How Zero Trust Network Access Improves Security

by Jake Wengroff

With the proliferation of remote work, organizations have found themselves increasingly dependent on the security and reliability of employees’ home networks, devices and applications — most likely accessed via a home Wi-Fi connection. Unfortunately, the internet can expose IP addresses, creating security risks due to potential vulnerabilities.

A newer security concept known as zero trust network access (ZTNA) hides the network location — the IP address — and instead uses identity-based authentication to establish trust and provide access. ZTNA appropriately adapts access to specific applications or data at a given time, location or device, providing IT and security teams with centralized control and improved flexibility to secure highly distributed IT environments.

Defining ZTNA

Distributed work environments mean that no single, true security perimeter exists within organizations today. As such, internal connections cannot be trusted — because everyone is connected through different Wi-Fi networks — and a solution is needed to address this issue.

ZTNA products and services create identity- and context-based access, as ZTNA hides resources from discovery and provides access through authentication to a trust broker, which acts as a mediator between specific applications and authorized users, notes TechTarget.

ZTNA decouples access to resources and access to the network, as the internet is an untrusted point of access. The trust broker provides centralized control and management to IT teams, and teams can deploy the broker in data centers as software or an appliance or provide it as a managed service in a cloud environment.

Also, ZTNA unifies access to applications, thus eliminating the bifurcation of private cloud, VPN and SaaS application methods. It provides centralized control, with the scalability and flexibility to offer users appropriate access given their devices, locations and times of day.

6 Business Benefits of ZTNA To Improve Security

Taking a holistic approach to security, zero-trust architecture offers a wide range of benefits. While the obvious one is increased security, ZTNA also improves operations, user experience and workflows. These “hidden” perks often surprise organizations. Here are six benefits of implementing zero-trust protocols:

1. Maintains an Accurate Inventory of Infrastructure

Zero trust requires the tracking of inventory. The model requires that administrators have a thorough understanding of exactly what users, devices, data, applications and services are in use by all employees within the corporate infrastructure at all times, as well as where those resources reside. An accurate infrastructure inventory not only helps with security-related matters, but it is also beneficial for asset tracking and planning purposes. Non-IT operations personnel can be included in the reporting of the status and usage of all corporate devices, informing corporate purchasing decisions as well.

2. Improves Monitoring

Monitoring a zero-trust framework can be complex. However, tools like security information and event management (SIEM) and network detection and response use a combination of log and event analysis to identify when security issues occur. Such solutions then provide insights into how to remediate these issues and determine where the zero-trust model may have failed. This gives security operations center administrators the ability to rapidly detect and respond to cybersecurity threats and adjust the implementation where needed.

3. Enhances the End-User Experience

ZTNA improves the end-user experience because it introduces simplicity: Users will no longer need to keep track of passwords for all of the devices and applications to which they need access in order to do their jobs. One key element of zero trust is the ability to deploy single sign-on (SSO) tools that greatly reduce the number of passwords end users must keep track of. An SSO authentication framework allows users to authenticate once to gain access to everything they need. This helps eliminate password mismanagement and potential phishing scams, enabling users to easily get to the resources they need while single- or multifactor authentication and access controls operate transparently in the background.

4. Streamlines Security Policies and Implementation

Traditional security models used a siloed approach to threat prevention. As organizations grow, their needs tend to evolve, and they acquire newer systems that are most likely incompatible with older legacy ones. As a result, many enterprises find themselves leaning on a patchwork quilt of disparate security tools that are individually purchased, configured and operated independently from one another. This leaves the organization’s overall security posture vulnerable due to the varied capacity or potential misconfiguration of each tool. Zero trust remedies this by creating a universal policy that is created once and then implemented throughout the organization.

5. Provides Flexibility as Apps, Data and Services Change

As business goals change — and as preferences for and versions of particular devices, apps and services change — so do the needs of the technology required to support them. As such, there is often quite a lot of movement of applications, data and IT services within the corporate infrastructure, and ZTNA supports these movements. Prior to zero-trust architectures, moving applications and data from private data centers to a cloud environment, or vice versa, forced a security administrator to manually recreate security policy at the new location. Not only was this process time-consuming, but it was error-prone and vulnerable to security weaknesses. Zero trust addresses this, as it enables app and data security policies to be centrally managed using automation tools to migrate these policies where and when they are required.

6. Protects Against Lost or Stolen Data

Finally, zero-trust architectures should be thought of as the strongest defense against lost or stolen data. According to IBM, the average cost of a breach reached an all-time high of $4.25 million in 2022, with stolen or compromised credentials responsible for 19% of breaches. Because ZTNA doesn’t rely on credentials or exposure to the public internet or employees’ Wi-Fi, it’s currently considered the best insurance against a breach. Further, because it applies the principle of least privilege, only providing the bare minimum level of access for employees to do their job, ZTNA can stop a breach from becoming severe because a cybercriminal compromising credentials for a lower-level or part-time employee would be thwarted from accessing higher-privileged accounts.

Use cases for ZTNA

ZTNA provides several use cases previously unattainable with traditional security and access methods.

“With access dictated more by user, application, and service, the enterprise can adapt to the growing requirements for today’s new normal,” notes AT&T Business.

With ZTNA, organizations can:

  • Allow third-party partners, such as suppliers and contractors, to access specific applications and services.
  • Create access personas based on user behavior. This can be helpful when detecting anomalies: for example, a device used by a single-location employee would be prevented from making a connection if the request originated from another country.
  • Simplify BYOD (bring your own device) programs and authenticate users on personal endpoints, improving security by enabling direct application access.
  • Secure Internet of Things (IoT) devices that must connect automatically but that might be vulnerable.
  • Deploy encryption from the endpoint to the ZTNA gateway for situations in which a local wireless hot spot, public access point or cloud provider cannot be trusted.
  • Isolate high-value enterprise applications in the network or cloud to reduce insider threats (or mistakes).

ZTNA vs. VPN

The enormous growth in the distributed, remote workforce has exposed weaknesses in older security models and tools, including VPNs. VPN technology is designed primarily for corporate-based applications — not cloud environments. While it worked well when relatively few corporate employees worked remotely, over the years VPN technology became difficult to scale, manage and troubleshoot. Some experts believe VPNs have struggled to adapt to an increasingly cloud-based, internet-dependent world, especially one in which many workers BYOD (bring their own devices) and access their own internet.

Trust

VPNs and ZTNA remote access solutions have much crossover when it comes to features. “We can consider ZTNA as evolved VPNs, extending the features of VPNs while fixing some of their inherent security weaknesses,” explains TechRadar.

VPNs largely work on the assumption that any user and device connected to the local company network is trusted. As trusted devices, they can access all the other devices and applications on the network.

However, ZTNA is based on the zero trust security model, which works on a “never trust, always verify” basis. Whether a user is connecting from a local computer or a remote one, this model always authenticates the user and device each time they make a new request. This is fundamentally more secure than the basic VPN model that would enable a compromised remote machine to access the entire internal network.

Access

VPNs work on the network level and only have visibility of the low-level network traffic being sent back and forth. VPNs do not permit advanced rules because they aren’t privy to the applications users are accessing.

Instead, ZTNA works on the application level. Users are not given access to networks — instead, they only have access to the specific applications they are authorized to use. This makes ZTNA much more secure than basic VPNs.

Authentication

ZTNA has a much more robust authentication system than that of VPNs. VPNs often require just a username and password to connect, granting the remote user complete access to the network.

By contrast, every request on a ZTNA infrastructure first goes through a trust broker. The trust broker checks that the user is who they say they are and that they have the right to make the request they are making. ZTNA can also deny requests if the remote computer doesn’t have the latest security updates, as per company policy, or malware is detected, for example. This cuts down on the chance of a compromised remote computer being used to access sensitive company data.
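The per-request trust-broker checks described above (identity verified, user entitled to that one application, device patched and malware-free, and the request consistent with the user's access persona from the use-case list) can be sketched as a small policy evaluator. This is an added illustration, not code from the article or from any ZTNA product; the entitlement table, patch-level policy and user personas are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample data (illustrative only): which apps each user may reach,
# the country each user normally connects from, and the oldest patch set allowed.
ENTITLEMENTS = {
    "alice": {"hr-portal", "payroll"},
    "bob": {"hr-portal"},            # part-time user: least privilege, one app only
}
HOME_COUNTRY = {"alice": "US", "bob": "US"}
MIN_PATCH_LEVEL = 202406             # hypothetical policy value, formatted YYYYMM


@dataclass
class AccessRequest:
    user: str
    authenticated: bool              # identity already verified by SSO/IdP for this request
    app: str
    country: str
    patch_level: int                 # YYYYMM of the device's installed security updates
    malware_detected: bool


def broker_decision(req: AccessRequest) -> tuple[bool, str]:
    """Evaluate one request the way the trust broker is described: every request
    is checked again from scratch, and a single failed check denies that one app
    (never the whole network). Returns (allowed, reason)."""
    if not req.authenticated:
        return False, "identity not verified"
    if req.app not in ENTITLEMENTS.get(req.user, set()):
        return False, f"{req.user} is not entitled to {req.app}"
    if req.malware_detected:
        return False, "malware detected on device"
    if req.patch_level < MIN_PATCH_LEVEL:
        return False, "device missing required security updates"
    if req.country != HOME_COUNTRY.get(req.user):
        return False, f"request from {req.country} conflicts with {req.user}'s persona"
    return True, f"allow {req.user} -> {req.app}"


def evaluate_all(requests: list[AccessRequest]) -> list[tuple[bool, str]]:
    """Each request is evaluated independently: an earlier allow never carries
    over to a later request, which is the 'always verify' property."""
    return [broker_decision(r) for r in requests]


if __name__ == "__main__":
    sample = [  # constructed requests, one per check
        AccessRequest("alice", True, "payroll", "US", 202409, False),
        AccessRequest("bob", True, "payroll", "US", 202409, False),
        AccessRequest("alice", True, "payroll", "RO", 202409, False),
        AccessRequest("alice", True, "payroll", "US", 202401, False),
    ]
    for allowed, reason in evaluate_all(sample):
        print("ALLOW" if allowed else "DENY ", reason)
```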

Helping Organizations More Effectively Implement and Manage ZTNA

The Migus Group can help your organization more effectively implement and manage zero-trust methodologies and ZTNA for a stronger security posture.

Your enterprise may already have several point solutions in place to manage identities or to monitor security incidents. However, without a zero-trust architecture in place and the principle of least privilege, the enterprise is subject to risk not only from external cybercriminals but also from internal employee errors or oversight.

Contact us today to learn more.


Jake Wengroff writes about technology and financial services. A former technology reporter for CBS Radio, he covers such topics as security, mobility, e-commerce and the Internet of Things.