adaptive trust Archives | Axis Security (https://www.axissecurity.com/tag/adaptive-trust/)

ZTNA, It’s Not Just a Remote Access Thing Anymore…
https://www.axissecurity.com/ztna-its-not-just-a-remote-access-thing-anymore/
Mon, 25 Jul 2022 11:05:00 +0000

Over the past 28 months, two significant events happened which will change the way we build our IT networks. First, obviously, the pandemic. March 2020 caused the workers of the world to move their office cubes to their basements, bedrooms or even the family kitchen table. Remote work became essential for the economy to function. To facilitate access, we saw mass adoption of Zero Trust Network Access (ZTNA) technologies, which do not require heritage solutions like IPsec VPNs. This greatly improved network security, as the connection was now made directly between the end user device and the application, rather than to an entire corporate network, which had opened the enterprise to cyber threats like ransomware.

Secondly, there was the executive order US President Joe Biden signed on May 21st 2021. With the stroke of a pen, the Office of Management and Budget mandated that federal agencies adopt a ZTNA strategy by the end of fiscal year 2024. The impact of this order will cascade from government institutions and roll across to the general public as well. Section 3 of the order specifically calls on organizations which supply the Federal Government “to modernize [their] approach to cybersecurity” by accelerating the move to secure cloud services and implementing a Zero Trust architecture.

These are seminal events. Together they will lead to a series of changes over the next 5 years in how IT departments build, operate and secure their LANs, WANs and remote access networks, as well as their data center networks. How?

ZTNA Anywhere

One area the SSE Forum, of which I am a co-host, recently discussed was campus networks. Based on a research article by Gartner Analyst Andrew Lerner, the SSE Forum debated how Zero Trust and remote work can also change the way we build campus and branch networks. My co-host, Jaye Tillson, and I recently sat down and did a LinkedIn Live event on this topic. Together we covered the seven items below:

1. The evolution of the campus networks

2. Technologies created to secure networks

3. Zero Trust and networking 

4. The operational burden of supporting a technology for remote work and a technology for securing the campus network

5. Challenges with returning the workforce to the campus LAN after 28 months

6. How to align your remote work solution with the campus LAN

7. The future of the WAN and Zero Trust

You can watch the recorded event here.

In summary, zero trust will transform how enterprises build networks over the next five years. Zero Trust will become an essential component for the LAN, the WAN and the Data Center. Trust must be removed from the side of the firewall which says “Trusted”. Doing so will require network engineers to transform the way they architect, design, build and operate their technologies. It is a time of great opportunity. So, if you are a network engineer, get excited. This will be your golden hour, your heyday!

Want to learn more about ZTNA? Download the Definitive Guide to ZTNA Adoption to get in-depth guidance on how you can move forward with a Modern Day ZTNA solution.

10 things to ask the ZTNA vendor on your next discovery call that you probably never knew to ask
https://www.axissecurity.com/10-things-to-ask-the-ztna-vendor-on-your-next-discovery-call-that-you-probably-never-knew-to-ask/
Thu, 14 Jul 2022 16:52:46 +0000

The term “ZTNA,” zero trust network access, has been around for years – first bursting onto the scene in 2017 when Gartner dropped the term in their ZTNA Market Guide. This solution quickly became the starting point for most zero trust projects in the industry since it helped solve a relatively simple, but critical problem – finding more secure ways of providing remote access to internal applications. Unlike VPNs, the promise of ZTNA was to minimize the exposure of apps, keep remote users off the corporate network, and provide application-level segmentation instead of traditional network segmentation.

Since 2017 the total number of vendors offering ZTNA has blossomed from around 10 to now over 40. I was speaking with Gartner about this just earlier this week. It’s clear that the value of ZTNA is immense, but how do IT leaders suss out the vendors and shortlist the 2-3 they will ultimately bake off in a POC?

