Analyst Chat

Analyst Chat #138: Jumpstart Your Zero Trust Strategy With Zero Trust Network Access (ZTNA) Solutions

Zero Trust is rapidly gaining popularity as a modern alternative to traditional perimeter-based security. While it is (rightfully) mainly considered a concept rather than a product, a new market segment has developed. Those solutions apply this concept to network-based access to existing applications and other systems by creating a logical identity- and context-based overlay over existing (and presumed hostile) networks. Alexei Balaganski has examined this new market for KuppingerCole Analysts research and talks to Matthias about how this can speed up ZT deployments. 

Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth, I'm Lead Advisor and Senior Analyst with KuppingerCole Analysts. My guest today is Alexei Balaganski. He is Lead Analyst with KuppingerCole Analysts. We have been talking just recently about the Feng Shui of Zero Trust and today we want to talk about Zero Trust again, but this time on the occasion of the publication of your Leadership Compass Zero Trust Network Access. But if I remember correctly, we said that Zero Trust is not a product, it's a concept. But now we are looking at a market segment Zero Trust Network Access. How does this work out? How does Zero Trust come into a market segment?

Well, first of all, hello, Matthias and thanks for having me again. And of course, welcome to all of our current and future viewers. Yes, my Leadership Compass on this topic Zero Trust Network Access was finally being published. It took an unusually long time and a little bit more effort than I initially anticipated. But now it's out. And I wholeheartedly recommend to everyone to sit in the subject to read it, because some of the findings are indeed very interesting. And yes, you're absolutely right. The topic of Zero Trust in general have been discussed to death, really. And yes, every time you have to explain to our potential customers or viewers that Zero Trust is not actually a product, you cannot buy Zero Trust, you have to build your own architecture. But with ZTNA we are actually coming as closest as possible to a turnkey Zero Trust solution, at least for a specific area of your IT infrastructure. So first of all, Zero Trust in a nutshell, do not trust anyone. Encrypt all of your connections, authenticate every access attempt, and basically enforce least privileged principle. So you should only be able to access exactly what you need to and nothing else, right? This is the whole idea of Zero Trust as a concept. Zero Trust Network Access, actually take this guidelines, this basic principles and apply them to a number of existing technologies which enforce these principles on to anyone, like a user device or servers, accessing a network based resource anywhere. And this is why it's extremely important because Zero Trust Network Access, among other interesting things, completely extracts the physical location of that resource meaning that you can easily access from home, or be in somewhere, in a coffee shop, on a flight, or in a different country. Which is exactly what the whole mankind actually needed desperately two years ago, when this whole COVID pandemic started, suddenly everyone was working from home. The existing VPNs just did not work anymore because VPNs don't scale, VPNs are insecure, and most importantly, they're extremely inconvenient. And ZTNA has promised a secure, convenient and really unlimitedly scalable alternative to VPNs.

Okay. So you already described the market segment a bit. It's about encryption, it's about authorization processes. It's authentication. But what constitutes a product that really fits into this market segment? What are the capabilities that are mandatory when it comes to saying, okay, this is a ZTNA product and how do they really look like?

Well, again, kind of fundamentally, every ZTNA solution has to implement this basic principle that any network is always considered hostile and untrusted. So every attempt to access anything over this network should be authenticated, secured, and then ideally also constantly validated, whether it's remains secured and authenticated. And as soon as you no longer need this access, it's just terminated as if it has never existed before. And of course, if a policy gives you access to a resource X, it absolutely does not give you access to any other resource unless it's explicitly specified in the same policy, right? As opposed to VPN, which basically gives you access to the whole subnetwork, over an existing LAN, for example. How do you do that? Well, first of all, since you cannot trust any existing network, you have to create a separate, isolated virtual overlay on top of this physical network. Usually, it's done with a combination of transport encryption. So anything that you send over the network is placed into an encrypted tunnel, usually within an existing protocol like WireGuard, which is known from VPNs, for example, or just TLS, the same protocol we use for our browser, for our secure browsing. And then of course you need a combination of software or hardware gateways or agents, basically endpoints which terminate those secure tunnels. So any time a user from a device wants to access a resource, there must exist this tunnel terminated between those two ends. And the additional idea in this tunnel is never incoming. It's always outgoing. And this help solve this remote access problem because usually the most routers or firewalls or any other network devices, they prohibit incoming request but will allow outgoing ones. So the idea is that you have two completely separated planes, if you will, one in the data plane, this virtual network overlay which actually transports your data and the other one is the control plane, which enables this policy management and enforcement and orchestration of those connections. So basically, usually this translates into a pretty simple idea that you establish one tunnel from the customer/client end, to somewhere, maybe an on-prem gateway or maybe a security cloud somewhere. And at the same time your ZTNA agent establishes another tunnel from the resource end and the platform takes care of connecting those two tunnels together. And as soon as this happens the traffic can flow, you can access your resource. And of course it's always combined with multi-factor authentication, user management in an existing directory, for example, Azure Active Directory or Okta or anything else. And of course it's usually combined with some network security tools to ensure that your connection is not only authenticated but even but also secure as it is clean from malware, safe from whatever security or compliance policies your organization has and so on. So for example, you might define the policy that only a device which is managed by your company, is allowed to connect to a resource at all, and it also has to have all the latest Windows updates, and it also has to have an active antivirus which reports that there are no malware on the device. And you should not be, let's say, in a hostile country in the moment. And for example, you can define additional policies like you can only access during the normal working hours and you have to actually be physically you on the other side because there is a biometric process which monitors your typing on your keyboard, which can tell whether it's you or a hacker impersonating you. And when you combine all these technologies, which have existed for probably a decade, into a single product and you make sure that this product can be deployed and scaled to every possible use case, on-prem, in the cloud or hybrid, you get a ZTNA product, which is basically a turnkey Zero Trust solution.

