Latest news with #ZTNA


Forbes
24-07-2025
- Business
- Forbes
Eliminating Blind Spots: How Browser-Based ZTNA Closes Security Gaps
Etay Maor is Chief Security Strategist for Cato Networks, a leader of advanced cloud-native cybersecurity technologies.

Zero trust promised a fundamental shift: security where access depends not just on identity, but on full context—rigorous authentication, device posture, location and real-time risk assessment. Zero trust network access (ZTNA) became the engine driving this vision, replacing porous network perimeters with granular, policy-driven control. Yet, a critical blind spot persists in many implementations: the unmanaged device.

Contractors, partners and BYOD users leverage unmanaged endpoints daily—essential for modern business, yet often outside IT's direct visibility and control. They lack agents and consistent configuration. For security leaders, this gap isn't an inconvenience; it's a direct threat to zero trust integrity. Unmanaged devices represent a glaring vulnerability, undermining the model's core principles.

The Shortcomings Of Traditional ZTNA: Where The Perimeter Fades

ZTNA dethroned legacy VPNs, offering stronger authentication, micro-segmentation (app-specific access) and superior visibility. However, its Achilles' heel is clear: It primarily serves managed devices running dedicated agents under IT's control. Unmanaged devices are left exposed, and common workarounds are flawed. Consider the following shortcomings:

• Agent Deployment Hurdles: Installing clients on third-party or personal devices is often unscalable, invasive and blocked by user permissions or policies.
• The VDI Burden: Virtual desktops (VDI) create a secure "bubble" but sacrifice performance and user experience—and add significant infrastructure complexity and cost.
• Fragmented Tool Chains: Bolting on separate solutions (browser gateways, SWGs, reverse proxies, etc.) creates parallel access paths, inconsistent policy enforcement and siloed visibility—reintroducing complexity that zero trust aimed to solve.

These approaches fail to deliver true zero trust for unmanaged devices and introduce new risks: policy gaps, visibility holes, operational overhead and user friction. We need a unified approach that can secure every user and device without multiplying complexity.

The Imperative Of Consistency: No Exceptions Allowed

Security effectiveness hinges on consistency. If managed users face stringent zero trust controls while unmanaged users operate through weaker exceptions, the entire model unravels. Uniform enforcement is impossible. This inconsistency has tangible consequences, especially for compliance (PCI-DSS, HIPAA, GDPR, SOC 2, etc.). These frameworks demand demonstrable, uniform security controls across all access points handling sensitive data. Gaps for unmanaged devices aren't just vulnerabilities; they are potential compliance violations with severe penalties.

To address this, some organizations are turning to browser-based ZTNA. Unlike agent-based ZTNA models that require deep device integration, browser-based ZTNA delivers secure access directly through the user's standard web browser. This simple difference can be transformative. Contractors on home PCs, partners on their laptops and BYOD users can instantly fall under the exact same granular access policies, continuous risk assessment and inspection frameworks as managed users. Crucially, it achieves this without requiring device-level control, persistent software installs or intrusive endpoint changes. The browser becomes the universal conduit. Every access request undergoes rigorous verification, monitoring and filtering—true zero trust extended to the entire workforce ecosystem.

Reducing Complexity, Not Just Risk

Security leaders know the trade-off: more control often means more complexity. Accommodating unmanaged access historically meant buying new tools and managing parallel policy engines—draining resources and creating gaps. Browser-based ZTNA offers consolidation. It can eliminate the need for separate point products for external users. All traffic flows through a single, unified policy engine with common enforcement points. This ensures uniform access control, threat prevention, data protection and monitoring, reducing the overhead of managing siloed systems. In my experience, it streamlines multiple checkpoints into one efficient lane.

Just as importantly, browser-based ZTNA respects the user experience. By supporting standard browsers (Chrome, Edge, Firefox, etc.), users access resources as they always have. No disruptive workflow changes, no specialized software installs or configuration changes. Adoption, I've found, is often frictionless.

