Cybersecurity is absolutely everything to modern business. Security company Risk Based Security released their annual data breach report, and noted that during the first six months of 2021, there were 1,767 reported breaches, exposing a total of 18.8 billion records. While breaches have declined by 24% over the last year, there are still ransomware attacks continuing at an alarming pace, inflicting serious damage on organizations.
As attackers continue to find new ways to take advantage of changing and emerging technologies, it is more vital than ever to reassess the notion of trust in an organization, specifically in relation to security and IT practices.
Incorporating a security framework that strengthens the enterprise while removing implicit trust is an essential step in the modern world. This is where the Zero Trust network access model becomes vital to modern B2B enterprises.
Here, we are going to dive deep into this critical security strategy, and how it can benefit the modern companies that are concerned with their security.
Why Is Trust (and Lack of It) So Crucial to Security Frameworks?
Trust in relation to cyber security is an approach that is pivotal to protecting businesses’ data and individuals. As the world becomes more technically advanced, trust is being exploited by cyber attackers for a number of key reasons:
Obsolete access controls
There is an over-reliance on infrastructure such as the network firewall, to the detriment of the business. A firewall is still valuable, but when it has no visibility into, or control over, users’ applications or services, an attacker who compromises the network can reach those applications.
Weak security models
One of the fundamental mistakes in security screening is that it takes place only at the outer perimeter of a business location. Once malware or attackers get past the perimeter, they can cause damage to the entire infrastructure.
Improper authentication and authorization
External technologies such as VPNs (Virtual Private Networks) are useful for securing businesses, thereby maintaining privacy and secrecy, but they do not guarantee that authentication and authorization are done correctly.
Insufficient adaptation to changing workflows
The current state of the world has seen a rise in remote workers, and therefore BYOD (Bring Your Own Device) policies, where workers are using their own devices within a company network. If a proper security system is not implemented to secure these components, this can result in catastrophic data leaks.
These security challenges have created the need for a dynamic and flexible system that provides high-level security. This is where the Zero Trust model comes into play. So what is it?
What is “Zero Trust?”
Over the last few years, the concept of Zero Trust security has been critical to allowing emerging companies to adopt a way to comprehensively protect an enterprise. Zero Trust is a strategic initiative that prevents data breaches and does this by removing the concept of trust from an organization’s network architecture.
Zero Trust is an advanced security approach where all users, whether they are inside or outside an organization’s network, have to be authorized, validated, and authenticated on a constant basis before being granted access to the network applications and data. Zero Trust utilizes a number of high-end security strategies and methodologies, such as Identity and Access Management (IAM), Multi-factor Authentication, and Next-gen Endpoint Security. These verify a user’s identity, while also maintaining rigid security measures.
Zero Trust is designed to protect modern frameworks by incorporating network segmentation, threat prevention, and preventing lateral movement within a network, therefore simplifying user access control. Additionally, it offers strict verification to protect the applications and users from adaptive and sophisticated online threats.
Zero Trust is, in essence, a component that doesn’t just equate to technology but is a way to promote ethics, lawfulness, and morality in a company framework.
Trust is, understandably, a pivotal component that allows any business to thrive. Zero Trust aims to spread the idea that companies should not trust users or devices by default, even if they were connected or verified previously.
Zero Trust relies on real-time, clear visibility into user and device attributes, such as firmware versions, OS versions, user logins, vulnerabilities, user identities, and so forth.
What Is Zero Trust Network Access?
Zero Trust network access (ZTNA), also known as SDP (Software-Defined Perimeter), is a set of technologies that operate on this trust model.
ZTNA operates on what is known as an “adaptive trust model,” where trust is never taken for granted and access is determined on a “need to know” basis defined by a number of granular policies. ZTNA gives users seamless and secure access to private applications, with the added benefit that users are never actually placed on the network and the applications are never exposed to the internet.
The ideology behind Zero Trust can be vague, and therefore interpreted widely, but Zero Trust network access provides a very clear framework for companies to follow. Unlike network-focused solutions such as VPNs or FWs (firewalls), ZTNA takes a different approach to securing access to internal applications, following these four key approaches:
1. ZTNA removes the act of providing application access from the act of network access
The isolation and separation between the two components will reduce any risks to the network, such as infection by compromised devices, and will only grant application access to authorized users.
2. ZTNA will only make outbound connections
This keeps the network and the application infrastructure invisible to unauthorized users. IPs are never exposed to the online world, which makes the network very hard to locate.
3. Limited application access
The principle behind native app segmentation means that, even when users are authorized, application access is granted only on a one-to-one basis. Users do not have access to the entire network, only to the specific applications they need to complete their job.
4. ZTNA avoids a “network-centric” approach to security
It focuses on a user-to-application methodology. This means the network is not emphasized as a key component of communication and coordination, and the focus is more on the end-to-end components rather than the internet itself.
How Does ZTNA Work?
The Zero Trust model is based on the following core principles:
1. Re-examining all default access controls
The model assumes that any potential attackers are inside and outside of the network. Therefore, there is no such thing as a “trusted” source, and every request to access the system has to be authenticated, authorized, as well as encrypted.
2. Utilize a number of preventative techniques
ZTNA focuses on preventative techniques to minimize damage and stop breaches, including the following:
- Identity protection and device discovery: The system needs to know what is normal and what is to be expected on the extended network. Understanding how these devices and credentials behave and connect allows companies to put identity challenges in place.
- Multi-factor authentication (MFA): This approach to security is nothing new. It is one of the most common ways to confirm the identity of a user and improve security. MFA involves two or more pieces of evidence to assess the credibility of a user, such as an email or text confirmation, or logic-based exercises.
- Utilizing “least privileged” access: This method to prevent attacks involves the organization granting the lowest level of access possible to a user or a device. This works to limit movement within the network.
- Micro-segmentation: This is a security technique that divides security perimeters into smaller “zones,” so that access to each part of the network is kept separate and attacks are contained. This can be done at the device level or by controlling users and groups.
3. Enable real-time monitoring and controls to identify malicious activity
The key to enabling security in any organization is not just prevention. The ZTNA approach is a preventative one, but it is vital that any enterprise also improves its response to what is called “breakout time.” This is the window between when an attacker compromises the first machine and moves on to the next system. Incorporating real-time monitoring will identify and stop malicious activity. This can be done by implementing identity challenges in real time at the domain controller rather than simply logging events.
4. Work with the strategy on a broader scale
It is important to remember that Zero Trust Network Access is only one component of a wider security strategy. Technology is crucial to protecting any company, but it is still important for companies to adopt a holistic approach to security that will incorporate a number of capabilities to ensure network safety. For example, companies need to be consistent with security advice, as well as continually self examine and update any obsolete authentication protocols. Additionally, having an incident response plan to guarantee business continuity and recovery will help with any potential breaches.
A Brief History of ZTNA
The concept of Zero Trust was created by John Kindervag during his time as vice president and principal analyst at the research and advisory company Forrester Research Inc. It is based on his realization that traditional security models operated on the assumption that everything within the network has to be trusted. This outdated notion assumed that the user’s identity is not compromised and that every user within the framework is acting responsibly and can therefore be trusted.
Zero Trust focuses on the idea of trust being a vulnerability. Once a user is on the network, they are able to access any data they are not explicitly restricted from and can move laterally around the system. Infiltration is therefore not limited to one key point, but can happen through a number of points. Kindervag inverted the model, making everyone “guilty until proven innocent.”
Since he came up with the concept, businesses have chosen to apply this model within their security plans. In fact, the model has become a very popular one. In 2018, one Forrester analyst said that out of 20 calls he received, 17 were about Zero Trust.
ZTNA in the Real World
The most famous example of ZTNA in a real setting is Google with its BeyondCorp project. Initially, it began as an internal Google initiative to allow employees to work from trusted networks without VPNs and is now widely used. Google implemented BeyondCorp as an internal initiative arising from Operation Aurora, a series of cyberattacks that occurred throughout 2009, and resulted in Google losing some of its intellectual property. As a result, Google started to reimagine its security architecture in relation to how employees and devices accessed internal applications.
Now, it is being rolled out to the general public and is naturally one of the biggest trailblazers of ZTNA in the real world. In fact, there are companies that have been called upon to adopt the Zero Trust model. The executive order issued in May 2021 by President Joe Biden has called for 18 companies to demonstrate to the National Institute of Standards and Technology their approaches to implementing Zero Trust. These include big names such as Amazon Web Services, Microsoft, Tenable, McAfee, and IBM. The 18 companies asked to participate in the Zero Trust project will provide examples of integrating open-source and commercial products that leverage cyber security standards and recommended practice.
As the real world is coming around to the notion of Zero Trust, it is now time for businesses to reap the benefits.
The Benefits of Zero Trust Network Access
The concept of Zero Trust offers a number of policies to protect the enterprise, stop any external threats, and safeguard individuals from harmful internal threats. It is important to recognize that internal threats can be worse because of the notion of exploiting trust. Approximately 30% of all data breaches have involved internal exploitation, which is why Zero Trust focuses on the concept of verification and will benefit your organization in the following ways:
1. Greater visibility on the network
ZTNA doesn’t allow you to trust anything, which means that you can decide on the components you would like to observe.
With a more intense approach to monitoring threats across the organization across data and computing devices, you are gaining a greater insight into your network. For example, you are going to be more aware of the timestamps, applications, users, and locations with every single access request. Any behavior that comes out of the norm is flagged up by the security infrastructure and allows you to track all the activity in real-time.
Having greater visibility across your network allows you better insight into who or what is granted access to the network.
2. Improved data protection
In its simplest notion, ZTNA will prevent malware or any unwarranted access to a larger part of the network. Limiting employees’ access to the network or greatly reducing the duration of their access will reduce the likelihood of attacks.
Data breaches are a common occurrence and are one of the ways cybercriminals can effectively hold a company to ransom. And even if a breach occurs, having minimal access to the network means a better attempt at damage limitation. When malware breaches a firewall, rather than being able to access all the data, it will only be able to gain entry to specific parts of the data.
Therefore, this doesn’t just protect the business, but it will also protect the customer and your intellectual property. The irony of Zero Trust is that it will actually inspire more trust from your customers. Additionally, it will save you a lot of financial hardship having to clean up the mess arising from a data breach.
3. Provides additional security to the remote workforce
The most common adaptation arising from COVID-19 has been remote work. However, despite being widely accepted, it has also increased risk because of insufficient security practices on networks and devices. Companies that have employees working around the world can find themselves at risk due to inadequate firewalls.
ZTNA demands user identification and verification at every level, replacing what is called the perimeter concept, where a firewall is installed between a private network and a public network.
As every user, device, and application will warrant a layer of security to gain access, this is more robust protection to the workforce regardless of their location in the world or where the data is kept.
4. Reduces the need for manual IT management
The concept of ZTNA focuses on continuous monitoring, which means incorporating automated processes can make things easier for an in-house IT team. If everything is conducted manually, it takes a lot of time to approve each request, resulting in decreased productivity and workflow, which will have a negative impact on the business.
Automation packages can be programmed to judge the access requests according to certain security identifiers. Therefore, you do not need to have your IT team approving every request manually. The problems with manual access can result in a decreased workflow as well as an increased likelihood of human error. However, if a system flags up a suspicious request, this is where the IT team can take over.
Automation isn’t a cure-all, however, it allows your team to work on improving and innovating the business rather than needing to conduct mundane administrative tasks.
The Challenges of Implementing ZTNA
If we are to implement ZTNA, we’ve got to understand the implicit challenges that businesses face:
1. Regulations have not warmed to the Zero Trust concept yet
Companies under compliance could have trouble passing an audit. The challenge of adopting ZTNA is that it completely does away with the notion of segmentation and firewalls. If regulations demand the use of segmentation and firewalls on sensitive data, it will prove difficult to pass the audit. Therefore, this could prove problematic for an organization.
The current issue, in a technological sense, is that regulations will need to change before this model can be used fully. The effectiveness of an architecture can only be measured by its success, so companies may need to wait until regulatory bodies come round to the idea of Zero Trust network access as an effective measure.
2. Legacy apps can be excluded from Zero Trust architecture
Legacy apps, legacy authentication protocols, and network resources are widespread in use, especially as the remote work revolution has risen over the last few years. These tools are essential for the day-to-day operation of a business, but these are not protected with identity verification, which can mean it is too expensive to re-orchestrate these systems.
These legacy network resources can result in an inconsistent user experience, which could arise from prohibiting certain tools from being used by employees, which immediately has a knock-on effect on their productivity. It is important that incorporating ZTNA doesn’t inhibit employees’ daily activities while still doing the job at hand.
3. Concerns with audits and testing
It is important for organizations to understand what is attacking their interests, and while passing audits is deemed a priority, there also needs to be a focus on simulating attacks to see where the gaps in the security lie.
Therefore, the approach of Zero Trust doesn’t necessarily align effectively when it comes to addressing security problems. Rather, it can seem like a somewhat blanket approach to security. It is important for organizations to pass audits, but they also need to identify their weaknesses, which can be a challenge because the balance between passing audits and addressing the weaknesses can result in organizations opting for one over the other.
4. The obstacle of control
Visibility and control within a network are significant challenges that can leave the enterprise struggling to implement a Zero Trust network. Many organizations don’t have a comprehensive perspective or the ability to set appropriate protocols around the minutiae of their network, such as individual users and every service account.
Therefore, they can find themselves vulnerable to threats posed by weak points within the network, for example legacy systems, overprivileged users, or unpatched devices.
5. The time and effort to set it up
From a practical perspective, organizing policies within a network can be hard because the network still has to function during the process of transition.
Conversely, it can be easier to build a new network from scratch and switch over to the new system. If legacy systems are not compatible with the current framework, it will be necessary to start all over again.
6. Complication in application management
There are a number of diverse applications. They are used across multiple platforms and will be potentially shared with third parties.
It is important to be aware of the individual needs of each application.
7. More devices to oversee
The modern work environment demands different types of devices.
Each individual device may have its own properties and protocols that have to be monitored, therefore increasing the workload.
8. Increased management of users
Employees have to be monitored more stringently with access granted as necessary. However, the users are not just employees but can be clients, customers, and third-party vendors.
With an increasing number of access points, a ZTNA demands specific policies for each group.
How to Achieve Zero Trust Network Access in Your Organization
Every organization has unique needs. If you want to achieve Zero Trust, you have to follow a key set of practices:
1. Assessing your organization
If you are undertaking a holistic approach to trust, it is still important to define the attack surface. Assessing your organization can comprise identifying and auditing every credential active within the business and removing any accounts that have not been used for 30 days.
Additionally, you need to assess the current tools to ascertain the level of security and identify any gaps within the security network. Once you have done this, ensure that the most critical aspects are given the highest level of protection.
2. Create a directory of every asset
It is important to determine where sensitive information is located, and which users need to access it. You need to understand how many service accounts you have and if they all actually need to connect with the network.
Additionally, look at all authentication protocols and remove any connections that rely on outdated or weak authentication. It is also important to obtain a list of all the sanctioned cloud services and grant access only for essential uses.
3. Establishing preventative measures
To prevent data breaches and deter hackers, you should focus on micro-segmentation, least privilege principles, and multi-factor authentication.
4. Continuous monitoring of the network
Monitoring the network is crucial. Being able to analyze and inspect all traffic without interruption allows you to react appropriately and prevent incidents effectively. It is crucial for any enterprise to have a clear action plan.
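As an added example that is not code from the original article, the following Python sketch ties the four steps above to the core principles listed earlier: every user-to-application request is evaluated against a per-application policy (default deny, group-based least privilege, MFA, device posture), each decision is logged with the timestamp, user, device, application and location, and accounts unused for more than 30 days are flagged. The users, devices, policy fields and version strings are constructed for illustration and are not taken from any real product.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample policy inputs (not from any real deployment).
STALE_AFTER = timedelta(days=30)  # accounts unused this long are flagged for removal

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset
    last_login: datetime
    mfa_verified: bool  # MFA completed for the current session

@dataclass(frozen=True)
class Device:
    device_id: str
    os_version: str
    managed: bool  # enrolled in endpoint management

@dataclass(frozen=True)
class AppPolicy:
    allowed_groups: frozenset
    min_os_version: str
    require_mfa: bool = True

def version_tuple(v: str):
    """'12.1' -> (12, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def evaluate(user: User, device: Device, app: str, policies: dict, now: datetime):
    """Decide one user-to-application request. Returns (allowed, reasons).
    Default deny: an application with no policy is never reachable."""
    reasons = []
    policy = policies.get(app)
    if policy is None:
        return False, ["no policy for application (default deny)"]
    if now - user.last_login > STALE_AFTER:
        reasons.append("account stale")
    if policy.require_mfa and not user.mfa_verified:
        reasons.append("mfa not satisfied")
    if not device.managed:
        reasons.append("unmanaged device")
    if version_tuple(device.os_version) < version_tuple(policy.min_os_version):
        reasons.append("os version below minimum")
    if not (user.groups & policy.allowed_groups):
        reasons.append("user not in an allowed group")
    return (not reasons), reasons

def decide_and_log(user, device, app, location, policies, now, log):
    """Evaluate the request and record the attributes a ZTNA broker keeps per decision."""
    allowed, reasons = evaluate(user, device, app, policies, now)
    log.append({"ts": now.isoformat(), "user": user.name, "device": device.device_id,
                "app": app, "location": location,
                "decision": "allow" if allowed else "deny", "reasons": reasons})
    return allowed

def stale_accounts(users, now):
    """Step 1 of the assessment: accounts with no login in the last 30 days."""
    return [u.name for u in users if now - u.last_login > STALE_AFTER]

# Constructed sample data: two apps, two users, two devices.
POLICIES = {
    "payroll": AppPolicy(frozenset({"finance"}), "12.1"),
    "wiki": AppPolicy(frozenset({"finance", "eng"}), "11.0", require_mfa=False),
}
NOW = datetime(2021, 9, 1, 9, 0)
ALICE = User("alice", frozenset({"finance"}), NOW - timedelta(days=2), True)
BOB = User("bob", frozenset({"eng"}), NOW - timedelta(days=45), True)
LAPTOP = Device("lap-01", "12.3", True)
PHONE = Device("byod-07", "11.4", False)

if __name__ == "__main__":
    log = []
    decide_and_log(ALICE, LAPTOP, "payroll", "office", POLICIES, NOW, log)
    decide_and_log(ALICE, PHONE, "payroll", "home", POLICIES, NOW, log)
    decide_and_log(BOB, LAPTOP, "wiki", "home", POLICIES, NOW, log)
    for entry in log:
        print(entry)
    print("stale accounts:", stale_accounts([ALICE, BOB], NOW))
```

Each deny carries every failed check, so the log shows why a request was refused rather than just that it was.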
Incorporating Technological Zero Trust
If you want to start incorporating ZTNA in your organization, there are four key technological areas that can help.
1. Using a VPN alternative
If businesses want to reduce or eliminate their VPN usage, a company can start to phase out remote access VPN in favor of a ZTNA approach.
2. Incorporate secure multi-cloud access
This is one of the more popular approaches for enterprises when they begin with ZTNA. There are more companies adopting cloud services, and turning to ZTNA to enable a multi-cloud strategy can increase comprehensive security.
3. Reducing third-party risk
Third-party users are prone to receiving more access than is necessary, which results in a massive security gap for the organization. ZTNA works by ensuring external users never gain access to the network itself, and only authorized users can gain access to permitted applications. This significantly reduces third-party risk and closes a significant gap in security.
4. Will accelerate the integration of mergers and acquisitions (M&A)
From a business perspective, integration can take a number of years because of overlapping IP address ranges and the time spent converging internal networks. Having ZTNA in place at this point simplifies the time-sensitive tasks needed to guarantee a successful M&A, resulting in immediate value to the company.
Incorporating the Zero Trust model into your organization is not simply about implementation and integration, but is about the additional work needed to implement it. The Zero Trust model is a solid framework, not just technologically speaking, but in terms of ethics.
The notion of trustworthiness is certainly moving down the ladder of priorities in the modern business world. Without any form of assumed trustworthiness, this makes the network more secure. Incorporating the Zero Trust model means the network will be more secure and will hinder any form of lateral movement within a network.
From the perspective of security, it is an excellent way for a business to have complete control over its response to threats. Therefore, this will have a positive impact on the business’s bottom line. It will help companies to understand where their flaws are in the armor and is a very comprehensive approach to security. However, the challenge is in switching over to the Zero Trust model from the traditional practices.
Zero Trust is making a big buzz in the security industry. There is an increasing number of cyber-attacks across the globe. Therefore, having a robust system is crucial to providing a stronger security architecture. Companies need access to and control over every component of each transaction and data flow, by verifying each device and user at the access point. Therefore, it is not just a way to protect the business from threats, but a comprehensive component in dealing with endemic threats inside and outside of the organization.
Threats come in numerous forms. Internal threats are more bruising to an organization, and incorporating Zero Trust is not just a way to protect an organization from foreign threats, but can also help an organization to understand its attitude to domestic infiltration.
Does Zero Trust sound like the missing link for your organization? You have to ask yourself whether you are able to deal with threats in your current system architecture, or whether you need to develop a more sophisticated attitude to managing threats all round. If you have any concerns, Zero Trust network access could be exactly what you need.