Framing ZTNA and Security Parameters: Risks, Tenets and Best Practices
The Growing Need for Zero Trust Network Access
As we set the stage for wider adoption of Zero Trust Remote Access methodology and solutions, it’s worth a quick look back at the traditional mindset.
Traditional perimeters were obviously created on the assumption that all devices and users inside the network or security perimeter could be trusted, within the boundaries of internal access controls, and therefore allowed access to related resources. Emphasis was placed on preventing access from external devices and users, save the use of VPNs.
Unfortunately, as has been proven in too many breach incidents to count, entrusting user access to network defenses alone opens the door to exploitation via numerous methods, including password theft, account hijacking, and individuals taking advantage of overly permissive access privileges.
Roll the clock forward to the last decade: increased adoption of cloud applications and mobile technologies, underlined by the massive growth of the remote workforce, has significantly blurred perimeters in general, while external attacks and insider threats have further intensified.
The prolific adoption of all things cloud (IaaS, PaaS, and SaaS) continues to drive massive fragmentation in security strategies and tooling used to address these challenges, with many practitioners scrambling to find scalable solutions that maintain business continuity while enabling adequate protection.
ZTNA – Better addressing internal and external security requirements
So how can organizations curb this tide of rising threat vectors across increasingly distributed users, devices, networks, and applications? One common thread that can be controlled across these vectors is securing the “access.” Evaluating every link, user, or host before granting access goes a long way toward securing enterprise access from any location. This is where the concepts of Zero-Trust Access and Zero-Trust Network Access (ZTNA) have emerged as leading alternatives.
For its part, industry analyst firm Gartner defines ZTNA as: “a product or service that creates an identity- and context-based, logical access boundary around an application or set of applications. The applications are hidden from discovery, and access is restricted via a trusted broker to a set of named entities. The broker verifies the identity, context, and policy adherence of the specified participants before allowing access and prohibits lateral movement elsewhere in the network. This removes application assets from public visibility and significantly reduces the surface area for attack.”
Using this approach when considering options beyond the perimeter model, it is important to have a firm understanding of what can be trusted. Implementing a ZTNA security approach allows employees and external partners or third-party contractors to securely access an organization’s internal applications and collaborate, irrespective of the device they use (managed or unmanaged) or the location they are connecting from.
ZTNA also typically employs micro-segmentation, shielding an organization’s private applications within software-defined perimeters and providing “least privilege” access to authorized users, thereby eliminating the risk of lateral movement associated with full network access.
Translating Zero Trust Network Access into Practice
So now let’s talk about the practical application of ZTNA.
The core principles of ZTNA operate on preventative techniques meant to thwart breaches, minimize movement, and overall reduce the attack surface.
1. Moving from network-level access to application-level access
First, ZTNA establishes a control surface (with micro-segmentation and application cloaking) where all sensitive resources and access paths stay hidden until an incoming access request is authenticated, authorized, and verified to comply with all existing, relevant security policies.
2. Decoupling users from their devices
Next, ZTNA creates adaptive, identity- and context-aware access policies, enforcing separate user-centric and device-centric controls for enabling access to specific applications.
3. Eliminating the threat of data discovery on the public Internet
With ZTNA in place, enterprises no longer need to open inbound firewall ports to enable external connections. The result is a virtual darknet with full application cloaking, which prevents the discovery of applications on the public Internet.
4. Securing legacy applications
More importantly, the centralized monitoring capabilities typically enlisted by ZTNA provide deep visibility into legacy applications, detecting unusual user activity and preventing threats. Integration with multi-factor authentication and identity solutions supplements the authentication control checks, ensuring every access is authorized and secured.
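To make principles 1, 2 and 4 concrete, here is an added example (not code from the original post or from any vendor's product) of the per-application policy decision a ZTNA broker makes: the user-centric and device-centric checks are evaluated separately, every decision is scoped to a single application rather than a network, and the default is deny. The application names, groups and policy field names are constructed for this example.

```python
from dataclasses import dataclass

# Constructed sample policy: one entry per application, never per network.
# The field names (groups, allow_unmanaged, require_mfa) are assumptions
# for this example, not a vendor schema.
APP_POLICIES = {
    "payroll":    {"groups": {"finance"}, "allow_unmanaged": False, "require_mfa": True},
    "wiki":       {"groups": {"finance", "engineering"}, "allow_unmanaged": True, "require_mfa": True},
    "legacy-erp": {"groups": {"finance"}, "allow_unmanaged": False, "require_mfa": True},
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset          # identity attributes from the IdP
    app: str                   # the single application being requested
    device_managed: bool       # device posture, reported separately from identity
    device_compliant: bool
    mfa_satisfied: bool        # step-up authentication already completed


def decide(req: AccessRequest) -> tuple[bool, str]:
    """Return (allowed, audit_reason) for one request against one application.

    There is no 'inside the network, therefore trusted' shortcut: every
    request is checked against identity, context and device posture.
    The reason string is for the broker's audit log; a client should only
    ever see a uniform denial so cloaked applications stay undiscoverable.
    """
    policy = APP_POLICIES.get(req.app)
    if policy is None:
        # Unknown application: deny without confirming whether it exists.
        return False, "no policy for application"
    # User-centric control: identity and group entitlement to this one app.
    if not (req.groups & policy["groups"]):
        return False, "user not entitled to application"
    # Context: the MFA/identity integration must already have been satisfied.
    if policy["require_mfa"] and not req.mfa_satisfied:
        return False, "mfa required"
    # Device-centric control, evaluated independently of who the user is.
    if not req.device_managed and not policy["allow_unmanaged"]:
        return False, "unmanaged device not permitted for this application"
    if req.device_managed and not req.device_compliant:
        return False, "managed device out of compliance"
    # Grant is scoped to this application only; no lateral reach is implied.
    return True, "granted: application-scoped session only"
```

A compliant managed device with MFA in the finance group is granted payroll, while the same user from an unmanaged device reaches only the wiki, which explicitly allows unmanaged devices.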
ZTNA Best Practices
There are currently many varied approaches to ZTNA being advanced among practitioners and solution providers. However, the first step in building the ideal security approach is for organizations to fully review and understand their multi-cloud environment, private applications, users, and device ecosystem.
Thereafter, gaining detailed visibility into current usage and user behavior patterns, along with the business practices they support, helps security practitioners immensely in understanding diverse risks and requirements and in correctly enforcing contextual policies in real time.
It is also important to understand that there is no such thing as an all-in-one ZTNA solution. Building an integrated security approach requires an architecture that accounts for the network, data, identity, context, and incidents. This is also a key step towards embracing another model Gartner has developed, which combines networking and security services, including CASB and ZTNA, into an overarching framework called “Secure Access Service Edge,” or SASE (pronounced “sassy”).
To that end, Lookout delivers a market-leading approach to integrated CASB, ZTNA, and Data Loss Prevention, addressing a critical scope of customer requirements across these emerging models that span access, discovery, monitoring, data protection, policy enforcement and compliance.