Use Case: Secure Access For Unmanaged Devices

The most compelling application of this model is securing access from unmanaged devices, delivering core zero trust benefits universally. By focusing on these devices, you can:

• Enforce identity and risk-based access policies.
• Limit users to specific, authorized applications or data sets.
• Prevent lateral movement within the network.
• Log and audit access for compliance reporting and forensics.
• Inspect web traffic for threats and data loss—no endpoint agent needed.

In contrast to traditional VPNs or VDI setups, I've found that this model is lighter, faster, more scalable and simpler to manage.

Getting Started

Organizations beginning their zero trust journey should first address the critical vulnerability of unmanaged devices. Established, traditional ZTNA models often fail here, leaving contractors, partners and BYOD users outside consistent security controls. Agent deployment is impractical, while VDI introduces performance penalties and complexity. Fragmented solutions recreate the visibility gaps zero trust aims to eliminate.

Prioritize implementing browser-based ZTNA for unmanaged access. This approach directly tackles the core weakness: It allows applying rigorous zero trust policies—strong authentication, granular access control, continuous inspection—to every user without agents or disruptive changes. The standard web browser becomes the secure conduit, delivering immediate risk reduction at the perimeter's weakest point.

Ensure consistent policy enforcement across all users and access paths; security and compliance demand no exceptions. Base access decisions on rich context: identity, device posture (where feasible), location and real-time risk. Critically, reduce complexity by choosing solutions that unify access paths and policy management, avoiding fragmented tools that undermine zero trust. Start by securing high-value applications via this browser approach to demonstrate value and build momentum.

Why This Matters Now

Hybrid work and third-party collaboration are not temporary—they're the permanent operational fabric of our day-to-day efforts. Unmanaged devices are integral to this landscape. Half-measures are obsolete. A consistent, identity-centric, browser-based ZTNA approach can eliminate fragmented solutions and ensure comprehensive policy coverage. The same stringent rules apply to the CEO on a corporate laptop and the contractor on a personal device. It simplifies operations for security teams.

For CISOs, this means fewer dangerous security exceptions, fewer exploitable gaps and more confidence in protecting data and meeting regulatory obligations—regardless of where work happens or which device is used. Browser-based ZTNA doesn't just close the blind spot; it provides the consistent control demanded by boundary-less work.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.


Forbes
14-07-2025
- Business
- Forbes
Why Zero-Trust Network Access Requires VPN Technology
Francis Dinha is CEO and cofounder of OpenVPN Inc., a leading enterprise network security company.

As businesses increasingly adopt zero-trust network access (ZTNA) as a way to secure their digital environments, a common misconception is emerging: Some believe that ZTNA can replace virtual private networks (VPNs). While it might not be as exciting to explain, the reality is that ZTNA simply cannot function without the support of some kind of tunneling technology—and that means working with VPNs, not against them. Both technologies are crucial in the fight against cyber threats; it doesn't have to be one or the other. That being said, they do both serve different purposes, and understanding their relationship is key to enhancing organizational security.

Different Tools, Complementary Purposes

ZTNA and VPNs are often mistakenly seen as competing solutions. However, they are not mutually exclusive. A VPN serves as a secure transport layer by creating an encrypted tunnel for communication between users and networks. This ensures that data remains private and protected, even over public networks like the internet. On the other hand, ZTNA focuses on access control. It ensures that only authorized users can access specific resources based on context such as their location, device health or user identity. ZTNA defines who can access what, when and under which conditions.

While ZTNA policies enforce strict access controls, the mechanics of secure data transmission still rely on VPN tunneling, even on ZTNA tools. It's clear we need both secure access control and secure data transport, but many businesses still misunderstand this idea.

The Role Of VPNs In Zero-Trust Strategies

Zero trust is a model where trust is never assumed, regardless of whether the user is inside or outside the corporate network. The central tenet of zero trust is that access should be granted only on a need-to-know basis. To enforce this, organizations implement tools like identity and access management (IAM), multifactor authentication (MFA) and other strategies like device management.

Despite these innovations in access control, zero trust does not eliminate the need for secure communication channels. VPN technology remains a crucial component of this model. In fact, 40% of companies still report using a VPN. A "zero-trust VPN" might sound like a contradiction, but it is an essential part of a complete zero-trust architecture.