Throughout my career at Zscaler, where we designed the world’s first ZTNA service, and now at Axis, where we offer a world class second generation ZTNA service, I have met with over 550 enterprises, most of which were Fortune 2000 organizations like Brinks, National Oilwell & Varco, Manpowergroup, Unilever, BBC etc. – and all looking to adopt ZTNA. I’ve been in the unique position to hear from CxOs, architects, and IT admins from every one of them and have learned a ton from working with them across the various stages of their journey. Now I want to help anyone embarking on a ZTNA journey, or who may have selected a ZTNA 1.0 solution and is now left longing for a bit more functionality, understand what to look for.

Modern Day ZTNA solutions are game changers, but are still relatively new. So, here are ten things to ask the ZTNA vendor on your next discovery call that almost every IT leader doesn’t know they should ask, and why they matter.

1. Is the ZTNA service part of a larger Security Service Edge (SSE) platform that you offer?

  • Here’s why: Some ZTNA vendors only offer ZTNA, and have no solution for external traffic proxying or digital experience monitoring. Some have ZTNA, but the service is separate from the SWG, CASB and Digital Experience solution they offer. And even fewer offer a full Security Service Edge solution with all key SSE components built into a simple UI, and with a single governing policy across all of them. Decide which works best for your needs.

2. Is the service delivered as a service, or is it hosted on-premises?

  • Here’s why: Most organizations I’ve worked with prefer the as-a-service model because it offloads the management of the ZTNA service to the vendor rather than to their own, often understaffed, team. ZTNA services that are fully hosted on-prem can feel similar to managing a firewall appliance and will lack the footprint most large enterprises need for scale.

3. Do you support all private applications – even the legacy ones like VOIP, ICMP and IBM AS400 apps?

  • Here’s why: Sadly, one of the biggest realizations companies have after deploying a ZTNA solution is that, if the vendor does not support common legacy protocols, they will need to keep their VPN or VDI service around. While these apps may be the minority (especially given the emergence of apps like Zoom), almost every single large company I have worked with has apps using these protocols running in their environment (compliance software on end user devices, call centers etc.). Some retail companies have AS400 apps where they are using mobile computers to scan inventory items. Make sure the ZTNA service can support them if you have them!

4. What does the policy setup look like?

  • Here’s why: Complexity is the killer when it comes to policy. Look for automation and ways to flatten the policy framework. Don’t get marooned on “Wildcard Mode Island”, where you leave the ZTNA solution in discovery mode and discover apps, but have no way to actually build and adopt least-privilege policies. Remember, that’s one of the biggest promises of ZTNA: more granular segmentation. ZTNA vendors with user group pairing, APIs, policy tags, and application tag features can help dramatically simplify policy setup. If you are looking for a full SSE platform, select the ZTNA vendor that allows you to set ZTNA, SWG and CASB policies all within a single policy rule (yes, this exists).

5. How many edge locations does the service have, and are they hosted in a datacenter, public cloud, or multi-cloud backbone?

  • Here’s why: Minimizing latency is critical to delivering a strong end user experience. The more points of presence, the better. But there are some important caveats. Make sure that each point of presence can handle both private and external traffic; this is not the case for all SSE platforms. Also, there are advantages to platforms that have multi-cloud PoPs: they can select from providers like AWS, Google, Oracle etc., use latency data to determine the optimal path for user traffic, and select it automatically. This will also protect you from unplanned downtime or outages. Pro Tip: A bonus question to ask the vendor is whether they plan to offer both public edges and private service edges. There could be compliance standards that do not allow fully cloud-based security, users in China where on-premises deployments are ideal, or latency reduction needs for particularly sensitive applications (media applications at BBC for example).

6. Do you have the ability to inspect private traffic should I need it? For example: logins, commands used, files downloaded, logouts.

  • Here’s why: Visibility into exactly what an employee or third-party is accessing is incredibly important for risk avoidance, data leakage prevention, and auditing for compliance. Make sure the ZTNA vendor can inspect all internal traffic (and also gives you the option to turn it off) for all apps (not just web applications). If they don’t have inspection, ask them why not.

7. Is continuous monitoring, automatic session termination, and SCIM 2.0 supported?

  • Here’s why: The more you automate, the more you will celebrate. Continuous monitoring will ensure that policies automatically adapt based on changes in context. This could be a user connecting from a country you have blocked, a user changing user groups, or a user who is no longer part of the organization at all. Reducing to zero the delay between the service’s recognition of the change and the actual policy change is critical for zero trust. Automating this also removes any human error. So for those contractors working 3-month projects, or disgruntled employees, access is automatically revoked once the project is over and they’ve left the org.

