Zero Trust Network Access: The What and the Why
According to Gartner, Zero Trust Network Access (ZTNA) is a product or service that creates an identity- and context-based, logical access boundary around an application or set of applications.
“The applications are hidden from discovery, and access is restricted via a trust broker to a set of named entities. The broker verifies the identity, context and policy adherence of the specified participants before allowing access and prohibits lateral movement elsewhere in the network. This removes application assets from public visibility and significantly reduces the surface area for attack.”
Put another way, these solutions provide Zero Trust access to private applications hosted on clouds and corporate data centers. But what is “zero trust?”
Well, as the name suggests, “zero trust” is an approach that trusts no one.
What’s wrong with a simple firewall or VPN?
Traditional perimeter security — firewalls, VPNs, access controls, etc. — focuses on keeping attackers out of your network, but trusts by default users and devices that are already inside. What this means is that once inside the perimeter, users are granted almost unlimited lateral movement.
This can have disastrous results should malicious actors break the perimeter. And indeed, malicious actors have developed plenty of tools to break through your perimeter, including:
- Phishing emails
- Stolen passwords
- Stolen database credentials
- Redirecting shells
These kinds of attacks are disturbingly common. In a 2021 report, major U.S. internet provider Verizon noted that phishing remains one of the biggest causes of breaches, responsible for 36% of breaches in 2021, up from 25% the previous year. Global lockdowns in the wake of the COVID-19 pandemic have only accelerated the trend thanks to coronavirus-related phishing lures. Verizon also reported that use of stolen credentials was responsible for 25% of breaches, a phenomenon that has only increased as more and more employees work remotely.
According to U.S. tech giant IBM, breaches involving stolen credentials resulted in USD 4.37 million in damages on average.
To make matters worse, the widespread transition to remote workforces is putting organizations and companies at even greater risk. The more people working remotely using potentially insecure devices, the more threats a network faces, and the limitations of traditional perimeter defenses grow more apparent.
How does ZTNA work?
ZTNA rests on the principle that organizations should never trust anyone or anything, regardless of whether they’re inside or outside the security perimeter.
ZTNA constantly verifies users and devices before granting them access to sensitive data. And it does this without sacrificing performance or user experience, providing fast and uninterrupted access.
In particular, ZTNAs are seen as an improvement on VPNs.
VPNs, particularly popular for remote work, might seem like a good security choice. But in fact, anyone with valid login credentials can access your network, and that can be devastating. In a traditional perimeter defense such as a VPN or firewall, once a malicious actor gets inside the defensive wall, they can run rampant, stealing data and causing damage at will.
ZTNAs, on the other hand, restrict users to specific applications, giving malicious actors much less room to roam.
VPNs also fail to take into account the health of a device. Anyone with an infected laptop or phone could connect directly to your network via VPN, potentially wreaking havoc. ZTNAs, on the other hand, constantly evaluate connecting devices. They also render all of a network’s resources invisible except to authorized and authenticated users.
Unlike VPNs, ZTNAs provide users direct connections to applications, free from sluggish performance and bandwidth problems. VPNs also require additional hardware or clients; doing without them saves companies and users money.
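The contrast described above, as an added Python example that is not Gartner's or Cloudbric's code: a perimeter-style check that admits anyone with valid credentials to every application, next to a broker-style check that is default-deny and evaluates identity, device health and per-application grants on each request. The user names, passwords, application names and the device_healthy flag are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample data: users, passwords and application grants are hypothetical.
APP_GRANTS = {
    "payroll": {"alice"},
    "wiki": {"alice", "bob"},
    "build-server": {"bob"},
}
VALID_CREDENTIALS = {"alice": "pw-a", "bob": "pw-b"}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    password: str
    device_healthy: bool  # assumed posture signal reported for the connecting device


def credentials_ok(req: AccessRequest) -> bool:
    return VALID_CREDENTIALS.get(req.user) == req.password


def vpn_reachable_apps(req: AccessRequest) -> set[str]:
    """Perimeter model: valid credentials put the client on the network,
    so every application is reachable regardless of device or grants."""
    return set(APP_GRANTS) if credentials_ok(req) else set()


def ztna_decide(req: AccessRequest, app: str) -> bool:
    """Broker model: default deny. Identity, device health and the
    per-application grant must all pass for this one request."""
    if app not in APP_GRANTS:       # unknown application: nothing to discover
        return False
    if not credentials_ok(req):     # identity
        return False
    if not req.device_healthy:      # context, re-evaluated on every request
        return False
    return req.user in APP_GRANTS[app]  # policy: named entities only


def ztna_reachable_apps(req: AccessRequest) -> set[str]:
    """Applications the broker exposes; everything else stays invisible."""
    return {app for app in APP_GRANTS if ztna_decide(req, app)}
```

With bob's password on an unhealthy device, the perimeter check exposes all three applications while the broker exposes none; on a healthy device the broker still limits bob to the two applications he is granted.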
Cloudbric’s Remote Access Solution (RAS) is a Zero Trust-based service that lets users easily connect to their workplace in a safe remote environment.
The service lets only authenticated users access the corporate private network and data, regardless of device or access location. The cloud-type remote access service lets you safely access corporate systems without establishing a dedicated line or VPN.
Cloudbric RAS is applied on the domain of the web application (HTTP, HTTPS). When users access the domain, they are prompted with an authentication page, ensuring only authenticated users get access.
Cloudbric RAS helps you to securely access your company network anytime, anywhere, with various terminals.