Zero trust network access (ZTNA) has become a hot topic and a popular IT project. Here are some of the reasons why:
First, organizations are beginning to pursue a zero trust strategy and ZTNA is the first logical step towards a zero trust security program. Second, remote or hybrid work is here to stay. And as a result, now is the time to replace your legacy remote access VPN with a modern anywhere secure access solution for the long term. Third, digital transformation and cloud-first strategies continue to evolve and legacy access methods are not well suited for the cloud environment.
Regardless of the motivation behind zero trust network access initiative, creating a short list of ZTNA solutions to evaluate in a crowded market can be daunting. Last time I checked, there were 42 vendors listed in Gartner’s market guide for ZTNA.
But, not all ZTNA solutions are created equally, so here are some considerations to help you narrow down your list.
1. Platform matters.
Whether you are selecting and implementing ZTNA for remote/ hybrid work, starting an initial project on a bigger zero trust security journey, or you have a fully mapped out vision for security service edge (SSE) and secure access service edge (SASE) architecture, it is best to work with a vendor with a full SSE platform with a single agent, single console, and single policy engine, and support for a multi-cloud environment.
Like most organizations, yours is probably operating in a hybrid cloud, or multi-cloud environment with a mix of applications hosted in private data centers and public cloud environments, as well as using cloud applications (or SaaS).
I am also willing to bet that your current environment is subject to change. For example, you might have an active project to transform your on-premises enterprise resource planning (ERP) system to be hosted in a cloud environment, or to adopt Cloud-ERP.
An integrated SSE platform helps you deliver a seamless zero trust application access with consistent policy controls and a great user experience regardless of where the applications are hosted.
Gartner estimates that “By 2025, 70% of organizations that implement agent-based zero trust network access (ZTNA) will choose a security service edge (SSE) provider for ZTNA, rather than a stand-alone offering, up from 20% in 2021.”*
2. Enable hybrid work from anywhere.
To enable hybrid work from anywhere, coverage and performance are critical. It’s important to select a vendor that has a footprint that can match your global expansion plans and increase enterprise agility. Ensure that you work with a ZTNA provider that has data centers in all major geographic locations where your employees may be connecting. Your vendor selection should not solely be based on counting data centers but choosing one that has the full security stack available in every region—with full compute at the edge close to your users—with low-latency on-ramps combined with extensive peering for the best experience.
Work with a vendor who’s services are backed by Service Level Agreements (SLAs) that provide critical commitments around uptime/availability and performance, as tools for ensuring a superior end-to-end user and application experience. For example Netskope Digital Experience Management (DEM) provides critical monitoring of all user traffic with actionable insights into network and application performance, addressing web, cloud, SaaS, as well as private applications being accessed via ZTNA.
3. Protect data everywhere.
Your ZTNA solution should detect data usage, activities, and behavior anomalies (UEBA), enforce advanced DLP rules and policies, and apply adaptive access policy based on user risks.
ZTNA securely connects users to private applications and resources. Often these resources are the crown jewels of the organization, from engineering code to other forms of proprietary data such as trade secrets. Select a solution that provides multiple options for data protection to help your organization protect sensitive information. For example, a modern ZTNA solution should provide options to inspect traffic and apply DLP rules and policies to protect data. However, some organizations may prefer UEBA and user risk ratings to gain real-time context to minimize insider risks without decrypting traffic.
4. Easy-to-set policies.
In addition to having a single agent, with a truly integrated SSE platfo