When It Comes to Securing a “Branch of One”, Integration and Coordination Matter


Today, the need for security is at an all-time high. Huge, high-profile ransomware attacks hit the news all too often, so it's no surprise that cybersecurity pros are trying everything to secure their networks. Many people frantically buy every new solution out there, but throwing multiple point products at the problem isn't the answer. Too many products inevitably lead to too much complexity. Managing multiple vendors and products with little integration or coordination can turn into a time-consuming mess. A well-integrated platform, especially one designed with open APIs and common standards to enable true interoperability with third-party solutions, is a much more effective strategy. And it's certainly easier to manage.

With more people working from anywhere and the resulting increase in the number of network edges, complexity will only increase because each remote user is effectively a "branch of one." But even these smallest remote locations still need continuous threat protection with consistent security. And whenever you talk about the network edge, you need to think about network access. Traditional VPNs just don't provide the functionality today's networks require. You need to know and control everyone and everything, both on and off the network.

Users on different devices consume a variety of applications from the cloud, so it's essential to have a consistent security solution able to span the endpoint, all network edges, and the cloud. In today's distributed environments, a collection of point products can never give you the visibility, control, and management you need. On the other hand, a comprehensive cybersecurity platform provides security from the endpoint, to the edge, to the user, so you have simple and effective management and solid security in place to ensure an optimal user experience, no matter where a user may be located.

It Starts by Trusting No One

The concept of zero trust has been around for a long time, but it's getting more attention because of the rise in remote work and the dissolving of the network perimeter. Zero trust comes down to a philosophical approach to protecting the users, data, and applications you care about. In today's highly fluid security and network environments, you can no longer afford to simply have a trusted internal zone and an untrusted external zone.

Because users, devices, and even applications can be virtually anywhere, nothing and no one should be trusted until proven otherwise. On a practical level, this means you need authentication that verifies users and devices repeatedly and regularly, with controls as granular as possible. Authentication happens not only when users join the network but also when they request access to assets and applications. Every transaction must be verified, because any transaction could potentially have been compromised. With a zero-trust strategy in place, users and devices get verifiable access to what they need, but no more.

Know Thy Acronym

In learning about the zero-trust model, it's easy to get bogged down in the acronyms. Although they both have zero trust in the name, zero-trust access (ZTA) isn't the same as zero-trust network access (ZTNA). ZTA is about network access for users and devices: how they connect and what kind of access they receive on the network. ZTNA, by contrast, refers specifically to controlling access to applications, whether those applications are on-premises or in the cloud.

Unlike a VPN, ZTNA doesn't differentiate between being on-network and off-network. It simply creates a secure tunnel automatically, no matter where the user is. And while a VPN usually requires a remote user to initiate a secure tunnel to the network, ZTNA does it automatically, even when a user is connecting from "a safe network." The process is easier and simpler for users than connecting with a VPN. And because zero trust is so much more secure than a VPN, providing both authentication and content inspection, it's driving the evolution of VPN connectivity.
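The two sections above describe the decision a zero-trust policy engine makes on every request: verify the user, verify the device, grant only the entitled application, and ignore whether the request came from "inside" the network. The following is an added example (not code from the article or from any vendor) that puts a perimeter-style check beside a ZTNA-style check so the difference in outcomes is visible; the users, applications, addresses and field names are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample environment (hypothetical users, apps and addresses).
INTERNAL_NET = ip_network("10.0.0.0/8")
ENTITLEMENTS = {              # "access to what they need, but no more"
    "alice": {"payroll", "wiki"},
    "bob": {"wiki"},
}

@dataclass(frozen=True)
class Request:
    user: str
    src_ip: str
    app: str
    identity_verified: bool   # user re-authenticated for this transaction
    device_compliant: bool    # device posture check (patched, agent healthy)

def perimeter_decision(req: Request) -> bool:
    """Traditional model: being on the internal network is enough."""
    return ip_address(req.src_ip) in INTERNAL_NET

def ztna_decision(req: Request) -> tuple[bool, str]:
    """Zero-trust model: verify user, device and entitlement on every request.
    The source network is deliberately never consulted."""
    if not req.identity_verified:
        return False, "user identity not verified for this transaction"
    if not req.device_compliant:
        return False, "device failed posture check"
    if req.app not in ENTITLEMENTS.get(req.user, set()):
        return False, f"{req.user} is not entitled to {req.app}"
    return True, "allowed"

def compare(req: Request) -> dict:
    """Return both decisions side by side for one request."""
    allowed, reason = ztna_decision(req)
    return {"perimeter": perimeter_decision(req), "ztna": allowed, "reason": reason}

if __name__ == "__main__":
    samples = [
        Request("bob", "10.1.2.3", "payroll", True, True),       # inside, over-reaching
        Request("alice", "203.0.113.7", "payroll", True, True),  # remote, legitimate
        Request("alice", "10.1.2.4", "wiki", True, False),       # inside, unhealthy device
    ]
    for r in samples:
        print(r.user, r.src_ip, r.app, compare(r))
```

The first sample is the case the article warns about: the perimeter model allows it purely because of where the request originated, while the per-transaction check denies it for lack of an entitlement.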

Making Zero-Trust Work

Because of the number of users, applications, and locations an organization may have, implementing a zero-trust model may seem complicated. And if not done right, it can be. Convergence means bringing networking and security together into a unified solution. Unfortunately, many vendors claiming to have a zero-trust solution have simply cobbled together disparate products and partnerships so they can say they offer "zero trust," and deployment and management can quickly become a nightmare. Other times, ZTNA solutions are simply secure access service edge (SASE) options with expensive charges for company-wide coverage. But a zero-trust solution doesn't have to involve multiple vendors, outrageous subscription fees, and complex management systems. In fact, it's usually simpler—and more secure—for a single vendor to deliver it.


Because so many companies have added zero trust to their cloud-based solutions, there's a lot of confusion about how zero trust and SASE are related. Zero trust plays a critical role in cloud security because, when users are working from anywhere in a hybrid work environment, the SASE framework can act as a firewall in the cloud. The remote user gets the experience and protection of being behind a firewall, even in the cloud.

But SASE and ZTNA are different things. While SASE provides the firewall security and connectivity service, ZTNA controls application access. It's about having the right policies in place no matter where the user is, giving them access to specific applications through a secure tunnel to each application and hiding that application from malicious outsiders. SASE and ZTNA technologies are complementary because they both deal with security for remote workers. But when you have SASE and ZTNA integrated, with everything functioning under a unified policy, you can provide anytime access to networked resources, including critical applications, for any user or device.

Protect and Stop Breaches

Combining SASE and ZTNA into a unified solution that provides consistent security and networking plus a unified management platform is only possible through a handful of vendors. It requires real expertise in networking, security, and the cloud. And because cybersecurity moves so fast, an effective platform needs to include multiple integrated products that have been independently tested and validated, so it can effectively protect connections and stop breaches.

This becomes even more complicated as organizations move to hybrid work environments, including multi-cloud. A hybrid approach to security, where each segment—the cloud, the endpoint, the data center, and the branch and remote worker—has its own security strategy simply creates the same challenge of too many vendors and not enough visibility or control. That's where having a solid security strategy in place, built around a single platform capable of being deployed in any environment—one with integrated products that work together and provide automated actions—becomes especially critical. Network segments, like users and devices, don't exist in a vacuum. Any strategy that includes SASE and ZTNA needs to also have a unified ZTA strategy that can seamlessly weave physical and virtual systems into a single, integrated solution, end to end.

Learn more about Zero Trust solutions from Fortinet that enable organizations to see and control all devices, users, and applications across the entire network.


Copyright © 2021 IDG Communications, Inc.