ZTNA, Secure Service Edge and the future way of remote access

A couple of years ago I posted a blog post about SASE and the future of protecting remote workers: SASE – The next generation of services we need to protect the mobile workspace? (msandbu.org).

Well, a lot has happened since then, so I decided to revisit the topic and write an update on what has happened on this front. To begin with, more and more of the companies I wrote about then have shifted their focus to SSE (Security Service Edge) rather than SASE.

What is SSE? Security Service Edge (SSE) is the subset of the Secure Access Service Edge (SASE) architecture that concentrates solely on the cloud-delivered security services. SSE provides safe internet access through a Secure Web Gateway (SWG), protects Software as a Service (SaaS) and cloud applications through a Cloud Access Security Broker (CASB), and provides remote access to private applications through Zero Trust Network Access (ZTNA). SASE includes these features but adds software-defined WAN (SD-WAN), WAN optimization and Quality of Service (QoS) on top. Some vendors also include Remote Browser Isolation (RBI) and Digital Experience Monitoring (DEM) to monitor the user experience.

Palo Alto has also coined the term ZTNA 2.0 for their product, labelling what apparently most other vendors ship as ZTNA 1.0, which they describe as a "legacy" architecture; I'll get back to that part in a bit. The first thing I want to address is the core of all these definitions, and that is Zero Trust.

There are many ways to describe Zero Trust, but I like the NIST definition:

Zero trust provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised. ZTA is an enterprise’s cybersecurity plan that uses zero trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a zero trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a ZTA plan.

NIST SP 800-207, Zero Trust Architecture | CSRC (nist.gov)

CISA's Zero Trust Maturity Model represents a gradient of implementation across five distinct pillars (Identity, Devices, Networks, Applications and Workloads, and Data). Enterprises should move to a higher level of maturity within each of these pillars until they reach the Optimal stage of Zero Trust adoption.

How do these pillars apply to remote access and SSE? To adhere to Zero Trust practices we need a set of technologies that provide these capabilities. For instance, to verify the health of the device and the identity of the user, and then grant least-privilege access to a specific application or set of data, we need a high level of maturity and technology that can actually supply that information at decision time.

For instance, Microsoft has now also entered the competition with a new product called Microsoft Global Secure Access. How does it fit into this picture in terms of getting access to applications, services and data?

Most of this is configured through Conditional Access, where signals from Identity Protection (user and sign-in risk), Intune (device compliance) and Defender (device risk) are combined as "health signals" with other conditions such as location, and with session controls that define how the traffic should be handled. Depending on the result, and on the application or service, traffic is then either tunnelled through the Global Secure Access client, proxied through the session proxy in Defender for Cloud Apps (Conditional Access App Control), or sent directly to the SaaS provider.
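The decision flow just described, as an added example that is not part of the original post or of any Microsoft product: a small Python policy engine that takes the kind of signals Conditional Access consumes (device compliance from Intune, device risk from Defender, sign-in risk from Identity Protection, MFA state, location) and returns both an access decision and the path the traffic should take (Global Secure Access client, Defender for Cloud Apps session proxy, or direct). The app catalogue, signal names, thresholds and route names are constructed for this example; real Conditional Access evaluates at sign-in and token refresh (plus continuous access evaluation) rather than on every request, and its policy model is richer than this.

```python
"""Toy per-request access policy engine modelled on the Conditional Access flow
described above. Everything here (app catalogue, thresholds, route names) is a
constructed example, not Microsoft's policy model or API."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Route(Enum):
    GSA_CLIENT = "tunnel via Global Secure Access client"
    SESSION_PROXY = "proxy via Defender for Cloud Apps session control"
    DIRECT = "direct to SaaS provider"
    BLOCKED = "blocked"


@dataclass(frozen=True)
class Signals:
    """Signals the policy engine receives for one request (constructed)."""
    user: str
    app: str
    device_compliant: bool   # Intune compliance state
    device_risk: str         # Defender device risk: "low" | "medium" | "high"
    sign_in_risk: str        # Identity Protection: "none" | "low" | "medium" | "high"
    mfa_satisfied: bool
    trusted_location: bool   # request comes from a named location marked trusted


RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}

# Constructed app catalogue: private apps sit behind an app connector and are
# only reachable through the client tunnel; SaaS apps may need session controls.
APPS = {
    "payroll-intranet": {"type": "private", "max_device_risk": "low"},
    "sharepoint": {"type": "saas", "session_control": True},
    "public-docs": {"type": "saas", "session_control": False},
}


def decide(s: Signals) -> tuple[Route, str]:
    """Evaluate one request and return (route, reason). Default deny: anything
    not explicitly matched by an allow rule ends up BLOCKED."""
    app = APPS.get(s.app)
    if app is None:
        return Route.BLOCKED, "unknown application (default deny)"
    if RISK_ORDER[s.sign_in_risk] >= RISK_ORDER["high"]:
        return Route.BLOCKED, "high sign-in risk"
    if RISK_ORDER[s.sign_in_risk] >= RISK_ORDER["medium"] and not s.mfa_satisfied:
        return Route.BLOCKED, "medium sign-in risk requires MFA"
    if not s.device_compliant:
        return Route.BLOCKED, "device not compliant"
    if app["type"] == "private":
        if RISK_ORDER[s.device_risk] > RISK_ORDER[app["max_device_risk"]]:
            return Route.BLOCKED, "device risk too high for this private app"
        return Route.GSA_CLIENT, "compliant device, acceptable device risk"
    # SaaS: session controls are applied only from untrusted locations.
    if app["session_control"] and not s.trusted_location:
        return Route.SESSION_PROXY, "SaaS with session controls, untrusted location"
    return Route.DIRECT, "SaaS without session controls"


if __name__ == "__main__":
    # Constructed sample requests covering the allow paths and the failure modes.
    samples = [
        Signals("alice", "payroll-intranet", True, "low", "none", True, True),
        Signals("alice", "payroll-intranet", True, "high", "none", True, True),
        Signals("bob", "sharepoint", True, "low", "medium", False, False),
        Signals("bob", "sharepoint", True, "low", "medium", True, False),
        Signals("bob", "public-docs", False, "low", "none", True, True),
        Signals("eve", "unknown-app", True, "low", "none", True, True),
    ]
    for s in samples:
        route, reason = decide(s)
        print(f"{s.user:6} {s.app:17} -> {route.name:13} ({reason})")
```

The ordering is the point: unknown applications and high risk are rejected before any route is chosen, and nothing reaches a private or SaaS application without a compliant device, so the default outcome is deny and the route is only a consequence of an allow.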

While the technology can come from different providers, you are highly dependent on having a set of products that integrate well together to deliver this type of zero-trust-based remote access. There is already a multitude of providers in this space offering these features; I mentioned some of them in my previous blog post, but looking at it again for 2023 there have been a lot of new entries and some changes.

This GigaOm report from 2023, focusing solely on SSE, highlights the biggest vendors in the ecosystem.

Microsoft's offering is still in preview and was therefore not part of the evaluation when GigaOm did its research. It is interesting to see that the big players in the firewall ecosystem, such as Cisco, Check Point and to some extent even Palo Alto, are a bit behind the others in terms of maturity and features. However, this is based on the analysts' assessment of each vendor's vision, strategy, customers and features, and it does not mean that the vendor that fits your use case is even among the top three.

Some of these vendors come from a CASB background, others more from a Secure Web Gateway product, as with Zscaler. When you are evaluating your options, here are some of the things you should consider:

1: What security products do I use today (SOAR/SIEM, EDR, AV, networking tools), and do the vendors integrate with them? For instance, if you have invested a lot of time in Okta or Entra ID and their policy engines, make sure the SSE/SASE product can reuse those policies, and that the SSE provider can consume compliance state or EDR risk signals, instead of requiring you to replace those products.
2: Do I need to replace hardware with new hardware to get full access to the features they provide?
3: What kind of services and applications do I need to provide access to (VDI, VPN, SaaS, file services, print, Kubernetes, cloud-based access), and what does the vendor support?
4: What kind of insight do these tools provide, and how can I integrate it into my ITSM tools so that the service desk gets easier access to information and an overview?
5: Does the vendor provide a direct-connection approach, or is traffic routed via a cloud service? If the latter, does the vendor have a PoP close to the majority of my users?
6: How does the traffic flow and what transport is used? Some vendors use QUIC and some use TCP, and there can be a major difference in performance, particularly on lossy or high-latency links; see for instance Uber's blog post on implementing QUIC and comparing it with TCP.
7: Can the endpoints your users have today connect (OS, hardware, IPv4/IPv6 support)?
8: End-user experience, such as SSO: if users have an Entra ID joined device, they should be able to use those credentials to sign in automatically.

So let us explore some of these vendors and how they meet the requirements, starting with Zscaler and how it fits a customer that uses mostly Microsoft security products such as Defender, Intune and Sentinel (which is a large portion of the customers I am working with in the Nordics).

Zscaler is a well-known vendor in this market and has built a lot of integrations over the last few years. So let us go through the list against the requirements.

1: Supports Intune and Defender for device posture, and has a connector for Microsoft Sentinel. The Zscaler agent installed on the end-user machine can check device posture before connecting. It also supports Entra ID for identity-based access, meaning that investments in Conditional Access can be reused and SSO provided.
2: Zscaler connects to internal resources through a component called the App Connector, which is software, so no hardware is required.
3: Zscaler supports custom deployments for Kubernetes (and Citrix, though I would not recommend it) and DFS file servers; it supports IPv4 for TCP, UDP and ICMP-based connections, and IPv6 only for TCP-based applications.
4: Zscaler has an app and connector for ServiceNow that provides both insight and incident management.
5: Zscaler has a PoP in Oslo, Norway (traffic is routed through their cloud service, the Zscaler Zero Trust Exchange), so the latency overhead is small.
6: Zscaler does not support QUIC but tunnels traffic over TCP/443 (UDP is used for the Digital Experience Monitoring component). Their documentation actually recommends blocking QUIC so that browsers fall back to HTTP/2 over TCP, even though more and more services are moving to QUIC (Usage Statistics of QUIC for Websites, December 2023 (w3techs.com)) and HTTP/3 uses QUIC as its transport.
7: Zscaler supports IPv6 (with the TCP-only limitation noted in point 3), supports Entra ID joined devices and has agents for most operating systems.
8: Zscaler supports SSO from Entra ID joined devices, meaning SSO is seamless for the user.
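Point 6 above, and the QUIC versus TCP question in the checklist earlier, both come down to knowing which of your services actually use QUIC before deciding whether to follow the advice to block it. As an added example (not from the original post or from any vendor), here is a small Python parser for the HTTP Alt-Svc header (RFC 7838), which is how a server advertises HTTP/3 over QUIC; run it over the response headers of your SaaS applications to see which ones would fall back to TCP if UDP/443 is blocked. The sample headers are constructed.

```python
"""Parse HTTP Alt-Svc headers (RFC 7838) to find out whether a service
advertises HTTP/3 over QUIC. Added example; sample headers are constructed."""
from __future__ import annotations

import re

# alt-value = protocol-id "=" quoted-string *( OWS ";" OWS parameter )
# protocol-id is an HTTP token (e.g. h3, h3-29, h2); the quoted string is the
# alternative authority ("host:port", host optional).
ALT_VALUE = re.compile(r'\s*([A-Za-z0-9!#$%&*+.^_`|~-]+)="([^"]*)"((?:\s*;\s*[^;,]+)*)')
DEFAULT_MAX_AGE = 86400  # RFC 7838 section 3.1: 24 hours when "ma" is absent


def parse_alt_svc(header: str) -> list[dict]:
    """Return one dict per advertised alternative with keys protocol, authority
    and max_age. The special value "clear" invalidates all alternatives, so it
    yields an empty list."""
    header = header.strip()
    if header.lower() == "clear":
        return []
    alternatives = []
    for match in ALT_VALUE.finditer(header):
        protocol, authority, params = match.groups()
        max_age = DEFAULT_MAX_AGE
        for param in params.split(";"):
            key, _, value = param.strip().partition("=")
            if key.strip().lower() == "ma" and value.strip().isdigit():
                max_age = int(value.strip())
        alternatives.append({"protocol": protocol, "authority": authority, "max_age": max_age})
    return alternatives


def advertises_h3(header: str) -> bool:
    """True if the header offers HTTP/3 (ALPN "h3" or a draft "h3-NN") that a
    client would actually use, i.e. with a non-zero lifetime."""
    return any(
        (alt["protocol"] == "h3" or alt["protocol"].startswith("h3-")) and alt["max_age"] > 0
        for alt in parse_alt_svc(header)
    )


if __name__ == "__main__":
    # Constructed headers resembling what a QUIC-enabled CDN, a TCP-only
    # service, and a server withdrawing its alternatives would send.
    samples = {
        "cdn": 'h3=":443"; ma=2592000,h3-29=":443"; ma=2592000',
        "tcp-only": 'h2=":443"; ma=86400',
        "withdrawn": "clear",
    }
    for name, header in samples.items():
        print(f"{name:10} h3={advertises_h3(header)!s:5} {parse_alt_svc(header)}")
```

Alt-Svc is a sufficient but not complete check: HTTP/3 can also be advertised through HTTPS/SVCB DNS records, and a client only upgrades after a first connection over TCP, which is why blocking UDP/443 degrades gracefully rather than breaking the site.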

While this list only covers a fraction of the requirements, it shows some of the features to look for when evaluating an SSE service. Feedback from other practitioners is also helpful; see for instance this Reddit thread: Prisma Access / Zscaler – client vpn replacement : r/networking (reddit.com).

The biggest hurdle I've seen with SASE/SSE deployments is the ecosystem surrounding the end users and how a new product is going to integrate into that ecosystem. While the majority of use cases for these services are security-based, they tend to focus less on the user experience and on how they can impact the performance of apps and services. An example: one of these vendors hosts its PoPs in Google Cloud, which means all user traffic is routed from the endpoint (client) –> cloud PoP (which might be hosted in another country) –> datacenter where the apps are hosted –> back to the client again. For chatty protocols such as SMB, which need many round trips per operation, that added latency on every round trip is going to kill the performance. Some vendors have a direct-connection option or overlay routing that sends the traffic directly to the datacenter. So while security features are at the core of these services, user experience should be a top priority for any organization looking to implement them.
