Why a Zero Trust Strategy Requires Both ZTS and ZTNA
On average, every 1 MB of north-south traffic entering a data center or cloud creates roughly 20 MB of east-west, workload-to-workload traffic.
If you're not building Zero Trust security for both perimeter and interior traffic, you're leaving blind spots across the network that attackers will exploit. Securing both the perimeter and the interior of your network is therefore crucial.
To build consistent Zero Trust security across both north-south and east-west traffic, Illumio has paired up with Appgate to deliver Zero Trust Segmentation (ZTS) and Zero Trust Network Access (ZTNA).
In a recent webinar, Paul Schofield, senior partner systems engineer at Illumio, sat down with Miles Davis, senior manager for security infrastructure offerings at DXC Technology, and Jim Anthony, senior vice president for global solutions engineering at Appgate. They discussed building a Zero Trust framework using Zero Trust Network Access (ZTNA) and Zero Trust Segmentation (ZTS). Here are their top insights.
ZTNA is more than just VPN 2.0
Miles shared that during the pandemic the DXC team quickly learned that traditional VPNs were outdated. “We were suddenly scaling for remote work on a massive scale, and VPNs just weren’t enough,” he recalled.
Instead, DXC turned to ZTNA. “ZTNA is a different model altogether, focusing on secure access based on identity and necessity, not broad permissions,” Miles explained.
Traditional VPNs grant broad access once a user is inside. But ZTNA operates on least-privilege access to ensure users only have access to the specific resources they need.
ZTNA is a robust, scalable solution for managing access in a Zero Trust environment.
“ZTNA isn’t just VPN 2.0,” Miles explained. “It fully embraces Zero Trust principles like least-privilege access all the time.”
Miles noted that one of the standout benefits of ZTNA is that it enables organizations to adopt what he calls cloaked infrastructure. This means that unauthorized users or systems won’t even see sensitive assets, let alone access them.
“You can’t attack what you can’t see,” Miles added. He highlighted Appgate’s use of Single Packet Authorization (SPA) as a ZTNA technique. It ensures just-in-time access and just-enough access, two essential Zero Trust principles.
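To make the cloaking idea concrete, here is an added example of how a Single Packet Authorization check works on the gateway side. It is illustrative code written for this post, not Appgate's implementation: the client sends one datagram carrying its identity, a timestamp and a nonce, authenticated with an HMAC over a shared secret; the gateway opens the service only to senders whose packet passes every check and otherwise drops the packet without replying, so anyone probing the address sees nothing. The packet layout, the per-client secret table, the 30-second freshness window and the client names are all assumptions made for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed per-client shared secrets for the demo. A real deployment would
# bind these to an identity provider rather than a dict in source.
CLIENT_SECRETS = {"alice": b"constructed-secret-for-alice"}


def build_spa_packet(client_id: str, secret: bytes,
                     now: Optional[int] = None, nonce: Optional[str] = None) -> bytes:
    """Client side: one datagram = JSON body + '.' + base64(HMAC-SHA256 over the body)."""
    body = json.dumps({"id": client_id,
                       "ts": int(time.time()) if now is None else now,
                       "nonce": nonce or secrets.token_hex(8)},
                      sort_keys=True).encode()
    tag = hmac.new(secret, body, hashlib.sha256).digest()
    return body + b"." + base64.b64encode(tag)


class SpaVerifier:
    """Gateway side: the protected service stays unreachable until a packet passes every check."""

    def __init__(self, secrets_by_client: dict, window: int = 30):
        self.secrets = secrets_by_client
        self.window = window      # accepted clock skew, in seconds (assumed value)
        self.seen: set = set()    # (client, nonce) pairs already accepted: replay cache

    def verify(self, packet: bytes, now: Optional[int] = None):
        """Return (accepted, reason). The reason is for the gateway's own log only;
        a rejected sender receives no response at all, which is what cloaks the asset."""
        now = int(time.time()) if now is None else now
        try:
            body, tag_b64 = packet.rsplit(b".", 1)
            fields = json.loads(body)
            tag = base64.b64decode(tag_b64, validate=True)
        except ValueError:            # covers bad split, bad JSON and bad base64
            return False, "malformed"
        if not isinstance(fields, dict) or not all(k in fields for k in ("id", "ts", "nonce")):
            return False, "malformed"
        secret = self.secrets.get(fields["id"])
        if secret is None:
            return False, "unknown client"
        # The id is used only to select the key; nothing else in the body is trusted
        # until the MAC verifies. compare_digest avoids a timing side channel.
        expected = hmac.new(secret, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad mac"
        if not isinstance(fields["ts"], int) or abs(now - fields["ts"]) > self.window:
            return False, "stale"
        key = (fields["id"], fields["nonce"])
        if key in self.seen:          # a captured packet cannot be reused inside the window
            return False, "replay"
        self.seen.add(key)
        return True, "ok"
```

The freshness window and the nonce cache together give the just-in-time property: a valid packet buys a short-lived opening for one identity, and a replayed or stale copy is silently discarded.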
ZTS is critical for stopping lateral movement
While ZTNA secures the network perimeter and limits access, ZTS secures internal networks. It’s crucial to combine ZTS and ZTNA to build a multi-layered Zero Trust security posture.
Illumio’s Paul Schofield explained why ZTS, also called microsegmentation, is essential for limiting an attacker’s access if they do manage to breach the perimeter. ZTS stops lateral movement, which means attackers can't spread through the network.
“With traditional segmentation, it’s tough to stop lateral movement,” Paul noted. “But microsegmentation with Illumio ZTS allows you to define exactly who can communicate with whom and when.”
The Illumio ZTS Platform delivers visibility into all communication and traffic between workloads and devices across the entire hybrid multi-cloud. This lets organizations see exactly what is communicating throughout the network, described with plain-English labels rather than addresses. With this information, security teams can build granular microsegmentation policy that contains breaches.
“You don’t have to remember VLANs or IP addresses,” Paul said. “You can see it all in real language, and make sure only the necessary applications talk to each other.”
“It’s a game-changer. With Illumio, you can plan and enforce controls before you actually apply them, reducing the risks associated with segmentation errors,” said Miles.
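The two ideas in this section, label-based rules instead of VLANs or IP addresses and checking a policy against observed traffic before enforcing it, can be shown in a few dozen lines. The following is an added example written for this post, not Illumio's policy engine or its API: workloads carry labels, rules are written purely in terms of labels, every flow without a matching rule is denied by default, and a simulate step reports which observed flows enforcement would block. The label names, workloads, rules and observed flows are constructed for the demo.

```python
from dataclasses import dataclass


@dataclass
class Workload:
    name: str
    labels: dict        # e.g. {"app": "shop", "role": "web", "env": "prod"} (constructed label scheme)


@dataclass
class Rule:
    name: str
    consumer: dict      # labels the source workload must carry ({} matches any workload)
    provider: dict      # labels the destination workload must carry
    ports: frozenset    # allowed destination ports; TCP assumed for the demo


@dataclass
class Flow:
    src: str
    dst: str
    dport: int


def labels_match(required: dict, actual: dict) -> bool:
    """Every required label must be present with the same value; {} matches anything."""
    return all(actual.get(k) == v for k, v in required.items())


def decide(flow: Flow, rules: list, inventory: dict):
    """Return the name of the first rule permitting the flow, or None (default deny).
    Unknown or unlabeled workloads never match, so they are denied too."""
    src, dst = inventory.get(flow.src), inventory.get(flow.dst)
    if src is None or dst is None:
        return None
    for r in rules:
        if (flow.dport in r.ports
                and labels_match(r.consumer, src.labels)
                and labels_match(r.provider, dst.labels)):
            return r.name
    return None


def simulate(flows: list, rules: list, inventory: dict) -> dict:
    """Plan mode: evaluate observed flows without blocking anything, so the team can see
    what enforcement would cut before it is switched on."""
    report = {"allowed": [], "blocked": []}
    for f in flows:
        rule = decide(f, rules, inventory)
        (report["allowed"] if rule else report["blocked"]).append((f.src, f.dst, f.dport, rule))
    return report


# Constructed inventory: one three-tier app in prod, a dev copy of the web tier, and a bastion.
INVENTORY = {w.name: w for w in [
    Workload("web-1", {"app": "shop", "role": "web", "env": "prod"}),
    Workload("app-1", {"app": "shop", "role": "app", "env": "prod"}),
    Workload("db-1", {"app": "shop", "role": "db", "env": "prod"}),
    Workload("dev-web", {"app": "shop", "role": "web", "env": "dev"}),
    Workload("jump-1", {"app": "it", "role": "bastion", "env": "prod"}),
]}

# Constructed policy: no IPs anywhere, only labels.
RULES = [
    Rule("web-to-app", {"app": "shop", "role": "web", "env": "prod"},
         {"app": "shop", "role": "app", "env": "prod"}, frozenset({8080})),
    Rule("app-to-db", {"app": "shop", "role": "app", "env": "prod"},
         {"app": "shop", "role": "db", "env": "prod"}, frozenset({5432})),
    Rule("bastion-ssh", {"role": "bastion"}, {}, frozenset({22})),
]

# Constructed flows as a visibility tool might have observed them before enforcement.
OBSERVED = [
    Flow("web-1", "app-1", 8080),   # expected tier-to-tier traffic
    Flow("app-1", "db-1", 5432),    # expected tier-to-tier traffic
    Flow("web-1", "db-1", 5432),    # web tier reaching the database directly: lateral path
    Flow("dev-web", "app-1", 8080), # dev talking to prod: environment crossing
    Flow("jump-1", "db-1", 22),     # admin access via the bastion
    Flow("db-1", "web-1", 22),      # database host opening SSH to the web tier: lateral path
]


def run_plan() -> dict:
    return simulate(OBSERVED, RULES, INVENTORY)


if __name__ == "__main__":
    for verdict, entries in run_plan().items():
        for src, dst, port, rule in entries:
            print(f"{verdict:7} {src} -> {dst}:{port}  rule={rule}")
```

Because the rules are written against labels, a new workload that is labeled like web-1 inherits the web-to-app permission without any rule change, and the simulate report is the list a team reviews before enforcement: the blocked entries are either the lateral paths the policy is meant to cut or legitimate flows that still need a rule.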
In addition, Paul pointed out that ZTS aligns with many regulatory requirements, such as the European Union’s Digital Operational Resilience Act (DORA). DORA mandates detailed evidence of segmentation. “Having something like Illumio in place not only boosts security but helps you meet compliance standards with confidence,” Paul added.
Combining ZTNA and ZTS creates a complete Zero Trust defense
While ZTNA controls access into the network, ZTS limits how far any access, including unauthorized access, can reach within the network. Together, they create a layered Zero Trust security strategy that manages both north-south and east-west traffic.
“Think of ZTNA as controlling the front door and ZTS as controlling the movement within the house,” Jim explained. “If an attacker makes it inside, ZTS makes sure they can’t access everything. Appgate and Illumio together cover the entire Zero Trust spectrum.”
Miles added that DXC’s own journey toward Zero Trust began with consolidating multiple VPN platforms and gradually adopting ZTNA principles across departments. “ZTNA and ZTS aren’t just add-ons,” he said. “They’re essential layers of Zero Trust. Together, they create a complete security picture.”
ZTNA + ZTS: The Zero Trust essentials
The journey to Zero Trust doesn’t happen overnight, but by combining ZTNA and ZTS, organizations can make significant strides in building Zero Trust and protecting their network against inevitable breaches.
Whether you’re just starting out or refining an existing Zero Trust strategy, these industry leaders’ insights highlight the importance of an integrated approach to Zero Trust. As Paul summed it up, “You can’t just do Zero Trust halfway. With ZTNA and ZTS, you’re setting up a resilient, adaptive security model that prepares you for anything.”