Hello, welcome to the webinar, Unlocking Zero Trust Network Access. My name is Alejandro Leal. I'm a research analyst at KuppingerCole. And today we're gonna explore the topic of Zero Trust Network Access. From now on, we're gonna refer to it as ZTNA. About a month ago, at the end of January, I published a leadership report on ZTNA. So for this webinar, I wanna share with you some of the main findings and insights.
However, I encourage all of you to go on our website to take a look at the report, and you will find way more information there. Before we begin, I'd like to share some information. So all of you are muted centrally. No need to mute or unmute yourself. We're also gonna be conducting three poll questions, and we'll be discussing the results at the end. There will be also a Q&A session at the end of the webinar.
However, you can enter questions at any time using the CEvent control panel. And yes, we're gonna be recording the webinar, and we're gonna be sharing it on our website together with the slides in the coming days. So stay tuned. Here's the agenda for today. But before I begin talking about ZTNA, I'd like to take a step back and first talk about what Zero Trust is. Then I will examine the ZTNA market and talk about some of the challenges. For the second section, we'll talk about the evaluation criteria.
We're also gonna discuss some of the required capabilities, and we're also gonna introduce the vendors that participated in the Leadership Compass Report. And for the third section, we're gonna talk about the categories of assessment and the methodology. And last but not least, in the fourth section, we're briefly gonna talk about trends and innovations.
But first, here's the poll question. And the question is, what do you perceive as a primary benefit of implementing ZTNA solutions?
A, enhanced security posture. B, improved user experience.
C, simplified access management. D, compliance with regulatory requirements.
Of course, all of these are important, but what do you think is the main benefit of ZTNA? I'm gonna give you guys maybe 10 more seconds and then we'll move forward.
Okay, according to our research, the ZTNA market will reach 7.3 billion in 2025, with a compound annual growth rate of 17.4%. You can check out this research once you get to download the slides by clicking on this slide, or you can just go on our website, look for our press release on ZTNA, and you'll find more information there. So as we can see, the ZTNA market is growing.
But first, what is Zero Trust? And where can I buy Zero Trust today? We could say that it's a marketing buzzword. Despite many vendors trying to sell you Zero Trust, there is simply no product or service that can modernize and secure your entire enterprise. It's kind of like big data, or cloud, or the blockchain, or AI. There's no silver bullet here. Zero Trust is more of a journey. It's a strategy. And as a concept, it requires a major shift in many aspects of IT, and even the core processes of your business. Zero Trust is not an IT modernization project.
So you don't need that next generation VPN. You should focus instead on your existing tools and redesigning your processes and policies. And there is more than one way.
As I said, Zero Trust is a strategic goal, and there are multiple methods to reach it. Here's a quick history of Zero Trust. The term was first introduced in the 1990s.
However, it was during the early 2000s when the IT and security community engaged in discussions about deperimeterization. Even before the cloud and the use of mobile devices within the enterprise, the security community was talking about how to redesign the network and how to address digital transformation smoothly. It was in 2009 when Google introduced BeyondCorp, a sort of security framework. For example, BeyondCorp shifted the access controls from the perimeter to individual users and devices. And in the same year, the principles of Zero Trust were first introduced and popularized.
So during the next decade, so let's say the past decade from 2010 to 2020, we saw a rise of vendors and products talking about Zero Trust. In 2020, NIST SP 800-207 clearly defined Zero Trust. But it wasn't the only case. For example, in 2022, the U.S. Department of Defense introduced a Zero Trust strategy model where they discuss the building blocks of Zero Trust and how organizations can move forward in the journey. In the same year, the Biden administration published a memorandum on authentication, on authorization, and how Zero Trust is the path forward.
However, it's important to say that the U.S. is not the only country that is trying to incorporate Zero Trust in their national security. Other countries are following as well. And in 2024, where are we now? Is it the end of the hype? I'm not sure. I think people are wary of passwords and they're looking for concrete solutions. And I think ZTNA can address some of the challenges that many organizations face.
It's important to note that each organization, and I'm gonna be stressing this during the webinar, every organization has different needs and requirements, different deployment models, and different use cases. I'm not gonna go too deep into this slide because we have a limited amount of time, but these are the seven principles of Zero Trust. All decisions are per resource. Resources are any device or data source. All communication is secure, end-to-end encryption of all traffic. Least privilege access, per session and no implicit trust.