8. What’s your cybersecurity mesh positioning?

  • Here’s why: There are no god platforms that are best in class for IDP, endpoint security, policy enforcement etc., all in one. Run if someone says they are. Integrations are critical, and cloud services offer the ability to integrate incredibly easily. Ask them who they can integrate with, and which services they provide themselves. For example, do they offer their own identity service (this can have massive cost savings implications, since you would not have to pay for 3rd party licenses) or integrate with vendors? Likewise, do they provide some device posture management themselves, or do they rely fully on CrowdStrike, SentinelOne or another endpoint security service (some ZTNA vendors are much more robust here than others)? Understanding the answers to these questions will help you make the most out of any prior investments you may have made in identity and endpoint security. Master the mesh.

9. Do you offer an Application Connector component?

  • Here’s why: In order to mask a private service from the Internet there needs to be a layer of obfuscation. The Application Connector acts as an invisibility cloak for the private application. The connector can’t be port scanned or DDoSed and only speaks with the ZTNA service. Connectors provide vital capabilities like performing the backend DNS connection with the service and load balancing across the environment. Most ZTNA services have connectors, but what you need to ensure is that they have adequate connector telemetry data so you can track memory, disk utilization, and uptime. Make sure there are automated alerts so you know when it’s time to deploy more connectors! Connector management can be a massive headache without this telemetry. Also, the connectors should always be deployed in pairs and should be freely given to the customer. They don’t really cost the vendor anything, so never pay for additional connector pairs.

10. What does the end user experience feel like?

  • Here’s why: It doesn’t matter how great the ZTNA service is: if the users complain, it’s dead on arrival. Make sure to ask the vendor if they support both agent-based (typically for employees with managed devices) and agentless (typically BYOD and third-parties) connectivity flows. You will need this flexibility, especially if you have third parties (for example, healthcare workers are not always hospital employees and won’t want to deploy an agent on their device just to update their timesheet at the end of the week). There are also pesky use cases like captive portals when employees are working from hotels or airports. Business travel is resuming again, so this is key. Ask the vendor if they can automatically recognize captive portals as part of the service. Lastly, ask if they offer a user portal where all apps that a user is authorized to access can be displayed. If that portal has a bookmark link to add to your IDP vendor, or the user’s browser, that’s even better. And when the user is connecting via agent or agentless, if there are different policies set for each status, the portal should auto-adapt as the agent is toggled on and off.

So there you go. Now you’re equipped for the next time you speak with a ZTNA vendor, even if you are already a customer of that vendor. I hope this was helpful as you look to explore ZTNA for your zero trust project. I’m always open to chat if you would like. I’m also happy to connect you with Jaye Tillson, who has had hands-on experience deploying a ZTNA 1.0 service at TT Electronics.

Want to learn more? Download the Definitive Guide to ZTNA Adoption to get in-depth guidance on how you can move forward with a Modern Day ZTNA solution.

Digital Experience Monitoring In the Age of Distributed Work
https://www.axissecurity.com/digital-experience-monitoring-in-the-age-of-distributed-work/
Wed, 22 Jun 2022 15:01:34 +0000

“Why is Exchange so slow? I’ve checked everything in the O365 administration portal. The MTAs, the DB and the service are green. It must be networking! Can you check the network? I am sending the ticket to you!”

The company I worked at previously was an early customer of Exchange in O365, and the company ran on email. Every message, file, PowerPoint and design document was sent via email. If email was not working, the company ground to a halt.

Moving a vital service from the private data center to the Cloud, at that time, was new. While the business benefited from no longer needing to manage servers, patching and support, the challenge became how to measure performance. When a service was in the private data center, you had control of almost every aspect of the service. You had access to every layer of the service: hardware, virtualization, storage, OS, application and network. All could be instrumented, tuned and, if needed, adjusted. And because network challenges were mostly limited to the data center, the issue of latency did not often enter the picture.

