Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

3/26/2020
10:00 AM
Rik Turner
Rik Turner
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Introducing Zero-Trust Access

It's too early to tell whether ZTA will be a VPN killer or not, but major players are ramping up products in this new class of security technology that focuses on the cloud.

Working remotely has been a reality for many knowledge workers for many years, enabled by the growth and development of the Internet, Wi-Fi connectivity, and mobile computing devices. Indeed, it was this trend that powered the evolution of virtual private network (VPN) technology to secure connections from anywhere other than the corporate LAN, with VPNs now constituting a multibillion-dollar business.

In recent years, Omdia has observed the emergence of a new class of technology, again focused on remote access to corporate assets but now encompassing the cloud environments where an increasing proportion of the application infrastructure resides and with the promise of more stringent control of that access. We call this type of technology Zero-Trust Access (ZTA).

I began work on a report, along with my colleague, Omdia associate analyst Rob Bamforth, at the end of 2019. I was interested in explaining the whys and wherefores of this emerging VPN replacement technology. That was before the coronavirus, even in its original Chinese iteration, was making the headlines, and long before it was billed as a global pandemic making a huge impact on world health and driving millions to self-isolate, many of them now working from home. It is a sad coincidence that our report appears at this time, giving it an added relevancy, albeit in tragic circumstances. The fact is, though, that the need for secure remote access technology has never been greater.

The global VPN market is estimated at anywhere between $25 billion and $40 billion, with the difference resulting from how the market is defined — i.e., whether VPN services from carriers are included and so on. It was already predicted to enjoy healthy growth rates even before the current situation, with one analyst house forecasting a CAGR of 18% between 2018 and 2025. VPNs have their limitations, however, as our report, "Omdia Market Radar: Zero-Trust Access," (registration required), explains.

VPNs' shortcomings
First, there is the fact that VPN technology was developed in an era when all corporate applications lived in the company's data center. In that scenario, VPN clients on remote laptops could log in to a concentrator located in that data center, with contact then being set up to the nearby application. Now, by contrast, an increasing proportion of the applications are in the cloud, whether in infrastructure-, platform-, or software-as-a-service (IaaS, PaaS, or SaaS) environments. This forces traffic flowing between the end user's device and the application to "trombone" through a concentrator on your premises, which is both inefficient and potentially detrimental to the end user's experience, if significant latency is added.

Second, VPNs grant access to a company's entire IT infrastructure, such that if an attacker steals an employee's credentials to get in, they can then roam around on reconnaissance, or lay in wait until they find assets that are of value, elevate their access rights accordingly and purloin the relevant data.

ZTA addresses both these issues, as there is no need for a concentrator on company premises. It typically resides in the cloud, and access is granted on a restricted basis — i.e., only to the application the user needs to get to for a particular task.

The Two Flavors of ZTA
Omdia divides the ZTA market into two distinct approaches, one of which can be licensed software that the customers themselves deploy and operate, though some vendors also offer a service. The other is a SaaS offering, on account of the product's architecture. The former is called Software-Defined Perimeter (SDP) technology and the latter, Identity-Aware Proxy (IAP). The vendors profiled for the report are:

SDP
- AppGate
- Okta
- Opswat
- Pulse Secure
- Safe-T
- Verizon

IAP
- Akamai
- Cloudflare
- Palo Alto Networks
- Perimeter 81
- Zscaler

The list is by no means exhaustive, but it is a good representation of the major players in each category. We omitted the likes of Google, which was a pioneer in ZTA but will roll out an enterprise IAP service for accessing any corporate asset, regardless of where it resides, only later this year, and Symantec, which acquired SDP vendor Luminate in 2019, but has undergone a lot of corporate reorganization since being acquired by Broadcom later that year.

These are still early days for ZTA, but Omdia expects ZTA-as-a-service to outgrow the licensed software side of the business, given the broader trend for technology to be delivered in this way. As for market sizing, Gartner predicts that as many as 60% of the VPNs in place today will be replaced by some form of ZTA technology by 2023. Given the size of the VPN market, this would put the value of the ZTA market at somewhere between $20 billion and $24 billion by 2023.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Security Lessons We've Learned (So Far) from COVID-19."

Rik is a principal analyst in Omdia's IT security and technology team, specializing in cybersecurity technology trends, IT security, compliance, and call recording.  He provides analysis and insight on market evolution and helps end users determine what type of ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
tdsan
50%
50%
tdsan,
User Rank: Ninja
3/26/2020 | 6:06:58 PM
Sounds good, this is good to hear
I do see some of the VPN companies using IPv6 as the underlying connection to the internet (IPv6 IPSec AES256 ESP/AH) capabilities which are inherent to IPv6. That is a good thing, companies can utilize this capability to connect their regional and remote offices using this capability without having to purchase additional hardware, just enable IPv6 VPN tunnel to the other site and send IPv4 traffic through that tunnel.

Deploying IPv6 in Branch Networks - Cisco

Network – Blog Webernetz.net

This sample, if configured, can create an endless number of VPNs to regional offices, major sites, computers configured with IPv6 (VPN connector) where the tunnels are being encrypted. This technology has been out for while but companies have not taken advantage of it. ISPs provide the IPv6 range (even AWS and Azure - has to be configured on the load-balancer).

T
tdsan
50%
50%
tdsan,
User Rank: Ninja
3/31/2020 | 8:28:26 AM
Re: SaaS
We don't have to make or move all SaaS Cloud applications, just the one's that are considered "Cloud-Ready". I think it is essential to create a matrix (planning) to determine which applications are considered to be viable as opposed to just moving them (there is also a cost to doing that). It is essential companies look at the cost as being one part of the decision and not all and to look at the cloud as an arm of the organization and not the saviour.

Demystifying Legacy Migration Options to the AWS Cloud | AWS ...

AWS is only one CSP vendor but this gives you an idea.

T

 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7029
PUBLISHED: 2020-08-11
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the System Management Interface Web component of Avaya Aura Communication Manager and Avaya Aura Messaging. This vulnerability could allow an unauthenticated remote attacker to perform Web administration actions with the privileged ...
CVE-2020-17489
PUBLISHED: 2020-08-11
An issue was discovered in certain configurations of GNOME gnome-shell through 3.36.4. When logging out of an account, the password box from the login dialog reappears with the password still visible. If the user had decided to have the password shown in cleartext at login time, it is then visible f...
CVE-2020-17495
PUBLISHED: 2020-08-11
django-celery-results through 1.2.1 stores task results in the database. Among the data it stores are the variables passed into the tasks. The variables may contain sensitive cleartext information that does not belong unencrypted in the database.
CVE-2020-0260
PUBLISHED: 2020-08-11
There is a possible out of bounds read due to an incorrect bounds check.Product: AndroidVersions: Android SoCAndroid ID: A-152225183
CVE-2020-16170
PUBLISHED: 2020-08-11
The Temi application 1.3.3 through 1.3.7931 for Android has hard-coded credentials.