Quick Answer: Cost Effectively Scaling Secure Access While Preparing for a Remote Workforce
In this research, we respond to the question, “How do we scale secure access now in a cost-effective way while preparing for the longer term?” Gartner recommends using ZTNA and SASE offerings for scalable secure access, to reduce costs and support digital workplace transformation.
Quick Answer
How do we scale secure access in a cost-effective way while preparing for the longer term?
- Deploy zero trust network access (ZTNA) to scale secure access capabilities immediately when hardware capacity or bandwidth on existing firewalls or VPN termination devices is limited.
- Provide assessment capabilities for the security posture of unmanaged devices.
- Cut costs in 2020 as contracts renew for VPN, SWG and CASB.
- Adopt a secure access service edge (SASE) strategy as the foundation for future digital workforce and branch office transformation.
More Detail
The COVID-19 pandemic has exposed the limitations of hardware-based approaches for secure access:
- Having every employee work remotely creates bandwidth, scale and licensing issues on hardware-based VPN termination appliances. On-premises VDI servers represent a similar challenge.
- Procuring new hardware is slow, requires access to an office for installation and is difficult with budgets frozen.
Hardware-based approaches should be augmented or replaced with a cloud-first, cloud-native secure access service edge (SASE) approach, starting with zero trust network access (ZTNA). Security and risk management leaders responsible for infrastructure security and secure access should apply these best practices to scale secure access, save money and lay the foundation for digital workforce transformation.
- Adopt a cloud-based ZTNA offering to scale secure access capabilities without deploying new hardware.
  - Favor vendors that offer ZTNA as a service from the cloud, as these are easier to deploy than self-hosted ZTNA (see “Market Guide for Zero Trust Network Access” and Step 1 in Figure 1). The policy engine resides in the provider’s cloud and brokers every interaction between users and applications.
  - To speed ZTNA adoption for web-enabled applications, use a service-initiated ZTNA product that can be deployed without agents on the endpoint.
  - If you are already using a cloud-based secure web gateway (SWG), check whether your vendor also provides a cloud-based ZTNA offering, since reusing the existing vendor accelerates adoption.
  - Confirm the ZTNA vendor has the capacity to scale and will commit to SLAs.
  - If possible, migrate some on-premises private apps to IaaS for visibility and scale and to enable ZTNA-based access. If budget is limited, use the IaaS provider’s built-in identity-aware proxy capabilities.
- Architect for access by unmanaged devices as an immediate requirement.
  - Where agents can’t be used and would slow the ZTNA rollout, favor ZTNA providers that assess device posture from basic browser telemetry or that partner with the identity provider for assessment and conditional access.
  - Over time, phase in agent-based ZTNA offerings for applications that can’t be proxied and to gain deeper visibility into device security posture, directly or via integration with unified endpoint management offerings.
  - For the most sensitive apps, use VDI, desktop as a service (DaaS) or remote desktop services to gain greater visibility and control of application usage.
  - For some use cases, VDI may be the best approach. For new capacity, the first choice should be a cloud-delivered DaaS offering (see “Market Guide for Desktop as a Service” and “Solving the Challenges of Modern Remote Access”). Some DaaS offerings include integrated ZTNA capabilities, giving a choice of access methods.
  - As an alternative to DaaS or VDI, a browser-based workspace aggregator can provide ZTNA-like, identity-based access without agents to web-enabled applications and, via RDP/RDS, to Windows applications (including remote desktop takeover of desktops still in the office).
  - Remote browser isolation (RBI), an emerging approach, can be used to protect sensitive internal applications from potentially compromised unmanaged devices (see “Innovation Insight for Remote Browser Isolation”).
- Extend protection when remote workers are using the internet and SaaS applications.
  - In addition to ZTNA, the next phase of the protection strategy should include:
    - Secure web gateway capabilities, including URL and malware filtering for internet access (see Step 2 in Figure 1) and visibility into SaaS access.
    - Cloud access security broker (CASB) capabilities for deeper visibility and control of SaaS applications, including sensitive data discovery and monitoring.
    - Optional RBI for unmanaged devices or risky sites.
- Cut costs and reduce complexity in 2020 as contracts renew for VPN, SWG and CASB capabilities by adopting cloud-native offerings that converge these capabilities.
  - Multiple vendors offer ZTNA, SWG, CASB, DNS and RBI capabilities from a converged, cloud-based fabric priced on a consumption-based model.
  - Consolidating vendors and adopting a cloud-based SASE approach will reduce costs and complexity while improving security (see Step 3 in Figure 1).
- For the longer term, use SASE as the foundation for digital workforce and branch office transformation.
  - Digital workforce requirements for anywhere, anytime access will transform branch office access requirements. Several SASE vendors now offer SD-WAN capabilities to support digital workforce/workplace transformation (see “Top Security and Risk Management Trends” and Step 4 in Figure 1).
  - Retiring dedicated MPLS circuits and connecting branch offices directly to the internet and into a SASE fabric is a significant source of cost savings over the next few years, in addition to supporting workforce transformation.
Figure 1. Scaling Secure Access Strategically
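The recommendations above describe a ZTNA policy engine that brokers every user-to-application interaction, assesses posture from an agent where one exists and from browser telemetry where it does not, and steers sensitive applications on unmanaged devices toward VDI/DaaS or RBI. The following is an added illustration of that decision logic, not code from Gartner or from any ZTNA vendor. It models the policy decision point that a service-initiated (agentless) ZTNA proxy or an IaaS identity-aware proxy would run: the identity assertion is verified first, entitlement second, and only then is the access method chosen. The HMAC-signed assertion stands in for a real SAML/OIDC assertion, and the application names, device posture fields, rule set and sample inputs are all constructed assumptions.

```python
"""Minimal ZTNA policy decision point (added illustration; assumptions are marked).

A service-initiated ZTNA proxy receives an identity assertion from the IdP, gathers the
posture it can get (agent report on managed devices, browser telemetry on any device),
and decides: proxy directly, push the session into RBI or VDI/DaaS, require the agent
path for non-web protocols, or deny.
"""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed shared secret for the example. A real IdP signs assertions with an
# asymmetric key and the proxy verifies against the IdP's published public key.
IDP_SECRET = b"example-idp-secret"


def issue_assertion(sub: str, groups: List[str], ttl: int = 300,
                    now: Optional[float] = None) -> str:
    """Mint a constructed 'payload.sig' assertion the way the IdP would (demo helper)."""
    now = time.time() if now is None else now
    body = json.dumps({"sub": sub, "groups": groups, "exp": now + ttl}).encode()
    payload = base64.urlsafe_b64encode(body).decode()
    sig = hmac.new(IDP_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_assertion(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature and expiry check out, otherwise None."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(IDP_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time compare
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return claims if claims.get("exp", 0) > now else None


@dataclass
class App:
    name: str
    protocol: str            # "https" can be proxied agentlessly; "ssh"/"rdp"/"tcp" cannot
    sensitivity: str         # "standard" or "sensitive" (assumed two-tier classification)
    allowed_groups: Set[str]


@dataclass
class Device:
    managed: bool
    disk_encrypted: bool = True      # agent-reported posture, managed devices only
    edr_running: bool = True         # agent-reported posture, managed devices only
    browser_outdated: bool = False   # browser telemetry, available from any device


@dataclass
class Decision:
    action: str              # "allow" | "rbi" | "vdi" | "agent_required" | "deny"
    reason: str


def decide(token: str, app: App, dev: Device, now: Optional[float] = None) -> Decision:
    """Policy engine: identity, then entitlement, then protocol, then posture-based routing."""
    claims = verify_assertion(token, now)
    if claims is None:
        return Decision("deny", "identity assertion invalid or expired")
    if not app.allowed_groups & set(claims.get("groups", [])):
        return Decision("deny", f"{claims['sub']} is not entitled to {app.name}")
    if app.protocol != "https":
        # Service-initiated ZTNA only brokers web traffic; this is where agent-based
        # ZTNA is phased in for applications that cannot be proxied.
        return Decision("agent_required", f"{app.protocol} cannot be proxied agentlessly")
    if dev.managed:
        if not (dev.disk_encrypted and dev.edr_running):
            return Decision("deny", "managed device failed agent posture check")
        return Decision("allow", "managed device with healthy posture: proxy directly")
    # Unmanaged device: only browser telemetry is available, so limit exposure instead.
    if app.sensitivity == "sensitive":
        return Decision("vdi", "sensitive app from unmanaged device: keep data off the endpoint")
    if dev.browser_outdated:
        return Decision("rbi", "outdated browser on unmanaged device: isolate the session")
    return Decision("allow", "standard app from unmanaged device with acceptable telemetry")


if __name__ == "__main__":
    # Constructed scenarios; fixed clock so the run is reproducible.
    tok = issue_assertion("alice", ["finance"], now=1000.0)
    payroll = App("payroll", "https", "sensitive", {"finance"})
    wiki = App("wiki", "https", "standard", {"finance", "eng"})
    jumphost = App("jumphost", "ssh", "sensitive", {"finance"})
    for app, dev in [(payroll, Device(managed=True)), (payroll, Device(managed=False)),
                     (wiki, Device(managed=False, browser_outdated=True)),
                     (jumphost, Device(managed=False)),
                     (payroll, Device(managed=True, edr_running=False))]:
        d = decide(tok, app, dev, now=1100.0)
        print(f"{app.name:9s} managed={dev.managed!s:5s} -> {d.action:14s} {d.reason}")
```

The ordering matters: an unsigned or expired assertion is rejected before any entitlement or posture data is consulted, so posture claims from an unauthenticated client never influence the outcome, and the non-web case is surfaced explicitly rather than silently denied, which is what drives the decision to phase in an agent-based offering for those applications.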