NIST And The Enduring Importance Of VPNs

The National Institute of Standards and Technology (NIST), which provides guidelines for cybersecurity best practices, underscores the importance of network segmentation and encrypted tunnels in any zero-trust architecture. In the NIST Special Publication 800-207 on zero trust, NIST states that strong network segmentation and secure pathways remain foundational to zero-trust security models.

Without secure transport mechanisms like VPNs, organizations leave themselves vulnerable to cyberattacks, as malicious actors could exploit gaps in the system to gain unauthorized access to critical data. Without VPN tunneling, even the best access controls cannot prevent the interception or manipulation of data in transit.

The Shift In Cybersecurity Strategy

Rather than seeing VPNs as unnecessary in the face of emerging zero-trust models, organizations must recognize how these tools work together. VPNs are not the problem; they're part of the solution. By evolving VPN technology to support more granular, contextual access controls, businesses can enhance their security posture.

As businesses increasingly embrace hybrid workforces and cloud-based operations, ensuring secure connectivity without sacrificing access control will be essential. The combination of ZTNA policies and VPN tunneling provides the best of both worlds, allowing organizations to adapt to modern challenges while maintaining strong security frameworks.

Working Together: Best Practices For Combining ZTNA And VPN Technology

Zero trust and VPNs are complementary, not competing, technologies. As organizations move toward integrating zero-trust security with VPN technology, strategic implementation becomes essential to avoid common pitfalls and fully realize the benefits of this powerful security model. Here are several best practices and considerations for optimizing deployment:

1. Start with a comprehensive access inventory. Before layering ZTNA policies onto your VPN infrastructure, organizations should begin by auditing all existing access points—including users, devices, applications and services. Map out who needs access to what and under what conditions. Without this clarity, ZTNA enforcement may inadvertently block legitimate traffic or leave gaps in protection.

2. Integrate identity and context-aware controls early. ZTNA relies heavily on identity verification and context (e.g., device posture, location, time of day, etc.). Ensure that your VPN solution is integrated with robust identity and access management (IAM) systems and supports context-aware enforcement. This ensures the VPN is not just a static tunnel but a dynamic, policy-enforcing conduit.

3. Avoid the 'lift-and-shift' mentality. A common stumbling block is trying to bolt ZTNA onto legacy VPN architecture without rethinking how access policies should change. ZTNA is not simply a wrapper—it's a shift in mindset. Legacy VPNs often provide broad, implicit trust once connected; zero trust demands explicit, granular permissions. Transitioning to this model requires redesigning network segmentation and access scopes.

4. Ensure visibility and logging across all layers. When combining VPN and ZTNA, ensure you have complete observability into user sessions, device health, policy enforcement outcomes and data flows. Look for solutions that integrate with SIEM platforms or offer centralized dashboards to track both access requests and transport-level activity. This visibility is critical not only for threat detection but also for compliance and incident response.

5. Prioritize user experience. One challenge many organizations face is user friction during authentication and access. If the ZTNA-VPN setup is cumbersome, users may seek workarounds—potentially undermining security. Minimize complexity by using single sign-on (SSO) and adaptive access policies that reduce the number of re-authentication steps when risk levels are low.

6. Adopt a phased rollout strategy. Implementing ZTNA on top of VPN infrastructure is complex. Start with a pilot program focused on a specific user group or application, and gradually expand. This allows IT teams to test policies, monitor behavior and fine-tune configurations before rolling out organization-wide.

As the threat landscape continues to evolve, businesses must embrace the combination of ZTNA-powered VPNs to ensure both secure connectivity and precise access control. The future of cybersecurity lies in this integration—where trust is never assumed and data is always protected.


Forbes
11-07-2025
- Business
- Forbes
Zero Trust's Weak Spot: SaaS Apps Aren't Playing By The Same Rules
Brian Soby is CTO & co-founder at AppOmni, a leader in SaaS security, with more than 20 years of security experience.

The boundaries of modern enterprise networks have dissolved, making zero trust an essential cybersecurity framework for modern organizations. It's no surprise that many organizations are implementing zero-trust network access (ZTNA). And while it's a valuable component of zero trust as a whole, there's a pervasive and dangerous misconception that it alone equates to a complete zero-trust architecture. But the hard truth is that ZTNA primarily secures the pathways to your applications, not the applications themselves. And this gap creates critical risks that undermine the integrity of the entire zero-trust architecture, opening businesses up to cyberattacks and breaches.

