The Best Approach to Zero Trust Network Access (ZTNA) isn’t Lift and Shift
Published: May 31, 2022
One of the more complicated parts about working in technology is that what works well in one instance will not always be ideal in another. You must always be looking at the specific situation, the specific problem, and producing a solution designed for that problem. There is rarely one size that fits all. This approach is as valid with Zero Trust as it was a decade ago when cloud technology became a driving force within the networking world.
“Lift it and shift it” was a phrase often used in the early days of the cloud. The term has a positive connotation because you can move your application from one environment to a different one without changing it significantly or even at all. In other words, there is not a huge burden to move to the cloud – everything stays the same, except you now have the efficiency and the power of the cloud working for you, so you are better off.
In many instances, the move to the cloud generates sufficient efficiencies to ensure this effort will be worth your while. But while there is a massive benefit of simplicity with this approach, there are still some immediate drawbacks.
Let’s compare it to moving houses. Ask any realtor: They will tell you that you are better off buying new furniture specifically for your new home rather than trying to make sure that the couch that your great-aunt Agatha left you fits in your new living room.
Trying to cram in or utilize everything you have in your previous home in a new house with a new layout is always difficult. Some of it will fit, but chances are you are going to need to change at least a piece or two to make it fully functional. An end table here, a new lamp there, a round dining table instead of a rectangle there. You are forced to make a predictable choice: Do you keep immediate costs down and live in a home with furniture that doesn’t quite fit? Or do you make some tweaks to ensure that your furniture is functional in your house?
This key lesson from the lift and shift approach is that it is cheaper, and you will gain efficiency. But with a bit more upfront effort, you can end up with a better outcome and overall system. Moving an on-premises solution to the cloud installs a non-native application into a new environment. Even if the overall benefit is still worth it, some bumps, inefficiencies, or gaps are guaranteed to come along with it. The furniture doesn’t fit the new house.
Anyone looking at Zero Trust Network Access (ZTNA) will have to make the same considerations. But the goal here should be to turn a perceived weakness into a strength. Change means opportunity.
If you have ever moved, then you know there is no time like moving to realize how much junk you own. Replacing the couch from great-aunt Agatha with a new sectional is not the only thing that needs to change. Maybe you really don’t need those stacks and stacks of old towels? Have you ever used that armoire you got on sale? Why do you have so many Clint Eastwood posters? Maybe you never will frame them. Who listens to CDs anymore? And VHS tapes? Dump them all!
That house-cleaning approach is helpful when it comes time to consider a Zero Trust model. It is important to remember that Zero Trust is not a product and instead is an architecture. Zero Trust is a way of building a high-functioning environment that handles modern security needs at the edge.
Enterprises should keep this in mind: Zero Trust is an opportunity to clean house and build anew. It is a way to rid your system of clutter and update everything to achieve the highest possible level of functionality.
If you lift and shift, you are carrying your problems over to your new system. You often miss the opportunity to unlock your system's full potential. There is some concern that this mindset is taking hold now, as people are using ZTNA just to get away from a VPN model of access.
What’s different about Zero Trust is that it assumes no implicit trust is granted to either your assets or any user accounts. A Zero Trust access architecture creates context-based access control to applications that can´t be discovered by the user unless “published” explicitly to them.
Gartner reports in a recent white paper called “Market Guide for Zero Trust Network Access” that “organizations cite VPN replacement as their primary motivation for evaluating ZTNA offerings, but find that justification comes from risk reduction, not from any cost savings.”
But a move to Zero Trust architecture is about much more than solving security issues associated with VPN limitations. As Gartner cautions, it is also about more than just ZTNA. “Be aware that ZTNA is an (albeit important) component of a zero-trust strategy. Do not assume that purchasing a ZTNA solution (or any product) is the only thing you must do as you implement a general zero trust architecture.”
ZTNA is an architecture, not only a product. You are building a house from the ground up.
Like Gartner, my thought is not to implement ZTNA like it is just another VPN. You should assess your application architecture and usage and adjust your policies. Focus on the needs of remote employees and engineering working groups. And then create a ZTNA overlay for hosted applications.
I know it is a lot of work – more work than lifting and shifting. But if done well, you can integrate ZTNA and keep it easily expandable. It is like owning a house where you can always add a new addition.
Zero Trust is your foundation, but it is like any security architecture that needs to evolve continuously. You must always keep future tech advancements in mind and adapt them as needed. Once again, it is like your house. You might want to build a deck in your backyard or change a chandelier in your home. What matters most is that you have built it on a solid foundation. With Zero Trust, your network access foundation will be strong and secure.