Why the ZTNA "Café Model" is Not Enough

The modern workspace has seen some significant changes in the last few years in the wake of the coronavirus pandemic of 2020. Many companies have settled somewhere on the spectrum of the hybrid workforce, with employees spending part of their time working remotely and part of their time in the office. ZTNA solutions have become increasingly popular in the last few years as these hybrid workspaces have become more normal. ZTNA works incredibly well for securing cloud-based workloads and assets, allowing workers from anywhere to access the workloads that they need. This method of security focuses on user-managed devices, as each connected device is required to run an agent that allows access to corporate resources. This works for the remote workforce, and quite well, but how does this work for securing your campus or branch when users return to the office?

Well, it doesn't. There are several issues with what we have coined the "Café Model Approach." This name comes from the notion that employees would regard the office as they would a place like Starbucks. You come in to the office, fire up your ZTNA agent on your pc or laptop, and get to work with access to cloud-based and datacenter resources as if you were working from a café. 

These are some of the issues that we are going to cover here that arise from this approach:

The Local Corporate Network is Unsecured by ZTNA

The primary issue that arises is that ZTNA does not enable microsegmentation on your local network. This means that any unmanaged devices that do not have the capability to run a software agent are left unprotected and present a security risk. Devices like printers, gaming consoles, security devices, and a host of IT and IoT technology can not be controlled and properly segmented.

Are you curious about how microsegmentation can enhance your network security? Our latest blog post, What is microsegmentation and how does it work?, delves into the details of this security technique and its role in today's interconnected and complex digital landscape. From the technologies and tools used to implement microsegmentation to the benefits it offers, this post covers everything you need to know about this important security strategy. Don't miss out on this opportunity to learn more about microsegmentation and how it can benefit your organization. Check out the blog post now!

Local Users Accessing Local Resources Through ZTNA is Inefficient

There is an interesting caveat here with how ZTNA solutions handle users accessing local resources. Similarly to how these providers secure cloud workloads, they can extend this capability to on-premise workloads as well. This gives users the ability to access local resources through their service, and they can even control access to specific devices through their solution using "User-to-Hostname" or "Source IP to Destination IP" mappings. However, there are several glaring issues with this approach when applied to the local network.

• This user-centric approach still does not address unmanaged device-to-device or device-to-application traffic. Endpoints are required to run an agent, and many user-less devices don't have this capacity. Unmanaged devices can be compromised and without limitations to lateral movement, can wreak havoc.
• Forcing local users to access local resources through a ZTNA solution creates unnecessary complexity, potential bottlenecks, and availability concerns. Traffic would be sent from the local user, through the cloud-hosted ZTNA service, back down to the local asset, and return traffic takes that same path.This is much less efficient than allowing users to access resources locally. 
• Creating access policies for local resources requires thorough inventory and understanding of devices present on the local network, but ZTNA solutions don't provide the tools to discover and inventory these assets.

Lack of Visibility and Analytics on Corporate Network

Visibility and Analytics data are increasingly necessary for making informed decisions about network policy, and are a requirement for many compliance standards for both local and cloud workloads. While ZTNA solutions can provide this for traffic that routes through their service, they are limited on providing this telemetry for local networks. 

The difference between Elisity and ZTNA

The primary difference between Elisity and your ZTNA solution can be answered by one question: What are we securing?

Where ZTNA solutions primarily secure access to your cloud-hosted assets, Elisity provides microsegmentation on your local network for any managed or unmanaged asset by discovering every user, device, and application connected to your corporate LAN. We glean identifying data about any assets, whether IT / OT / IoT / IoMT, and compile all this data like device class / type / model / vendor into asset inventories. You can then use these inventories to group assets into policy endpoints based on identity rather than network constructs to quickly and efficiently deploy granular, identity-based segmentation. 

Elisity and ZTNA solutions secure different domains, and can therefore co-exist to enhance security posture both on-prem and in the cloud. 

Reach out or request a demo at the top of the screen to learn more about how Elisity can bring microsegmentation to your network. Below is a short "demo before the demo" showing a preview of our solution in action.