Policy-based access, real-time context-based risk evaluation for each access decision. Integrity and security of assets. It's about continuous monitoring and mitigation. Strong authentication, dynamic, strictly enforced, MFA. And it's about context and metadata, collecting, analyzing the state of assets, network traffic and access requests. In the DoD strategy that I mentioned earlier, they emphasize the building blocks for Zero Trust. They talk about users, devices, networks, systems, applications, and data. But there's not much information on how to get there from a maturity level standpoint.
And that's why we recently published an advisory note, I think two to three weeks ago, on maturity levels on Zero Trust. And here we go more deep into this slide. We take a look at each of these building blocks and we discuss how organizations can get to a high maturity level. So for the users, it's about robust verification of identities. It's about the use of MFA. And on the devices building block, it's about securing and managing devices. For the network, it's about securing network access and implementing techniques such as microsegmentation.
For systems and applications, it deals with improving systems and applications through secure development practices. And for data, it's all about protecting data integrity and confidentiality. It's about data loss prevention and encryption. So at KuppingerCole, we tend to use this five plus two approach. We also added these two supporting pillars that you see at the bottom, visibility and analytics, and automation and orchestration.
I encourage you all to take a look at this advisory note because here we go more in depth into how organizations can embark on a Zero Trust journey and how they can reach the maturity level that they need. So we know that the world is hyperconnected from on-premises to the cloud, to OT environments. Many workforces, they involve contractors, partners, and external third parties. Traditional perimeters have all but disappeared long ago. So ZTNA solutions, they aim to address some of the challenges that you see here.
So according to our findings in the leadership compass, the ZTNA market is diverse and is currently experiencing growth. The market was catalyzed in response to the shift to remote and hybrid work and the limitations of traditional VPNs and perimeter-based security models. It was also fueled by a collective industry realization that securing access to critical resources must be based on continuous verification and authentication.
And most recently, we see the emergence of SASE, the concept of Secure Access Service Edge, which converges network and security solutions into a unified integrated platform. The diversity of organizational requirements depends. As I mentioned earlier, each organization has different needs and requirements, different use cases. So this often leads to a best of breed approach where the strengths of different vendors are leveraged to create a customized ZTNA strategy. So when we talk about delivery models to meet the diverse needs of organizations, ZTNA can be deployed in multiple ways.
The choice of deployment depends on factors such as the structure of the organization, security requirements, scalability needs, geographical distribution, and also about money. So deployment flexibility is a crucial factor when considering a purchase. Most vendors offer a fully managed cloud-based control plane. While others focus on a SaaS delivery. Organizations operating in highly regulated industries or very large organizations, they might require a fully on-prem deployment.
However, one should always keep in mind that the journey towards Zero Trust is a never-ending one. And that's something that is emphasized in the DoD strategy model and the advisory note that I talked about earlier. Requirements tend to change quickly. Other organizations, for example, securing access to their sensitive data in complex hybrid and multi-cloud environments is very important. So as always, it depends. Here are some of the challenges that I encountered when I talked to all these different vendors.
In the leadership compass, there were 17 vendors that participated. I will show them on a slide later on. But perhaps the most important limitation that I think everyone agreed on was that deployment can be perceived as complex. When organizations still rely on legacy solutions or when they have hundreds of different tools, it can seem a bit daunting when they talk to a ZTNA vendor. Another challenge is when they get feature requests and the roadmap alignment.
The third one, and I think it would be perhaps the second most important after deployment complexity would be user education and adoption. I think that many organizations face a problem that the IT people do not communicate well enough with, let's say, the business people. So ZTNA vendors need to communicate well. They need to address the challenges that these organizations are facing. And even us analysts, we need to communicate in the right way. So when IT people want to talk to their business people, they can clearly state the goals and what they are trying to achieve.
Because it's all about cost considerations as well. It's about scalability. And it's also about regulatory compliance. Something that stood out to me was that many of the vendors that I had the chance to talk to, many of them were lacking some security certifications or compliance standards. And I think that needs to change. So here's a second poll question. What are your organization's main concerns regarding ZTNA implementation?
A, data privacy and compliance. B, user resistance and adoption issues.
