that quickly shifted to 95% remote after the pandemic started.

When security experts were polled about the most important security service an organization can have, zero trust access was cited as the top priority, he said. A secure web gateway was number two on everybody’s list, he added.

As many more people return to the office, the remote worker has become king, a survey has shown, he said, noting 65% of those polled wanted 2-3 days of remote work of the 5-day work week, with only 25% expecting a full return to the office.

“It varies a little bit by vertical and by geography – but not much,” he said, repeating what he recalled the person who did the survey said the findings showed. After working from home for more than a year, many people realized they kind of liked it and wanted to keep doing it for 2-3 days a week.

The other 10% said “they’re never going back to the office – they’re just not – and if you try to make them, they’re going to work somewhere else where they don’t have to,” he said, noting he had “already seen multiple examples of this happening.”

What that indicates is that 75% of an organization’s workforce is going to be remote at least half the time, he said.

“The takeaway of that is whatever solution you put forth as far as securing and providing the capability for your remote workforce to work, that has to be your primary use case,” he said. “You can’t treat remote workers like they’re second-class citizens anymore,” he added, noting “that’s just not going to fly.”

Citing the findings of a Forrester poll, he said the most important capability that drove organizations to adopt the ZTNA solution was to support their remote workforce with higher security, selected as an important capability by 37 of the 43 people surveyed.

That was followed by supporting the remote workforce with better performance (cited by 26 respondents), moving away from the “backhaul” VPN for remote access (23) and moving to a zero trust edge or SASE architecture where security functions are cloud-delivered (19).

Asked by Forrester if their organizations had used VPNs for access but now used ZTNA, eight of the same respondents said the ZTNA solution will likely coexist with VPNs indefinitely at their organizations, he went on to say. “That’s actually bad” because ZTNA should replace VPNs, he said.

More promising survey findings were that six respondents said ZTNA replaced VPNs at their organizations, while five said ZTNA would replace VPNs at their organizations within a year, one did not use VPNs, and another one said ZTNA would replace VPN at their organization within three years.
