The Evolution of Remote Access to Applications

Peter Newton, Sr. Director of Products and Solutions

Agenda

• What is Zero Trust?

• Where is ZTNA in the Fortinet Security Fabric?
• Why do customers care about ZTNA?
• What is ZTNA?
• How does ZTNA work?
• How is Fortinet ZTNA better than the competition?
• What do you need to deploy ZTNA?

© Fortinet Inc. All Rights Reserved. 2

Enterprise Access Trends

Single Continuous Verification Growth of Remote Work

Authentication of Identity & Risk

By 2024, 70% of application access will Workforce shifts from 4% teleworking to

use MFA, up from 10% today1 30% teleworking by end of 20212

BYOD IoT Transition to Dynamic Hybrid Cloud

On-prem On-prem Private Public

Data center Data center Cloud Cloud

By 2025, there will be 12B installed Since nearly every organization needs it,
IoT devices3 hybrid IT use-case requirements have become
more common among Gartner clients.4
1 Gartner Magic Quadrant for Access Management, 12 August 2019
2 Global Workplace Analytics
3 Gartner IoT Forecast
© Fortinet Inc. All Rights Reserved.
4 Gartner Magic Quadrant for Public Cloud Managed Services, 4 May 2020
3
Architectures Change

Remote SaaS

DMZ Remote HQ

Data
Campus
Center
Private
Branch
Cloud
Data
Center
Public
Cloud

© Fortinet Inc. All Rights Reserved. 4

Zero Trust Principles
For users and devices

• Verify
• Authenticate and verify– on an ongoing basis ü
• Give minimal access
• Segment the network to create small zones of control
• Control access to applications, data, resources
• Grant least privilege access based on need or role

• Assume Breach
• Plan as if attackers are inside and outside the network
• Forget the concept of a “trusted zone”, e.g., ‘in the office’

© Fortinet Inc. All Rights Reserved. 5

Fortinet ZTA, FMC and ZTNA in Context

Zero Trust Model Fortinet ZTA – Pillar

• Endpoint Access & Control
• Devices
• Device Access (NAC)
• People
• Identity Management
• Networks
• Workloads Fortinet ZTNA
User application access control
• Data
• New secure-remote access method replacing VPN
• Visibility & Analytics
• Automation & Orchestration
Fortinet Fabric Management Center
• FortiMonitor
• FortiAnalzyer, FortiSIEM
• FortiSOAR, FortiEDR
• FortiAI

© Fortinet Inc. All Rights Reserved. 6

 Fabric Management
Center

Fortinet NOC SOC

Security
Fabric
Adaptive Cloud
Security
Broad
visibility and protection of the entire
digital attack surface to better Zero Trust
Access
manage risk
FORTIOS
Integrated
solution that reduces management
complexity and shares threat
intelligence

Automated Security-Driven
Open
Ecosystem
Networking
self-healing networks with AI-driven FortiGuard Threat
security for fast and efficient Intelligence

operations

© Fortinet Inc. All Rights Reserved. 02012021 7

Zero Trust Access

Endpoints Multi-Cloud
Knowing and
Mobile Controlling
Campus
Data
Center Everyone and
Home
Everything on and
Factory
Call
Center off the Network
Ensures consistent security
Operational
Technologies
policy across the network, the
cloud, and off-network
Branch
Edge Compute

Partners
IoT
Customers

© Fortinet Inc. All Rights Reserved. 8

Zero Trust Access Shift

<2021 With 7.0

Zero Trust Access Zero Trust Access

Users & Device Access Users & Device Access

Identity & Access Zero

VPNTrust User
Tunnel Network Access Identity & Access Zero Trust Network Network Access
Management (IAM) Access (ZTNA) Control (NAC) Management (IAM) Access (ZTNA) Control (NAC)

User Authentication Remote Access

Application Access Device Access User Authentication Application Access Device Access

