Zero Trust advocates have been on a campaign to #KillTheVPN for years, largely because VPNs provide too much (implicit) access and can become the entry point for malicious activity. The replacement technology is Zero Trust network access (ZTNA), and it is how most organizations are getting into Zero Trust today. ZTNA was the darling of the pandemic, but not because of security; it freed remote users from having to hairpin their always-on VPN traffic through their on-premises corporate security stack. ZTNA restored productivity while being more secure.

The big three public cloud providers, Amazon Web Services (AWS), Google Cloud, and Microsoft Azure, all now offer cloud-native ZTNA services. See below for my thoughts on the ZTNA service offered by each of the hyperscalers.

Google BeyondCorp

Forrester was the first research firm to evaluate ZTNA vendors in The Forrester New Wave™: Zero Trust Network Access, Q3 2021, and Google was one of those vendors with its BeyondCorp offering. Kudos to Google in that it provided one of the first, if not the first, Zero Trust access solutions in the market. BeyondCorp works best when tied to the rest of the Google ecosystem. For example, the BeyondCorp software client is the Google Chrome browser, which is probably already on your users’ computers, and that’s a real differentiator.

AWS Verified Access

In April, AWS debuted its own ZTNA service called Verified Access. AWS has long had VPN directly into a VPC, which was sorta cool, but now they have ZT access to provide user-to-app access. Unlike nearly all other services that charge by the user, AWS charges by usage (by the hour), associated to the application being connected to and by the data being processed. Currently, the service cannot protect on-prem applications, so the service is a better fit for organizations that are all-in on the cloud.

Microsoft Private Access

In July, Microsoft made a huge announcement around security services. The vendor renamed Azure AD to Entra, so that people like me will stop confusing it with the actual Active Directory (please do not rename Active Directory, Microsoft). Sure, Entra sounds like something you’d take for moderate-to-severe bursitis, but that is neither here nor there. The vendor is also entering the burgeoning SSE ring to compete with the likes of Zscaler, Netskope, Cloudflare, Menlo, Lookout, iboss, and everyone and everyone’s mom. SSE stands for security service edge, and it’s a suite of techs (starring ZTNA) that protect remote users. We note with serendipity that we’re kicking off evaluative research into SSE this month at Forrester.

Microsoft has actually had ZTNA for years with a feature called Conditional Access. Obviously, it worked with apps hosted in Azure, but administrators could also configure it to provide ZTNA to on-prem apps through a little EXE connector. It was cool because it was “free” (if you had the right license level), but it was limited to web applications, which is a dealbreaker for larger orgs that need all ports and protocols for things like VOIP. The Conditional Access feature is at the heart of the new Private Access service. Today, it at least handles any TCP app but still has some significant limitations, like no IPv6 tunneling to M365 and a lack of QUIC support, which is quite problematic, because that’s what Exchange Online uses!

Is Cloud-Native ZTNA Right For You?

While It is absolutely cool that all three hyperscalers now offer a native ZTNA (Alibaba Cloud has it, too, but only in China), I do not expect enterprises to use them except in specific cases, and here’s why. Unlike other cloud security services where the tech is just embedded in the infrastructure (looking at you, DDoS protection), ZTNA is user-facing. That often means software agents on endpoints.

Most Forrester clients are enterprise class and are therefore multicloud and hybrid. They need solutions that provide good UX and Zero Trust to applications regardless of where they live, and they want a single user agent for all of that, so I expect to see (and to recommend) that orgs continue to look to the third-party ZTNA and SSE providers.

Developers Have Entered The Chat

Developers are one community that might embrace these cloud-native ZTNA offerings, as they are often tied to a particular hyperscaler. But even then, there’s a whole class of developer-friendly ZTNA solutions out there for them, like Tailscale, OpenZiti, StrongDM, Teleport, and even the commercial SSH people.

The dev community likes their own tools, from their own trusted vendors. If you’re a dev and still using VPNs, have a look at these developer-friendly ZTNA offerings. If they don’t sell you on it, at least look at replacing VPNs with the native cloud offerings that you can get with each of the hyperscalers today.

Want to learn more? At our upcoming Security & Risk Forum in November we’ll have a track entitled Catapult Products To Success With Cloud And Application Security. Check out the full event agenda here. And Forrester clients can always schedule an inquiry or guidance session with me to dive deeper into this topic and how to choose the right ZTNA vendor for your organization.