Overcoming Barriers to ZTNA Adoption

7 Effective Steps for Implementing Zero Trust Network Access by Gartner

Implementing a Zero Trust Network Access (ZTNA) strategy is one of the best decisions you can make to protect your company resources, but it does require a bit of planning upfront. 

Gartner recently laid out some key insights about how companies should approach ZTNA adoption in its report 7 Effective Steps for Implementing Zero Trust Network Access. Gartner argues that the reason companies have a difficult time making the switch is because they fail to make the paradigm shift that ZTNA requires. 

“Historical architectural behavior remains consistent amongst remote access buyers and this behavioral gap creates a challenge for zero trust network access (ZTNA) adoption,” Garnter explains. “ZTNA is not a “fire and forget” technology; it is inherently dependent on a continuous iterative process, which requires the access policy to adjust as the business and risk levels change.”

The key reason that a continuous iterative process is recommended is because you are providing granular permissions to individuals or groups. Let’s say your company has an on-prem server called server-west-7. 

At first, it may make sense to provide everyone in the sales team access to that server since it houses a key customer database. Later on, however, you discover that only a few people in sales access this database, and the majority of the usage comes from customer success. In that case, you may decide to pull access for most of the sales team since they aren’t using it.

Taking this step will ultimately make that server more secure since the number of people allowed to access it within the organization is smaller. If a threat actor were to steal a sales person’s login credentials, and successfully access the company network, they would be restricted from accessing that server and causing significant damage to the business.

That’s just a simple example, but it shows how powerful it can be to restrict access only to those who need it–and regularly reevaluating those access permissions. 

How often permissions should be reevaluated depends on the company and its specific risk tolerance. Nevertheless, all companies can easily adopt these recommended steps, which Gartner calls the Zero Trust Network Access Life Cycle:

The Gartner ZTNA Life Cycle in Action

Imagine we’re working on the security team for a company that sells car parts, and we want to deploy a ZTNA solution company wide. But the CEO and CFO are failing to see why the switch to ZTNA is necessary, and they worry it sounds complicated. The VPN is working after all, so why not just renew the contract and keep things the same? A new solution means training, deployment, and potential hiccups. 

Define Objectives and Scope

We listen to their concerns, but we emphasize the advantages of using the new system. How the micro-segmentation by groups or individuals makes company data more secure. We also emphasize that ZTNA with continuous verification for both managed and unmanaged devices would hamper attempts by threat actors looking to damage the network.

Then, to top things off, we explain how the total cost of ownership for a ZTNA solution is significantly lower than a legacy VPN. Plus, we can scale up and down as needed without worrying about oversubscribing. 

Align, Focus, Map, and Cleanup

Our company already has a well-defined identity management system with single sign-on support, but now we have to understand what our continuous verification checks should include, and how we are going to provide granular access in a way that doesn’t prevent people from doing their jobs. 

One thing we don’t want to do is grant everyone access to all applications. That defeats the purpose of using ZTNA in the first palace. 

Access use cases and permissions must be based on identity, context, as well as who needs access to which resources to carry out their daily tasks. 

To start, we decide to focus on implementing ZTNA only for the field sales team as the team’s access requirements are fairly limited, and they make a good proof-of-concept test group. Next, we look at the applications they will need access to, and during this time we also improve application access for the team by cleaning up irrelevant access permissions. This includes people no longer with the company, as well as a few that were promoted and whose jobs no longer require access to some of these sales materials. 

Operational Complexity and Validation

With access mapped and assigned, we train our IT team so they’re prepared for any potential trouble tickets during early deployment of the new solution. Once the solution is up and running, we make sure all access controls are working, that everyone has the permissions they need, and that resources are properly isolated. 

A few weeks later, we’ll reassess how the system is working, and we’ll look at rolling out the solution to the rest of the company, with regularly scheduled assessments to ensure that all access controls are properly allocated. 

While it does take some planning, ZTNA is ultimately a better approach than traditional VPNs. To read more about Gartner’s recommendations download a complementary copy of the report.

If you’d like to see how Perimeter 81 can make it easy to set-up and manage zero trust rules from a single pane of glass, book a demo today.

Gartner, 7 Effective Steps for Implementing Zero Trust Network Access, 3 October 2022, Dale Koeppen, Neil MacDonald, John Watts. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.