Dec 12, 2023

A Guide to the Challenges and Benefits of Universal ZTNA

No one reading this blog will be surprised by the statement that the workplace has changed dramatically in just the last few years. Some organizations have fully embraced remote work, while others have adopted a hybrid work model. But whatever their exact circumstances, nearly all organizations are in need of a reliable solution to safely and securely connect users to the resources they need to do their jobs. 

Zero Trust Network Access (ZTNA) is a key technology that allows organizations across industries to both enable and secure the “work from anywhere” model. While ZTNA was initially seen primarily as an alternative to VPNs for securing remote access scenarios, it has been demonstrated in recent years that the right ZTNA solution can bring secure access to on-premises and hybrid work set-ups as well. Universal ZTNA is achieved when all users and devices, regardless of location, are governed by zero-trust access policies.  

According to the 2023 Gartner® Market Guide for Zero Trust Network Access, “a desire to provide more secure and flexible connectivity for hybrid workforces is heightening interest in the zero trust network access (ZTNA) market.”[1] The same report states, “Universal ZTNA extends existing ZTNA technologies to use cases beyond remote access in order to support local enforcement in on-premises campus and branch locations.” 

Benefits of Universal ZTNA  

The advantages of Universal ZTNA are multifold. End users benefit from a consistent work experience whether they are at the office, at home, or elsewhere. Security and IT teams have only one secure access tool to manage (rather than one for remote workers and another for everyone else) and can streamline access controls across the full user base. And, perhaps most importantly, the organization can be confident that all users and devices are connecting to sensitive resources only via secure zero-trust access, limiting the risk of both internal and external cyberthreats.  

So, why hasn’t everyone seen the light and adopted Universal ZTNA? While the benefits of Universal ZTNA are substantial, the implementation can be difficult unless the right vendor and platform are selected. Let’s examine some common work models that can be difficult to secure in the absence of a true Universal ZTNA implementation partner.  

Challenges of Universal ZTNA 

Challenge 1: In-Office Workers  

As noted above, ZTNA was not initially envisioned as a universal access solution. Even today, a majority of ZTNA products are designed around the needs of remote users who are accessing resources from outside the corporate network. The result is that these tools may not integrate smoothly with on-premises infrastructure and may require complex configurations to accommodate office-based users.  

A related issue is that ZTNA solutions frequently rely on cloud-based services and micro-segmentation techniques. When employees are in the office, they might need access to local network resources or legacy systems that were not originally integrated into the ZTNA architecture. This can lead to access issues as well as substantial delays, ultimately causing a decline in productivity.  

Guaranteeing the same standard of fast, seamless access for on-premises and remote users is the first challenge that Universal ZTNA platforms must overcome – but it is hardly the sole challenge. Universal ZTNA should also extend to operational technology (OT) systems and third-party vendors and contractors.  

Challenge 2: OT/ICS Environments 

Most ZTNA products currently on the market were built not only to serve remote users but also to ensure secure access specifically to cloud-based applications. To function properly, these tools typically require connectivity to a cloud routing service as well as an installed agent. This limits their use in many OT and industrial control systems (ICS) environments, which often prohibit unnecessary external connectivity. Products classified as Universal ZTNA should be able to bring secure zero-trust access to any environment – cloud-connected, cloud-averse, or even fully offline. 

Authentication is another significant obstacle when it comes to securing OT systems. Verifying user and device identities with multi-factor authentication (MFA) is essential to enforcing ZTNA; however, the legacy systems that are prevalent in OT environments generally do not support MFA or other strong authentication methods, and often cannot be modified to do so. Fortunately, this challenge is not insurmountable. A true Universal ZTNA solution like Cyolo can retrofit existing legacy infrastructure to enable MFA functionality. 
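One common way to retrofit MFA onto a system that cannot be changed is to enforce the factor at the access broker rather than on the legacy host: the broker verifies a one-time code first and only then opens the session to the host, which never sees the MFA exchange. The block below is an added illustration of that pattern, written for this article; it is not Cyolo's code and says nothing about how Cyolo implements its retrofit. It assumes a TOTP (RFC 6238) second factor, a constructed enrollment table keyed by username, and the well-known RFC 4226/6238 test secret so the codes can be checked against the published vectors. The replay check (rejecting a code for a time step that has already been consumed) is the caveat a practitioner should insist on, because a legacy protocol that carries the code in the clear can otherwise be replayed within the 30-second window.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional

TOTP_STEP = 30     # seconds per code, the RFC 6238 default
TOTP_DIGITS = 6
DRIFT_STEPS = 1    # tolerate one time step of clock skew in either direction

# Constructed enrollment secret: the RFC 4226/6238 test key "12345678901234567890" in base32.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, for_time: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the variant common authenticator apps generate."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", for_time // step)            # 8-byte big-endian time step
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                               # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class LegacyMfaGate:
    """MFA check performed by the access broker, not by the legacy host.

    The broker opens a session to the legacy host only after verify() succeeds,
    so the host needs no MFA support of its own. A per-user record of the last
    accepted time step rejects replay of a code inside its validity window
    (RFC 6238 section 5.2).
    """

    def __init__(self, enrolled: Dict[str, str]) -> None:
        self._enrolled = enrolled                 # user -> base32 TOTP secret (assumed store)
        self._last_step: Dict[str, int] = {}

    def verify(self, user: str, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        if len(code) != TOTP_DIGITS or not code.isdigit():
            return False                          # malformed input never reaches the HMAC compare
        secret = self._enrolled.get(user)
        if secret is None:
            return False                          # unknown user: deny, reveal nothing
        current = now // TOTP_STEP
        for delta in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
            candidate = current + delta
            if candidate <= self._last_step.get(user, -1):
                continue                          # step already consumed: treat as replay
            expected = totp(secret, candidate * TOTP_STEP)
            if hmac.compare_digest(expected, code):
                self._last_step[user] = candidate
                return True
        return False


if __name__ == "__main__":
    gate = LegacyMfaGate({"plc-tech": SAMPLE_SECRET})
    t = 59                                        # RFC 6238 test time; the code is 287082
    code = totp(SAMPLE_SECRET, t)
    print("first use:", gate.verify("plc-tech", code, now=t))    # True, broker forwards the session
    print("replay:   ", gate.verify("plc-tech", code, now=t))    # False, same step already used
```

The gate sits in the session path, so the legacy system's own login (password only, or none) is reached only by users who have just passed the factor check; the broker also has the session context needed to record or terminate the connection, which the legacy host cannot do.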

Finally, OT systems prioritize availability over everything except human safety. Whereas IT applications can be patched and updated without much inconvenience, the disruption caused by these processes is more than most OT environments can tolerate. Even short periods of downtime lead to, at best, operational slowdowns and lost revenue and, at worst, physical safety risks for workers and equipment. Universal ZTNA solutions must deliver their full value under these conditions, without requiring the downtime that OT environments cannot afford. 

Challenge 3: Third-Party Vendors and Contractors 

Modern companies rely heavily on third-party vendors, contractors, and partners to perform a variety of specialized tasks. The business value that third parties provide is clear; however, connecting external users to sensitive internal systems (often with little or no oversight) creates inherent risk. Universal ZTNA is an excellent way to lower this risk and ensure that access privileges for third-party users are tightly controlled. But, again, not every ZTNA solution can address this need. 

First, enforcing application-level access is critical when it comes to securing third-party vendors. While it may seem like a timesaver, giving contractors access to the full corporate network (for example, a VPN tunnel that routes them onto an internal subnet) exposes every host reachable on that network, not just the one they were hired to work on, and can easily lead to both malicious and accidental data exposure. Instead, third-party access should always be granted according to the principle of least privilege, with users receiving access to the systems and applications they need for their assigned tasks and nothing more.  

To ensure the security of their most sensitive assets, organizations that work with third parties should choose a ZTNA platform that not only provides pinpoint application access but that also makes it easy to assign and manage user group permissions. The ability to record sessions and monitor activity in real-time are additional features to look for.  
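The difference between a network-level grant and an application-level grant is easiest to see in a policy decision point that is evaluated on every request. The block below is an added example written for this article, not Cyolo's code or a description of its policy engine. It assumes a constructed application catalog (three internal systems on two subnets), two constructed group grants, and a contractor account; all names, addresses and timestamps are made up. It checks the properties the paragraph above asks for: default deny, access scoped to the named application only, MFA and device-posture conditions on the grant, a contract end date, and revocation that takes effect on the next request rather than the next login. For contrast, network_grant_exposure() lists what a subnet route would have exposed.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class App:
    name: str
    host: str          # address the broker publishes the application on
    port: int


@dataclass(frozen=True)
class Grant:
    group: str
    apps: FrozenSet[str]
    expires: int                         # epoch seconds, e.g. the contract end date
    require_mfa: bool = True
    require_managed_device: bool = False


@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]
    target_host: str
    target_port: int
    now: int
    mfa_verified: bool
    managed_device: bool


class PolicyDecisionPoint:
    """Default-deny, per-application authorization evaluated on every request."""

    def __init__(self, apps: Iterable[App], grants: Iterable[Grant]) -> None:
        self._apps = {(a.host, a.port): a for a in apps}
        self._grants = list(grants)
        self._revoked: Set[str] = set()

    def revoke(self, user: str) -> None:
        """Offboard a contractor; the next decide() call already denies them."""
        self._revoked.add(user)

    def decide(self, req: Request) -> Tuple[bool, str]:
        if req.user in self._revoked:
            return False, "user revoked"
        app = self._apps.get((req.target_host, req.target_port))
        if app is None:
            return False, "target is not a published application"
        reasons: List[str] = []
        for g in self._grants:
            if g.group not in req.groups or app.name not in g.apps:
                continue                                   # grant is not about this user/app
            if req.now >= g.expires:
                reasons.append(f"grant via {g.group} expired")
                continue
            if g.require_mfa and not req.mfa_verified:
                reasons.append(f"grant via {g.group} requires MFA")
                continue
            if g.require_managed_device and not req.managed_device:
                reasons.append(f"grant via {g.group} requires a managed device")
                continue
            return True, f"{app.name} via group {g.group}"
        return False, "; ".join(reasons) or "no grant covers this application (default deny)"


def network_grant_exposure(cidr: str, apps: Iterable[App]) -> List[str]:
    """Applications a network-level grant (a route to the subnet) would expose, for contrast."""
    net = ipaddress.ip_network(cidr)
    return sorted(a.name for a in apps if ipaddress.ip_address(a.host) in net)


# Constructed sample catalog and grants.
SAMPLE_APPS = (
    App("hmi", "10.20.30.5", 3389),          # the one system the HVAC contractor works on
    App("historian", "10.20.30.6", 1433),    # same subnet, not in the contractor's scope
    App("erp", "10.20.40.10", 443),
)
SAMPLE_GRANTS = (
    Grant("vendor-hvac", frozenset({"hmi"}), expires=1_735_689_600),                    # 2025-01-01
    Grant("finance", frozenset({"erp"}), expires=1_767_225_600, require_managed_device=True),
)


if __name__ == "__main__":
    pdp = PolicyDecisionPoint(SAMPLE_APPS, SAMPLE_GRANTS)
    contractor = frozenset({"vendor-hvac"})
    print(pdp.decide(Request("hvac-contractor", contractor, "10.20.30.5", 3389, 1_700_000_000, True, False)))
    print(pdp.decide(Request("hvac-contractor", contractor, "10.20.30.6", 1433, 1_700_000_000, True, False)))
    print("a /24 route would have exposed:", network_grant_exposure("10.20.30.0/24", SAMPLE_APPS))
```

Because every request passes through decide(), session recording and real-time monitoring hang naturally off the same point: the allow decision is where a broker would tag the session with the user, group and application it was granted for.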

Last, agented ZTNA products are as problematic for third parties as they are for OT environments. Vendors and contractors typically work on their own devices, which is precisely what makes it so crucial to secure their access. However, these users may work with tens or even hundreds of businesses, and they can hardly be forced by each one to download a different agent. Universal ZTNA tools must therefore offer an agentless option in order to accommodate scenarios like third-party and OT systems access. 

The Cyolo Solution for Universal ZTNA 

At Cyolo, we are fully committed not just to the zero-trust security framework but also to the idea that zero-trust access can be extended to any environment. In other words, we believe that all obstacles to Universal ZTNA can be overcome and that zero trust should have zero exceptions.  

For these reasons, our solution is purpose-built to bring zero-trust access to OT systems and critical infrastructure. Despite the deployment challenges highlighted above, OT/ICS environments hold the lifeblood of many organizations and therefore demand the same standard of security (if not a higher standard) than that which is commonly applied to information technology (IT) networks and systems.  

In contrast to many other ZTNA providers, who may claim to offer Universal ZTNA but actually exclude important use cases from their scope, Cyolo fully supports all the myriad ways work happens today. As a genuine Universal ZTNA platform, Cyolo: 

  • Enables remote workers to quickly and easily connect to any resource, either cloud or hybrid, without changing their expected workflows; 

  • Gives in-office workers the same level of service and speed they would achieve while working remotely, including the ability to connect directly to on-premises applications or resources; 

  • Extends identity-based zero-trust access into OT/ICS environments (including offline environments) and protects legacy systems with multi-factor authentication; 

  • Validates and continuously authorizes third-party users and devices, with no need to install agents or configure complicated access management policies; 

  • Achieves all of this with a simple deployment process and easy-to-use interface. 

The Cyolo solution proves that Universal ZTNA, along with all its benefits, is achievable. To discover how it works in the real world, read this case study.

[1] Gartner, Market Guide for Zero Trust Network Access, Aaron McQuaid, Neil MacDonald, John Watts, Rajpreet Kaur, 14 August 2023.  

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.  

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.  

Jennifer Tullman-Botzer

Author

Jennifer Tullman-Botzer is a cybersecurity nerd by day and a history nerd by night. She has over a decade of experience in cybersecurity marketing and is as tired as you are of hackers-in-hoodies stock images. Jennifer joined Cyolo in 2021 and currently serves as Head of Content. Prior to Cyolo, she worked in a variety of marketing roles at IBM Security. She lives in Tel Aviv, Israel.
