Latest news with #ZTNA


Forbes
7 days ago
- Business
- Forbes
Why Zero-Trust Network Access Requires VPN Technology
Francis Dinha is CEO and cofounder of OpenVPN Inc., an enterprise network security company.

As businesses increasingly adopt zero-trust network access (ZTNA) to secure their digital environments, a common misconception is emerging: some believe that ZTNA can replace virtual private networks (VPNs). While it might not be as exciting to explain, the reality is that ZTNA cannot function without some kind of tunneling technology, and that means working with VPNs, not against them. Both technologies are crucial in the fight against cyber threats; it doesn't have to be one or the other. That said, they serve different purposes, and understanding their relationship is key to enhancing organizational security.

Different Tools, Complementary Purposes

ZTNA and VPNs are often mistakenly seen as competing solutions, but they are not mutually exclusive. A VPN serves as a secure transport layer: it creates an encrypted, authenticated tunnel between users and networks so that data remains private and protected even over public networks like the internet. ZTNA, on the other hand, focuses on access control. It ensures that only authorized users can reach specific resources, based on context such as user identity, device health or location. ZTNA defines who can access what, when and under which conditions.

While ZTNA policies enforce strict access controls, the mechanics of secure data transmission still rely on tunneling: ZTNA products carry the traffic they admit over an encrypted transport, whether that is a VPN protocol or a per-application TLS or mTLS session. Secure access control and secure data transport are both needed, but many businesses still misunderstand this.

The Role Of VPNs In Zero-Trust Strategies

Zero trust is a model in which trust is never assumed, regardless of whether the user is inside or outside the corporate network. Its central tenet is that access should be granted only on a need-to-know basis. To enforce this, organizations implement identity and access management (IAM), multifactor authentication (MFA) and device management, among other controls. These advances in access control do not eliminate the need for secure communication channels, and VPN technology remains a component of the model. In fact, 40% of companies still report using a VPN (no source is given for this figure). A "zero-trust VPN" might sound like a contradiction, but a VPN that enforces per-application, context-aware policy rather than handing out a network route on connect is a legitimate part of a complete zero-trust architecture.

NIST And The Enduring Importance Of VPNs

The National Institute of Standards and Technology (NIST) publishes cybersecurity guidance, and its Special Publication 800-207, Zero Trust Architecture, lists securing all communication regardless of network location among the core tenets of zero trust; it also describes micro-segmentation and software-defined perimeters as deployment approaches. Two caveats a practitioner should keep in mind: 800-207 treats network location as insufficient grounds for trust, so segmentation is a supporting control rather than the foundation, and it is deliberately protocol-neutral, requiring authenticated, encrypted channels without prescribing VPN tunneling in particular. The underlying point stands: without an encrypted transport, even the best access controls cannot prevent the interception or manipulation of data in transit, and attackers can exploit that gap to reach critical data.

The Shift In Cybersecurity Strategy

Rather than seeing VPNs as unnecessary in the face of zero-trust models, organizations should recognize how the tools work together. VPNs are not the problem; they are part of the solution. By evolving VPN technology to support more granular, contextual access controls, businesses can enhance their security posture. As businesses embrace hybrid workforces and cloud-based operations, ensuring secure connectivity without sacrificing access control will be essential. The combination of ZTNA policies and VPN tunneling lets organizations adapt to modern challenges while maintaining strong security frameworks.

Working Together: Best Practices For Combining ZTNA And VPN Technology

Zero trust and VPNs are complementary, not competing, technologies. As organizations integrate zero-trust security with VPN technology, deliberate implementation is essential to avoid common pitfalls and realize the benefits. Several best practices:

1. Start with a comprehensive access inventory. Before layering ZTNA policies onto your VPN infrastructure, audit all existing access points, including users, devices, applications and services. Map out who needs access to what and under what conditions. Without this clarity, ZTNA enforcement may block legitimate traffic or leave gaps in protection.

2. Integrate identity and context-aware controls early. ZTNA relies on identity verification and context (device posture, location, time of day and so on). Ensure that your VPN solution is integrated with your identity and access management (IAM) system and supports context-aware enforcement, so the VPN is not a static tunnel but a dynamic, policy-enforcing conduit.

3. Avoid the "lift-and-shift" mentality. A common stumbling block is bolting ZTNA onto legacy VPN architecture without rethinking access policy. ZTNA is not a wrapper; it is a shift in mindset. Legacy VPNs typically grant broad, implicit trust once connected (often a route to whole subnets); zero trust demands explicit, granular, per-application permissions. The transition requires redesigning network segmentation and access scopes.

4. Ensure visibility and logging across all layers. When combining VPN and ZTNA, make sure you have observability into user sessions, device health, policy enforcement outcomes and data flows. Look for solutions that integrate with SIEM platforms or offer centralized dashboards tracking both access requests and transport-level activity. This visibility matters for threat detection, compliance and incident response.

5. Prioritize user experience. Authentication and access friction is a common problem; if the ZTNA-VPN setup is cumbersome, users will look for workarounds that undermine security. Reduce complexity with single sign-on (SSO) and adaptive access policies that skip re-authentication when risk is low.

6. Adopt a phased rollout strategy. Implementing ZTNA on top of VPN infrastructure is complex. Start with a pilot focused on a specific user group or application and expand gradually, so IT teams can test policies, monitor behavior and tune configurations before the organization-wide rollout.

As the threat landscape evolves, businesses must embrace ZTNA-powered VPNs to get both secure connectivity and precise access control. The future of cybersecurity lies in this integration, where trust is never assumed and data is always protected.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.
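The access-control half of the picture above, "who can access what, when and under which conditions", is easy to state and easy to get wrong. The following is an added example, not code from the article or from OpenVPN, of a minimal per-application policy decision point of the kind a ZTNA layer makes in front of the tunnel. The policy schema, the three applications, the posture thresholds, the blocked network and the sample users and devices are all constructed for illustration. It also emits the structured audit record that best practice 4 asks for, and re-running `decide()` with a fresh posture report is how the continuous re-evaluation in best practice 2 is obtained.

```python
"""Context-aware access decision for a ZTNA policy engine (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress
import json


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool            # enrolled in MDM
    disk_encrypted: bool
    patch_age_days: int      # days since the last patch cycle completed


@dataclass(frozen=True)
class User:
    username: str
    groups: frozenset
    mfa_verified: bool       # MFA completed in the current IdP session


@dataclass(frozen=True)
class Request:
    user: User
    device: Device
    app: str                 # one named application, never "the network"
    source_ip: str
    when: datetime           # timezone-aware


# One policy per application (hypothetical schema). Compare with a legacy VPN
# profile, which usually pushes a route to whole subnets once the tunnel is up.
POLICIES = {
    "hr-portal": {"groups": {"hr"}, "require_managed": True,
                  "max_patch_age_days": 30, "hours_utc": (7, 20),
                  "deny_networks": []},
    "git":       {"groups": {"eng"}, "require_managed": True,
                  "max_patch_age_days": 14, "hours_utc": (0, 24),
                  "deny_networks": []},
    "wiki":      {"groups": {"eng", "hr", "contractor"}, "require_managed": False,
                  "max_patch_age_days": 90, "hours_utc": (0, 24),
                  "deny_networks": ["203.0.113.0/24"]},  # assumed blocklist
}


def decide(req):
    """Return (allow, reasons). Every check must pass; unknown apps are denied.

    Call again whenever context changes (new posture report, new source IP)
    to get continuous re-evaluation rather than a one-time gate.
    """
    policy = POLICIES.get(req.app)
    if policy is None:
        return False, ["unknown application"]
    reasons = []
    if not req.user.mfa_verified:
        reasons.append("mfa not verified")
    if not (req.user.groups & policy["groups"]):
        reasons.append(f"no group authorised for {req.app}")
    if policy["require_managed"] and not (req.device.managed and req.device.disk_encrypted):
        reasons.append("device not managed or not encrypted")
    if req.device.patch_age_days > policy["max_patch_age_days"]:
        reasons.append(f"patch age {req.device.patch_age_days}d exceeds "
                       f"{policy['max_patch_age_days']}d")
    start, end = policy["hours_utc"]
    if not start <= req.when.astimezone(timezone.utc).hour < end:
        reasons.append("outside permitted hours")
    src = ipaddress.ip_address(req.source_ip)
    if any(src in ipaddress.ip_network(n) for n in policy["deny_networks"]):
        reasons.append(f"source {req.source_ip} in denied network")
    return (not reasons), reasons


def audit_record(req, allow, reasons):
    """One structured line per decision, the kind of record a SIEM should ingest."""
    return json.dumps({
        "ts": req.when.isoformat(), "user": req.user.username,
        "device": req.device.device_id, "app": req.app, "src_ip": req.source_ip,
        "decision": "allow" if allow else "deny", "reasons": reasons,
    }, sort_keys=True)


# Constructed sample identities and devices (not real data).
ALICE = User("alice", frozenset({"eng"}), mfa_verified=True)
BOB = User("bob", frozenset({"contractor"}), mfa_verified=True)
LAPTOP = Device("lt-0001", managed=True, disk_encrypted=True, patch_age_days=3)
STALE_LAPTOP = Device("lt-0001", managed=True, disk_encrypted=True, patch_age_days=40)
BYOD = Device("byod-77", managed=False, disk_encrypted=False, patch_age_days=40)
NOON = datetime(2025, 7, 14, 12, 0, tzinfo=timezone.utc)


def demo():
    """Run the policy over a handful of requests; returns {name: (allow, reasons)}."""
    cases = {
        "alice_git": Request(ALICE, LAPTOP, "git", "198.51.100.7", NOON),
        "alice_hr": Request(ALICE, LAPTOP, "hr-portal", "198.51.100.7", NOON),
        "alice_git_stale": Request(ALICE, STALE_LAPTOP, "git", "198.51.100.7", NOON),
        "bob_wiki": Request(BOB, BYOD, "wiki", "198.51.100.7", NOON),
        "bob_wiki_blocked": Request(BOB, BYOD, "wiki", "203.0.113.9", NOON),
        "alice_unknown": Request(ALICE, LAPTOP, "ldap", "198.51.100.7", NOON),
    }
    return {name: decide(r) for name, r in cases.items()}


def demo_audit():
    req = Request(ALICE, LAPTOP, "hr-portal", "198.51.100.7", NOON)
    allow, reasons = decide(req)
    return audit_record(req, allow, reasons)


if __name__ == "__main__":
    for name, (allow, reasons) in demo().items():
        print(f"{name:18} {'ALLOW' if allow else 'DENY':5} {reasons}")
    print(demo_audit())
```

The shape worth copying is that a request names a single application and the engine answers for that application only; the same laptop that is allowed into `git` at patch age 3 days is denied at 40, with the reason recorded, and a connection from the blocked range is refused even for a user whose group would otherwise qualify.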


Forbes
11-07-2025
- Business
- Forbes
Zero Trust's Weak Spot: SaaS Apps Aren't Playing By The Same Rules
Brian Soby is CTO and co-founder at AppOmni, a SaaS security company, with more than 20 years of security experience.

The boundaries of modern enterprise networks have dissolved, making zero trust an essential cybersecurity framework. It's no surprise that many organizations are implementing zero-trust network access (ZTNA). ZTNA is a valuable component of zero trust, but there's a pervasive and dangerous misconception that it alone equates to a complete zero-trust architecture. The hard truth is that ZTNA primarily secures the pathways to your applications, not the applications themselves, and that gap creates risks that undermine the integrity of the whole architecture and open businesses to attacks and breaches.

The ZTNA-Only Fallacy

ZTNA solutions secure the perimeter, provide safe user transport to applications and inspect traffic, but their coverage largely ends at the application's boundary; principles like granular control and continuous verification are not carried through into the application. ZTNA implementations typically make binary, access-focused decisions: access to the application is granted or denied. Once users are in, their activities within the application often go unchecked and unmonitored. Focusing on these solutions alone can re-create a perimeter-centric mindset that neglects security inside applications.

This is especially problematic given the modern enterprise's reliance on cloud and software-as-a-service (SaaS) applications. SaaS platforms are no longer auxiliary tools; they are the backbone of operations, repositories of sensitive data and hubs of collaboration. When a zero-trust strategy emphasizes access controls in front of these applications but ignores their internal security posture, it leaves a gaping hole that undermines the whole architecture.

The Real Threat Landscape: Data Resides In Apps, And Attackers Know It

Securing the applications themselves is critical because, based on what I've seen in the industry, most sensitive data now resides in SaaS applications. Organizations that rely solely on ZTNA or similar network-focused defenses often mistakenly believe their SaaS applications are protected. Yet, time and again, we observe these critical applications being entirely overlooked by zero-trust architectures that ignore the reality of the risk landscape. The consequence is a significant weak point that attackers are keenly aware of and actively exploiting.

I've seen incident after incident where companies, despite having security service edge (SSE) or secure access service edge (SASE) solutions deployed, suffer breaches because attackers bypass these network-centric defenses to target applications directly: by using sideloaded accounts, entering through overly permissive access privileges or exploiting misconfigurations that make single sign-on (SSO) optional. SaaS apps, unlike on-premises systems, are internet-accessible by default, so if settings like SSO enforcement, multifactor authentication (MFA) or IP restrictions are misconfigured, users can reach the app directly and bypass the ZTNA stack entirely. These misconfigurations not only weaken zero-trust controls but also expose sensitive data, often with no oversight or enforcement on corporate devices, which effectively destroys the return on investment from zero-trust solutions.

Consider building a fence around 75% of a critical facility. You don't get 75% of the security value; you get very little, because adversaries will simply walk through the 25% that's open. Similarly, if your zero-trust strategy doesn't extend into your critical applications, your expensive ZTNA solutions become a mere inconvenience for sophisticated attackers, not a barrier.

Beyond Access: The Imperative Of Securing Applications Themselves

A truly robust zero-trust architecture cannot stop at verifying a user and granting them access to an application. It must scrutinize what users, and non-human identities, can do once inside. This is especially true for SaaS environments, with their complex ecosystem of internal users, external collaborators, customers and third-party application integrations. ZTNA was never designed to manage the risks arising from this extended surface area, and as a consequence many organizations face significant SaaS security gaps.

The National Institute of Standards and Technology (NIST) and other guiding bodies emphasize an end-to-end, continuous zero-trust process in which authorization decisions are as granular as possible. This contrasts sharply with most implementations, which make binary decisions (sanctioned or prohibited, access or no access) at the application's edge. True zero trust requires examining application-level permissions and activities, not just the coarse decision of whether access is granted.

Complete Your Zero-Trust Strategy

To close this gap, organizations need tools beyond ZTNA alone. Look for technologies that extend zero-trust principles directly into the application layer, particularly for SaaS environments, and apply verification, least privilege and continuous monitoring to application-level interactions and behaviors. This addresses the inherent limitations of network-focused security. Specifically, look for tools that provide the following:

1. Granular authorization and continuous monitoring: Move beyond simple access decisions to fine-grained, least-privilege policies based on specific actions and data interactions within an application. Couple this with continuous monitoring of user activity and data access, so permissions can adapt dynamically to real-time risk.

2. Deep visibility and threat detection: By continuously monitoring activity within SaaS apps, organizations can detect subtle indicators of malicious behavior or accidental misconfiguration. This visibility is critical for mitigating risks before they escalate into damaging incidents.

3. External user and third-party risk management: Extend zero-trust controls to external users and third-party integrations interacting with SaaS platforms, so you can evaluate the risks of cloud-to-cloud connections and non-human identities.

ZTNA is an important step on the zero-trust journey, but it's not the destination. Failing to secure the applications themselves, especially business-critical SaaS platforms, leaves organizations dangerously exposed. A partial zero-trust strategy is a chain with missing links: the whole structure is compromised. Enterprises must recognize that true zero trust requires security not only at the point of access but also within the application itself. For CIOs, the mandate is clear: extend zero-trust principles into the application layer now. It will help you build cyber resilience and realize the real security value of your zero-trust investments.
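The two gaps the piece describes, a SaaS tenant that is reachable without going through the ZTNA stack and activity inside the app that nobody checks against a role, both leave traces that can be checked mechanically. The following is an added example, not code from the article or from AppOmni, of the SaaS-side half of the picture: a posture check over tenant settings and a detection pass over audit log events. The setting names, the ZTNA egress range, the role-to-action policy and the six log lines are all constructed for illustration; real platforms expose different names and event schemas.

```python
"""SaaS-side checks that ZTNA cannot see: tenant posture and audit-log detection."""
import ipaddress
import json

# Public IPs the ZTNA/SSE stack egresses from (assumed). An event from any other
# source reached the tenant directly, without passing the ZTNA policy at all.
ZTNA_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed tenant configuration as found: SSO configured but optional.
TENANT_AS_FOUND = {
    "sso_enforced": False,
    "mfa_required_for_password_login": False,
    "ip_allowlist": [],                       # empty = reachable from anywhere
    "api_tokens_inherit_ip_allowlist": False,
}

# The same tenant with the gaps closed.
TENANT_HARDENED = {
    "sso_enforced": True,
    "mfa_required_for_password_login": True,
    "ip_allowlist": ["198.51.100.0/24"],
    "api_tokens_inherit_ip_allowlist": True,
}

# Action-level least privilege inside the app: what each role may do.
ACTION_POLICY = {
    "viewer":  {"read"},
    "analyst": {"read", "export_small"},
    "admin":   {"read", "export_small", "export_bulk", "grant_role"},
}


def posture_findings(settings):
    """Each finding is a configuration that lets someone bypass the ZTNA path."""
    findings = []
    if not settings["sso_enforced"]:
        findings.append("sso_optional: password login bypasses IdP and ZTNA policy")
        if not settings["mfa_required_for_password_login"]:
            findings.append("password_login_without_mfa")
    if not settings["ip_allowlist"]:
        findings.append("no_ip_allowlist: tenant reachable from any source, not only ZTNA egress")
    if not settings["api_tokens_inherit_ip_allowlist"]:
        findings.append("api_tokens_exempt_from_ip_allowlist")
    return findings


def detect(log_text):
    """Scan JSON-lines audit events; return (actor, alert, detail) tuples."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        src = ipaddress.ip_address(ev["src_ip"])
        via_ztna = any(src in net for net in ZTNA_EGRESS)
        # Login that did not go through SSO: a local password or token path.
        if ev["event"] == "login" and ev["auth"] != "sso":
            alerts.append((ev["actor"], "login_bypassed_sso", ev["auth"]))
        # In-app action outside what the actor's role permits.
        if ev["event"] == "action":
            allowed = ACTION_POLICY.get(ev["role"], set())
            if ev["action"] not in allowed:
                alerts.append((ev["actor"], "action_exceeds_role", ev["action"]))
        # Anything arriving from outside the ZTNA egress skipped the ZTNA stack.
        if not via_ztna:
            alerts.append((ev["actor"], f"{ev['event']}_off_ztna_path", ev["src_ip"]))
    return alerts


# Constructed sample audit log (not real data; documentation IP ranges only).
SAMPLE_LOG = """
{"ts":"2025-07-11T08:02:11Z","event":"login","actor":"alice","auth":"sso","src_ip":"198.51.100.20","role":"analyst"}
{"ts":"2025-07-11T08:05:40Z","event":"login","actor":"svc-backup","auth":"password","src_ip":"203.0.113.45","role":"admin"}
{"ts":"2025-07-11T08:06:02Z","event":"login","actor":"mallory","auth":"sso","src_ip":"192.0.2.77","role":"viewer"}
{"ts":"2025-07-11T08:10:00Z","event":"action","actor":"alice","action":"read","src_ip":"198.51.100.20","role":"analyst"}
{"ts":"2025-07-11T08:11:30Z","event":"action","actor":"bob","action":"export_bulk","src_ip":"198.51.100.21","role":"analyst"}
{"ts":"2025-07-11T08:12:15Z","event":"action","actor":"svc-backup","action":"grant_role","src_ip":"203.0.113.45","role":"admin"}
"""

if __name__ == "__main__":
    for finding in posture_findings(TENANT_AS_FOUND):
        print("posture:", finding)
    for actor, alert, detail in detect(SAMPLE_LOG):
        print(f"alert: {actor:12} {alert:24} {detail}")
```

The posture check and the log detection complement each other: once `sso_enforced` and the IP allowlist are set, the `login_bypassed_sso` and `_off_ztna_path` alerts should stop firing, which makes the detection a useful regression test for the configuration. The `action_exceeds_role` alert is the piece ZTNA never sees, because the analyst's bulk export travelled over the sanctioned path from a sanctioned IP.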


Techday NZ
11-07-2025
- Business
- Techday NZ
Portnox unveils cloud ZTNA for secure, agentless remote access
Portnox has announced the release of a cloud-native Zero Trust Network Access (ZTNA) solution designed to streamline secure remote access for enterprises.

ZTNA approach

The solution aims to address the traditional challenges of remote work, where employees need to access company applications from various devices and locations, sometimes over untrusted networks. The service is designed to avoid many of the performance and operational issues common to classic VPNs and older ZTNA models. Portnox's product offers a passwordless, agentless approach to accessing web-based applications: instead of requiring users to install clients or agents, access is through standard web browsers using familiar URLs.

Launch details

At launch, Portnox also introduced a free version of its ZTNA solution, which grants access to an unlimited number of web-based applications for an unlimited number of users, with community support only. Installation of Portnox's endpoint posture assessment tool, AgentP, is required for use; the announcement does not reconcile this with the agentless positioning above, so "agentless" should be read as applying to the access path rather than to posture assessment. Future updates are planned to extend access to a broader range of enterprise resources, including older applications without web interfaces, with the aim of providing cloud-native access control for every user and device regardless of location.

Security features

Key features of Portnox ZTNA, as described by the company, include access with minimal latency, avoiding the performance problems commonly experienced with legacy solutions. The system performs continuous risk posture checks on endpoints before allowing access, to ensure devices comply with security policy, and automated remediation addresses non-compliant or risky devices. Access control is based on both user role and location, limiting resource availability to what a specific job requires.

Additionally, Portnox says its approach requires no configuration changes to remote workers' networks or corporate firewalls, because all communication is outbound only, so no inbound listening ports need to be exposed. According to Portnox, this design minimises the attack surface and simplifies deployment for IT departments.

Executive comments

"Portnox ZTNA fundamentally changes how organizations approach remote access security," stated Denny LeCompte, CEO of Portnox. "We've engineered a solution that not only significantly strengthens security but also enhances the user experience - because the best security is virtually invisible: fast, seamless, and frictionless. By eliminating the reliance on traditional VPNs and streamlining access controls, we empower businesses to embrace a true zero trust model with remarkable simplicity."

Unified platform

Portnox ZTNA is part of the company's Unified Access Control Platform, which also offers RADIUS authentication, Network Access Control (NAC) and TACACS+ in a single cloud-based offering. This consolidation gives organisations a centralised system for managing and enforcing zero-trust access policies across hybrid working environments.

Intended audience

The solution is targeted at end users, IT decision-makers and organisations across sectors including finance, healthcare, education and technology. Portnox says users will benefit from fast, simple and secure access, while IT leaders gain greater oversight of access attempts and can enforce robust policies. The company asserts that the system's security and management benefits are designed to serve industries with demanding remote access and data protection requirements.


Techday NZ
10-07-2025
- Business
- Techday NZ
Five use cases that justify ditching VPNs for good
For years, Virtual Private Networks (VPNs) have been the go-to solution for secure remote access. But as the digital landscape evolves, the very infrastructure that once offered protection is proving to be a significant liability. Survey figures quoted here (source not named) put the share of organisations that experienced at least one VPN-related security incident in the past year at more than half (56%), with many experiencing multiple breaches, which makes VPNs a primary attack vector. Furthermore, backhauling non-local traffic through the VPN just to reach the internet leads to poor user experience, high cost and complex routing. In the same survey, 22% of users complain about slow connection speeds and 19% are frustrated by complex authentication with VPNs, while IT teams name balancing performance (21%) and constant troubleshooting (18%) as their top VPN headaches.

For organisations looking to modernise connectivity for a hybrid workforce, Zero Trust Network Access (ZTNA) is generally touted as the superior alternative. But not all ZTNA solutions are created equal, and to truly move beyond legacy VPNs, organisations should start from their use cases rather than fit themselves around one technology. Seen that way, it becomes clear that integrating ZTNA with other security tools within a broader model such as Secure Access Service Edge (SASE) is the key to finally giving VPNs the boot. Here are five use cases where replacing VPNs with ZTNA can help.

1. Enable hybrid workers

The hybrid work model has exposed the inadequacies of legacy VPNs. VPNs offer limited visibility into application activity, suffer latency from traffic backhauling, and grant broad network-level access that allows unrestricted lateral movement. Unpatched vulnerabilities in VPN concentrators are also a major attack vector, since the concentrator is by design reachable from the internet.

ZTNA is a safer and more efficient remote access alternative for hybrid workers. It lets organisations deploy identity- and context-aware least-privilege access across the workforce, minimising unauthorised lateral movement if an account or device is compromised. It enforces security policy consistently regardless of the user's location and provides real-time visibility into user activity and detailed network and application traffic. Finally, it facilitates secure onboarding of new devices, enables remote password resets, and ensures only sanctioned devices reach critical internal resources.

2. Accelerate cloud migration

Digital transformation has reached a tipping point where more workloads reside in public clouds than in private data centres, and efficient user connectivity to every environment is key to productivity. Because VPNs route user traffic through private data centres before connecting to cloud environments or applications, they often deliver a poor user experience. This is why a majority of IT teams (51%) rate better application performance as a key driver of ZTNA programmes. But ZTNA doesn't automatically resolve these routing problems. Organisations considering ZTNA should understand the network on which a solution is built, and reject architectures that involve hairpinning, or anything that means data and traffic travel further than they should.

3. Facilitate unmanaged device access (when it makes sense)

Organisations increasingly need to grant external contractors, service providers and partners secure access to corporate resources, and security teams face the challenge of accommodating unmanaged devices without exposing those resources. VPNs, which often grant excessive access, can't solve this. This is a use case where a ZTNA solution sitting within a consolidated SASE architecture makes sense. Enterprise browsers can be deployed remotely to unmanaged devices, extending the organisation's remote access and security policies to those users, who then reach corporate resources inside an isolated, secured browser on their own device, without security teams having to duplicate policy management effort.

4. Support remote contact centres

While many call centres are adopting cloud-based Unified Communications as a Service (UCaaS), many still rely on legacy on-premises VoIP systems, often routing calls through remote access VPNs. Most cloud-delivered ZTNA solutions currently don't support on-premises VoIP, forcing organisations to maintain both ZTNA and VPN infrastructure. Platforms that converge ZTNA and SD-WAN capabilities can solve this, and should include dynamic traffic steering and context-aware Quality of Service (QoS) to keep voice and video quality consistent.

5. Accelerate M&A integration

The success of a merger or acquisition is often determined by how quickly the two entities can be integrated, and traditional methods of merging networks are costly, time-consuming and complex. An overwhelming majority of organisations (91%) find third-party access and M&A integration very challenging with VPNs. ZTNA lets organisations connect employees, contractors and advisors to essential resources from day one, and removes the need for VPN setup and network merging, enabling immediate and secure integration.

While legacy remote access VPNs were once cutting-edge, they now pose significant security vulnerabilities and degrade network performance and user experience. Many ZTNA solutions today offer only partial VPN replacement, leading to a mix of infrastructure that can be more complicated than the original setup. When assessing modern alternatives, these compromises are unnecessary if the more challenging use cases are recognised upfront and planned for in the architecture selection.


Forbes
08-07-2025
- Business
- Forbes
Coro's Mythbuster Series—Myth No. 13: SMBs Can't Deploy ZTNA
Dror Liwer is cofounder at Coro.

Myth: Zero trust network access (ZTNA) is a complex, expensive cybersecurity solution accessible only to large enterprises with dedicated IT teams and massive budgets.

Myth Busted: This myth is as outdated as dial-up internet. Modern ZTNA solutions are not only accessible to SMBs but important for them, offering robust security without the prohibitive cost or complexity of traditional models.

What ZTNA Is

Imagine your office building. Traditionally, once you're past the main entrance, you have free rein to roam most areas. This is the old "castle-and-moat" security model: strong perimeter defenses, with everything inside inherently trusted. Now imagine a different scenario: every door in your office, from the main entrance to the broom closet, requires authentication. Even as an employee, you get access only to the rooms you need for your job, and your access is continuously verified. That, in essence, is ZTNA.

ZTNA operates on the principle of "never trust, always verify." Instead of assuming everything inside your network is safe, ZTNA verifies every user and device, for every connection, regardless of location. It segments access at the application level, granting each user only the specific applications and data they need and nothing more. This matters especially when you consider that a significant percentage of security incidents involve internal actors.

Why ZTNA Has Been Out Of Reach

For a long time, ZTNA was perceived to require a complete overhaul of existing network infrastructure, specialized expertise and significant financial investment. This was true of early ZTNA iterations, which were designed with large enterprises in mind. The complexity of integration, ongoing management and the need for in-house security professionals made it seem a distant dream for most SMBs. It's a bit like the "Ferrari Syndrome" discussed in Myth No. 9: just because a high-end security solution exists doesn't mean it's practical or manageable for every business. Many SMBs assumed ZTNA was a Ferrari they couldn't afford to buy or drive.

The New Reality: ZTNA For Every Business

The cybersecurity landscape has changed dramatically. With remote and hybrid work, employees access company resources from many locations and devices; many SMBs work with contractors, freelancers and vendors; and breaches are more common than ever. The good news is that ZTNA capabilities have evolved too. ZTNA secures every connection regardless of where employees work. It lets you grant contractors granular access to only the specific resources they need, for a limited time, without exposing your whole network. And by limiting lateral movement and containing breaches, ZTNA helps reduce the impact of ransomware, preventing it from spreading across the network.

Here's how ZTNA has become more accessible to SMBs:

Cloud-native and SaaS-based ZTNA offerings have removed much of the complexity traditionally associated with network security. By eliminating on-premises hardware and simplifying infrastructure requirements, they offer a more manageable entry point for smaller organizations, like using services that are maintained and updated externally rather than building your own data center.

Many modern ZTNA platforms emphasize usability, with simplified interfaces and integration paths that reduce setup friction. By aligning with existing identity and access management tools, they can be incorporated into current environments without deep in-house expertise. For many SMBs, this means security upgrades without expanding the IT team.

ZTNA can shift the financial model from capital to operational expenditure, helping SMBs manage cost while improving security. By consolidating multiple security functions, ZTNA also reduces the need for a sprawling toolkit, which directly counters the "more tools equals stronger cybersecurity" myth.

ZTNA's core principles, least-privilege access and segmenting users from resources they don't need, align well with the risks SMBs often face, particularly insider threats and lateral movement by attackers. These controls can reduce "dwell time," the period adversaries remain undetected in a system, even when a breach does occur.

As SMBs grow, the ability to scale security without rebuilding infrastructure becomes critical. ZTNA solutions typically grow with the organization, supporting additional users, devices and cloud applications without disruptive overhauls.

Taking Action: Deploying ZTNA As An SMB

Implementing ZTNA doesn't have to be daunting for an SMB. Here's how to approach it:

You don't need to deploy ZTNA across the whole organization at once. Begin by protecting your most critical applications and data, then expand gradually.

When exploring ZTNA options, look for providers that cater specifically to SMBs. Cloud-native, easy-to-manage solutions with transparent pricing should be a key focus, as should integration and automation, which lighten the load on small IT teams.

As discussed in Myth No. 9, identify your most critical assets and the primary threats to them. This will help you prioritize your ZTNA deployment and get the most impact from your investment.

While ZTNA reduces reliance on individual vigilance for perimeter security, it's still crucial to train employees in good cybersecurity hygiene. This helps combat the "Bagel Effect" discussed in Myth No. 10, where everyone assumes someone else is handling security.

Conclusion

The myth that SMBs cannot deploy ZTNA is well and truly busted. For small and medium-sized businesses navigating today's threat landscape, a stronger, more resilient security posture is well within reach, proving that advanced cybersecurity is for anyone who wants to protect their digital crown jewels.