ZTNA report from Rohde & Schwarz highlights DPI's role in accelerating zero-trust implementations with enhanced traffic visibility

Zero-trust network access (ZTNA) is built on the idea that networks are no longer defined by physical perimeters.

April 24, 2024

5 Min Read

Zero-trust network access (ZTNA) is built on the idea that networks are no longer defined by physical perimeters. Under the older perimeter model, a new apprentice on the office WiFi, or a remote user on the enterprise VPN, could be granted access to every directory on the local storage simply because they were connected to the enterprise network. ZTNA rejects exactly that kind of location-based trust.

As users become scattered across branch offices, homes and co-working spaces, and as cloud applications and shadow IT push enterprise traffic flows to third-party data centers, ZTNA emerges as a timely philosophy. It uses identity and context awareness to authenticate new and ongoing sessions regardless of the user's location, while at the same time keeping a close eye on the network resources being accessed.

ipoque, a Rohde & Schwarz company, has just launched a report, 'Next-gen DPI for ZTNA: Advanced traffic detection for real-time identity and context awareness', which discusses ZTNA and the role of traffic visibility in zero-trust environments. Based on a survey of 55 leading ZTNA vendors, the report finds that a staggering 90.7% of ZTNA vendors agree that a lack of traffic visibility is a major challenge in establishing 'identity and context awareness', the common denominator of zero-trust controls. 'Continuous adaptive trust', the principle that trust is re-evaluated throughout a session rather than granted once at login, depends on this visibility: it requires not only user and device identities and credentials, but also a host of other inputs such as privilege tiers, application and threat awareness, frequency of access, usage thresholds, physical location and behavioral anomalies.

DPI registers a high adoption rate among ZTNA vendors

The survey highlights the importance of incorporating traffic visibility within ZTNA, with a focus on lightweight, high-performance tools that offer unlimited filtering capacity and minimal added latency. Deep packet inspection (DPI), a traffic detection technology that examines IP packets in real time, is a natural fit for ZTNA. Leading solutions in this space include ipoque's OEM next-gen DPI engines, R&S®PACE 2 and its VPP counterpart, R&S®vPACE. ipoque's DPI technology merges statistical, heuristic and behavioral analysis with encrypted traffic intelligence (ETI) to classify traffic flows in real time, even when the traffic is encrypted or obfuscated. With linear scalability and what ipoque describes as the lowest memory footprint in the industry, the engines offer reliable and accurate traffic insights to support ZTNA's intelligence needs.

The survey reveals that 83.3% of ZTNA vendors already use DPI or plan to adopt it. By identifying traffic down to protocols, applications and application services, DPI enables vendors to offer granular configurations based on an enterprise's traffic priorities. This paves the way for dynamic access and security policies, as opposed to blanket 'yes' or 'no' decisions: the same session can be allowed for one application and restricted for another. For enterprises handling a wide range of applications with varying latency requirements, and a very diverse user base with multiple configurations in terms of privileges and controls, DPI supplies the analytics needed to speed up verification. The same analytics apply to identifying and analyzing the behavior of non-human users, for example third-party applications making API requests, and IoT devices connecting to cloud resources.

Lack of visibility presents serious security implications

One of the major takeaways from the report is the expansion of the attack surface that limited visibility brings. The survey finds 92.6% of ZTNA vendors expressing concern over traffic visibility gaps and their impact on security. Without tools such as DPI, even the most comprehensive ZTNA policies fall back to decisions based on the static credentials presented at login, which exposes enterprise resources to device hijacking, credential theft and eavesdropping: once that initial check has passed, a stolen password or a compromised device looks identical to a legitimate one.

Device security posture, for example, is a key input for assessing the risk from unmanaged devices typically used by hybrid employees, connected machines and other IoT endpoints such as smart meters. Where these attributes are observable in a device's traffic, DPI records information such as anti-malware versions and the latest security updates the device has registered, allowing the ZTNA engine to judge its susceptibility to malware, ransomware, spyware and other threats. Input from DPI on these parameters, and on other anomalous, suspicious and malicious traffic patterns, allows the level of traffic scrutiny to be adjusted to the current risk status, giving ZTNA a more efficient trust assessment.

DPI's threat intelligence is also a major enabler in detecting data breaches, especially those involving personal information and sensitive corporate data. Unusual data transfers and irregularities in the use of enterprise applications can point to data exfiltration or infiltration that regular zero-trust controls, which usually lack analytics at this scale and depth, would leave undetected.

Compensating for the loss of visibility under stricter encryption protocols

Next-gen DPI's ability to handle encrypted traffic is another key driver of its uptake in ZTNA. ipoque's ETI classifies traffic even across emerging encryption protocols and techniques such as TLS 1.3, QUIC and ESNI (the draft that became Encrypted Client Hello, ECH), relying on flow metadata and behavior rather than on decrypting payloads. It applies machine learning and deep learning, enabling ZTNA to retain fine-grained policies across encrypted, obfuscated and anonymized applications. Combined with a frequently updated signature library and customizable signatures, ipoque provides coverage across virtually every packet that traverses the network.
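The following is an added example, not code from ipoque or from the report, illustrating the three points above: what a classifier can still read from an encrypted session (the server name, ALPN and cipher suites carried in the TLS ClientHello), how a fingerprint fallback keeps a label when ESNI hides the server name, and how that label combines with identity and device posture into a per-application allow / step-up / deny decision instead of a blanket yes or no. The ClientHello records, domain names, application labels, roles and the opaque draft-ESNI extension payload are all constructed for the example; the fingerprint is a simplified JA3-style digest, not a real DPI signature.

```python
"""Added example (not ipoque's code): what a ZTNA policy engine can still see
in an encrypted session, and how it turns that into a context-aware decision.
Domains, labels, roles and sample ClientHellos are constructed for illustration."""
import hashlib
import os
import struct


def _u16(buf: bytes, off: int) -> int:
    return struct.unpack_from(">H", buf, off)[0]


def build_client_hello(sni, alpn, suites, esni=False) -> bytes:
    """Constructed sample traffic: a minimal TLS ClientHello record. esni=True
    replaces server_name with an opaque draft-ESNI extension (type 0xffce),
    which is what hides the destination from a plain SNI lookup."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack(">H", len(name)) + name      # host_name
        lst = struct.pack(">H", len(entry)) + entry
        exts += struct.pack(">HH", 0x0000, len(lst)) + lst
    if esni:
        exts += struct.pack(">HH", 0xFFCE, 4) + b"\x00\x00\x00\x00"  # opaque blob
    if alpn:
        protos = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn)
        lst = struct.pack(">H", len(protos)) + protos
        exts += struct.pack(">HH", 0x0010, len(lst)) + lst
    cs = b"".join(struct.pack(">H", s) for s in suites)
    hs = (b"\x03\x03" + os.urandom(32) + b"\x00"           # version, random, no session id
          + struct.pack(">H", len(cs)) + cs + b"\x01\x00"   # suites, null compression
          + struct.pack(">H", len(exts)) + exts)
    body = b"\x01" + len(hs).to_bytes(3, "big") + hs       # handshake type ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(body)) + body


def parse_client_hello(record: bytes) -> dict:
    """Decode the ClientHello fields that stay visible without decryption."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + _u16(record, 3)]
    if not body or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    off = 34                                    # skip legacy_version and random
    off += 1 + hs[off]                          # session id
    cs_len = _u16(hs, off); off += 2
    suites = [_u16(hs, off + i) for i in range(0, cs_len, 2)]; off += cs_len
    off += 1 + hs[off]                          # compression methods
    info = {"sni": None, "alpn": [], "cipher_suites": suites, "extensions": []}
    if off + 2 > len(hs):
        return info                             # no extensions block
    end = off + 2 + _u16(hs, off); off += 2
    while off + 4 <= end:
        etype, elen = _u16(hs, off), _u16(hs, off + 2)
        data = hs[off + 4:off + 4 + elen]; off += 4 + elen
        info["extensions"].append(etype)
        if etype == 0x0000 and len(data) >= 5:            # server_name
            info["sni"] = data[5:5 + _u16(data, 3)].decode("ascii")
        elif etype == 0x0010:                             # ALPN
            p = 2
            while p < len(data):
                n = data[p]; info["alpn"].append(data[p + 1:p + 1 + n].decode("ascii")); p += 1 + n
    return info


def fingerprint(info: dict) -> str:
    """Simplified JA3-style digest over suites, extension types and ALPN. The
    random is excluded on purpose, so every connection from one client stack matches."""
    key = "|".join([",".join(map(str, info["cipher_suites"])),
                    ",".join(map(str, info["extensions"])), ",".join(info["alpn"])])
    return hashlib.sha256(key.encode()).hexdigest()[:16]


# Constructed signature tables, standing in for what a DPI library learns from labelled traffic.
APP_BY_SNI = {"crm.example-saas.com": "crm", "video.example-meet.com": "video-conferencing"}
APP_BY_FINGERPRINT: dict = {}
ROLE_ALLOWS = {"engineer": {"crm", "video-conferencing"}, "contractor": {"video-conferencing"}}


def learn_fingerprint(label: str, record: bytes) -> str:
    """Record the fingerprint of a labelled sample so later ESNI flows can be matched."""
    fp = fingerprint(parse_client_hello(record))
    APP_BY_FINGERPRINT[fp] = label
    return fp


def classify(record: bytes) -> dict:
    """Label a flow: SNI first, learned fingerprint when ESNI/ECH hides the name."""
    info = parse_client_hello(record)
    fp = fingerprint(info)
    if info["sni"] in APP_BY_SNI:
        app, basis = APP_BY_SNI[info["sni"]], "sni"
    elif fp in APP_BY_FINGERPRINT:
        app, basis = APP_BY_FINGERPRINT[fp], "fingerprint"
    else:
        app, basis = "unknown-encrypted", "none"
    return {"app": app, "basis": basis, "sni": info["sni"], "fingerprint": fp}


def decide(app: str, role: str, posture_ok: bool) -> str:
    """Context-aware decision: a failed posture check denies, an unclassifiable
    encrypted flow triggers step-up (re-authentication or a restricted path),
    otherwise the role's allow-list applies per application, not per network."""
    if not posture_ok:
        return "deny"
    if app == "unknown-encrypted":
        return "step-up"
    return "allow" if app in ROLE_ALLOWS.get(role, set()) else "deny"
```

The learned-fingerprint path is the interesting one: two ESNI sessions from the same client stack differ only in the random bytes, so the digest matches even though no server name is visible, and a flow that matches neither table is pushed to step-up rather than silently allowed or flatly blocked.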

While most enterprises are ready to jump on the zero-trust bandwagon, many are cautious about implementing ZTNA without the prerequisite analytical capabilities. According to 43.3% of ZTNA vendors, shortfalls in traffic visibility have delayed ZTNA deployments, and a handful of vendors admit that deployments have been scrapped altogether because of poor analytics. This underscores the importance of traffic intelligence in zero-trust implementations and draws attention to analytical tools that are effective and compatible, especially in the cloud environments where ZTNA is mostly deployed.

A comprehensive analysis on how to future-proof ZTNA

The report also outlines the advantages of DPI in other areas. These include ZTNA automation, where DPI feeds AI algorithms enough data points to derive policies and rules automatically. Beyond ZTNA, DPI fortifies integrated security frameworks such as SASE and SSE with shared analytics that CASB, SWG, next-gen firewalls and other security functions can all consume. The report also presents the types of applications where DPI makes the most difference. By assessing baseline monitoring and analytical capabilities, the findings are intended to guide enterprises' and vendors' work on zero-trust architectures, while ensuring a seamless yet effective zero-trust experience for end users.

To read the full report, visit 'Next-gen DPI for ZTNA: Advanced traffic detection for real-time identity and context awareness'.

To learn more about how DPI can power next-gen ZTNA solutions, read the white paper 'Real-time traffic visibility for ZTNA with next-gen DPI'.
