Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:00 AM
Rik Turner
Rik Turner
Connect Directly
E-Mail vvv

Introducing Zero-Trust Access

It's too early to tell whether ZTA will be a VPN killer or not, but major players are ramping up products in this new class of security technology that focuses on the cloud.

Working remotely has been a reality for many knowledge workers for many years, enabled by the growth and development of the Internet, Wi-Fi connectivity, and mobile computing devices. Indeed, it was this trend that powered the evolution of virtual private network (VPN) technology to secure connections from anywhere other than the corporate LAN, with VPNs now constituting a multibillion-dollar business.

In recent years, Omdia has observed the emergence of a new class of technology, again focused on remote access to corporate assets but now encompassing the cloud environments where an increasing proportion of the application infrastructure resides and with the promise of more stringent control of that access. We call this type of technology Zero-Trust Access (ZTA).

I began work on a report, along with my colleague, Omdia associate analyst Rob Bamforth, at the end of 2019. I was interested in explaining the whys and wherefores of this emerging VPN replacement technology. That was before the coronavirus, even in its original Chinese iteration, was making the headlines, and long before it was billed as a global pandemic making a huge impact on world health and driving millions to self-isolate, many of them now working from home. It is a sad coincidence that our report appears at this time, giving it an added relevancy, albeit in tragic circumstances. The fact is, though, that the need for secure remote access technology has never been greater.

The global VPN market is estimated at anywhere between $25 billion and $40 billion, with the difference resulting from how the market is defined — i.e., whether VPN services from carriers are included and so on. It was already predicted to enjoy healthy growth rates even before the current situation, with one analyst house forecasting a CAGR of 18% between 2018 and 2025. VPNs have their limitations, however, as our report, "Omdia Market Radar: Zero-Trust Access," (registration required), explains.

VPNs' shortcomings
First, there is the fact that VPN technology was developed in an era when all corporate applications lived in the company's data center. In that scenario, VPN clients on remote laptops could log in to a concentrator located in that data center, with contact then being set up to the nearby application. Now, by contrast, an increasing proportion of the applications are in the cloud, whether in infrastructure-, platform-, or software-as-a-service (IaaS, PaaS, or SaaS) environments. This forces traffic flowing between the end user's device and the application to "trombone" through a concentrator on your premises, which is both inefficient and potentially detrimental to the end user's experience, if significant latency is added.

Second, VPNs grant access to a company's entire IT infrastructure, such that if an attacker steals an employee's credentials to get in, they can then roam around on reconnaissance, or lay in wait until they find assets that are of value, elevate their access rights accordingly and purloin the relevant data.

ZTA addresses both these issues, as there is no need for a concentrator on company premises. It typically resides in the cloud, and access is granted on a restricted basis — i.e., only to the application the user needs to get to for a particular task.

The Two Flavors of ZTA
Omdia divides the ZTA market into two distinct approaches, one of which can be licensed software that the customers themselves deploy and operate, though some vendors also offer a service. The other is a SaaS offering, on account of the product's architecture. The former is called Software-Defined Perimeter (SDP) technology and the latter, Identity-Aware Proxy (IAP). The vendors profiled for the report are:

- AppGate
- Okta
- Opswat
- Pulse Secure
- Safe-T
- Verizon

- Akamai
- Cloudflare
- Palo Alto Networks
- Perimeter 81
- Zscaler

The list is by no means exhaustive, but it is a good representation of the major players in each category. We omitted the likes of Google, which was a pioneer in ZTA but will roll out an enterprise IAP service for accessing any corporate asset, regardless of where it resides, only later this year, and Symantec, which acquired SDP vendor Luminate in 2019, but has undergone a lot of corporate reorganization since being acquired by Broadcom later that year.

These are still early days for ZTA, but Omdia expects ZTA-as-a-service to outgrow the licensed software side of the business, given the broader trend for technology to be delivered in this way. As for market sizing, Gartner predicts that as many as 60% of the VPNs in place today will be replaced by some form of ZTA technology by 2023. Given the size of the VPN market, this would put the value of the ZTA market at somewhere between $20 billion and $24 billion by 2023.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Security Lessons We've Learned (So Far) from COVID-19."

Rik is a principal analyst in Omdia's IT security and technology team, specializing in cybersecurity technology trends, IT security, compliance, and call recording.  He provides analysis and insight on market evolution and helps end users determine what type of ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
3/31/2020 | 8:28:26 AM
Re: SaaS
We don't have to make or move all SaaS Cloud applications, just the one's that are considered "Cloud-Ready". I think it is essential to create a matrix (planning) to determine which applications are considered to be viable as opposed to just moving them (there is also a cost to doing that). It is essential companies look at the cost as being one part of the decision and not all and to look at the cloud as an arm of the organization and not the saviour.

Demystifying Legacy Migration Options to the AWS Cloud | AWS ...

AWS is only one CSP vendor but this gives you an idea.


User Rank: Ninja
3/26/2020 | 6:06:58 PM
Sounds good, this is good to hear
I do see some of the VPN companies using IPv6 as the underlying connection to the internet (IPv6 IPSec AES256 ESP/AH) capabilities which are inherent to IPv6. That is a good thing, companies can utilize this capability to connect their regional and remote offices using this capability without having to purchase additional hardware, just enable IPv6 VPN tunnel to the other site and send IPv4 traffic through that tunnel.

Deploying IPv6 in Branch Networks - Cisco

Network – Blog Webernetz.net

This sample, if configured, can create an endless number of VPNs to regional offices, major sites, computers configured with IPv6 (VPN connector) where the tunnels are being encrypted. This technology has been out for while but companies have not taken advantage of it. ISPs provide the IPv6 range (even AWS and Azure - has to be configured on the load-balancer).

Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-12
This affects the package chrono-node before 2.2.4. It hangs on a date-like string with lots of embedded spaces.
PUBLISHED: 2021-04-12
INTELBRAS TELEFONE IP TIP200 version allows an attacker to obtain sensitive information through /cgi-bin/cgiServer.exx.
PUBLISHED: 2021-04-12
** UNSUPPORTED WHEN ASSIGNED ** An issue was discovered on D-Link DIR-802 A1 devices through 1.00b05. Universal Plug and Play (UPnP) is enabled by default on port 1900. An attacker can perform command injection by injecting a payload into the Search Target (ST) field of the SSDP M-SEARCH discover pa...
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.2.0, BinaryHeap is not panic-safe. The binary heap is left in an inconsistent state when the comparison of generic elements inside sift_up or sift_down_range panics. This bug leads to a drop of zeroed memory as an arbitrary type, which can result in a memory ...
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.49.0, String::retain() function has a panic safety problem. It allows creation of a non-UTF-8 Rust string when the provided closure panics. This bug could result in a memory safety violation when other string APIs assume that UTF-8 encoding is used on the sam...