SECURE NETWORK ACCESS

Corey O'Connor|July 12, 2023 | 4 minute read

The Enterprise Advantage of Direct-routed Universal Zero Trust Access

In just a few short years Zero Trust Network Access (ZTNA) has become the fastest-growing network security segment, forecasted by Gartner to grow 36% last year and another 31% in 2023. But did you know that there are two different ZTNA architecture models? Sophisticated organizations that want to secure access across complex network topologies and cover all use cases should ask vendors one simple question: Is your ZTNA solution direct-routed or cloud-routed?

There’s no doubt about it, network security is challenging to maintain. Successful cyber breaches dominate news cycles. Infrastructures are complex. Applications and requirements constantly change. Attack surfaces seemingly expand overnight. And always-on global competition means that security must enable, not inhibit, the enterprise digital transformation strategies being ramped up through cloud, DevOps, CI/CD, IoT, AI, automation, and SaaS initiatives.

Organizations have turned to Zero Trust Network Access because it’s proven to handle the challenges faced by overburdened IT and security teams including:

  • More attack vectors like unmanaged devices, cloud workloads, IoT/OT devices, zero-day exploits, remote employees and third-party integrations
  • Flat network topologies exploited by threat actors seeking unsanctioned lateral movement
  • Perimeter-based security solutions with disparate controls that aren’t built for hybrid workforces and distributed infrastructure, plus obsolete “connect, then verify” access models that introduce needless risk
  • Overprivileged employees and third-party users with access to more data and systems than required to do their job
  • Tedious, manual, and error-prone user and device access provisioning for heterogeneous legacy solutions like VPNs, NACs, and WANs

 

But not all Zero Trust access solutions are created equal and organizations on a Zero Trust security journey shouldn’t compromise when building their ideal Zero Trust architecture. When comparing architecture models, direct-routed ZTNA offers distinct operational and security advantages over cloud-routed ZTNA solutions.

Cloud-routed vs. direct-routed ZTNA: what’s the difference?

The vast majority of ZTNA solutions are cloud-routed, built on a proxy-based architecture often called an identity-aware proxy (IAP) that runs all traffic through a vendor cloud. These cloud-routed ZTNA solutions are good enough to secure remote connections to web apps, but they weren’t designed for complex hybrid infrastructure, nor can they accommodate all use cases.

Cloud-routed ZTNA disadvantages:

  • Network traffic forced through vendor cloud
  • Network protocol and on-prem resource constraints
  • Throughput, scale, latency, and hair-pinning limitations
  • Implicit trust of vendor multi-tenant cloud
  • Hidden or variable costs

On the other hand, a direct-routed ZTNA architecture model, which very few vendors provide, avoids vendor cloud pitfalls, puts you in control of how data traverses your network, secures all user-to-resource and resource-to-resource connections, and can handle all enterprise use cases, not just basic remote access.

Direct-routed ZTNA advantages:

  • Full control over your network traffic
  • Universal access control for all users, devices, and workloads
  • Low-latency, high availability direct access
  • Flexible deployment options for true Zero Trust architecture
  • Predictable pricing

Our industry-leading Zero Trust access solution Appgate SDP is one of a handful of direct-routed ZTNA solutions available on the market today and is purpose-built on stringent Cloud Security Alliance Zero Trust software-defined perimeter guidelines. The flexibility, extensibility, and integration capabilities of Appgate SDP support any organization’s unique, ideal Zero Trust architecture and put IT and security teams in control of how data traverses the network. It can be applied across all enterprise use cases on the journey to adaptive Zero Trust security which, for many, should follow a route that looks like this:

  1. Think big: Direct-routed Zero Trust access allows you to transform your network, retire legacy equipment and reach the ideal state of adaptive Zero Trust.
  2. Start small: Your ideal state won’t be built in a day. First tackle ZTNA use cases that will address immediate risk and prove value to the business.
  3. Scale fast: Rapidly deploy universal ZTNA across your full environment to replace legacy tools and integrate with adjacent systems to continue maturing and automating access policies.

Additionally, the unique Appgate SDP direct-routed architecture ensures that sophisticated organizations get the flexibility, control, and extensibility required to secure their whole environment, harden defenses, transform their network, and drive measurable ROI and value for the business.

The proven ROI of Appgate SDP direct-routed ZTNA

Organizations are reaping real returns by deploying universal, direct-routed ZTNA. An independent 2023 Nemertes analyst study quantifies the operational and security improvements identified by both commercial and federal Appgate SDP customers:

  • 83% saw a significant reduction in the number of security incidents
  • An overall 87% average decrease in time to modify access privileges
  • An overall 32% average reduction in hands-on staff time to manage access
  • An overall 55% average decrease in the number of security tools needed to manage on-prem access
  • A 67% decrease in connectivity costs reported by a global systems integrator
  • A 6% decrease in gross IT spend reported by a software and IT services company

Appgate SDP, the industry’s most comprehensive universal Zero Trust access solution, can be configured to meet your exacting security and compliance requirements regardless of network topology or complexity and is built on six core design tenets:

  • Cloaked infrastructure: A sophisticated form of single packet authorization (SPA) makes your network invisible, with no ports exposed, because hackers can’t attack what they can’t see.
  • Attribute-based access control: Identity-centric security that adapts access based on user, device, application and contextual risk, building a multi-dimensional identity profile before access is granted.
  • Least privilege access: Builds “segments of one” just-in-time, session-based micro firewalls or perimeters using patented multi-tunneling technology to microsegment users, workloads, and resources and limit lateral movement inside the network.
  • Dynamic and continuous: Continuous verification is a core Zero Trust tenet, but the operational benefits are realized when adding dynamic live entitlements that automatically modify access in near-real time based on context and risk, so security threats are blocked automatically.
  • Flexible and agile: Extensible, 100% API-first technology enhances and integrates with your technology stack so you can build security directly into the fabric of your business processes and workflows.
  • Performant and scalable: Stateless and distributed architecture allows for nearly limitless horizontal scale and performance.

Want to learn more? Visit our Zero Trust access Demo Hub.

Additional ZTNA resources
Comparison Guide: Cloud-routed vs. Direct-routed ZTNA: What’s the Difference?
Analyst report: 2023 Nemertes Real Economic Value of Appgate SDP
Blog: Universal ZTNA Advances Enterprise Innovation, Reduces OpEx and Simplifies Security
eBook: Zero Trust Maturity Model Roadmap