While the idea of enabling Zero Trust Network Access (ZTNA) without having to install new client or agent software on endpoints sounds great from a deployment, management, and training perspective, the The reality is that this approach has major trade-offs. As an administrator responsible for providing the highest security and best user experience, understanding these trade-offs should be considered essential when deciding whether an agentless approach should be used for employees or third parties.
The first limitation to consider is whether you can live with restrictions on which apps and resources can be used and accessed. Some resources are ideal for agentless or browser-based connectivity. Internal web applications are a great example. However, more interactive web applications may not work very well on smaller devices like mobile phones or tablets. Additionally, web applications that have Java applets or other older technologies may also not perform as well after being reformatted in the agentless delivery method. Other resources such as RDP or VNC may be nearly impossible to use on mobile devices or tablets, with browser-based on-screen keyboards or other input methods. There are also limitations on what you can do from a browser-based solution. Heavy applications on the end user’s device cannot be used, as they cannot communicate with the back-end through the web browser. Also, features such as local drive mapping to external data stores are not possible if the only connection is through a browser. Additionally, while it is common to have multiple monitors for the physical system, most agentless solutions cannot support it, which imposes unproductive limits on the end user’s working environment. and its productivity.
The next limitation to consider is limited or unavailable device identity and posture assessments. Because agentless methods use the browser, the only reportable system information available for the browser is the source IP address and user agent string. This fails any reasonable expectation of non-repudiation because both pieces of information can be easily tampered with by the average user. The source IP address can be changed by using a browser like Tor or by using a VPN to hide your real location. Geolocation based on IP addresses is often wrong because some organizations, such as hotels, centralize their traffic for inspection purposes. Additionally, user agent strings can be easily modified using a browser’s built-in developer tools. Both methods can be easily used to circumvent security policies. Beyond the limited assessment of device health, most agentless methods fail to resolve once an issue is discovered that renders a device non-compliant, which can lead to more calls to the computer help desk.
Finally, most agentless methods have scale and performance limitations as they are likely built around HTML5 rendering of tools such as RDP and SSH sessions. Often this HTML5 rendering, sometimes referred to as brokerage, is done using open source software like Guacamole. These types of solutions require a lot of memory and CPU to be allocated to virtual machines and generally do not scale linearly. Thus, more users will require the creation of more virtual instances. Users will need to load balance across these instances, which means yet another layer of appliances to deploy and manage. Additionally, each user’s specific activity and bandwidth usage directly impacts the scale and performance of others. For example, resource-intensive features such as video and audio rendering significantly reduce performance. In today’s world, 4K displays are common and many of these systems cannot handle many users at this level of resolution.
As with many things, having flexible options is ideal. A ZTNA provider that offers both client and clientless options as well as clientless workflows means being able to leverage the benefits of both. It also means being able to deploy, at scale, a variety of solutions depending on the device used, the devices connected and the type of users (employees or third parties).
Visit https://www.banyansecurity.io/resources/analyst-reports/ to find out what trusted analysts are saying about Banyan Security.
The post office Clientless ZTNA Only – Desirable Freedom or Unpleasant Limitations? first appeared on banyan tree safety.
*** This is a syndicated blog from the Security Bloggers Network of banyan tree safety written by Ashur Kanoon. Read the original post at: https://www.banyansecurity.io/blog/clientless-only-ztna-desirable-freedom-or-unpalatable-limitations/