The ZTNA-Only Fallacy

ZTNA solutions secure perimeters, ensure safe user transport to applications and inspect traffic, but their security coverage predominantly ends at the application's boundary, failing to extend principles like granular control and continuous verification through applications. ZTNA implementations typically provide binary, access-focused security controls—either access to the application is granted or denied. However, once users gain entry, their activities within the application often remain unchecked and unmonitored. Focusing on these solutions alone can inadvertently re-create a perimeter-centric mindset, neglecting security within applications.

This is particularly problematic when we consider the modern enterprise's reliance on cloud and software-as-a-service (SaaS) applications. SaaS platforms are no longer auxiliary tools; they are the backbone of operations, repositories of sensitive data and hubs of collaboration. When zero-trust strategies emphasize access controls to these applications but ignore their internal security posture, they leave a gaping hole, which undermines the entire security architecture.

The Real Threat Landscape: Data Resides In Apps, And Attackers Know It

Securing your applications themselves is critical because, based on what I've seen in the industry, most sensitive data now resides in SaaS applications. Organizations that rely solely on ZTNA or similar network-focused defenses often mistakenly believe their SaaS applications are protected. Yet, time and again, we observe these critical applications being entirely overlooked by zero-trust architectures that ignore the reality of the risk landscape. The consequence? A significant weak point that attackers are keenly aware of and actively exploiting.

I've seen incident after incident where companies, despite having secure service edge (SSE) or secure access service edge (SASE) solutions deployed, suffer breaches because attackers bypass these network-centric defenses to target applications directly—by using sideloaded accounts, entering through overly permissive access privileges or exploiting misconfigurations that make single sign-on (SSO) optional. SaaS apps, unlike on-premise systems, are internet-accessible by default—so if settings like SSO, multifactor authentication (MFA) or IP restrictions are misconfigured, users can directly access these apps and bypass the ZTNA stack. These misconfigurations not only weaken zero-trust controls, but they also expose sensitive data, often without oversight or enforcement on corporate devices. This effectively destroys any return on investment from zero-trust solutions.

Consider building a fence around 75% of a critical facility. You don't get 75% of the security value; you get very little, because adversaries will simply walk through the 25% that's open. Similarly, if your zero-trust strategy doesn't extend into your critical applications, your expensive ZTNA solutions become a mere inconvenience for sophisticated attackers, not a barrier.

Beyond Access: The Imperative Of Securing Applications Themselves

A truly robust zero-trust architecture cannot stop at verifying a user and granting them access to an application. It must scrutinize what users—and non-human identities—can do once inside. This is especially true for SaaS environments, which involve a complex ecosystem of internal users, external collaborators, customers and third-party application integrations. ZTNA was never designed to manage the risks arising from this extended surface area, and as a consequence, many organizations are facing significant SaaS security gaps.

And while the National Institute of Standards and Technology (NIST) and other guiding bodies emphasize an end-to-end, continuous zero-trust process where authorization decisions are as granular as possible, this contrasts sharply with most implementations that make binary decisions—sanctioned or prohibited, access or no access—at the application's edge. True zero trust requires a deep dive into application-level permissions and activities, not coarse-grain decisions over simply whether access is granted or denied.

Complete Your Zero-Trust Strategy

To close this critical gap, organizations need to implement tools beyond ZTNA alone. Look for technologies that extend zero-trust principles directly into the application layer, particularly for SaaS environments. Apply the zero-trust principles of verification, least privilege and continuous monitoring directly to application-level interactions and behaviors. This will help address the inherent limitations of network-focused security. In addition to the above, look for tools that do the following:

1. Granular Authorization And Continuous Monitoring: Move beyond simple access decisions to enable fine-grained, least-privilege policies based on specific actions and data interactions within an application. Couple this with continuous monitoring of user activities and data access, which can allow permissions to adapt dynamically based on real-time risk.