Well, this is fascinating because this would enable an organization to onboard its whole networking infrastructure onto this new type of solutions without making sure that any components need to be built separately. So, as you said, turnkey, but just one question that came across my mind just while we were talking, this is something that has been coined with the term SASE as well before. So providing a complete set of networking functionalities plus the security, plus the network as a whole and in one go, is this comparable? Is this different? Is this a subsegment?

Well, I think the original definition of SASE was, and it's Secure Access Service Edge, which is a technology deployed from the cloud and consumed from the cloud, and also provide a secure and manageable set of network and security capabilities. So, for example, a CASB or a firewall as a service (FWaaS) or some other security capability, next generation web gateway, whatever, there are so many acronyms available now which can be packed to that. But usually, until recently, private access solutions were not included under that banner. But of course now they are because many vendors have realized that their existing quote unquote security clouds are perfect for doing both of those technologies. But in this Leadership Compass we cover SASE as a nice to have add-on capability which is nevertheless not essentially required for a ZTNA solution. And there are some vendors which do both as well as there are vendors who only provide pure play secured access solutions.

Okay. When we look at that market segment and the vendors that are in there, as this is a new Leadership Compass, I assume this is something that we have done for the first time. So, that gave you the chance to underestimate the amount of work to be spent on that. What are the players that we look at when we are looking at this ZTNA Leadership Compass, are these the usual suspects when it comes to network security, providing functionality across the board or other surprises for you and also for me?

Well, first of all, you're absolutely right. This is a new area for KuppingerCole. So we had, of course, as usual, we have aspired to include every possible company in our rating, which we deemed worthy mentioning at all, which in total was about 30 different vendors. Unfortunately, not all companies probably know us well enough to jump on to the effort, to invest effort that they need from their site to participate in our rating. So in the end only have about 16 or 17 companies covered the rating and the rest are only mentioned briefly as Vendors to Watch, as it's traditional for our Leadership Compasses. Some of those companies are of course usual suspects like Google or Cisco or Broadcom, as large veteran vendors. Well, Google basically invented Zero Trust, back then, almost 15 years ago. But there are a lot of smaller, innovative startups which only usually do pure play secure network access. Some of those have actually existed before the term even emerged. They did what used to be called software defined perimeter, or application aware micro-segmentation or any other underlying technologies. But now basically they all have been combined with, as I mentioned earlier, strong authentication, monitoring, policy management, and they're all now being offered as ZTNA, Zero Trust Network Access solutions.

If we turn to leadership, there are these, again, the usual suspects that are capable of providing network segmentation, plus encryption, plus the agent technology on the clients. What would be a few of the leaders? Not to stress one individually, but to give an insight? What are the overall leaders when we look at that new ZTNA segment?

Well, one thing I wanted to highlight before we even jump into specific names is how diverse our rating in this particular market segment is. Basically normally we also measure a correlation between product capability and market presence and innovation with those further capabilities. And we expect those correlation factors to be predominantly high for a mature market. In this ZTNA market, it's like all over the place. It's a clear indicator that the market is not even immature, it's growing, it's an explosive piece. The situation changes probably every month, there are new capabilities emerging, there are new vendors moving out of stealch mode and so on. But of course, if you just focus on the high end of our rating among the overall leaders, we only see those large companies which actually have the resources and the technology to run huge global cloud infrastructures to be present at every city, in every country and so on, like Cloudflare for example, or Broadcom or Cisco or Palo Alto Networks or Google. Again, those are the companies are just big enough to be present, not just be present in every country, in every city, but actually be just like one network hop away from your local computer and this is one of the most important aspects of having the scalable and convenient remote access solution, low latency. And only a company that operates either their own security clouds or rents and a lot of resources from an existing public cloud can actually deliver that. But of course, there are use cases where you actually do not need a cloud presence or even you are actively discouraged from going into the cloud, for example, for compliance reasons. And this is a subsegment, if you will, where smaller startups dominate. A company which probably cannot connect 500,000 users together because they're too small for that, but they can connect your 5000 users in a day. And if this is what you're looking for, then you'll probably be more interested in checking that other end of our overall leadership, the smaller and innovative startups. And again, innovation is another rating which we measure separately. And it's amazing how many innovation leaders we had this time, because every vendor has something unique to offer which nobody else has come up with.

