What companies really need for ZTNA deployments: on-premises networks

COMMENTARY: A report by Okta found that 61% of organizations have already undertaken a well-defined zero-trust initiative, while an additional 35% are planning to do the same in the near future.

As these zero-trust programs move forward, adoption of zero trust network access (ZTNA), a core technology in zero trust, continues to soar. However, organizations must realize that not all ZTNA services are alike. When designing a robust zero-trust framework, they must carefully evaluate both its core tenets and the supporting infrastructure.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

For a ZTNA-compliant platform or service to deliver results, it must operate wherever users are located. ZTNA providers therefore need a global network of points of presence (PoPs) running ZTNA software so that the service can be delivered regardless of a user's location.

Building such a network of PoPs takes money and it’s time-consuming, so tapping hyperscale cloud infrastructure offers a convenient option. This lets vendors go to market quickly, giving them an established global network of data centers in which to run ZTNA.

But will it meet the needs of enterprise buyers?

SaaS: A study in cloud economics

David Heinemeier Hansson helps run and co-owns 37signals, the company behind the project management SaaS application Basecamp. For years, Basecamp ran on hyperscaler infrastructure until Hansson and his team decided to reevaluate that decision.

In a blog post, he points out that relying on public cloud infrastructure can result in unpredicted outages, performance variability, and significant hidden costs that may undermine the long-term efficacy and cost-efficiency of an application's deployment.

The primary advantage of public cloud infrastructure isn't cost savings, but the ability to scale rapidly in response to fluctuating demand. Hansson highlights that, while hyperscalers offer virtually unlimited scalability, the standby capacity they provide is billed at premium rates. Public cloud also incurs ongoing usage-based costs, which accumulate rapidly as demand increases. The premium charged for standby capacity and continuous usage led Hansson's team to reevaluate its infrastructure strategy and transition back to on-premises servers. In addition, public cloud providers often levy additional charges, such as data egress fees, which further affect a provider's cost structure.

While hyperscaler infrastructure offers scalability and quick provisioning, these benefits come at a premium, which companies cannot always justify for stable, predictable workloads, such as delivering a SaaS application.

"The back of the napkin math is that we'll save at least $1.5 million-per-year by owning our own hardware rather than renting it," says Hansson.

With rising hyperscaler fees, customers ultimately pick up the tab. It may come in the form of higher pricing, degraded service, or costs backloaded onto future contracts. But make no mistake: one way or another, higher costs will always affect service delivery.

What's true of SaaS applications is also true of ZTNA platforms. Relying on cloud infrastructure escalates ZTNA platform costs, and over time this can significantly affect enterprise customers. Gartner highlighted a similar point in its recent report on single-vendor secure access service edge (SASE): platforms that exclusively use hyperscale infrastructure may see pricing increases ranging from 25% to 250% compared to those running on private infrastructure.

Ensure a robust and resilient backbone for ZTNA

Public cloud infrastructure creates an additional challenge for ZTNA platform providers. When ZTNA is delivered on public cloud infrastructure, the deployment locations depend on the distribution of the cloud provider's data centers. But it costs a lot of money to open a new general-purpose hyperscaler data center, which limits footprint expansion.

And because compute is so expensive in hyperscaler infrastructure, vendors avoid running compute PoPs everywhere. So we end up with some PoPs (compute nodes) that run ZTNA processing and other PoPs (network nodes) that merely ingest traffic and backhaul it to the compute nodes for processing, increasing latency. Furthermore, specific services, such as data loss prevention (DLP) or malware inspection, only run on certain compute nodes, adding more latency when traffic must travel between them.

By owning the underlying infrastructure, a provider can strategically distribute and design PoPs to meet specific business and regional demands. Privately owned PoPs can be optimized for single-pass processing, so that every security function is available at every PoP and applied in a single pass, avoiding the latency of processing the same packets repeatedly at different PoPs.

While the initial investment in private PoPs can run higher, long-term cost savings and performance improvements are realized through strategic expansion, infrastructure optimization, and insulation from escalating public cloud costs. These benefits are extended to ZTNA users in the form of enhanced performance or direct cost reductions.

Overall, selecting the optimal ZTNA deployment hinges on two primary factors: the comprehensiveness of its features and integration with other security functions, and the underlying network backbone. Rather than rushing headlong into a decision, organizations should carefully weigh the long-term implications of their choice.

Converged SASE or secure service edge (SSE) implementations can effectively address the first factor. However, as ZTNA adoption accelerates and zero-trust models evolve, the capabilities of the chosen PoPs and network backbone will significantly influence an organization's ability to adapt to future advancements and maintain robust security.

Eyal Webber-Zvik, vice president of product marketing and strategic alliances, Cato Networks

