Forrester report highlights Zero Trust Edge model for networking and security infrastructure

According to Forrester, ZTE will be most helpful with securing and enabling remote workers while removing the difficult user VPNs.

VPN Security

Image: iStock/ValeryBrozhinsky

Remote work has unleashed an unprecedented wave of cyberattacks that have touched every industry and struck fear among all enterprises. In a new report, analysts from Forrester touted the Zero Trust Edge model as a way for organizations to unify networking and security infrastructure while also securing and enabling remote workers.

SEE: Zero trust security: A cheat sheet (free PDF) (TechRepublic)

VPNs have become the easiest way for enterprises to provide secure connections to employees, but they are often cumbersome and difficult to manage. In a blog post accompanying the report, Introducing The Zero Trust Edge Model For Security And Network Services, Forrester Senior Research Analyst David Holmes called ZTE the "biggest technological transformation since sliced bread."

"The Zero Trust Edge model is a safer on-ramp to the internet for organizations' physical locations and remote workers. A ZTE network is a virtual network that spans the internet and is directly accessible from every major city in the world. It uses Zero Trust Network Access to authenticate and authorize users as they connect to it and through it," Holmes wrote. 

"If those users are accessing corporate services like an on-prem application or Office 365, they may rarely even 'touch' the internet (except to be safely tunneled through it), and they'll certainly be kept away from the bad parts of town."

SEE: Top 5 programming languages for systems admins to learn (free PDF) (TechRepublic)

Holmes explained that a number of enterprises are looking into ZTE as a way to deal with the thorny problem of securing a majority-remote workforce. 

In the report, the analysts said they spoke with the CISO of a large European-based insurance company who said the company went from a 5% remote workforce to a 95% remote workforce. 

"For companies like theirs, the already rickety VPN infrastructure could not carry the load. VPN technology is just another fissure in the already eroding castle walls," the report said. "Both networking and security teams have struggled to meet new requirements for using cloud and supporting home workers, because the old approaches were based on onsite dedicated software or hardware appliances, unreliable on-premises controls and policy repositories, limiting hardware-centric approach and disjointed security and networking silos."

Even one year into the COVID-19 pandemic, a number of organizations are still struggling to manage the security of a workforce spanning multiple states or countries. 

"These organizations realize that acquiring more VPN licenses during the COVID-19 lockdown was just a stopgap measure to keep people working. Now, they're looking for a ZTNA solution. All ZTE vendors have ZTNA because it's the primary security service of their stack," Holmes said in the blog post. 

"Once enterprises start talking with vendors like Zscaler, Akamai, or Netskope, they realize there are more security services they can consume as a service, and now they're talking themselves into ZTE strategy."

The report said most organizations will turn to ZTE for security use cases involving remote workers but noted that these are still the early days of the technology, and it will take a while before enterprises can have an internet-edge hosted security stack.  

The ZTE model, Holmes and fellow Forrester analyst Andre Kindness wrote, was built to be a "cloud- or edge-hosted full security stack" but the technology is not ready due to limiting factors like bandwidth. 

The researchers said at the beginning of the COVID-19 pandemic, some enterprises with forward-thinking security teams invested in Zero Trust network access instead of VPN technology. 

"Zero Trust protects businesses from customers, employees, contractors, and devices at remote sites connecting through WAN fabrics to a more caustic, open, dangerous, and turbulent environment," the report said, defining the Zero Trust Edge concept as a solution that "securely connects and transports traffic, using Zero Trust access principles, in and out of remote sites leveraging mostly cloud-based security and networking services."

SEE: Black Hat 2020: Cybersecurity trends, tools, and threats (free PDF) (TechRepublic)

"ZTE sets up the security and networking framework around the traffic and services coming from remote locations into the businesses and the services going back to the locations or users."

Holmes and Kindness explained that traditionally, device configurations and security policies existed in different tools, leading to more configuration errors and less efficiency. But ZTE is underpinned by a cloud-based network and security management that allows for "disparate back-end systems to be merged, and configurations can be altered, added, or deleted based on a single configuration management solution."

The system also needs to have cloud-based monitoring and analysis, according to the report, which said that because of the massive amount of information that needs to be collected and synthesized, ZTE monitoring must be cloud based. 

The report explains that ZTE comes in three different forms, including a cloud-delivered service, WAN connection services with ZTE services wrapped around it and a do-it-yourself model.

A number of vendors like Cato Networks offer ZTE cloud-based services while others, like Comcast Enterprise or Akamai, involve "an existing enterprise carrier provider connecting its customers directly to ZTE networks for outsourced security functions." Some enterprises that are technology mature enough may be able to build their own ZTE models so that their specific needs can be met. 

Much of an enterprise's choice depends on its size and needs, and some smaller or mid market organizations may need to rely on single vendors while larger companies can afford a multi-vendor approach. 

SEE: Top 5 things to know about adversarial attacks (TechRepublic)

"For the organizations that have already started on a Zero Trust Edge journey, a typical multi-vendor approach may use Silver Peak Systems for SD-WAN connecting to Zscaler for URL filtering and ZTNA. This will work for the initial use case (securing remote workers), but the migration of other security stack elements into a multi-vendor stack will require serious service chaining, and the APIs between the components need to work consistently and reliably," the report said. 

"Smaller organizations will pioneer the full security stack approach. Forrester expects to see smaller companies try out full stack ZTE vendors, such as Netskope. Typically they will have a lower set of requirements and may find the one-shop vendor easier to engage. Historically, it takes larger enterprise technology groups time to adopt those types of solutions. For example, this has occurred in the Wi-Fi market with cloud-based solutions from Aerohive Networks, now part of Extreme Networks, and Meraki, now part of Cisco."

The report breaks down the two most common types of deployments, one of which involves a single gateway as the main point of security and the other revolving around an overlay that distributes security, generally via agents.

The first, which creates a singular entry point to the internet, helps shrink the threat surface but may only be possible for smaller enterprises with less complicated systems. The second "overlay" model allows organizations to implement ZTE without making changes to the underlying network. 

"But a significant drawback is that installing agents may not be feasible due to policies in sensitive environments like healthcare, manufacturing, and IT/OT," the report said. 

"The Zero Trust Edge model is disruptive—nay, transformative—to the way security and networking have traditionally been consumed. Always in a constant state of evolution, cybersecurity functions have been quicker to move to the Zero Trust Edge. Legacy networks will be much slower."

The report notes that many organizations may struggle to implement ZTE for a variety of reasons related to legacy applications and services, legacy networking tools, capacity, and trust. 

Holmes explained in his blog post that ZTE will be adopted in stages as organizations move on from the emergency tools they deployed at the beginning of the pandemic and formalize new systems. 

"In the future, after other technologies like SWG, CASB, and DLP are integrated into the stack, organizations will look to put all their network traffic through these ZTE networks. And that's where the security and network teams will have to work together, because legacy on-prem networks are heterogenous, and the migration of giant data centers or 12-story hospitals using software-defined WAN as a transport into the ZTE networks will be a challenge," Holmes said. 

"No one I've talked to has done it and honestly, these are still early days for the model. So, we'll solve the tactical problem (remote workforce) first with ZTNA. We'll move on to the larger security challenges next. And finally, we'll address the network. In the end, remote users, retail branches, remote offices, factories, and data centers will be connected to ZTE networks that will use Zero Trust approaches and technologies to authenticate, sanitize, and monitor connections through the network and into the internet and public clouds."

Also see