2. Deep Visibility And Threat Detection: By continuously monitoring activities within SaaS apps, organizations can detect subtle indicators of malicious behavior or accidental misconfigurations. This visibility is critical for proactively mitigating risks before they escalate into damaging security incidents.

3. External User And Third-Party Risk Management: Extend your zero-trust security controls to external users and third-party integrations interacting with SaaS platforms. This will let you evaluate risks associated with cloud-to-cloud connections and non-human identities.

ZTNA is an important step on the zero-trust journey, but it's not the destination. Failing to secure your applications themselves, especially business-critical SaaS platforms, leaves organizations dangerously exposed. Implementing a partial zero-trust strategy is akin to building a chain with missing links—the entire structure is compromised. Enterprises must recognize that true zero trust requires security not only at the point of access, but also within the application itself.

For CIOs, the mandate is clear: Extend zero-trust principles deep into the application layer now. It will help you forge robust cyber resilience and realize the real security value of your zero-trust investments.


Techday NZ
11-07-2025
- Business
- Techday NZ
Portnox unveils cloud ZTNA for secure, agentless remote access
Portnox has announced the release of a cloud-native Zero Trust Network Access (ZTNA) solution designed to streamline secure remote access for enterprises.

ZTNA approach

The ZTNA solution aims to address the traditional challenges associated with remote work, where employees need to access company applications from various devices and locations, sometimes using untrusted networks. This new service is designed to bypass many of the performance and operational issues common in classic VPNs and older ZTNA models.

Portnox's product offers a passwordless, agentless approach for accessing web-based applications. Instead of requiring users to download clients or agents, the system is built to allow access via standard web browsers using familiar URLs.

Launch details

During its launch, Portnox also introduced a free version of its ZTNA solution, which grants access to an unlimited number of web-based applications for an unlimited number of users. However, this version provides only community support. Installation of Portnox's endpoint posture assessment tool, AgentP, is required for use.

Future updates are planned to expand access capabilities to a broader range of enterprise resources, including older applications without web interfaces. This planned expansion aims to provide comprehensive cloud-native access control for every user and device, regardless of their location.

Security features

Key features of Portnox ZTNA include instant access with minimal latency, eliminating the performance issues commonly experienced with legacy solutions. The system conducts continuous risk posture checks on endpoints before allowing access, ensuring devices are compliant with security policies. Automated remediation addresses any non-compliant or risky devices instantly. The solution's access control is based on both user roles and location, limiting resource availability to only those necessary for specific job requirements.

Additionally, Portnox highlights that its approach does not require configuration changes to remote worker networks or corporate firewalls, as all communications are outbound only. According to Portnox, this design minimises the attack surface and simplifies deployment for IT departments.

Executive comments

"Portnox ZTNA fundamentally changes how organizations approach remote access security," stated Denny LeCompte, CEO of Portnox. "We've engineered a solution that not only significantly strengthens security but also enhances the user experience - because the best security is virtually invisible: fast, seamless, and frictionless. By eliminating the reliance on traditional VPNs and streamlining access controls, we empower businesses to embrace a true zero trust model with remarkable simplicity."

Unified platform

Portnox ZTNA is part of the company's Unified Access Control Platform, which also features RADIUS authentication, Network Access Control (NAC), and TACACS+ in a single cloud-based offering. This consolidation provides organisations with a centralised system for managing and enforcing zero-trust access policies across various hybrid working environments.

Intended audience

The solution is targeted at end-users, IT decision-makers, and organisations across various sectors, including finance, healthcare, education, and technology. Portnox indicates that users will benefit from fast, simple, and secure access, while IT leaders can maintain greater oversight of access attempts and enforce robust policies. The company asserts that the system's security and management benefits are designed to serve industries with demanding requirements for remote access and data protection.


Techday NZ
10-07-2025
- Business
- Techday NZ
Five use cases that justify ditching VPNs for good
For years, Virtual Private Networks (VPN) have been the go-to solution for secure remote access, but as the digital landscape evolves, the very infrastructure that once offered protection is now proving to be a significant liability. More than half (56%) of organisations experienced at least one VPN-related security incident in the past year, with many experiencing multiple breaches, making VPNs a primary attack vector.