Moving to the Cloud flipped the script from a monitoring perspective. The old monitoring tools no longer worked. Instead, you had to leverage the vendor’s portal, and your view into the service was limited. You had to trust that the provider provisioned their hardware properly, that they tuned their systems to meet demand, and that the service was patched. Most of all, since the service was no longer in your private, controlled data center, latency now entered the picture front and center.

After a few rounds with the Exchange engineers, my network team determined we needed a self-service tool to simply measure network and application performance and provide this critical telemetry to our Operations team as well as the Exchange team. It was an early version of what we today call Digital Experience Monitoring.

Where is the Problem?

If you are not familiar with Digital Experience Monitoring (DEM), put simply, it is a tool to measure the performance of the application user/device, the network path and the application. The concept is to gain a view into how the device/user to application interaction is performing. As performance can be degraded by a number of issues (high CPU on a device, a bad software patch, poor Wi-Fi, poor Internet performance or an over-utilized application front end load balancer, to name a few), finding the needle in the technology haystack is a difficult challenge for the modern enterprise. This became even more apparent over the last 24 months with the rise of the distributed workforce. Now both applications and the workforce live outside the walls of the modern enterprise company. Thus, having a tool to measure digital experience is no longer a want or desire. It is a requirement!

Bringing Harmony to Networks, Applications and the Modern Workforce

Axis, as part of our Atmos 2022 Summer Release, is excited to announce the Atmos Experience Solution. The service ensures that the IT Helpdesk remains in tune with end user device issues, like spikes in CPU use, network outages and application challenges. The solution is built on three pillars to enable you to successfully understand how your devices, networks and applications are performing while leveraging our award-winning Security Service Edge (SSE) platform.

3 Pillars of Atmos Digital Experience

Simple – The Atmos Experience solution was built on the principle of simplicity with an eye towards the “shift left” movement for IT Operations. For far too long, tooling to measure and monitor applications has been complex, hard to understand and targeted at the engineering teams. Axis understands this and developed a tool which is focused on the critical elements without attempting to “boil the ocean”. The design intent is to quickly detect the problem, alert the end user, arm them with the relevant information (e.g. your Wi-Fi is slow) or quickly escalate to the first level of support for resolution. Doing so reduces the burden on an already taxed IT staff and promotes self-service, as the modern workforce has become more adept at solving IT issues due to the consumerization of technology.

Solid – Rather than acquiring a solution or building yet another product, Axis is leveraging its Zero Trust foundation to bring the Atmos Experience platform to market. Founded in 2019, Axis’s ZTNA platform utilizes modern componentry: containers, elastic databases, CI/CD pipelines, service proxies, service buses and distributed storage, to name a few. The result is that the platform can run on a number of the major Cloud providers, such as AWS, Google Cloud and Oracle Cloud. The end result is that development is fast and the innovation cycle is quick. While Atmos Experience will focus on users/devices and applications first, adding additional features will be simple and driven by customer feedback. That’s right, we are building the product based on feedback directly from our customers. These are the teams who use the product daily in the field and who are tackling the challenges of distributed applications and now, the distributed workforce!

Scalable – Built for the future. The Atmos Experience solution is available across each one of the Atmos platform’s 350 PoPs. At the backend, the solution is pulling from a data lake which includes not only network telemetry but also insights from the Atmos agent and security data. Over the long term, this will allow queries into the state of your network, devices and applications. As an example, an Operations team member will be able to proactively probe the data lake to understand trends which could impact the workforce. For instance, what if, after conducting a review of recent tickets, the team sees a rise in tickets involving application performance which is caused by neither the network nor the application, and instead the devices are suspected? What if the operations team had the ability to ask the data lake about the devices and it returned a result that 100% of the tickets involved older laptops with minimum levels of memory? That would be valuable! This moves the Operations team from a reactive to a proactive stance. Helping the modern enterprise to move faster, at a lower cost, and support the demands of the modern workforce is what Axis Atmos is all about.

If you want to hear more about how to bring harmony to your enterprise, reach out to the team at Axis. We’d be honored to work with you and help you eliminate the complexity at the intersection of networking and security!
