Zero-Trust Network Access Q&A

Valuable Perspectives from Forrester Senior Analyst David Holmes

ZTNA is a fairly new technology that has generated a bit of confusion. Guest speaker David Holmes, Senior Analyst at Forrester, tackled
this very topic on a live webinar. In this deep-dive follow-up Q&A, David gives additional guidance on the ins and outs of ZTNA.

1. What is ZTNA? How is it different from zero trust?
Zero trust is a model of information security that reduces
implicit trust throughout an organization. Zero-trust
network access (ZTNA) is a specific application of the
larger model. Zero trust has three core prinicples: 1) that
all entities are untrusted, 2) least-privilege access must
be enforced, and 3) comprehensive monitoring must be
put in place. ZTNA is a specific technology that applies
these core principles to provide access to applications
and networks based on the user’s identity, device security
posture, and other attributes.
2. Do I need ZTNA? What is wrong with VPN?
Organizations can use ZTNA to improve their security
posture over legacy virtual private networking (VPN)
access, which nearly always allows too much access.
Attackers who gain access to an enterprise network
through compromised credentials typically have full access
to network all resources. With ZTNA, an attacker using
compromised credentials would only have access to those
resources that the original user had access to.
ZTNA found fast adoption during the pandemic, as VPN
infrastructure became overloaded with millions and
millions of users when everyone was sent home.
3. What is Universal ZTNA vs. “regular” ZTNA?
While ZTNA found fast adoption during the pandemic in
support of remote workers (regular ZTNA), some of those
workers are returning to the office now. With Universal ZTNA,
the user is authenticated and authorized in the same way,
using the same policy, regardless of whether they are local
or remote. Multiple vendors in the community are using this
term (Universal) to describe the same capability now.
4. How do ZTNA and SASE fit together? I hear both solve
remote work issues.
ZTNA effectively split-tunnels traffic (routing only that
traffic going into the data center). This means that a
remote user’s internet-bound network traffic does NOT
go through the enterprise VPN and therefore does not go
through the enterprise security stack, leaving the user with
little or no inline protection.
Secure access service edge (SASE) complements ZTNA
by providing a cloud-delivered security stack to inspect
and secure the user’s internet-bound network traffic. SASE
solutions include ZTNA and many other common security
inspection technologies, like SWGs, CASBs, DLPs and
remote-browsing.
5. What recommendations do you have for how to adopt
ZTNA?
Security professionals who are looking to adopt ZTNA
should consider it in context of the larger SASE model to
ensure that they are protecting their remote workforce.
They should also look for the Universal ZTNA capability if
they anticipate their remote workforce coming back to the
roost in the future.
Security professionals should identify their top
applications, including non-web applications like VDI,
VOIP/SIP and SSH and ensure that the ZTNA solution
they’ve chosen works well with all of them. They
should then deploy ZTNA in front of the most sensitive
applications and the ones used by the largest number of
remote workers. Ideally, the average remote worker can
leave their VPN behind and use ZTNA to access all the
typical corporate applications.

David Holmes
Guest Speaker, Forrester Senior Analyst
David Holmes is a senior analyst at Forrester, advising security and risk professionals about strategy, architecture, and Zero
FEATURING:
Trust. His coverage includes security architecture (Zero Trust edge, SASE, microsegmentation, Zero Trust network access),
network security controls (firewalls, automated malware sandbox analysis, IDS/IPS), distributed denial-of-service (DDoS)
protection, DNS security, and encryption of data in transit. He helps security leaders plan Zero Trust implementations,
select cybersecurity controls, and understand new mitigation technologies. David has presented at industry conferences
like RSA, Infosec Europe, and the Australian Cybersecurity Conference. He has written regularly for industry magazines on
cryptography, malware, and the security community.

© 2023 Fortinet. All Rights Reserved 1