The key to a successful ZTNA deployment? Start small.

Most organizations acknowledge the security deficiency of the traditional business VPN. VPNs provide access to entire local area networks (LANs) or groups of applications, can’t independently verify user identity, are publicly accessible, and don’t inspect user traffic after a user connects. In short, VPNs are a security nightmare.

Zero trust network access (ZTNA) technologies wake up network security professionals from their VPN-induced bad dreams. ZTNA solutions embody the principles of zero trust, and enable users to securely access the data, applications, assets, and services that your hybrid workforce needs.

ZTNA 101

Despite having the word “network” in their name, ZTNA solutions are less about network-level access and more about restricting user access to only the specific resources they need to do their job. This “just-in-time-and-just-enough” approach gives users access to specific applications, data, assets, and services based on their identity and presumed “need to know.”

Still, many organizations, even after they deploy ZTNA technologies, will continue to use VPNs. 

As anyone trying to keep a New Year’s resolution knows, old habits die hard. For network security professionals, the VPN is certainly a hard habit to break. And when it comes to implementation, many organizations are finding that ZTNA projects expand past the jurisdictions of the network and security teams to impact the human resources and legal departments as well.

3 Common ZTNA Deployment Hurdles

ZTNA projects encounter 3 common hurdles:

  1. The time and effort required to replace products, particularly VPN
    There are challenges with reducing dependencies on open LDAP or identity stores. User and group mapping can be cumbersome.
  2. Legal and regulatory concerns
    Compliance, privacy, or other regulatory barriers like HIPAA controls can be a challenge when it comes to synchronizing identity stores with a ZTNA solution. If they aren’t involved in the consideration and purchasing decisions for the new technologies, legal or compliance officers may find showstopping concerns that need to be addressed before the ZTNA solution can be deployed.
  3. Organizational change management
    Behind every product deployed there’s someone who thought purchasing and deploying it was a good idea. Whenever new technology is added, and especially when it affects user experience, organizations need to carefully navigate replacing tried-and-true methods of remote access (even if they are insecure).

It’s not uncommon for business units to slow rollouts out of concern that zero trust projects could impose unwelcome additional friction on their users. In some cases, network and security teams throw in the towel and opt to either continue using their VPNs or deploy their ZTNA products in a way that provides users with full, network-based access, effectively eliminating any benefits ZTNA offers.

To overcome ZTNA deployment hurdles, start small

In the same way that you will achieve that New Year’s resolution that may have sounded better over cocktails, start with small, attainable goals for your ZTNA deployment. Rather than trying to do everything at once by implementing ZTNA principles and technologies across your entire network, focus on one or two smaller initiatives instead. Some examples:

  • Deploy ZTNA-powered identity-based access control to a handful of applications.
  • Identify a subset of employees or contractors in your organization, and begin implementing group-based policies. For example, you could choose a small subset of employees or contractors in finance or marketing and implement restricted access control. Over time you can shrink the size of the groups and begin implementing granular, identity-based access control.
  • If you are an NGFW customer who also purchased Prisma Access, you can take advantage of the PAN-OS Policy Optimizer, included natively in both products, to transition hardware policies to Prisma Access. You can experiment with using Prisma Access as your authentication for transient employee projects while monitoring their impact on user experience. As you expand your deployment, you can begin using Cloud Identity Engine to help navigate larger projects, synchronizing IDP or identity stores with the policy management in Prisma Access.

Small and measured ZTNA rollouts make unforeseen challenges more manageable. A small ZTNA rollout helps you:

  • Discover the processes needed for a larger rollout. Identify potential organizational roadblocks and ways to overcome them.
  • Give your network and security teams the breathing room to trial various access control methods while keeping existing technologies in place as scaffolding.
  • Provide time to get other organizational stakeholders engaged and employees on board with the new ways to access network resources.

If you are ready to increase your network security at a data, application, asset, and service level, find out how the ZTNA features in Prisma Access can help.