Introducing Zero-Trust Access

It's too early to tell whether ZTA will be a VPN killer or not, but major players are ramping up products in this new class of security technology that focuses on the cloud.

Working remotely has been a reality for many knowledge workers for many years, enabled by the growth and development of the Internet, Wi-Fi connectivity, and mobile computing devices. Indeed, it was this trend that powered the evolution of virtual private network (VPN) technology to secure connections from anywhere other than the corporate LAN, with VPNs now constituting a multibillion-dollar business.

In recent years, Omdia has observed the emergence of a new class of technology, again focused on remote access to corporate assets but now encompassing the cloud environments where an increasing proportion of the application infrastructure resides and with the promise of more stringent control of that access. We call this type of technology Zero-Trust Access (ZTA).

I began work on a report, along with my colleague, Omdia associate analyst Rob Bamforth, at the end of 2019. I was interested in explaining the whys and wherefores of this emerging VPN replacement technology. That was before the coronavirus, even in its original Chinese iteration, was making the headlines, and long before it was billed as a global pandemic making a huge impact on world health and driving millions to self-isolate, many of them now working from home. It is a sad coincidence that our report appears at this time, giving it an added relevancy, albeit in tragic circumstances. The fact is, though, that the need for secure remote access technology has never been greater.

The global VPN market is estimated at anywhere between $25 billion and $40 billion, with the difference resulting from how the market is defined (i.e., whether VPN services from carriers are included and so on). It was already predicted to enjoy healthy growth rates even before the current situation, with one analyst house forecasting a CAGR of 18% between 2018 and 2025. VPNs have their limitations, however, as our report, "Omdia Market Radar: Zero-Trust Access" (registration required), explains.

VPNs' shortcomings
First, there is the fact that VPN technology was developed in an era when all corporate applications lived in the company's data center. In that scenario, VPN clients on remote laptops could log in to a concentrator located in that data center, and the connection to the nearby application was then set up from there. Now, by contrast, an increasing proportion of the applications are in the cloud, whether in infrastructure-, platform-, or software-as-a-service (IaaS, PaaS, or SaaS) environments. This forces traffic flowing between the end user's device and the application to "trombone" through a concentrator on your premises, which is both inefficient and potentially detrimental to the end user's experience if significant latency is added.

Second, VPNs grant access to a company's entire IT infrastructure, such that if an attacker steals an employee's credentials to get in, they can then roam around on reconnaissance, or lie in wait until they find assets that are of value, elevate their access rights accordingly, and purloin the relevant data.

ZTA addresses both these issues, as there is no need for a concentrator on company premises. It typically resides in the cloud, and access is granted on a restricted basis — i.e., only to the application the user needs to get to for a particular task.
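To make the difference in blast radius concrete, here is an added illustration (not code from Omdia or the report) that models a VPN-style grant beside an identity-aware-proxy decision; the users, applications, policy and posture claims are all constructed for the example.

```python
"""Added example: VPN-style network grant vs. per-application ZTA grant.
Every user, application and policy entry below is constructed; none comes
from the Omdia report or from any vendor's product."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed inventory of internal applications (hypothetical names).
APPS = {"payroll", "crm", "wiki", "build-server"}

# Constructed per-(user, application) policy, as an identity-aware proxy
# would hold it. Nothing outside this map is ever reachable.
ZTA_POLICY = {
    "alice": {"crm", "wiki"},
    "bob": {"build-server", "wiki"},
}

@dataclass
class Request:
    user: str
    app: str
    device_managed: bool   # device-posture claim (hypothetical MDM signal)
    mfa: bool              # whether a second factor was presented

def vpn_grant(creds_valid: bool) -> set:
    """VPN model: a valid credential places the client on the network, so
    every application behind the concentrator becomes reachable at once."""
    return set(APPS) if creds_valid else set()

def zta_decide(req: Request, creds_valid: bool) -> bool:
    """ZTA model: identity, second factor, device posture and the
    per-application policy must all pass for this one request."""
    if not (creds_valid and req.mfa and req.device_managed):
        return False
    return req.app in ZTA_POLICY.get(req.user, set())

def zta_reachable(user: str, device_managed: bool, mfa: bool,
                  creds_valid: bool) -> set:
    """Every application a session could reach under the ZTA policy."""
    return {a for a in APPS
            if zta_decide(Request(user, a, device_managed, mfa), creds_valid)}

if __name__ == "__main__":
    # Stolen password only: no managed device, no second factor.
    print("VPN reach:", sorted(vpn_grant(True)))
    print("ZTA reach:", sorted(zta_reachable("alice", False, False, True)))
    # Legitimate session: still limited to the apps policy names.
    print("ZTA reach (alice, full posture):",
          sorted(zta_reachable("alice", True, True, True)))
```

With only the stolen password the VPN grant exposes all four applications, while the ZTA decision exposes none; even a fully compliant session sees only the applications its policy entry lists.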

The Two Flavors of ZTA
Omdia divides the ZTA market into two distinct approaches. The first is licensed software that customers themselves deploy and operate, though some vendors also offer it as a service. The second is available only as a SaaS offering, because the product's architecture requires it. The former is called Software-Defined Perimeter (SDP) technology and the latter, Identity-Aware Proxy (IAP). The vendors profiled for the report are:

- AppGate
- Okta
- Opswat
- Pulse Secure
- Safe-T
- Verizon

- Akamai
- Cloudflare
- Palo Alto Networks
- Perimeter 81
- Zscaler

The list is by no means exhaustive, but it is a good representation of the major players in each category. We omitted the likes of Google, which was a pioneer in ZTA but will not roll out an enterprise IAP service for accessing any corporate asset, regardless of where it resides, until later this year, and Symantec, which acquired SDP vendor Luminate in 2019 but has undergone a lot of corporate reorganization since being acquired by Broadcom later that year.

These are still early days for ZTA, but Omdia expects ZTA-as-a-service to outgrow the licensed software side of the business, given the broader trend for technology to be delivered in this way. As for market sizing, Gartner predicts that as many as 60% of the VPNs in place today will be replaced by some form of ZTA technology by 2023. Given the size of the VPN market, this would put the value of the ZTA market at somewhere between $20 billion and $24 billion by 2023.


Rik is a principal analyst in Omdia's IT security and technology team, specializing in cybersecurity technology trends, IT security, compliance, and call recording. He provides analysis and insight on market evolution and helps end users determine what type of ...

3/31/2020 | 8:28:26 AM
Re: SaaS
We don't have to make or move all SaaS Cloud applications, just the ones that are considered "Cloud-Ready". I think it is essential to create a matrix (planning) to determine which applications are considered to be viable as opposed to just moving them (there is also a cost to doing that). It is essential companies look at the cost as being one part of the decision and not all, and to look at the cloud as an arm of the organization and not the saviour.

Demystifying Legacy Migration Options to the AWS Cloud | AWS ...

AWS is only one CSP vendor but this gives you an idea.

3/26/2020 | 6:06:58 PM
Sounds good, this is good to hear
I do see some of the VPN companies using IPv6 as the underlying connection to the internet (IPv6 IPsec AES256 ESP/AH) capabilities which are inherent to IPv6. That is a good thing: companies can utilize this capability to connect their regional and remote offices without having to purchase additional hardware, just enable an IPv6 VPN tunnel to the other site and send IPv4 traffic through that tunnel.

Deploying IPv6 in Branch Networks - Cisco

Network – Blog Webernetz.net

This sample, if configured, can create an endless number of VPNs to regional offices, major sites, and computers configured with IPv6 (VPN connector), where the tunnels are being encrypted. This technology has been out for a while but companies have not taken advantage of it. ISPs provide the IPv6 range (even AWS and Azure, where it has to be configured on the load balancer).