© Fortinet Inc. All Rights Reserved. 9

Evolution from Traditional VPN to ZTNA

VPN ZTNA
Cloud
Access Proxy
Client DCFW Client
Cloud

Data Center ON/OFF Network

OFF Network
Data Center

One Time Trust Check Continuous Trust Check

Access Entire Network Access Specific Applications

Generic Rule Set User Contextual Rule Set

© Fortinet Inc. All Rights Reserved. 10

ZTNA Business Drivers

Work From Ransomware

Cloud Journey
Anywhere (WFA) Attacks

Users Access Applications unaffected Granular Application

unaffected by by Location Access
Location

Improved User Flexible Reduced Attack

Experience Administration Surface

© Fortinet Inc. All Rights Reserved. 11

Supporting Work From Anywhere (WFA)
A better user experience

• Access from in or out of Office

Campus Branch

• Automatic secure tunnels to applications

• SSO Supported Traveling

• No need to know applications location

Home Coffee Shop

© Fortinet Inc. All Rights Reserved. 12

Supporting the Cloud Journey
Controlling access to hybrid cloud architecture

Data
Center

• Applications located anywhere

Private
Cloud
• Centrally managed across on-prem or remote
enforcement points

Public
• User groups enable bulk configuration Cloud

• Granular modifications available

© Fortinet Inc. All Rights Reserved. 13
Reducing the Attack Surface
Granular Control to Applications

• User Identity Authenticated per connection

• Strong Authentication (MFA) & Single Sign-on (SSO) Supported
• Device Identity verified per session
• Device Posture verified per session
• User access allowed only to necessary applications and data
• Applications hidden from Internet behind Access Proxy

© Fortinet Inc. All Rights Reserved. 14

ZTNA Flexible Architecture
Data Center
Public Private
Cloud Cloud
Wherever the application is

Access
Verified user identity and
Proxy device posture prior to access
FOS
Policy

Wherever the user is

Branch Remote
Campus
© Fortinet Inc. All Rights Reserved. 15
ZTNA Automatic Secure Connections

Data Center Public Private

Cloud Cloud

Leveraging Existing
Infrastructure

FortiClient EMS
Policy Continuous Reassessment
& Enforcement

Auto-on secure ZTNA tunnels

(HTTPS/SSH)

FortiClient FortiClient FortiClient

Campus Branch Remote
© Fortinet Inc. All Rights Reserved. 16
ZTNA Process

Data Center Public Private

Cloud Cloud

ZTNA Telemetry
Fabric Sync
Tunnel & Posture
Check

FortiClient EMS Access

Policy

FortiClient FortiClient FortiClient

Campus Branch Remote
© Fortinet Inc. All Rights Reserved. 17
Fortinet’s ZTNA
What’s it made of? Existing Fortinet Security Fabric Products

Core Elements

• FortiGate builds the secure tunnel, maintains user group/application

access table (FOS 7.0)
FortiGate

• FortiClient EMS configures the ZTNA agent in FortiClient for the secure
FortiClient / FortiClient EMS
connection back to the FortiGate (FortiClient 7.0)

• Authentication Solution

• FortiAuthenticator, FortiToken or any 3rd party supported by the Security Fabric

© Fortinet Inc. All Rights Reserved. 18

Fortinet ZTNA advantages
Complete coverage vs. other ZTNA solutions

• Leveraging existing investments in on-prem Firewalls

• Most ZTNA solutions are SASE-only options with expensive charges
for company-wide coverage
• Leverage SD-WAN, SD-Branch capabilities

• Improved Security (“Secure ZTNA”)

• Extend FortiGate protection to wherever you are
• Traffic traversing Industry-leading FortiGate technology

• No Licenses Required
• Simply a feature in FOS & FortiClient to turn on!

© Fortinet Inc. All Rights Reserved. 19

Evolution of VPN tunnels
Bringing Zero Trust principles to remote access

• Ongoing verification
• Per session user identity checks
• Per session device posture checks (OS version, A/V status,
vulnerability assessment)

• More granular control

• Access granted only to specific application
• No more broad VPN access to the network

• Easier user experience

• Auto-initiates secure tunnel when user accesses applications
• Same experience on and off-net
© Fortinet Inc. All Rights Reserved. 20