Fortinet's Darius Goodall (L) hosted the Zero Trust and SASE Summit where Forrester Senior Analyst Heath Mullins (R) discussed the building blocks of a successful zero-trust approach.

Fortinet this week hosted its virtual Zero Trust and SASE Summit 2022 event, where company leaders and industry analysts discussed the future of the zero-trust network access (ZTNA) and secure access service edge (SASE) architectures.

At the summit, Fortinet Senior Director of Products Peter Newton explained that one of the challenges he sees with zero trust is that people have different understandings of what the term actually means.

Many conflate a holistic zero-trust architecture with component elements of zero trust, like ZTNA technology, Newton said. “Zero trust at a high level is that philosophy, that mindset of making sure that you're authenticating users and devices before you grant them access to a particular application,” he added.

Newton clarified that ZTNA is just one instance of that mindset, one that specifically looks at users and applications. “That's all ZTNA is, just applying those zero-trust principles to that singular use case of should this user get access to this application,” he said.

ZTNA is usually the first identified zero-trust project that companies pursue, Newton told SDxCentral after the summit. He joked that's partly because the term has “zero trust” in its title, but mostly because it covers a “huge amount of the attack surface to start with,” and serves organizations looking for a better remote work access solution.

“So you know, it's a great starting point,” he said.

Reducing IT Angst With ZTNA

Fortinet touted that Gartner’s latest Market Share report ranked the vendor among the top ZTNA vendors.

“We're doing [ZTNA] in this protected environment, because we have pre-certified all the pieces and parts together and it works well with the existing environment,” Newton told SDxCentral about the Gartner ranking. He attributed the ranking in part to Fortinet ZTNA being integrated into the company’s firewall OS, while many other providers have cloud-based ZTNA. Because the FortiGate firewall can run in the cloud or on-premises, Fortinet ZTNA works for both cases.

"It makes for a very easy transition. It really reduces the risk and angst for an IT organization wondering, can I do ZTNA," Newton said.

The shift toward the zero-trust mindset and deploying zero-trust technologies into organizations is a "hot topic," Newton said, adding that “there's a lot more zero trust to come. We have a lot more people who can still go out with ZTNA. It's kind of that first step toward the zero-trust journey.”

Zero Trust ‘Is Not an End State’

At the Fortinet summit, Forrester Senior Analyst Heath Mullins said despite anticipation around ZTNA, there is still confusion around the architecture, with one of the leading inquiries he receives being “what is zero trust and what should we be doing to move forward?”

Mullins said the conversation can take many different directions based on what a client already has in place and whether they already align mentally or from a technology perspective with the zero-trust framework. The biggest thing to know about zero trust, he explained, is that it's “not an end state, and it's not a product.”

When designing a zero-trust architecture “what you're really trying to do is you're trying to give yourself the most visibility with the least privilege, period,” Mullins said. “I don't want anything, anyone touching things that they are not explicitly allowed to touch based on policy or based on the decision that was made somewhere within this stack.”

A zero-trust mindset, Mullins noted, is really about repeating the process again and again. Performing assessments, locating gaps in infrastructure, and identifying where technology can be augmented, replaced, or layered upon to provide even more granular security is an ongoing process.

“The frameworks are really just kind of the first approach to getting to this state. It's not just about, this is day 365, I've completed my zero-trust journey,” Mullins said. “It's also about what day 366 looks like, what day 367 looks like.”