Learn more about Zero Trust Network Access (ZTNA)

Traditional perimeter-based network protection combines ordinary users and privileged users, insecure connections and secure connections, and external and internal infrastructure parts to create the illusion of a trusted zone. Many potential security issues cannot be resolved. More and more companies are turning to zero-trust network access to solve this problem.

[[431649]]

With the booming development of cloud computing, virtualization, the Internet of Things (IoT), BYOD concepts, and remote work, the number of mobile devices has increased dramatically, and the boundaries of the network are becoming increasingly blurred. Not only must internal systems and devices be protected, but external systems and devices also require additional layers of defense. Therefore, the traditional boundary-centric approach is gradually being eliminated.

Zero Trust Concept

In 2010, Forrester Research analyst John Kindervag introduced the concept of Zero Trust (ZT) as an improvement to the traditional network perimeter protection approach. The basic idea behind it is that there are no secure zones or trusted users, either inside or outside the corporate network.

The following are the assumptions for simulating this model in an enterprise ecosystem:

• The corporate internal network is not considered a trusted zone.
• Devices on the internal network can be installed and configured by people other than corporate personnel.
• By default, no users or resources are allowed to be trusted.
• Not all enterprise digital assets reside on the enterprise's internal network.
• All connections can be intercepted and modified.
• The security posture of all devices and assets must be monitored and compliance with established policies verified.

It should be noted that Zero Trust itself is just a concept, a set of vague requirements for building enterprise infrastructure security and controlling access rights, which can be implemented in different ways. In 2018, Chase Cunningham, another expert at Forrester, proposed the Zero Trust eXtended (ZTX) method, which can evaluate the efficiency of Zero Trust implementation in terms of technology, structure, and organizational changes.

At this point, Zero Trust Network Access (ZTNA) is a model that almost all market players recognize. ZTNA aims to put the idea of ​​zero trust into practice. After deploying ZTNA, the scope of perimeter protection tools will go beyond traditional technologies and authentication mechanisms such as agents, network access control (NAC) and firewalls. In addition, workstations and nodes will be continuously monitored for compliance with established security policies. Excellent scalability is one of the main features that distinguish the ZTNA model from traditional models.

Zero Trust Network Access

As mentioned earlier, the purpose of zero trust network access is to implement zero trust principles.

That is, it is a model for providing the most controlled access to the smallest range of resources within and outside the network perimeter so that users can complete their daily tasks.

The basic principles of a ZTNA-based infrastructure are as follows:

• Protected zone segmentation. Instead of trying to cover the entire perimeter at once, divide it into micro-perimeter (application, device, system, network, etc.) and establish different security policies, protections, and controls for each micro-perimeter.
• Mandatory encryption. All communications and network traffic must be encrypted to prevent malicious interference.
• Access control. All users, systems, applications, devices, and processes must be scanned every time they connect to any protected resource.
• The principle of least privilege at all levels. Grant only the minimum permissions that would compromise a user or system and would not result in unauthorized access to the entire infrastructure.
• Complete control. Continuously collect and analyze events, behaviors, and status of all infrastructure components to ensure early response to security incidents.

ZTNA Architecture and Components

The Policy Engine (PE) and Policy Administrator (PA) are the basic logical elements of the ZTNA model. The former manages access policies at the user, device, system, and application levels, while the latter applies the assigned policies, controls access to resources, and monitors the status of access objects and subjects.

The two form the policy decision point (PDP) - which examines the user or device to determine whether they can proceed to the next step, and the policy enforcement point (PEP) - which is responsible for connecting and disconnecting enterprise resources according to the PA's command. These components form the foundation of the system. Benign barriers between users and enterprise services also include next-generation firewalls (NGFW) and cloud access security brokers (CASB).

ZTNA Deployment

There are two common approaches to deploying a ZTNA model. They differ in whether additional software (agents) are installed on the devices accessing corporate resources, which is responsible for authentication, connection establishment, encryption, status monitoring, etc.

In the case of a proxy, the user or device initiates the connection using a pre-installed proxy. This technique has a lot in common with the software-defined perimeter (SDP) model, which aims to control access through authentication, identity-based access, and dynamically generated connection options.

The main advantages of this ZTNA architecture include complete control over the device and prohibition of unverified devices from connecting. But from another perspective, it is also disadvantageous for enterprises because it imposes additional restrictions. The agent must be compatible with different operating system and platform versions, or the enterprise must install the supported operating system version on the device and apply security updates in a timely manner.

Another approach is to offer a ZTNA-based solution as a cloud service. In this case, a logical access perimeter is created around corporate resources in a cloud infrastructure or data center so that they are hidden from external users. The systems that manage employee access, control network traffic, and scan connections are all done through an intermediary, such as a CASB.

The advantages of ZTNA architecture as a cloud service are as follows:

• Fast, easy deployment.
• The cost is relatively low.
• Centralized management.
• Good scalability.
• No additional software needs to be installed – this therefore removes restrictions on connected devices and is more convenient in organizational BYOD principles or remote working.

The main disadvantage is the lack of real-time control over access points, which reduces the level of security. In addition, the lack of a pre-installed proxy may increase the chances of a DoS attack.

ZTNA in Practice

Fully integrating zero trust principles into an enterprise infrastructure requires rebuilding from scratch. This includes changing the internal network architecture, devices, security policies, and potentially even the way employees handle company digital assets. For most large organizations, this is not feasible, and the process is time-consuming and costly.

Another option is to upgrade the existing infrastructure based on current resources and capabilities. This seems more reasonable and feasible. In order to successfully implement ZTNA principles in this case, the information security strategy of the enterprise must first be fine-tuned to align with the concept of zero trust.

Then analyze IT infrastructure components to see which devices and technologies already in use can become the cornerstone of ZTNA and which ones need to be replaced.

First, the following mechanisms need to be implemented:

• Identify all users and devices.
• Access control is performed on connected devices based on their state, compliance with adopted security policies, and the results of vulnerability scans.
• Segmentation of enterprise networks, including data centers.
• Access control based on BYOD principles.
• Authentication and authorization of every system, device, and user that interacts with enterprise web hosting services and infrastructure.
• Data access control.
• Network traffic monitoring.

Companies can then begin implementing a ZTNA model to protect cloud resources and remote connections by combining it with traditional methods of securing the enterprise perimeter.

Global ZTNA Market Status

Although the concept of zero trust appeared more than ten years ago, the surge in demand for remote work caused by the epidemic is the main driving force for the development of ZTNA.

According to Gartner, 60% of companies are expected to abandon the use of VPNs to access corporate resources in favor of zero-trust network access solutions by 2023. Pulse Secure said in its 2020 Zero Trust Access Report that approximately 72% of organizations plan to leverage zero trust to reduce information security risks.

ZTNA is also a key component of SASE, a comprehensive approach to cloud security proposed by Gartner in 2019. In addition to ZTNA, it also includes software-defined wide area network (SD-WAN), secure web gateway (SWG), cloud access security broker (CASB) and firewall as a service (FWaaS).

The concept of zero-trust network access is the result of adapting traditional enterprise security methods to today's environment. Although the concept of zero trust is gaining popularity, for some enterprises, traditional information security methods are still applicable because cloud technology and remote access are unacceptable to them. For example, this is the military structure, the government, and companies that handle confidential information.

Original text: Zooming Into Zero Trust Network Access (ZTNA) Philosophy