Gartner identifies Jamf + ZTNA to keep your network communications safe

Zero Trust Network access, or ZTNA for short, is not just the latest security buzz term but one that packs enough teeth along with its bark to take a sizable bite out of security strategies that include legacy technologies and those that simply cannot contend with the changes to modern computing environments with a decidedly mobile focus.

Gartner has seen this future and it is driven by “a desire to provide a more secure, flexible hybrid workforce connectivity”. Not only that, but legacy technologies that rely on implicit trust to organizational resources, like VPN – regardless of if users necessarily require them to stay productive – are viewed as an excessively risky practice, when the best practice of least privilege is often the desired aim to minimize attack surfaces and mitigate in risk.

As with any technology, great care should be taken to assess your organization’s infrastructure prior to implementing it within your environment. Luckily, Gartner has addressed some of those pain points in its guide, as well. Highlights include:

• Establish your high-level zero trust strategy first. This helps to ensure that access management and Identity Provider (IdP) technologies are a good fit with your proposed ZTNA solution.
• Identify your current needs to determine where VPN works well and where it falls short, comparing the benefits of implementing ZTNA as a replacement.
• Analyze your organization’s security solutions to avoid the complexity and potentially unsupported configurations of implementing multiple agents on endpoints.

Circle of (Zero) Trust

Based on their market analysis, “the benefits of ZTNA are immediate”, according to Gartner. ZTNA provides access to applications and services – not networks – leveraging contextual, risk-based access based on the principle of least privilege. It also provides isolation within the local network or cloud, not only reducing threats but also shielding applications normally exposed within a DMZ, by making them no longer visible on the public Internet.

Cloud-based ZTNA products, like that included in Jamf Connect, also bring with it an enhancement to digital transformation, in the form of scalability, ease of adoption, adaptability to suit multiple device and OS types and centralized policy management and enforcement. But let's not forget the additional benefits to be gained from integrating with other Jamf products, such as Jamf Pro for device management; Jamf Connect also features IdP and authentication management, forming a holistic solution for managing your desktop and mobile devices enabling proactive endpoint protection, automated remediation workflows and secure from anywhere, anytime strategy empowering your users to work where they feel most productive – without any compromise to your security posture.

This or That? The choice is yours

The ZTNA model benefits modern computing, especially with the explosive growth and reliance on mobile devices that many industries have adopted as they transition to remote/hybrid environments.

Speaking of mobile devices, deployment models range from exclusively company-owned devices (CYOD), personally-owned devices (BYOD) or a mix of both (COPE) – ZTNA policies enforce organizational policies flexibly. Specifically, they can be applied within the same network to corporate-owned and personally owned devices using conditional management to segment personal data from enterprise data, keeping them separate while ensuring privacy data remains on the device, through the use of split tunneling technology.

An additional security benefit lies in how ZTNA operates. At its core, ZTNA applies to apps and services – not the network itself as mentioned previously. It can exist in agent and agent-less versions, with the former providing additional functionality. With Jamf Connect, the lightweight agent provided gathers device health, assessing if a device should be granted access to resources. This provides an opportunity for IT and Security teams to prevent access if a device is found to be compromised or in violation of a policy, such as missing patches.

This granular level of access is crucial to maintaining a good security posture and critical to minimizing threats, such as preventing lateral movement. If a service becomes compromised, admins only need to limit access to the affected service(s) – not the entire catalog of apps. Not only does this contain the threat to only what’s affected, but it efficiently allows users to remain productive until the issue(s) pertaining to the compromised service or app are remediated.