If I look at this from the advisory perspective, you've been looking at the market segment, at the diversity of the product, at the services that are around. From an advisory perspective, this sounds tempting to have a solution as you said, turnkey that you can move to, that you choose a solution and you move into that and you implement Zero Trust Network Access. But if you look at the lock-in aspect from your assessment, how difficult, once you've made that step into no matter which service, how difficult is it to get out again and to migrate or to coexist and to get hybrid when it comes to Zero Trust Network Architectures? Is this possible? Is this desirable? What is your opinion there?

If you are talking about potential of vendor locking, I'm pretty sure this is one of those areas where it doesn't matter that much because one of the great advantages of this whole market is that you do not need to invest into hardware or network infrastructure. Again, this is all virtual. This is all software defined, and even better policy defined. Unfortunately, we are not there yet, so we do not have a universal policy language. So you cannot just say, okay, I want to get out from the vendor X and go to vendor Y, so I'm just taking my rules with me and expect them to work flawlessly. This won't happen, but at least you're not losing anything. I mean, there is no hardware to abandon, no appliances, no network devices. You just basically have to create a new account and onboard your existing devices and services once again. And at a small scale at least, when it comes to dozens of applications and maybe like hundreds or thousands of users, this can be done in days. So that's not a challenge I want to think too much about. And of course, a much bigger challenge is, as you mentioned earlier, it's all about identities. So before you even jump into this, you have to have a reliable source of your identities, whether it's an on-prem directory or if it's some complicated cloud based solution, or even if it's something like turnkey, like Azure Active Directory, you still need one source of truth for your identities. And those ZTNA solutions are usually capable to plug in directly to those identity providers, ideally, you can even have more than one and you can design some really flexible, interesting policies.

Awesome. Thank you very much, Alexei. You mentioned that the leadership campus is out right now. So for those who are interested in moving towards Zero Trust and Zero Trust Network Access and are prepared from the identity management perspective, which is of course my favorite topic in that context, then please head over to the KuppingerCole website and look for the LC ZTNA. I think that should be easy to be found through our search engine. So just type in LC ZTNA and try to identify the right solution for you. I just checked the table of contents, it's 16 vendors you've covered and it's 14 Vendors to Watch. So that was really quite some work to do. Thank you again, Alexei, for sharing your insights here. I think this will be a growing and interesting and also disruptive market segment when it comes to securing networks. Would you agree?

Well, it already is. Again, hybrid work is one of those topics which everyone is talking about even after the first COVID pandemic is officially over. Who knows when the second one is coming or something else? So this is a huge topic and it's no longer a nice to have feature. It's a matter of life and death for your business. Especially if it's a complex, geographically distributed one. So, yes, absolutely. This is one of those low hanging fruits where you don't have to think a lot. Well, you just have to reach out and take it and deploy it. And you will be amazed how the quality and productivity of your users will change in that.

Absolutely. And before we close down, I want to mention that we have a security related event coming up in November. So the Cyber Security Leadership Summit will be taking place from November 8th to November 10th in Berlin. And this will connect the globally growing community of data security experts. And I really would like to invite you to check out our website and maybe consider contributing or just taking part virtually or in person there. We will have interesting speakers, including Alexei. Less interesting speakers, including me, and we will have great speakers like CISOs and security experts from organizations like Lufthansa, Deutsche Börse, Deutsche Telekom, MasterCard and Siemens, the German Parliament and many, many more. So these three days will be the epicenter of security events in Europe, in Berlin in November. So please head over to our website also for that reason and consider registering and meeting us in Berlin virtually or in person. Thank you very much, Alexei, for being my guest today and for sharing your experience in creating this Leadership Compass and for preparing it. Thanks again and I'm looking forward to having you soon again. Thanks, Alexei.

Thank you very much, Matthias, for having me. And of course, looking forward to meeting you personally again in Berlin. And of course, everybody is going to join us at CSLS. Well, thank you and goodbye.

Thank you and bye bye.

Video Links

Stay Connected

KuppingerCole on social media

Related Videos

Webinar Recording

Zero Trust Is Driving the Evolution of Authorization

Verifying what specific applications, files, and data that a human or non-human entity has access to, is at the heart of cybersecurity in the face of increasing theft of data for espionage or other criminal purposes. Authorization, therefore, is extremely important to security, but it is…

Webinar Recording

Dealing Effectively with Modern, Industrialized Cyber Threats

The cyber threat landscape has become very complex, with state-of-the-art intrusion, ransomware, and cryptocurrency mining tools now readily available through online stores and service providers, and an expanding attack surface due to increased cloud computing and remote working. Keeping…

Webinar Recording

Making Zero Trust a Reality: Basing Decisions on Valid Identity Data

Cloud computing and mobile workforces have resulted in an expanding attack surface and a complex web of identify information. This means that traditional perimeter-based security models are no longer effective. A Zero Trust model of strict access control for every user and device enables…

Event Recording

Practical Zero Trust: From Concepts to Quick Wins to a Strategy

So, you’ve heard a lot of impressive things about Zero Trust, and how implementing it in your organization should solve most of your security problems, especially these days, when people still primarily have to work remotely. Now you would like to start with Zero Trust as soon as…

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00