When it comes to achieving zero trust network access (ZTNA), there are many different architectures to choose from for your business’s solution. Today, we’ll discuss several in more detail to help you make the most informed choice possible.
Popular ZTNA Solutions
One option is to place an identity-aware proxy (IAP) in front of web applications. When a user tries to access an application, the IAP authenticates the user and then enforces access control based on the user's identity. This helps to ensure that only authorized users can access applications, even if they are connecting from untrusted networks.
Another approach is called software-defined perimeter (SDP). An SDP is a security architecture that uses micro-segmentation and identity-based access control to grant access to resources.
CloudConnexa provides a unique approach to zero trust network access by instantly creating an isolated virtual network for a business that can be accessed by connecting to one of its 30+ worldwide points of presence. Application servers and other networks can connect to CloudConnexa to make their applications part of the overlay network. These applications cannot be discovered from the internet because they are isolated from it.
Only authorized and trusted devices can connect to the network, and identity-based policies control access to the needed applications. Cloud Connexa routes traffic to the applications using advanced technologies based on application domain names. These technologies cloak the private IP addresses of the application server or the network and do not use IP address routes. Thus, micro-segmentation is automatically applied per application, and there is no risk of lateral movement.
5 Questions to Ask Before Choosing an Approach to ZTNA
While assessing different ZTNA solutions, it is important to check that the solution architecture meets all the needs of your business, as you do not want to increase operational complexity by introducing multiple solutions.
Most businesses will start using the ZTNA strategy by first applying it to a specific use case. It is important to consider, at an early stage, whether the chosen ZTNA solution can extend beyond that initial use case and can accommodate various current needs while aiding in transitioning to the future state of full ZTNA implementation. Not all ZTNA architectures and approaches are alike, and each has its advantages and disadvantages.
Before choosing that first use case to pilot a ZTNA solution, ask yourself the following five questions:
1. What are the different types of private applications that need access?
Depending on the type of business and the number of years you have been in business, you could have a myriad of application types in your IT environment. These could range from legacy mainframe applications to the latest Web3 applications — and everything in between.
Ask whether the ZTNA solution you’re considering can handle all the application types that you eventually plan to transition to the zero trust framework. Some ZTNA approaches, like IAP, may work well for web applications but may offer limited support for other application types.
Choosing an approach, such as CloudConnexa, that provides complete support for any application protocol that uses TCP or UDP over IP might be the better choice to support client-based (for example, RDP) and web-based applications now and in the future.
2. Do any of your private applications require the server to initiate communication with the client?
Pay special attention to the requirement an application may have in terms of sending unsolicited traffic to the application client to be able to carry out some application functions. For example, it could be a request from a device management application server to a target device for applying a software patch, erasing data, etc.
Most ZTNA solutions are built on the premise that the device or application client will always initiate traffic to the application server; most solutions do not account for any cases in which the application server needs to be the one to initiate traffic.
Some SDP solutions even go as far as only opening up a communication path between the client and the application when the device sends a special type of authorization packet. Choose an approach, such as CloudConnexa, that makes server-initiated communication possible if you have such applications in your environment.
3. Will the ZTNA solution work with IoT applications?
Should you consider IoT as part of your zero trust approach? Given the lax attitude that some IoT vendors have towards security, it would be a mistake not to. These IoT devices are an entry point to your IT infrastructure and constitute a portion of your overall attack surface. If you decide to include IoT applications in the scope of ZTNA, check that the ZTNA solution can support these devices or — better yet — handle unattended access to applications.
4. Should the ZTNA solution facilitate internet policy enforcement?
Most ZTNA solutions concern themselves with access to private applications, but should access to the internet and internet applications be included in the scope of ZTNA? Given the prevalence of SaaS business apps, can your ZTNA solution provide another layer of security and augment your defense-in-depth strategy?
A versatile ZTNA solution can bring internet access into the purview of the zero trust framework. For example, here are some of the things CloudConnexa can achieve in terms of policies around internet access and applications:
- It can provide traffic destined to configured SaaS domains with a local egress source IP address by steering just that traffic to the egress network. This IP address can then be configured as a trusted source IP address for SaaS login restrictions, even though the traffic is being generated by users in various geographies, adding another layer of protection for SaaS usage.
- It can completely restrict access to the internet except to trusted internet applications. This can effectively lock down dedicated devices like Point of Sale (PoS) systems and kiosks from misuse.
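The two internet-access behaviours listed above (steering SaaS traffic to a fixed-IP egress network, and a default-deny allowlist for dedicated devices) come down to a domain-based policy decision. The following is an added example of such a decision function, written for this page and not CloudConnexa's own code; the domains, the device profiles and the egress network names are constructed, and the longest-configured-domain-wins rule for steering is an assumption of this example. Matching is done by DNS label, so a look-alike domain that merely ends with the same characters does not match a configured one.

```python
"""Domain-based internet access policy: SaaS egress steering plus a
default-deny allowlist for locked-down device profiles.

Added example, not CloudConnexa code. Every domain, profile and egress
network name below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Verdict:
    action: str                    # "egress", "direct" or "block"
    via: Optional[str] = None      # egress network, when action == "egress"
    matched: Optional[str] = None  # configured domain that matched


def domain_matches(host: str, configured: str) -> bool:
    """True if host equals configured or is a subdomain of it.

    Comparison is label-aware: 'evil-example-saas.test' does not match
    'example-saas.test', while 'login.example-saas.test' does.
    """
    host = host.rstrip(".").lower()
    configured = configured.rstrip(".").lower()
    return host == configured or host.endswith("." + configured)


# Constructed: SaaS domains whose traffic is steered to an egress network.
# The egress network's public IP is the one the SaaS admin then trusts.
SAAS_STEERING = {
    "example-saas.test": "shared-egress",
    "crm.example-saas.test": "hq-egress",
}

# Constructed: device profiles. Kiosk/PoS devices default to block and may
# only reach the listed trusted internet applications.
DEVICE_PROFILES = {
    "laptop": {"default": "direct", "allow": set()},
    "kiosk": {
        "default": "block",
        "allow": {"payments.example-psp.test", "crm.example-saas.test"},
    },
}


def egress_policy(host: str, profile: str) -> Verdict:
    """Decide how traffic from a device of the given profile to host is handled."""
    prof = DEVICE_PROFILES.get(profile)
    if prof is None:
        return Verdict("block")  # unknown profile: fail closed

    # 1. Locked-down profiles: anything outside the allowlist is blocked.
    if prof["default"] == "block" and not any(
        domain_matches(host, d) for d in prof["allow"]
    ):
        return Verdict("block")

    # 2. Steering: the most specific (longest) configured domain wins.
    best = None
    for configured, network in SAAS_STEERING.items():
        if domain_matches(host, configured) and (
            best is None or len(configured) > len(best[0])
        ):
            best = (configured, network)
    if best is not None:
        return Verdict("egress", via=best[1], matched=best[0])

    # 3. Everything else leaves directly from the device's own location.
    return Verdict("direct")


if __name__ == "__main__":
    for host, profile in [
        ("login.crm.example-saas.test", "laptop"),
        ("mail.example-saas.test", "laptop"),
        ("news.example.test", "laptop"),
        ("news.example.test", "kiosk"),
        ("payments.example-psp.test", "kiosk"),
    ]:
        print(f"{profile:7} -> {host:30} {egress_policy(host, profile)}")
```

Only the steered SaaS domains ever leave via the egress network, so the fixed source IP that the SaaS login restriction trusts is never exposed for general browsing, and a kiosk that asks for anything not on its allowlist is refused before steering is even considered.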
5. Can the solution provide for secure communications within or across data centers?
Should you expect your ZTNA solution to cover use cases beyond user access to applications? Consider whether the same ZTNA solution could be used to provide access — and policies around access — to applications from one site to another. For example, can all the computers in a data center get access to only authorized applications hosted in another data center?
Another use case could be providing identity to and enforcing policy around API communications between various servers collaborating with each other to provide a service in the same data center (or private network). One example of this might be a zero trust policy in which access is given to a group of servers, identified as application servers for a particular application, to communicate with a database server.
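The identity-based, per-application policy described earlier on this page (trusted devices only, applications addressed by domain name with no private IP in the policy, and no rule means no access) is the same evaluation whether it is enforced for a user reaching an application or, as in the data-center case just described, for a group of application servers reaching a database server. The block below is an added example of that evaluator, written for this page and not CloudConnexa's own implementation; the principals, groups, application domains, ports and rules are constructed, and the rule format is an assumption of this example.

```python
"""Identity-based, per-application access policy for an overlay network.

Added example, not CloudConnexa code. All principals, groups, application
domains and rules below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Set

# Constructed directory. Users and servers are both principals and are
# identified by name and group membership, never by IP address.
PRINCIPAL_GROUPS = {
    "alice@example.test": {"engineering", "all-staff"},
    "bob@example.test": {"finance", "all-staff"},
    "app-server-1": {"billing-app-servers"},
    "app-server-2": {"billing-app-servers"},
    "web-01": {"web-tier"},
}

# Constructed application catalogue keyed by domain name. The server's
# private IP is not part of the policy; the overlay resolves the domain.
APPLICATIONS = {
    "git.corp.example.test": {"proto": "tcp", "ports": {22, 443}},
    "erp.corp.example.test": {"proto": "tcp", "ports": {443}},
    "billing-db.corp.example.test": {"proto": "tcp", "ports": {5432}},
}


@dataclass(frozen=True)
class Rule:
    groups: frozenset                 # membership in any of these matches
    app: str                          # destination application domain
    ports: frozenset = frozenset()    # empty = every port the app exposes
    require_trusted_device: bool = True


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    rule: Optional[Rule] = None


# Constructed policy. The last rule is the server-to-database case: the
# billing application servers, as a group, may reach the database port.
POLICY = [
    Rule(frozenset({"engineering"}), "git.corp.example.test"),
    Rule(frozenset({"finance"}), "erp.corp.example.test"),
    Rule(frozenset({"billing-app-servers"}), "billing-db.corp.example.test",
         frozenset({5432}), require_trusted_device=False),
]


def authorize(principal: str, device_trusted: bool, app: str, port: int,
              policy=POLICY) -> Decision:
    """Evaluate one connection attempt. Anything not explicitly allowed is denied."""
    groups = PRINCIPAL_GROUPS.get(principal)
    if groups is None:
        return Decision(False, "unknown identity")
    spec = APPLICATIONS.get(app)
    if spec is None:
        return Decision(False, "unknown application")
    if port not in spec["ports"]:
        return Decision(False, "port not exposed for application")

    reason = "no matching rule (default deny)"
    for rule in policy:
        if rule.app != app or not (groups & rule.groups):
            continue
        if rule.ports and port not in rule.ports:
            continue
        if rule.require_trusted_device and not device_trusted:
            reason = "device not trusted"
            continue
        return Decision(True, "matched", rule)
    return Decision(False, reason)


def reachable_apps(principal: str, device_trusted: bool, policy=POLICY) -> Set[str]:
    """Applications a principal can reach at all: per-application segmentation
    means everything else is invisible to it, not merely refused."""
    groups = PRINCIPAL_GROUPS.get(principal, set())
    return {
        r.app for r in policy
        if groups & r.groups and (device_trusted or not r.require_trusted_device)
    }


if __name__ == "__main__":
    print(authorize("alice@example.test", True, "git.corp.example.test", 443))
    print(authorize("alice@example.test", False, "git.corp.example.test", 443))
    print(authorize("app-server-1", False, "billing-db.corp.example.test", 5432))
    print(authorize("web-01", True, "billing-db.corp.example.test", 5432))
    print(reachable_apps("bob@example.test", True))
```

Because `reachable_apps` is derived from the same rules as `authorize`, a principal with no rule for an application is never offered a route to it in the first place, which is what removes the lateral-movement path: `web-01` cannot probe the billing database even though both sit in the same data center.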
Thinking Long-Term About ZTNA Solutions
We hope that these questions inspire you to think holistically about all your ZTNA needs. Remember, when testing out a new ZTNA solution, it’s important to look well beyond that pilot use case that seems to be a perfect fit for your current needs. If you plan to introduce a new solution, look for a versatile approach to ZTNA that can fit your needs now and in the near future.
Get Started Today
OpenVPN® is the market-proven leader in secure virtualized networking. Our cloud-based platform enables organizations to maintain secure communication between their distributed workforce, IoT/IIoT devices, and the online services they rely on daily. Built on the market-proven OpenVPN protocol, the solution combines advanced network security, encrypted remote access, and content filtering into a virtualized secure network that provides the best of VPN and ZTNA security.
With over 60 million downloads of our core open-source software and over 20,000 commercial customers, OpenVPN is recognized as a global leader in secure networking.
Ready to take your business to the next level with CloudConnexa? Work from anywhere and from any device with confidence. Create an account today for three free connections and the secure network connectivity your business needs.