Sophos ZTNA: An Interview with Sophos IT

ProductsSophos ZTNA
Jan 31 2022 By

Sophos was an early adopter of Sophos ZTNA and we had the pleasure to sit down with our resident expert, Matt Welch, Senior IT Infrastructure Engineer, for an honest discussion about why and how. In this video, Matt offers insight into the challenges of remote access VPN and the benefits of Sophos ZTNA as he managed the transition to ZTNA here at Sophos.

Here’s an outline of the key takeaways:

Challenges with previous remote-access VPN at Sophos:

  • A frustrating user experience. It was unreliable, and was often blocked at hotels or hotspots.
  • It was very difficult to extend access to third parties, such as contractors, consultants, or newly acquired company teams.
  • There were security risks involved.

The benefits of ZTNA for Sophos:

  • It enables easy access for guests (consultants or contractors) or new users and acquisitions in minutes. ZTNA eliminates the need to setup complex site-to-site VPNs for contractors or newly acquired companies which often can take days. Guest access can now be provided via their own corporate identity, with no need to duplicate or import that to our identity provider. It makes access for new company acquisitions very quick and easy.
  • Easy self-provisioning. Combined with a cloud-based MDM and a modern identity provider, ZTNA enables a completely zero-touch deployment where a laptop can be drop-shipped to a user’s home and they can set it up themselves without IT involvement. This simultaneously decreases the IT team workload while improving the user experience.
  • Better security. ZTNA eliminates risk of lateral movement from a compromised device and provides better security for applications. Users and guests are only connected to what they need, and nothing more. If an application has a vulnerability discovered, it’s not exposed to the internet putting it at risk of being exploited reducing the surface area of attack.

Key ZTNA use cases at Sophos:

  • Secure access to applications, lab and test environments, and remote systems
  • Easy and secure guest (contractor/consultant) access to only what they need
  • Quick and easy access to Sophos systems for newly acquired companies using their existing corporate identities
  • Better security for applications or portals that don’t support single sign on (SSO) or multi-factor authentication (MFA)
  • Secure third-party applications against potential exploits, so they’re not exposed to the internet if vulnerabilities are discovered

Advice for other organizations:

  • Understand the shift in mindset from broad VPN network access for all users to a very user/group/app specific access model; it has enormous benefits improving security and the user experience while reducing workload for the IT team.
  • Plan your identity strategy – a modern identity provider like Microsoft Azure AD or Okta is essential.
  • Start small, with the apps that are most used in order to demonstrate the value of ZTNA.
  • Understand and catalog your app ecosystem. Know which applications users need access to so they can work with the other business units so you can better understand their needs.

If you missed the SophSkills session and the answers to your FAQs, get caught up here.

About the Author

Chris McCormack is a network security specialist at Sophos where he has been focused on firewall and network protection since joining Sophos in 2008. When not evangelizing Sophos network security products, Chris specializes in providing advice and insight into the latest threats and network protection technologies and strategies.