A Zero Trust Edge (ZTE) solution applies zero trust to authenticate, sanitize and monitor network connections across a cloud-delivered security and network service fabric. The ZTE model envisions Zero Trust Network Access (ZTNA) replacing VPNs, with early adopters using it to secure remote workers' access to cloud and corporate applications.
Future enhancements will add secure web gateway (SWG), cloud access security broker (CASB), intrusion prevention system (IPS) and sandboxing capabilities to the cloud security service stack. In addition, current limitations in software-defined WAN (SD-WAN) technologies will eventually be overcome so that remote users, retail branches, remote offices, factories and data centers can all have their network connections to the Internet and public clouds authenticated, sanitized and monitored.
The COVID-19 pandemic accelerated the growing shift to remote work. In the midst of the pandemic, many organizations moved most or all of their employees to telework. As things return to normal, many organizations have realized the benefits of remote work and plan to support it indefinitely.
This creates new business and security challenges for organizations. Employees need to be connected and able to work from anywhere while remaining protected against cyber threats. However, traditional methods for achieving this, such as adding more point security products to address specific use cases, do not scale and impair security teams' efforts to maintain visibility into and secure their environments.
In January 2021, Forrester analysts David Holmes and Andre Kindness released their vision for a network fabric where security is delivered from the cloud in the paper Introducing The Zero Trust Edge Model For Security And Network Services. This vision complements Gartner's secure access service edge (SASE) model for the future of security, noting how SASE implements zero trust at the network edge by converging networking and security services.
Forrester sees ZTE early adopters applying ZTNA principles to securely connect remote users and offices to the Internet and to the corporate applications they use. This improves performance by moving the security stack closer to the user and the application. In his blog Take Security to the Zero Trust Edge, David Holmes notes that "the ZTE model is a more secure on-ramp to the internet for organizations' remote workers and physical locations".
Forrester acknowledges the model is not fully available, but organizations can start taking steps to implement it. During the COVID-19 pandemic, many organizations expanded their VPN infrastructure to support a suddenly remote workforce. However, this is a stopgap measure with significant implications for network performance and security.
As remote work becomes part of business as usual, organizations need to plan for the longer term. Applying ZTNA to secure remote worker connections is a core component of this and a first step in implementing the ZTE security stack.
One of the main differences between ZTNA and VPNs is that ZTNA grants zero trust access to individual applications, while a VPN gives a connected user access to the whole network. As companies move into an appliance refresh, they will consider ZTE as an alternative, and better, solution for connecting remote users and branch offices to applications.
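The access-model difference described above, as an added illustration that is not part of the original post and not any vendor's code: a constructed per-application policy is evaluated two ways, VPN-style (a reachable network means a reachable app) and ZTNA-style (identity, group and device posture checked for each app), with the decision reason returned so it can be logged. All policy entries, users and apps are hypothetical sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    device_managed: bool
    device_patched: bool
    app: str

# Hypothetical per-application policy (constructed sample data): which
# groups may reach each app and whether a managed, patched device is required.
APP_POLICY = {
    "hr-portal": {"groups": {"hr"}, "require_managed": True},
    "git": {"groups": {"engineering"}, "require_managed": True},
    "wiki": {"groups": {"hr", "engineering"}, "require_managed": False},
}

def vpn_decision(req: AccessRequest) -> bool:
    """Perimeter model: once the tunnel is up, every app on the network is reachable.
    Only the user's credential was ever checked; app and device posture are not."""
    return req.app in APP_POLICY

def ztna_decision(req: AccessRequest) -> tuple[bool, str]:
    """Explicit trust: identity, group membership, device posture and the target
    app are all evaluated for each connection. Returns (allowed, reason) so the
    reason can be logged for detection and audit."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return False, "unknown application: no implicit reachability"
    if not (req.groups & policy["groups"]):
        return False, f"{req.user} is not in an authorised group for {req.app}"
    if policy["require_managed"] and not (req.device_managed and req.device_patched):
        return False, f"device posture fails policy for {req.app}"
    return True, "identity, group and device posture verified"

def compare(req: AccessRequest) -> dict:
    """Side-by-side outcome for one request under both models."""
    allowed, reason = ztna_decision(req)
    return {"vpn": vpn_decision(req), "ztna": allowed, "reason": reason}

if __name__ == "__main__":
    # Constructed example: an engineer on an unpatched laptop asks for the HR portal.
    print(compare(AccessRequest("alice", frozenset({"engineering"}), True, False, "hr-portal")))
```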
With ZTNA in place, further capabilities such as SWG, CASB and data loss prevention (DLP) will be integrated into the cloud-delivered security stack. Today, large data centers and enterprises are not using SD-WAN as a transport to ZTE networks. However, organizations will eventually transition to sending all traffic through these ZTE networks.
SD-WANs, which solve the challenges of connecting remote branch offices to the Internet and to cloud applications, work automatically, using predefined policies to pinpoint the most efficient route for application traffic passing from branch offices to company headquarters, the cloud and the Internet. This approach solves the latency and user experience problems caused by the legacy practice of backhauling branch traffic to the corporate office over MPLS circuits before it reaches the Internet.
According to Forrester, retail branches, remote users, remote offices, data centers and factories will ultimately all be connected to ZTE networks that use Zero Trust technologies and approaches.
In October 2019, Check Point introduced Harmony Connect (formerly known as CloudGuard Connect), a solution for securing remote user and branch office connections to the Internet and cloud applications with Check Point NGFW delivered as a service from a global cloud network. Harmony Connect integrates with leading SD-WAN vendors to secure their local Internet breakout, optimizing the user experience for cloud applications and protecting remote users from known and zero-day threats with NGFW, SWG, sandboxing and data loss prevention.
For application security, Check Point protects cloud and on-premises applications. Harmony Email and Office is a CASB service that uses cloud-native APIs to protect cloud mailboxes and Microsoft Office suites. In November 2020, Check Point acquired Odo, a ZTNA company, and added its technology to the Harmony Connect portfolio. Harmony Connect Remote Access prevents data breaches since it eliminates implicit trust from your organization's network perimeter and instead builds explicit trust in people, devices, assets and data wherever they are located.
The complete Harmony solution protects mobile, endpoint and remote branch office Internet and cloud connections from sophisticated attacks while ensuring Zero Trust access to corporate applications. To see Harmony Connect in action, request a demo. You're also welcome to try it out for yourself with a free trial.