Share this
Why the ZTNA "Café Model" is Not Enough
by Taylor Colwell on Dec 16, 2022 10:21:04 AM
The modern workspace has seen some significant changes in the last few years in the wake of the coronavirus pandemic of 2020. Many companies have settled somewhere on the spectrum of the hybrid workforce, with employees spending part of their time working remotely and part of their time in the office. ZTNA solutions have become increasingly popular in the last few years as these hybrid workspaces have become more normal. ZTNA works incredibly well for securing cloud-based workloads and assets, allowing workers from anywhere to access the workloads that they need. This method of security focuses on user-managed devices, as each connected device is required to run an agent that allows access to corporate resources. This works for the remote workforce, and quite well, but how does this work for securing your campus or branch when users return to the office?
Well, it doesn't. There are several issues with what we have coined the "Café Model Approach." This name comes from the notion that employees would regard the office as they would a place like Starbucks. You come in to the office, fire up your ZTNA agent on your pc or laptop, and get to work with access to cloud-based and datacenter resources as if you were working from a café.
These are some of the issues that we are going to cover here that arise from this approach:
The Local Corporate Network is Unsecured by ZTNA
The primary issue that arises is that ZTNA does not enable microsegmentation on your local network. This means that any unmanaged devices that do not have the capability to run a software agent are left unprotected and present a security risk. Devices like printers, gaming consoles, security devices, and a host of IT and IoT technology can not be controlled and properly segmented.
Are you curious about how microsegmentation can enhance your network security? Our latest blog post, What is microsegmentation and how does it work?, delves into the details of this security technique and its role in today's interconnected and complex digital landscape. From the technologies and tools used to implement microsegmentation to the benefits it offers, this post covers everything you need to know about this important security strategy. Don't miss out on this opportunity to learn more about microsegmentation and how it can benefit your organization. Check out the blog post now!
Local Users Accessing Local Resources Through ZTNA is Inefficient
There is an interesting caveat here with how ZTNA solutions handle users accessing local resources. Similarly to how these providers secure cloud workloads, they can extend this capability to on-premise workloads as well. This gives users the ability to access local resources through their service, and they can even control access to specific devices through their solution using "User-to-Hostname" or "Source IP to Destination IP" mappings. However, there are several glaring issues with this approach when applied to the local network.
- This user-centric approach still does not address unmanaged device-to-device or device-to-application traffic. Endpoints are required to run an agent, and many user-less devices don't have this capacity. Unmanaged devices can be compromised and without limitations to lateral movement, can wreak havoc.
- Forcing local users to access local resources through a ZTNA solution creates unnecessary complexity, potential bottlenecks, and availability concerns. Traffic would be sent from the local user, through the cloud-hosted ZTNA service, back down to the local asset, and return traffic takes that same path.This is much less efficient than allowing users to access resources locally.
- Creating access policies for local resources requires thorough inventory and understanding of devices present on the local network, but ZTNA solutions don't provide the tools to discover and inventory these assets.
Lack of Visibility and Analytics on Corporate Network
Visibility and Analytics data are increasingly necessary for making informed decisions about network policy, and are a requirement for many compliance standards for both local and cloud workloads. While ZTNA solutions can provide this for traffic that routes through their service, they are limited on providing this telemetry for local networks.
The difference between Elisity and ZTNA
The primary difference between Elisity and your ZTNA solution can be answered by one question: What are we securing?
Where ZTNA solutions primarily secure access to your cloud-hosted assets, Elisity provides microsegmentation on your local network for any managed or unmanaged asset by discovering every user, device, and application connected to your corporate LAN. We glean identifying data about any assets, whether IT / OT / IoT / IoMT, and compile all this data like device class / type / model / vendor into asset inventories. You can then use these inventories to group assets into policy endpoints based on identity rather than network constructs to quickly and efficiently deploy granular, identity-based segmentation.
Elisity and ZTNA solutions secure different domains, and can therefore co-exist to enhance security posture both on-prem and in the cloud.
Reach out or request a demo at the top of the screen to learn more about how Elisity can bring microsegmentation to your network. Below is a short "demo before the demo" showing a preview of our solution in action.
Share this
- Blog (30)
- Cybersecurity (13)
- Zero Trust (12)
- Enterprise Security (10)
- Identity (5)
- Elisity (4)
- Enterprise Architecture Security (4)
- Network Security (4)
- Remote Access (4)
- microsegmentation (3)
- Black Hat (2)
- Identity and Access Management (2)
- blogs (2)
- Adaptive Trust (1)
- MITRE (1)
- News (1)
- Software Supply Chain Security (1)
- case study (1)
- cyber resilience (1)
- October 2024 (7)
- September 2024 (5)
- August 2024 (3)
- July 2024 (4)
- June 2024 (2)
- April 2024 (3)
- March 2024 (2)
- February 2024 (1)
- January 2024 (3)
- December 2023 (1)
- November 2023 (1)
- October 2023 (2)
- September 2023 (3)
- June 2023 (1)
- May 2023 (3)
- April 2023 (1)
- March 2023 (6)
- February 2023 (4)
- January 2023 (3)
- December 2022 (8)
- November 2022 (3)
- October 2022 (1)
- July 2022 (1)
- May 2022 (1)
- February 2022 (1)
- November 2021 (1)
- August 2021 (1)
- May 2021 (2)
- April 2021 (2)
- March 2021 (3)
- February 2021 (1)
- November 2020 (2)
- October 2020 (1)
- September 2020 (1)
- August 2020 (3)
No Comments Yet
Let us know what you think