casb Archives | Axis Security (https://www.axissecurity.com/tag/casb/)

6 Questions IT Leaders Are Asking About Zero Trust Network Access (ZTNA)
https://www.axissecurity.com/6questions-itleadersaskabout-zerotrustnetworkaccessztna/
Tue, 21 Dec 2021
Given the need to support hybrid work, Gartner heavily recommends that IT leaders consider a Security Service Edge (SSE) platform for the practical implementation of a zero trust strategy. An SSE platform largely incorporates these main technologies into a single offering: ZTNA, SWG, and CASB.

Gartner recommends that SSE implementation should begin by prioritizing high areas of risk by replacing remote access VPN with a modern ZTNA solution. In fact, Gartner predicts that by 2023, 60% of enterprises will phase out VPN technologies in favor of ZTNA.

Gartner says that “Remote working and digital business enablement is driving the adoption of security service edge (SSE) technologies to reduce complexity and enhance security for access to the web, cloud services and private applications.”

Gartner, Hype Cycle for Cloud Security 2021

This would explain the large number of inquiries about ZTNA. In a recent session, “Why Hybrid Work Killed VPN”, security and networking leaders shared the burning questions they had about ZTNA technology. Below are six of the questions that came up:

Security

Q: What happens if the ZTNA provider is compromised? Is my organization still secure?

A: Every ZTNA provider architects their product differently. There are two main “forms” of ZTNA: self-hosted and as-a-service. Self-hosted is very similar to an appliance: all deployment, management, and upgrades are the responsibility of the customer. This type of architecture is often less desirable, as any compromise of the ZTNA product falls on the customer. ZTNA as-a-service is the recommended architecture, as it simplifies the deployment of zero trust for IT, while security reliability and compromise protection are upheld by the contractual obligations of the ZTNA provider. Further, ZTNA providers will often have fail-over measures to ensure that customer traffic is never routed through a compromised ZTNA node.

Axis’ as-a-service ZTNA offering consists of 350 Global PoPs hosted on the world’s most reliable cloud to prevent this very issue. Axis’ unique architecture has baked in cyberthreat protection as well as stringent contractual obligations and policies, and compliance/controls to prevent breaches.

Q: Does ZTNA technology support cloud hybrid IT environments compared to VPN and is it more secure?

A: Any good ZTNA technology should absolutely support hybrid IT environments (including on-premises, data center, AWS, Azure, etc.). Axis’ support of all IT environments is provisioned through the deployment of lightweight Connectors that front-end the application a user is attempting to access.

The connector only responds to authorized users, never bringing users directly onto the network, but rather bringing access to an authorized application down to a user.

Unlike VPNs, connectors provide access on the application layer, automatically brokering authorized users with access to authorized applications hosted in any environment. Axis supports more than just private applications; access to SaaS apps also provides heightened security with advanced threat protection as well as advanced control and visibility for IT.

Q: Is Axis considered a ZTNA, or is it just supplementary to ZTNA?

A: Yes, Axis offers a full ZTNA service; however, ZTNA is just one element of our holistic security service edge (SSE) platform. Axis has multiple differentiators that distinguish our ZTNA service from other options, such as having the greatest number of cloud PoP locations globally, agentless capabilities (web, RDP, SSH, Git, etc.), and inspection of private application and SaaS traffic (even for access to VOIP and ICMP). This also makes Axis ZTNA the ONLY full VPN replacement on the market – Learn more here.

Management

Q: ZTNA provides agentless access options but what do you do if you already have a client on the device, is it best to remove them?

A: When it comes to endpoint requirements, that’s where it can get a little tricky. Many ZTNA solutions either require the deployment of a client or have limited clientless support, which restricts flexibility for IT.

Axis provides the most extensive agentless access functionality with support of VOIP and RDP with just a browser. This also means that employees or third parties never have to download or remove an existing client if they don’t want to or if they are unable to.

Q: Since ZTNA implementation enables the business to operate on a least-privileged basis, doesn’t that drastically increase IT workloads and management?

A: No, it does not! That isn’t to say there is no ramp-up period for a ZTNA deployment, but by enabling ZTNA least-privileged access correctly you gain a greater ability to scale your business while minimizing IT maintenance and upkeep. Implementation of zero trust and least-privileged policies works in a few steps:

  • Step 1: Stop users from accessing the corporate network – Only enable application access, not network access. Unlike with VPNs, the network and business applications are cloaked by the Axis ZTNA service, which masks the application from potential Internet threats. Not only will IT effectively keep users off the corporate network, it can also make all business applications invisible to unauthorized users – while still allowing application access to authorized ones.
  • Step 2: Discover accessed applications – Axis makes this easy through automatic application discovery. Once a user attempts to access an application, the app is identified and known to IT admins. At this point IT can apply granular policy on who can access it based on identity, function, device, device posture, etc. IT admins can also group users or applications together to make higher-level policies (ex: the Finance team cannot access applications for the Engineering team).
  • Step 3: Continued refinement with automatic recommendation of least-privileged policy – Axis has AI/ML “learning” capabilities that identify what users are accessing and start recommending least-privileged policies that can be implemented. Additionally, with SCIM integration, access can automatically be cut off if employee/contract status changes. These always-on functions aid IT and minimize the manual workload and management taken on.
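As an added illustration of the three steps above (a toy model written for this page, not Axis code and not a description of how the Axis service is built; user names, app names and decision strings are invented), this sketch brokers per-application requests with default deny, records newly seen apps, recommends rules from observed usage, and revokes access when the identity-provider status flips:

```python
# Added toy model of the three-step least-privilege rollout described above:
# default-deny per-application access (step 1), discovery on first attempt
# (step 2), usage-based rule recommendation and SCIM-style deprovisioning
# (step 3). Names and decision strings are invented for illustration.
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    group: str                      # e.g. "finance", "engineering"
    active: bool = True             # identity-provider (SCIM) status
    device_compliant: bool = True   # result of the device posture check


@dataclass
class Broker:
    discovered: dict = field(default_factory=dict)  # app -> owning group
    rules: set = field(default_factory=set)         # allowed (group, app)
    log: list = field(default_factory=list)         # (user, group, app, decision)

    def request(self, user: User, app: str) -> str:
        """Broker one application request; the user never reaches the network."""
        if not user.active:
            decision = "deny:deprovisioned"   # status change cuts access
        elif not user.device_compliant:
            decision = "deny:posture"
        elif app not in self.discovered:
            self.discovered[app] = None       # step 2: app is now known to IT
            decision = "deny:unclassified"
        elif (user.group, app) not in self.rules:
            decision = "deny:no-policy"       # step 1: default deny
        else:
            decision = "allow"
        self.log.append((user.name, user.group, app, decision))
        return decision

    def classify(self, app: str, owner_group: str) -> None:
        """Admin assigns a discovered app to the team that owns it."""
        self.discovered[app] = owner_group

    def recommend(self) -> set:
        """Step 3: propose (group, app) rules where a group's own app was
        requested and no rule exists yet, i.e. learned from observed usage."""
        return {(g, a) for (_, g, a, d) in self.log
                if d == "deny:no-policy" and self.discovered.get(a) == g
                and (g, a) not in self.rules}


def walkthrough() -> list:
    """Run the rollout end to end and return the sequence of decisions."""
    b = Broker()
    alice, bob = User("alice", "finance"), User("bob", "engineering")
    out = [b.request(alice, "ledger")]        # discovered, not yet classified
    b.classify("ledger", "finance")
    out.append(b.request(alice, "ledger"))    # still denied: no rule yet
    b.rules |= b.recommend()                  # accept the learned rule
    out.append(b.request(alice, "ledger"))    # allow
    out.append(b.request(bob, "ledger"))      # other team stays denied
    alice.active = False                      # SCIM: contract ended
    out.append(b.request(alice, "ledger"))    # access revoked
    return out


if __name__ == "__main__":
    print(walkthrough())
```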

Reporting

Q: Does ZTNA provide granular reporting / experience monitoring?

A: While we cannot speak for all ZTNA solutions, the majority have some form of granular reporting; however, only some ZTNA / SSE platforms have digital experience monitoring.

Axis provides granular application-layer visibility in the admin UI and can stream all data to a customer’s SIEM of choice. Admins get real-time application and user experience insights, with granular visibility into what is being accessed and how well the experience performs. IT admins can even record RDP sessions for later viewing. Best of all, unlike other SSE platforms, Axis enables management across a single pane of glass instead of two, three, even four different dashboards or clouds.

At Axis, digital experience monitoring is a top priority. Since users are now anywhere, ensuring the best user experience from everywhere is critical. Having the visibility to identify and pinpoint user experience pain points can ultimately be the driver of business productivity or the straw that breaks it.

Have some burning questions of your own?

For any questions about zero trust, security service edge (SSE), or zero trust network access (ZTNA) reach out to our team of experts. They’ll help provide industry-level guidance as your business looks to embrace hybrid work.

Want to learn more about VPN replacement? See if you qualify for our VPN Buyback program.

Secure Access Challenges for the Modern Enterprise
https://www.axissecurity.com/secure-access-challenges-for-the-modern-enterprise/
Thu, 10 Dec 2020
Today’s modern world needs modern solutions to keep up with the pace of change. More than ever before, this year has made it a priority for enterprises to evolve to meet the needs of remote workers, contractors, and 3rd party partners needing to connect to the apps and resources required to get work done. Enterprises were already going through a massive digital transformation when the pandemic shutdowns sent everyone to work remotely. This is the year when the old VPN couldn’t keep up with demand, VDI traffic spiked to never-before-seen levels, and thousands of new remote desktops became the frontier for a rush of new security exploits.

The Problem

Modern Requirements

Organizations need a better way to securely connect users to apps and resources. This is no small task for an enterprise that often has more than 250 different company sanctioned applications in regular use. It is common for a modern enterprise to need secure user access for resources across on-premises data centers, private cloud, and public cloud including access for:

  • Email, messaging, file transfer, web apps
  • Thick client apps
  • VOIP, video, peer-to-peer apps
  • Remote desktops
  • Databases
  • Admin logins
  • Developer resources
  • Public SaaS & IaaS

A typical enterprise also has to provide secure access to different types of users and a range of devices, including:

  • Employees with company laptops
  • Employees working from their own devices (BYOD)
  • Supply chain vendors and partners with 3rd party owned devices
  • Contractors and consultants who may or may not have company issued devices
  • Employees of acquired companies and subsidiaries
  • Temporary users with their own devices
  • Development teams
  • Privileged users and administrators

With so many different types of applications, devices, and users that need secure access, organizations are hard pressed to find a simple way to solve for all their use cases. And remember, they still need to secure the enterprise against attacks. As a result, many companies have resorted to using multiple solutions, ending up with a complicated and fractured approach spread across multiple teams — IT Security, Networking, Infrastructure, Identity, and Cloud.

Old Methods

The VPN

The VPN is the most common default method for granting secure access to applications and resources. This is too bad. It is decades old technology. No one likes the VPN. Let me count the ways:

  1. Users find it inconvenient to navigate and it is especially bad for organizations with lots of acquisitions as you can only be on one VPN at a time.
  2. VPNs are expensive to scale and complicated to deploy, a problem many companies dealt with this year when their VPNs overloaded with a suddenly all-remote workforce.
  3. VPNs are very inefficient for cloud. No one likes the idea of tunneling remote traffic back to the enterprise network and then back out to the cloud. The alternative is to use split tunneling which is problematic for security.
  4. And speaking of security, VPNs overall are fundamentally not secure enough since they tunnel users directly into the open internal network of the company where a malicious or compromised user can wreak havoc on vulnerable applications and gain access to precious data.
  5. VPNs also require agents on the endpoint, except sometimes for web apps, but not every use case is a web app — making it very hard to solve for BYOD and 3rd party owned devices.

What about VDI?

Virtual Desktop Infrastructure is one of the work-arounds for secure access use cases that can’t be solved with a VPN. Specifically all those use cases with users on unmanaged devices who need to access resources and applications that are not web apps. Secure access is not the only reason to use VDI but it is increasingly common for organizations to turn to VDI for what should be a simple remote access requirement.

VDI is problematic, too. Let me count the ways:

  1. Users don’t love it because it can tax their productivity with painful, painful latency. The lag time for the user trying to accomplish something on a virtual desktop can be maddening.
  2. VDI is expensive and complicated. In addition to the virtual desktop infrastructure with servers, storage, etc., VDI still requires a network gateway to enable remote users to access the virtual desktop where the applications and resources are located. So you have to buy and manage infrastructure and network gateways.
  3. And that virtual desktop, where the user ends up, is inside the perimeter sitting in the data center or in the corporate cloud. Also you may not be able to protect those virtual desktops with EDR because auto updates can cause the whole virtualized system to seize up and non-persistent virtual environments may not be around long enough for EDR to work at all. Once again you have a security issue with users getting very close to critical and potentially vulnerable assets.

And then there’s CASB, Web Gateways, and Public Cloud

Neither VPNs nor VDI are friendly solutions for public cloud. So, many organizations add even more secure access solutions into the mix. They turn to inline Cloud Access Security Broker (CASB) or Secure Web Gateway (SWG) capabilities to control and monitor use of public cloud and web apps. They may also try to use native capabilities in individual cloud apps and services. This adds even more complexity to the secure access mix because these solutions are only for public web and cloud apps and services. They come with their own policies, management, visibility and integrations.

It’s all too much

It is madness that the one simple business requirement for remote secure access has become such a quagmire of complexity and cost. VPNs, network gateways, VDI, CASB, Secure Web Gateway, IaaS, and SaaS are often managed by different people or even completely separate departments. Each system has its own policies, visibility, integrations, and deployments.

The Solution

There’s no denying that organizations need a solution that is cloud friendly but also good for both cloud and on-prem applications, and can also cover users no matter where they are working from. A solution that is agentless most of the time (not just for web apps) makes it much easier to deliver secure access to users on devices not managed by the company. A solution that supports secure access for the full range of applications and use cases. This includes users with thick client apps or using peer-to-peer apps, VOIP, and video. And this solution needs to meet modern security standards so it should be a zero trust approach to protect vulnerable corporate resources.

This may sound too good to be true, but it shouldn’t be.

One Secure Access Solution for All

What if there was a solution that supported all these enterprise use cases with the myriad of different applications, users, and devices? What if you could deliver secure access with a single fast-to-deploy cloud service that is agentless first and doesn’t require you change your network? What if you had one central place for policies; consistent visibility across all users and apps; one place for integrations with your identity, endpoint, SIEM, and other security systems; and one solution that easily scales as your access needs change?

Such a solution now exists. With Axis Security Application Access Cloud’s recent expansion of capabilities, organizations have a solution that scales with them as they grow, providing more agentless options and supporting more apps and use cases than any other secure access solution. With Application Access Cloud, all of the secure access use cases that once required the complexity of multiple solutions can be handled by one fast-to-deploy, easy-to-use, zero trust solution. For more information on what Application Access Cloud can now do for you, check out our December 8th announcement.

Complementary to CASB: Private App Access
https://www.axissecurity.com/complementary-to-casb-private-app-access/
Mon, 22 Jun 2020
As we said in our last blog post, applications are the beating heart of most businesses, so it’s important that they are protected against attacks from bad actors. Businesses use both public applications, like Salesforce, and private, internally-hosted applications to perform their day-to-day functions, and they have separate security needs and access requirements. For private apps, businesses can rely on Zero Trust Application Access solutions, but enterprises often rely on a Cloud Access Security Broker (CASB) to access SaaS applications.

In this blog, we’ll be going over what CASBs are, how they function, and where you can turn when you need to expand beyond a CASB’s functionality – to protect your private applications.

What is CASB?

A CASB is an on-premises or cloud-based solution that provides security for internet-facing, public SaaS applications. It is designed to sit between the service user and the public applications they are trying to access in order to enforce security and compliance policies.

CASBs help enterprises extend the security controls of their on-premises infrastructure to the cloud and monitor and provide deeper visibility into cloud and SaaS usage. This enables, for example, end-users to access the resources they need while also ensuring that they can’t see any information they aren’t authorized to.

Over the last decade, businesses have been increasingly employing CASB products to address their cloud service risks, enforce security policies, and comply with regulations. But, can CASB solutions protect the private, homegrown applications that your enterprise relies on?

The Four Pillars of CASBs

Before exploring what a CASB can do for your private applications, let’s dive into the main pillars CASBs use to deliver their functionality.

Visibility

In order to have a full picture of who is using their SaaS applications, businesses need visibility into user activity, but because users can connect directly to these applications over the Internet, enterprises lose critical management, visibility, and policy controls. CASBs fill this management gap by providing not only audit-level logging but also alerts and reports that turn individual insights into actionable security intelligence. Armed with this knowledge, enterprises can fully understand their cloud spend, find redundancies in licenses, and discover all the cloud services in use by everyone inside and outside of their networks.

Compliance

Compliance is a large concern in many industries, but most SaaS vendors don’t offer the needed data protection and visibility tools that enable enterprises to stay compliant with regulatory mandates. A CASB can help safeguard a business against costly data breaches by maintaining compliance regulations set by a specific industry. CASBs are able to encrypt sensitive data to protect it against any malicious attacks. Additionally, CASBs can enforce data leakage prevention policies that are built to control access to sensitive data.

Data Security

CASBs are designed to monitor access to data and vary the level of access users have to public applications to ensure they are protected. They have the ability to enforce data-centric security policies that prevent unwanted activity from users. These policies are applied through a set of controls, such as alerts, encrypted data, audits and blocks.

Threat Protection

The last pillar that defines CASBs is threat protection. CASBs provide protection against threats that cloud application products aren’t equipped to handle, such as user behavior, in real-time. Malicious activity can come from anywhere, so CASBs are built to prevent unwanted devices, users, and other suspicious entities from accessing a business’s public applications.

A CASB is a great tool for gatekeeping public SaaS applications, but what about your private applications?

Is Axis Security a CASB vendor?

While there is some functional overlap, Axis Security is not a CASB vendor. Axis Security extends zero-trust security principles to private, homegrown applications that were built to be internally-facing. CASB technology doesn’t have the functionality to extend to private applications, so, in order to help protect their full suite of applications, businesses turn to legacy solutions like a VPN. As we’ve discussed in previous articles, VPNs move businesses away from Zero Trust and security by aggravating network and application security flaws.

Private applications can be much more vulnerable than public applications because public apps are built to be more defensive in case of malicious attacks. So, on top of the four pillars of CASBs, private application access brokers, like Axis Security’s App Access Cloud, are built with the additional pillars of access and application security.
