Evolution and Innovation in Network and Web Access
When I was responsible for the architecture of network security and firewalls at a major bank in Germany in the mid-1990s, we were already discussing zoning, even though the firewalls of the day often had only a few network interfaces to offer. A few years later we pushed VPN for connecting branches. The cost savings were enormous, even though bandwidth rose from ISDN to DSL levels. For the major banks in Frankfurt such a step was too risky. My colleagues used the development to simplify the IT infrastructure and to support the business with new applications.
In the 2010s, I co-designed many proxy projects at the outsourcer and often thought to myself what a cost driver this is in the network. I was one of the first to look into cloud-based proxying, at least to minimise the enormous hardware costs and the detours via the large access points. Why should the traffic of an employee who wants to reserve a table in the restaurant next door be routed via the head office in Zurich? But all that is in the past, and I can see us facing the next big development in the network:
Zero Trust Network Access (ZTNA)
At present I see only one way to implement these requirements: a Zero Trust Network Access approach. It simplifies the architecture immensely, because firewalls and VPN gateways can be omitted. To be honest, it also means that network access for employees, business partners and services must be managed in a fine-grained manner, per identity and per target system. That may sound very complex, but anyone who has ever administered existing network access knows that the effort is immense even today and is spread across different solutions.
The advantage of Zero Trust is that I can, for example, give payroll employees access to the payroll system based on their role. Why should someone with the Finance or IT role be given access? If an IT employee does need access, they can request it in the ticket system and receive it after approval, possibly only for a limited time. The advantages for third-party access are even more striking. The access of an external employee or service can be restricted to the one target system that is actually needed. Why should a remote employee have access to the entire company network if he only administers an intranet server or maintains the lift? The same applies to the linking of systems. Why should an SAP system have access to the entire network if only warehouse data is exchanged between the two systems?
These restrictions significantly reduce risk, whether the access comes from third parties or from remote employees, where it is not possible to check who is actually using the device. This is even more true for BYOD, where corporate security measures are only applied to a limited extent or are not accepted at all.
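The access model described above (default deny, access by role, time-limited access via an approved ticket, and external identities restricted to a single target) can be expressed as a small policy engine. The following is an added illustration, not code from any ZTNA product or from the author; the role table, application names, identities and ticket numbers are constructed for the example.

```python
"""Minimal ZTNA-style access policy: default deny, role-based access to named
applications, expiring grants approved via a ticket, and external identities
that never inherit role-wide access. Added example with constructed data."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple

# Constructed sample policy (assumption): role -> applications it may reach.
ROLE_POLICY: Dict[str, Set[str]] = {
    "payroll": {"payroll-app"},
    "finance": {"erp-finance"},
    "it": {"jump-host"},
}


@dataclass
class Grant:
    """A time-limited grant for one subject to one target, tied to a ticket."""
    subject: str
    target: str
    ticket: str
    expires: datetime


@dataclass
class PolicyEngine:
    grants: List[Grant] = field(default_factory=list)

    def approve(self, subject: str, target: str, ticket: str,
                hours: int, now: datetime) -> Grant:
        """Record an approved grant that expires after `hours` (the ticket step)."""
        grant = Grant(subject, target, ticket, now + timedelta(hours=hours))
        self.grants.append(grant)
        return grant

    def decide(self, subject: str, roles: Set[str], target: str,
               now: datetime) -> Tuple[bool, str]:
        """Per-application decision. Internal identities get access by role;
        external identities (prefix 'ext:') only via an explicit, unexpired
        grant for exactly that target. Anything else is denied."""
        if not subject.startswith("ext:"):
            for role in sorted(roles):
                if target in ROLE_POLICY.get(role, set()):
                    return True, f"role:{role}"
        for g in self.grants:
            if g.subject == subject and g.target == target:
                if g.expires > now:
                    return True, f"grant:{g.ticket}"
                return False, f"grant:{g.ticket}:expired"
        return False, "default-deny"

    def reachable(self, subject: str, roles: Set[str], now: datetime) -> Set[str]:
        """Everything this identity can reach right now: the 'blast radius'
        that a flat VPN would otherwise hand out as the whole network."""
        universe = set().union(*ROLE_POLICY.values()) | {g.target for g in self.grants}
        return {t for t in universe if self.decide(subject, roles, t, now)[0]}


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    pe = PolicyEngine()
    # IT employee gets payroll access only after a ticket, and only for 4 hours.
    pe.approve("carol", "payroll-app", "INC-4711", hours=4, now=now)
    # External lift technician: one target, nothing else, even with an IT role.
    pe.approve("ext:lift-tech", "lift-controller", "INC-4712", hours=8, now=now)
    for subj, roles in [("alice", {"payroll"}), ("carol", {"it"}),
                        ("ext:lift-tech", {"it"})]:
        print(subj, sorted(pe.reachable(subj, roles, now + timedelta(hours=1))))
```

The decision is made per application rather than per network, which is the point of the paragraph: an external identity with the IT role still reaches only the lift controller, and Carol's payroll access disappears by itself when the ticket expires.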
In addition to the advantages in administration and security, the approach also has monetary advantages. These come firstly from the drastic reduction in infrastructure, but also because the latest generation of ZTNA products routes directly. What does that mean? I set up my virtual gateways at the access points and route the traffic directly from one gateway to the next, or from the endpoint to the gateway, without a detour through a central cloud. This not only saves traffic volume, and therefore cost, at the access points, but also gives better application response times because of the shorter paths and because the data is encrypted and decrypted only once, in contrast to cloud-routed solutions that terminate and re-establish the encryption on the way.
Secure web gateway using direct routing
The days when we needed proxies for caching are long gone. Most websites are now so dynamic, and browsers keep their own caches and update themselves regularly, that caching no longer justifies a proxy. So why do we still need one? I don't think the typical proxy is really needed anymore, because the security functions it provides (URL filtering, TLS and malware inspection, access control and cloud application control) can be performed directly on the client instead of on an appliance in the data centre or in the cloud.
As with ZTNA, such a web gateway routes traffic directly, which increases speed by up to a factor of 4, and it has the security advantage of working in every country in the world, including restricted countries where proxies and secure web gateways may not be installed. The approach also ensures that sites that support HTTP/2 keep using it and are not downgraded to HTTP/1.1 by an intercepting proxy. Last but not least, the data stays encrypted end-to-end between the browser and the site: inspection happens on the endpoint before the data is encrypted, so there is no intermediate point on the path where it is decrypted and could be intercepted. This also applies to passwords. The flip side is that every device, including BYOD, needs the client component for the controls to apply at all.
Will this be the end of the development?
No, of that I am quite sure. But these developments will help companies to reduce the cost of network and web access.