C, integration with existing security infrastructure. D, cost implications and return on investment. I'm gonna give you 10 more seconds and then we can move on. Okay. So now we're gonna jump into the second section, the evaluation criteria. So here are some of the required capabilities that we considered when we had the chance to talk to these vendors. No reliance on inbound connections. These are ZTNA capabilities that we consider must be supported at least on a baseline level.
Separation of control and data planes. Cloud only on-premises or hybrid deployments. Scalable decentralized architecture. Centralized unified deployment and management across hybrid networks. Unified network agnostic access policy management. Encryption of all network connections. Strict identity verification for each session. Device posture validation. MFA and SSO support. And continuous session monitoring. Now for the evaluation criteria, I'm gonna talk more about this on the next slide. But these were the main categories that we use to assess each vendor.
And in the third section of the webinar, I wanna talk more about how we do the leadership compasses. What's our methodology and what are the things that we look at? But for ZTNA, these were the main categories that we analyzed. So in the leadership compass, we have a chapter, a written chapter dedicated to each product, to each vendor. Then we have a list of main challenges and main strengths of each product within the chapter. And then at the end, we have a spider chart, which shows the strength of the product's capabilities vis-a-vis the evaluation criteria. So here's an example.
I would like to talk more about it, but I believe I'm running out of time. So I'm just gonna jump into the third section on leadership compass categories and methodologies. So these are the list of participants in the LC on the left side, the rated vendors, 17 of them. We see a combination of established vendors, but also we see some small, but highly innovative companies. On the right side, we have a vendors to watch section that usually covers these vendors and it's at the end of the LC report. So essentially, what we look at are nine dimensions.
These five dimensions focus more on the product and the service. For example, the security one. Does the product meet the security requirements? Does it address the security challenge that organizations face? For functionality, for example, we look at the features.
Also, we look at the roadmap and how they aim to get there. We look at deployment. How is it delivered? Is it easy to deploy? Interoperability. Does it work with other services, with other products? We also look at usability. So how easy it is for admins, for users and for analysts to use. The other four dimensions are on this slide. The innovation is also related to the product and this can benefit some of these small, but highly innovative companies that I mentioned earlier.
They might not have the market presence of some of the established vendors or the financial strength, but they can introduce some innovative approaches that can address certain use cases. They could find their own niche and they can leverage that and that can make them score well in these reports. But when we look at market, ecosystem and financial strength, this is not so much focused on the product itself, but more on the market presence of the vendor. So how many customers have deployed the product, right? How many industries are targeted? Which regions?
For ecosystem, we look at how many partners they have and how are they globally distributed. And then for financial strength, we look at if the company is profitable, if it's a new startup or if it's a large startup. So these are the nine dimensions that we assess during the LC. And by exploring these dimensions and by assessing them, then we come up with four leadership categories. Number one is a product leadership category. So we take more of a focus on the functionality of the product. We look at innovation aspects. We look at usability.
For market leadership, we also look at the number and geographic distribution of customers. We look at the financial strength. These dimensions that I mentioned in the previous slide. And then we have the innovation leadership. Many small vendors often appear highly on the innovation leadership, but they could be rated a bit low on the market leadership. And then at the end, we have the overall leadership category where we basically sum up all of these different categories and we have one overall leadership category. So how does the process work when we do leadership compasses reports?
The timeline depends. It depends on the number of vendors that participate, but usually we, as analysts, we first identify the vendors of the market segment. We send them a questionnaire with lots of questions, and then we get a briefing with them where they show us their product, where we discuss some of the questions from the questionnaire and they also show us a demo of the product. Then we use all this information to start writing a draft. Then we send the vendors those drafts so they can make sure that everything is accurate.
And if they want to discuss something, we can always have a fact check call with them where they can review and make any updates. And then we publish the report, which you can find on our website. Usually the process, like I said, it depends, but it could take between three to four months, maybe less, maybe more.
So, here's the next poll question. It's not very, let's say, related to ZTNA per se, but we're just curious to know which cyber attacks are you most concerned about? Phishing attacks leading to credential theft? PBCA exploits? Identity spoofing and impersonation?
Session hijacking? Business email compromise? I'm gonna give you 10 more seconds and then we can move forward.
Okay, so now we'll go to the last section of the webinar, which is about trends and innovation. So, how to update the technology?
