Aug 28, 2023

Maximize Risk Reduction with a Phased Approach to ZTNA Deployment


In its recently released 2023 Market Guide for Zero Trust Network Access (ZTNA), Gartner® offers the following recommendation for security and risk management leaders:

“Approach deployment of ZTNA as a phased project that requires stakeholder management to reduce operational friction. Identify either highly sensitive applications to secure first in order to maximize the ROI on risk reduction, or low-risk applications and technology-savvy pilot users to minimize any potential operational impact. Implement ZTNA for more applications and users over time.”[1]

At Cyolo, we wholeheartedly agree that ZTNA adoption is best tackled in phases. But while Gartner identifies two potential starting points for the ZTNA journey, our own experience shows that it’s best to start with the toughest use cases. For this reason, we encourage our customers to identify the users who pose the greatest security risk to their business and then concentrate on deploying ZTNA for these users first. This approach not only achieves meaningful results most quickly but also, as Gartner states, “maximize[s] the ROI on risk reduction.”

Phase 1: Secure High-Risk Users (Often, Third-Party Vendors/Contractors) 

Which users or user groups present the highest risk will vary across organizations, but every business has certain users that must be connected to internal systems despite the potentially catastrophic damage that they could cause. In many cases, it is external third-party users who are deemed most risky. This is a broad category that includes vendors, suppliers, contractors, partners, and any other users who are not direct employees of the organization. Precisely because they are not official employees, third-party users are more likely to work on unmanaged devices and less likely to comply with (or even be aware of) corporate security policies.  

Still, businesses today depend heavily on support from third parties and must connect them to sensitive applications and environments so they can perform the work they were hired to do. Organizations that run operational technology (OT) and industrial control systems (ICS) are especially reliant on the expertise and specialized skillsets of third-party vendors and technicians. Even when these users mean no harm, it should be easy to see how being unmanaged and largely uncontrolled exposes the organization to added risk and increases the chances of an unauthorized account gaining access to the network.

Another group of users that organizations often identify as “high-risk” is employees with privileged access. Whether their access includes highly sensitive customer data or critical machinery, the compromise of these accounts could lead to disastrous consequences.

The good news is that regardless of who poses the greatest risk to your particular organization, they likely form a relatively small subset of your user base. Deploying ZTNA for these users first will provide a very substantial boost to your security posture and significantly reduce your potential attack surface as you move on to the remaining phases of your implementation project.  

Phase 2: Secure Medium-Risk Users (Often, Remote Employees) 

Once the riskiest users are connecting to all systems and applications via secure zero-trust access, phase two can begin. The goal remains to maximize the ROI on risk reduction, so this phase will secure the users who pose the next highest level of risk. Again, this can vary from organization to organization but, in our experience at Cyolo, this middle stage commonly focuses on deploying ZTNA for the remote workforce.  

Even as more companies begin to adopt back-to-office policies, it’s clear that significant numbers of workers will continue to work remotely at least part of the time. To access their work resources from outside the office, these users most commonly turn to virtual private networks (VPNs). Devised decades ago as a way to enable corporate access during business trips or other short stints away from the office, VPNs were never meant to be a permanent or widely scaled solution for remote access.

The limitations of VPNs, in terms of security as well as efficiency, are well-documented and in fact serve as a major factor in many organizations’ decision to make the shift to the zero-trust security model. Still, it is important to consider that some companies have used VPNs for twenty years or more, and moving away from such an entrenched technology can be difficult, on both the logistical and conceptual levels. What is notable about the Cyolo approach to migrating remote users to zero-trust access is that we recognize this difficulty and do not force customers to immediately cut the cord on their VPNs.

For organizations that want to begin to experience the benefits of zero-trust access (stronger security protocols, application-level access, more reliable connections—to name just a few) but are not yet ready to commit to a full VPN replacement, the Cyolo solution can be used to augment the existing VPN. Then, as the organization and its users become more accustomed to the new and improved experience of zero-trust access, they can decide when it’s time to turn off the VPN for good. The VPN + ZTNA period may even be viewed as a phase within a phase, further exemplifying the value of letting organizations adopt ZTNA in stages and at a pace that aligns with their unique needs. 

Phase 3: Secure Low-Risk Users (Universal ZTNA) 

By the time organizations reach phase three of their ZTNA deployment, they will have already secured access for the user groups capable of (benignly or maliciously) causing the most harm and therefore realized a very substantial risk reduction. This is the point at which Universal ZTNA comes into play. According to the Gartner Market Guide first referenced above, “universal ZTNA extends existing ZTNA technologies to use cases beyond remote access in order to support local enforcement in on-premises campus and branch locations.” 

But why bother implementing ZTNA inside the office? Aren’t on-premises users inherently secure? After all, these are employees literally sitting at their desks inside the office; what’s the harm in giving them full network access? Unfortunately, in today’s cyberthreat landscape, even on-site users are targeted by phishing schemes, social engineering campaigns, and other nefarious tactics. Implementing ZTNA for on-premises users strengthens the authentication process and ensures the principle of least privilege is enforced, reducing the threat of unauthorized access and limiting what bad actors can accomplish should they manage to enter the system. 

When choosing a specific ZTNA solution, organizations that want to achieve Universal ZTNA should keep in mind that many ZTNA tools are built for the cloud and do not support on-premises deployment. The Cyolo zero-trust access platform, by contrast, was designed for all types of deployment scenarios and can even function in the offline or otherwise isolated environments common to OT and ICS. Universal ZTNA, meaning zero-trust access for all users—internal and external, remote and on-premises—will not be the goal for every organization, but solutions like Cyolo make it a possibility for those that seek it.  

In any case, the completion of ZTNA deployment to all desired users is a laudable accomplishment and will bring many benefits in terms of both security and user experience. However, after the ZTNA rollout, organizations should continue to build and optimize their processes around access and control. Zero trust is indeed a journey, and there will always be tweaks and improvements to be made, even beyond the initial deployment and rollout.


[1] Gartner, Market Guide for Zero Trust Network Access, Aaron McQuaid, Neil MacDonald, John Watts, Rajpreet Kaur, 14 August 2023. 

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. 

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. 

Jennifer Tullman-Botzer


Jennifer Tullman-Botzer is a cybersecurity nerd by day and a history nerd by night. She has over a decade of experience in cybersecurity marketing and is as tired as you are of hackers-in-hoodies stock images. Jennifer joined Cyolo in 2021 and currently serves as Head of Content. Prior to Cyolo, she worked in a variety of marketing roles at IBM Security. She lives in Tel Aviv, Israel.
