Working remotely has been a reality for many knowledge workers for many years, enabled by the growth and development of the Internet, Wi-Fi connectivity, and mobile computing devices. Indeed, it was this trend that powered the evolution of virtual private network (VPN) technology to secure connections from anywhere other than the corporate LAN, with VPNs now constituting a multibillion-dollar business.
In recent years, Omdia has observed the emergence of a new class of technology, again focused on remote access to corporate assets but now encompassing the cloud environments where an increasing proportion of the application infrastructure resides and with the promise of more stringent control of that access. We call this type of technology Zero-Trust Access (ZTA).
I began work on a report, along with my colleague, Omdia associate analyst Rob Bamforth, at the end of 2019. I was interested in explaining the whys and wherefores of this emerging VPN replacement technology. That was before the coronavirus, even in its original Chinese iteration, was making the headlines, and long before it was billed as a global pandemic making a huge impact on world health and driving millions to self-isolate, many of them now working from home. It is a sad coincidence that our report appears at this time, giving it an added relevancy, albeit in tragic circumstances. The fact is, though, that the need for secure remote access technology has never been greater.
The global VPN market is estimated at anywhere between $25 billion and $40 billion, with the difference resulting from how the market is defined — i.e., whether VPN services from carriers are included and so on. It was already predicted to enjoy healthy growth rates even before the current situation, with one analyst house forecasting a CAGR of 18% between 2018 and 2025. VPNs have their limitations, however, as our report, "Omdia Market Radar: Zero-Trust Access," (registration required), explains.
First, there is the fact that VPN technology was developed in an era when all corporate applications lived in the company's data center. In that scenario, VPN clients on remote laptops could log in to a concentrator located in that data center, with contact then being set up to the nearby application. Now, by contrast, an increasing proportion of the applications are in the cloud, whether in infrastructure-, platform-, or software-as-a-service (IaaS, PaaS, or SaaS) environments. This forces traffic flowing between the end user's device and the application to "trombone" through a concentrator on your premises, which is both inefficient and potentially detrimental to the end user's experience, if significant latency is added.
Second, VPNs grant access to a company's entire IT infrastructure, such that if an attacker steals an employee's credentials to get in, they can then roam around on reconnaissance, or lay in wait until they find assets that are of value, elevate their access rights accordingly and purloin the relevant data.
ZTA addresses both these issues, as there is no need for a concentrator on company premises. It typically resides in the cloud, and access is granted on a restricted basis — i.e., only to the application the user needs to get to for a particular task.
The Two Flavors of ZTA
Omdia divides the ZTA market into two distinct approaches, one of which can be licensed software that the customers themselves deploy and operate, though some vendors also offer a service. The other is a SaaS offering, on account of the product's architecture. The former is called Software-Defined Perimeter (SDP) technology and the latter, Identity-Aware Proxy (IAP). The vendors profiled for the report are:
- Pulse Secure
- Palo Alto Networks
- Perimeter 81
The list is by no means exhaustive, but it is a good representation of the major players in each category. We omitted the likes of Google, which was a pioneer in ZTA but will roll out an enterprise IAP service for accessing any corporate asset, regardless of where it resides, only later this year, and Symantec, which acquired SDP vendor Luminate in 2019, but has undergone a lot of corporate reorganization since being acquired by Broadcom later that year.
These are still early days for ZTA, but Omdia expects ZTA-as-a-service to outgrow the licensed software side of the business, given the broader trend for technology to be delivered in this way. As for market sizing, Gartner predicts that as many as 60% of the VPNs in place today will be replaced by some form of ZTA technology by 2023. Given the size of the VPN market, this would put the value of the ZTA market at somewhere between $20 billion and $24 billion by 2023.
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Security Lessons We've Learned (So Far) from COVID-19."