Who is selling Zero Trust Network Access (ZTNA) and what do you get?

Enterprise interest in Zero Trust Network Access (ZTNA) has soared over the past two years among organizations trying to enable secure anywhere, anytime, any device access to IT resources for employees, contractors and third parties.

Much of this interest has stemmed from organizations looking to replace VPNs as the primary remote access mechanism to their networks and data. But it is also being driven by organizations seeking to bolster security in an environment where enterprise data is scattered across on-premises and multi-cloud environments, and being accessed in more ways than ever before.

“There are two kinds of firms adopting Zero Trust,” says David Holmes, senior analyst at Forrester Research. “The work-from-home exodus of the pandemic overloaded many corporate VPNs, causing IT to reach for Zero Trust Network Access solutions primarily as a VPN replacement,” he says.

While ZTNA is primarily a security approach, half of the organizations that Forrester encountered adopted it for performance, citing the latency of their VPN technology “You could legitimately say that remote work was the killer app for Zero Trust over the last two years,” Holmes says.

The second kind of organization that Forrester has begun seeing more of recently are those taking a strategic approach to Zero Trust and using it to secure access to their network, applications, and data, he says. “Many federal agencies have a mandate from last year’s Biden Executive Order and we’re working with many of them to create roadmaps to increase their Zero Trust maturity,” he adds. 

What is Zero Trust Network Access?

Zero Trust is essentially a security approach where all access requests to enterprise applications and IT resources are authenticated and monitored on a continuous basis, regardless of whether the access is from inside the perimeter or outside.

The model assumes a default deny position for all access requests and is designed to ensure least privileged access to resources on an as-needed basis. While most organizations are currently applying Zero Trust to network access, the model can also be applied to protect data, applications, and the infrastructure via microsegmentation.

Gartner analyst John Watts says many organizations currently are implementing Zero Trust tactically as a VPN replacement approach. The primary use cases for these organizations are to enable secure access to internal apps for remote workers; to provide remote access for the extended workforce; and to provide secure access to users of privileged accounts. Some are also applying a Zero Trust model for on-premises access, he says.

Zero Trust technologies that support the first use case typically involve the use of an agent, an on-premises or cloud security gateway, and a secure connector between the enterprise and the gateway, Watts says. Technologies for extended workforce access are typically clientless and browser or portal based, while those for the other use cases can include both agent-based and agent-less approaches, he notes.