So, the first thing is to have a good idea for the era of Zero Trust. It needs to be identity-driven. It needs to be dynamic and intelligent. It should leverage automation and orchestration capabilities. It should have a ubiquitous deployment and as a bonus, a zero footprint. But of course, there's no silver bullet, as we mentioned earlier. There's no ultimate solution, but Zero Trust and ZTNA should be seen as a sort of journey, as a strategy that requires step-by-step implementations and conversations across different teams. Here's some of the emerging trends that we observe.
So, organizations across various industries are increasingly adopting Zero Trust frameworks as a fundamental approach to security. Not only businesses and organizations, but as I mentioned earlier, also governments. They are setting Zero Trust as a sort of national security standard across their federal agencies that they have. Another trend is that agent-based ZTNA is increasingly being deployed as part of a larger SASE or SSE solution.
ZTNA solutions are incorporating micro-segmentation techniques to divide network environments into smaller, isolated zones and thus reducing the attack surface. With increasing adoption of cloud services, ZTNA solutions are evolving to provide seamless integration with cloud-native environments and flexible connectivity for hybrid scenarios.
Also, OT environments, all the devices that are used there, they're becoming more prevalent in enterprise networks. ZTNA solutions are extending their capabilities to include these scenarios as well. KC OpenSelect. In the next month or two, we're gonna release a KC OpenSelect version on ZTNA. It will help organizations to optimize their decision-making process and to adjust their own needs and requirements to the vendors and products that appear on this report. I would also like to remind you that the European Identity and Cloud Conference is gonna take place in June of this year.
There are gonna be lots of topics discussed and some sessions on ZTNA will be there as well. I'm actually gonna be doing a session on ZTNA on the market. You can also sign up online. Here's some related research. So when you get a chance to download the slides, you can just click the links here. You can see the leadership compass that we published in January. There's a very good white paper from my colleague, John Tolbert, on OT environments. And then there's this advisory note that I was referring to earlier, the maturity level for Zero Trust.
It was published just a couple of weeks ago and I think he received positive feedback. And there's also a good blog post from my colleague Warwick on Zero Trust. You can also find these online on our website or you can just wait to download these slides. And here's some of our services. We do events, webinars such as this, advisory projects and research. And here's a little bit more about ZTNA. And here's our advisory projects and research. Thank you. Now we're gonna take a look at the poll results and then we're gonna check out the questions.
So, wow, that's, yeah, that's a very overwhelming response. It's about security. I don't think there's much to discuss here. Maybe we can take a look at the second poll. So what are your organization's main concerns regarding ZTNA implementation? Integration with existing security infrastructure.
Second, we got user resistance and adoption and then data privacy. Seems like many organizations still rely on these legacy applications and have hundreds of tools. They wanna make sure that ZTNA solutions can integrate well. Maybe we can take a look at the last question. Which cyber attacks are you most concerned about? Phishing attacks leading to credential theft. And that's something that we keep seeing increasing in the world today. There's also CEO credential theft going on lately. Okay. Now we can take a look at some of the questions from the audience.
One of the questions says, what is the most important factor when selecting a ZTNA vendor? Well, as I said earlier, it all depends on the organization that we're talking about. They all have different needs and requirements, different use cases, different focus areas. So it's really about taking into account what the organization wants. Also the maturity level of the organization and what they are trying to achieve. What's their timeline?
So it's important that organizations talk to different vendors so they can make sure that they are all addressing the needs and requirements that they want to have in their organization. Let's see if there's any other question. Okay. What was the most surprising thing you discovered during your research? That's a good question. I think I was surprised at the diversity of vendors. What was interesting to me is that they all had different backgrounds. Some of them had more of an identity and access management background.
Some of them were startups that have only a few years of existence and they're doing very well in some aspects. So I think that was quite surprising to see how passionate they all were on their solutions and how they all have different strengths but also different challenges. And the last question is, which ZTNA deployment model is more suitable for organizations? I think that also depends on the organization we're talking about. Some large organizations might require on-prem deployments or hybrid environments to facilitate the transition, but we see an increasing adoption of SaaS.
So I think it really depends on what the organization is trying to achieve. And it seems we have no more questions. So I'm gonna go ahead and close the webinar. We have some questions from the audience. So I would like to thank you all for attending this webinar and I encourage you all to go on our website, take a look at the Leadership Compass Report and you will find more information there. Thank you very much.