Furthermore, backhauling non-local traffic through the VPN just to access the internet leads to poor user experience, high costs, and complex routing. In fact, 22% of users complain about slow connection speeds, and 19% are frustrated by complex authentication processes with VPNs. IT teams also find balancing performance (21%) and constant troubleshooting (18%) to be top VPN headaches.

For organisations looking to modernise their connectivity for a hybrid workforce, Zero Trust Network Access (ZTNA) is generally being touted as the superior alternative. However, not all ZTNA solutions are created equal, and to truly move beyond legacy VPNs, organisations should focus on their use cases rather than trying to fit themselves around one technology. Doing this, it becomes obvious that integrating ZTNA with other security tools within broader models such as Secure Access Service Edge (SASE) is the key to finally giving VPNs the boot. Here are five use cases where replacing VPNs with ZTNA can help organisations.

1. Enable hybrid workers

The rise of the hybrid work model has exposed the inadequacies of legacy VPN solutions. VPNs offer limited visibility into application activities, suffer from latency due to traffic backhauling, and grant broad network-level access that allows for unrestricted lateral movements. Unpatched vulnerabilities in VPN concentrators can also act as major attack vectors.

ZTNA is a safer and more efficient remote access alternative for hybrid workers that allows organisations to deploy identity and context-aware least-privileged access among their workforce, and minimise unauthorised lateral movements in case of compromise. It also ensures consistent enforcement of security policies regardless of the user's location by providing real-time visibility into user activities and detailed network and application traffic. Finally, it facilitates the secure onboarding of new devices, enables remote password resets, and ensures only sanctioned devices access critical internal resources.

2. Accelerate cloud migration

Digital transformation has led to a tipping point where more workloads reside in public clouds than in private data centres, and ensuring efficient connectivity for users to all environments for efficiency and productivity is key. As they route user traffic through private data centres before connecting to cloud environments or applications, VPNs often deliver a poor user experience. This is why a majority of IT teams (51%) rate 'better application performance' as a key driver of ZTNA programs.

But ZTNA doesn't necessarily resolve these complex routing decisions. Organisations considering ZTNA solutions should seek to understand the network on which they are built, and reject architectures that involve hairpinning, or anything that looks like data and traffic will travel further than it should.

3. Facilitate unmanaged device access (when it makes sense)

Organisations increasingly need to grant secure access to corporate resources for external contractors, service providers, and partners, and security teams face the challenge of accommodating unmanaged device access without exposing resources. This challenge can't be solved with VPNs, which often grant excessive access. This is a use case where a ZTNA solution sitting within a consolidated SASE architecture makes sense.

Enterprise browsers can be easily and remotely deployed to unmanaged devices, extending the organisation's remote access and security policies to those users, who can access corporate resources within an isolated and secure browser on their devices, without the need for security teams to duplicate operational effort around policy management.

4. Support remote contact centres

While many call centres are adopting cloud-based Unified Communication as a Service (UCaaS), many still rely on legacy on-premises hosted VoIP systems, often routing calls through remote access VPNs. Most cloud-delivered ZTNA solutions currently don't support on-premises hosted VoIP, forcing organisations to maintain both ZTNA and VPN infrastructure. Platforms that converge ZTNA and SD-WAN capabilities can solve this problem, and should include capabilities such as dynamic traffic steering and context-aware Quality of Service (QoS) to ensure a consistent voice and video application experience.

5. Accelerate M&A integration

The success of a merger or acquisition is often determined by how quickly the integration of the two entities can be completed, and traditional methods of merging networks are costly, time-consuming, and complex. An overwhelming majority of organisations (91%) find third-party access and M&A integration very challenging using VPNs. ZTNA allows organisations to quickly connect employees, contractors, and advisors to essential resources from day one, and eliminates the need for VPN setup and network merging, enabling immediate and secure integration.

While legacy remote access VPNs were once cutting-edge, they now pose significant security vulnerabilities and degrade network performance and user experience. Many ZTNA solutions today offer only partial VPN replacement, leading to a complex mix of infrastructure that can be more complicated than the original setup. When assessing modern alternatives, these compromises are not necessary if the more challenging use cases are recognised upfront, and planned for in architecture selection.