Major Use Cases and Capabilities
Major Use Cases
Work from Home
ZTNA solutions enable secure remote access to corporate resources for employees working from any location, including remote offices, home offices, or while traveling. By implementing fine-grained identity-centric access controls and contextual policies, ZTNA ensures that only authorized users with compliant devices can access sensitive applications and data.
Secure Cloud Access
As organizations increasingly adopt cloud-based applications and services, ensuring secure access to cloud resources becomes essential. ZTNA solutions provide secure access to cloud applications by authenticating users and devices and enforcing access policies based on user identity, device posture, and contextual information. This helps organizations protect sensitive data stored in the cloud and prevent unauthorized access from compromised devices or accounts.
Zero Trust Segmentation
ZTNA solutions support Zero Trust segmentation strategies by enforcing micro-segmentation policies that isolate critical assets and sensitive data from unauthorized access. Because access is granted per resource rather than per network, a ZTNA solution effectively reduces each segment to a single resource (a "segment of one"), without re-architecting the existing network. This helps organizations shrink their attack surface and limit lateral movement by attackers who have gained a foothold inside the network.
Bring Your Own Device (BYOD)
With the proliferation of personal devices in the workplace, organizations face challenges in securing access to corporate resources from a wide range of devices, including smartphones, tablets, and laptops. ZTNA solutions help organizations implement BYOD policies by enforcing security controls that authenticate and authorize devices based on their compliance with corporate policies, such as device health and security posture.
Capabilities
Secure Connectivity
All communication between resources must be secured regardless of where those resources are located, using end-to-end encryption of the network traffic between them. The assessment in this category examines the fundamental capabilities of the solution, including its support for secure point-to-point connections, complete cloaking of the underlying network architecture, how it relates to legacy VPN solutions (replacement or coexistence), and its management of inbound connections. It also examines the encryption standards used, explicitly asking whether modern transport-layer security standards (TLS 1.2 and 1.3) are supported and whether deprecated protocol versions such as TLS 1.0 and TLS 1.1 (deprecated by RFC 8996) are disabled rather than merely discouraged.
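What "deprecation of legacy protocol versions" means in practice is a hard floor on the negotiated version plus mandatory peer verification, and an assessor can check both directly on the configuration object rather than trusting a datasheet. The following Python snippet is an added example, not code from the report or from any vendor's product: it builds a hardened TLS context with the standard library, builds the "maximum compatibility" context a check should catch, and audits both. The function names and the finding strings are assumptions made for this illustration.

```python
import ssl

# TLS 1.0 and TLS 1.1 are deprecated by RFC 8996 (SSLv3 was deprecated long before);
# a ZTNA gateway should refuse to negotiate any of them.
DEPRECATED_VERSIONS = frozenset({
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
})


def hardened_context(purpose: ssl.Purpose = ssl.Purpose.SERVER_AUTH) -> ssl.SSLContext:
    """A context that only speaks TLS 1.2 or 1.3 and always verifies the peer."""
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse TLS 1.0/1.1 and SSLv3
    ctx.verify_mode = ssl.CERT_REQUIRED            # peer must present a valid certificate
    return ctx


def legacy_context() -> ssl.SSLContext:
    """The 'maximum compatibility' configuration the audit is meant to catch (constructed)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # whatever OpenSSL still offers
    ctx.check_hostname = False                               # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the policy violations of a context; an empty list means compliant."""
    findings = []
    floor = ctx.minimum_version
    if floor == ssl.TLSVersion.MINIMUM_SUPPORTED or floor in DEPRECATED_VERSIONS:
        findings.append(f"protocol floor {floor.name} permits deprecated TLS versions")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not required or not verified")
    if ctx.protocol == ssl.PROTOCOL_TLS_CLIENT and not ctx.check_hostname:
        findings.append("hostname verification is disabled")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_context()), ("legacy", legacy_context())):
        print(name, audit_context(ctx) or "compliant")
```

One caveat worth knowing when reading the output: the floor reported by `minimum_version` reflects the OpenSSL build and the system-wide `openssl.cnf` policy, so on distributions that already pin `MinProtocol = TLSv1.2` the legacy context will only trip the certificate and hostname findings. That is exactly why the check should run on the gateway's own platform rather than on an analyst's laptop.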
Access Management
This section covers the solution's ability to manage and enforce access policies, together with its compatibility with external systems for authentication and authorization, with emphasis on the standards and integrations supported. It examines the user interface for creating and editing policies, policy auditing tools, the access control principles the solution supports, and more.
Strong Authentication
Authentication must be dynamic and strictly enforced. This includes strong multi-factor authentication, scanning for cyberthreats, and re-evaluating trust before each transaction, driven by dynamic policies that continuously evaluate the state of the resource, the requester, and other contextual attributes. For example, this assessment looks at support for authentication protocols such as FIDO2, FIDO U2F and FIDO UAF, and for FIDO authenticators and hardware security keys. It examines continuous authentication capabilities, step-up authentication support, graphical visualization, and risk assessment policy configuration. Overall, this evaluation gives organizations insight into the solution's device and authentication intelligence capabilities, helping them make informed decisions for their Zero Trust strategies.
Client Risk Posture
Each access decision is based on a real-time risk evaluation, which may include behavioral analysis, environmental conditions, the history of previous accesses, and similar signals, performed either by the platform's own agent or by analyzing telemetry collected through partnerships and integrations with third-party security vendors.
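Access Management, Strong Authentication and Client Risk Posture above describe one decision loop: every transaction is checked against a per-resource policy, a posture-derived risk score, and the strength and freshness of the requester's authentication, with step-up as the middle outcome between allow and deny. The Python below is an added example written for this page, not code from the report or from any ZTNA vendor; it implements that loop as a minimal policy engine, and because unknown resources are denied by default it also shows the per-resource "segment of one" behaviour described under Zero Trust Segmentation. The resource names, group names, risk weights, thresholds, country list and sample requests are all constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    STEP_UP = "step_up"  # continue only after stronger authentication


@dataclass(frozen=True)
class AccessRequest:
    """Everything the engine knows about one transaction (constructed fields)."""
    user: str
    groups: frozenset
    resource: str
    auth_methods: frozenset      # methods used in this session, e.g. {"password", "fido2"}
    device_managed: bool         # enrolled in MDM / running the platform agent
    os_patched: bool
    edr_healthy: bool            # telemetry from an integrated EDR (third-party posture)
    country: str
    failed_logins_24h: int
    seconds_since_verified: int  # age of the last trust evaluation for this session


# Illustrative values; a real deployment tunes these per resource sensitivity.
PHISHING_RESISTANT = frozenset({"fido2", "u2f"})
EXPECTED_COUNTRIES = frozenset({"DE", "US"})
MAX_TRUST_AGE_SECONDS = 900

# Per-resource policy: who may ask, how much risk is tolerated, what proof is needed.
# Anything not listed is denied: no resource is reachable merely because the
# requester is "on the network".
RESOURCE_POLICY = {
    "hr-payroll": {"groups": {"hr"}, "max_risk": 20, "phishing_resistant": True},
    "wiki":       {"groups": {"staff", "hr"}, "max_risk": 60, "phishing_resistant": False},
}


def risk_score(req: AccessRequest) -> int:
    """Additive posture score; higher is riskier. Weights are illustrative."""
    score = 0
    if not req.device_managed:
        score += 40
    if not req.os_patched:
        score += 20
    if not req.edr_healthy:
        score += 30
    if req.country not in EXPECTED_COUNTRIES:
        score += 25
    score += 5 * min(req.failed_logins_24h, 5)
    return score


def evaluate(req: AccessRequest) -> tuple[Decision, str]:
    """Decide one transaction; called on every request, not once per session."""
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return Decision.DENY, "unknown resource (default deny)"
    if not (req.groups & policy["groups"]):
        return Decision.DENY, f"{req.user} is not entitled to {req.resource}"
    score = risk_score(req)
    if score > policy["max_risk"]:
        return Decision.DENY, f"risk {score} exceeds limit {policy['max_risk']}"
    if policy["phishing_resistant"] and not (req.auth_methods & PHISHING_RESISTANT):
        return Decision.STEP_UP, "phishing-resistant MFA required for this resource"
    if req.seconds_since_verified > MAX_TRUST_AGE_SECONDS:
        return Decision.STEP_UP, "trust evaluation is stale; re-authenticate"
    return Decision.ALLOW, f"risk {score} within limit {policy['max_risk']}"


def sample_requests() -> dict:
    """Constructed requests covering the main decision paths."""
    base = dict(user="alice", groups=frozenset({"hr", "staff"}), resource="hr-payroll",
                auth_methods=frozenset({"password", "fido2"}), device_managed=True,
                os_patched=True, edr_healthy=True, country="DE",
                failed_logins_24h=0, seconds_since_verified=60)
    return {
        "healthy_fido2":    AccessRequest(**base),
        "password_only":    AccessRequest(**{**base, "auth_methods": frozenset({"password", "totp"})}),
        "unmanaged_device": AccessRequest(**{**base, "device_managed": False}),
        "stale_session":    AccessRequest(**{**base, "seconds_since_verified": 3600}),
        "wrong_group":      AccessRequest(**{**base, "user": "bob", "groups": frozenset({"staff"})}),
        "wiki_from_byod":   AccessRequest(**{**base, "user": "bob", "groups": frozenset({"staff"}),
                                             "resource": "wiki", "device_managed": False,
                                             "auth_methods": frozenset({"password"})}),
        "unknown_resource": AccessRequest(**{**base, "resource": "finance-db"}),
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        decision, reason = evaluate(req)
        # Each line is also what an audit record of the decision should contain.
        print(f"{name:17} {decision.value:8} {reason}")
```

The ordering of the checks is the point of the example: entitlement and hard risk limits are evaluated before any step-up is offered, so a requester on a non-compliant device is never invited to authenticate more strongly against a resource they could not be granted anyway, and the same unmanaged device that is denied payroll access is still allowed to reach the low-sensitivity wiki, which is the BYOD case from the use cases above.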
Monitoring and Analytics
Information about the current state of assets and their communications must be collected, analyzed, and used to improve the organization’s security posture. The integrity and security of all assets must be continuously monitored and deviations in security posture must be mitigated promptly. This section assesses the solution's capabilities in providing comprehensive insights, real-time visibility, and analytical tools for effective management.
Audit and Compliance
Security data retention and comprehensive compliance reporting are the basic capabilities here. Out-of-the-box support for regulatory frameworks and standards such as GDPR, HIPAA, or PCI DSS is a major differentiator for many customers.
Performance and Scalability
ZTNA solutions must be able to withstand massive spikes in demand, adapt to complex, distributed deployments, and provide native support for cloud and hybrid scenarios.