3 Common ZTNA Deployment Hurdles and How to Overcome Them

Feb 01, 2022
4 minutes
... views

Most organizations acknowledge the security deficiency of the traditional business VPN. They provide access to entire local area networks (LANs) or groups of applications, can’t independently verify user identity, are publicly accessible, and they don’t inspect user traffic after a user connects. In short, VPNs are a security nightmare.

Zero trust network access (ZTNA) technologies wake up network security professionals from their VPN-induced bad dreams. ZTNA solutions embody the principles of zero trust, and enable users to securely access the data, applications, assets, and services that your hybrid workforce needs.

ZTNA 101

Despite having the word “network” in their name, ZTNA solutions are less about network-level access and are all about restricting user access to only the specific resources they need to do their job. This “just-in-time-and-just-enough” approach gives users access to specific applications, data, assets, and services based on their identity and presumed “need to know.”

Still, many organizations, even after they deploy ZTNA technologies, will continue to use VPNs. 

Like anyone trying to keep a New Year’s resolution knows, old habits die hard. For network security professionals, the VPN is certainly a hard habit to break. And when it comes to implementation, many organizations are finding that ZTNA projects expand past the jurisdictions of the network and security teams to impact both the human resources and legal departments as well. 

Common ZTNA Deployment Hurdles

The common hurdles ZTNA projects encounter include:

  1. The time and effort required to replace products, particularly VPN
    There are challenges with reducing dependencies on open LDAP or identity stores. Likewise, user and group mapping can be cumbersome.
  2. Legal and regulatory concerns
    Compliance, privacy, or other regulatory barriers like HIPAA controls can be a challenge when it comes to synchronizing identity stores with a ZTNA solution. If they aren’t involved in the consideration and purchasing decisions for the new technologies, legal or compliance officers may find showstopping concerns that need to be addressed before the ZTNA solution can be deployed.
  3. Organizational change management
    Behind every product deployed there’s someone who thought purchasing and deploying it was a good idea. For any new addition of technology in an organization, and especially when it affects user experience, organizations need to carefully navigate replacing tried-and-true methods of remote access (even if they are insecure). 

ZTNA is a completely different approach than VPN when it comes to securely enabling today’s hybrid workforces to access the apps and data they need to do their jobs. In some cases, network and security teams throw in the towel and opt to either continue using their VPNs or deploy their ZTNA products providing users with full, network-based access effectively eliminating any benefits ZTNA offers. How can organizations effectively move past these hurdles and take advantage of all ZTNA has to offer?

Overcoming ZTNA Deployment Hurdles

In the same way that you will achieve that New Year’s resolution that may have sounded better over cocktails, start with focused goals for your ZTNA deployment. Rather than trying to boil the ocean when implementing  ZTNA principles and technologies across your entire infrastructure, it is wise to start off focused on specific initiatives. Some examples may include: 

  • Deploying ZTNA-powered identity-based access control to business-critical or other sensitive applications
  • Implementing group-based policies for employees or contractors in sensitive areas of the business such as finance to enforce restricted access control then gradually begin adding granular, identity-based access control
  • If you are an NGFW customer who also purchased Prisma Access, you can take advantage of the PAN-OS Policy Optimizer, included natively in both products, to transition hardware policies to Prisma Access. You can use Cloud Identity Engine to help synchronize IDP or identity stores with the policy management in Prisma Access

Focused and measured ZTNA rollouts make managing unforeseen challenges more manageable. Focused rollouts help you discover the processes as well as identify organizational roadblocks and ways to overcome them. 

When exploring ZTNA tools, you should consider not only the standalone capabilities offered but how the solution fits into and supports a broader SASE and zero trust platform. Our ZTNA capabilities, offered through Prisma Access, provide a scalable, resilient solution that supports your remote access needs in the short term while paving the way to a comprehensive SASE transformation. If you are ready to increase your network security at a data, application, asset, and service level, find out how the ZTNA features in Prisma Access can help.

Subscribe to Sase Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.