ZTNA: Zero Trust Network Access Is Superseding the Traditional Enterprise Security Model
Many users hesitate to leverage VPN for their work because it may affect their connection speed. Are you in the same boat? It turns out that the likely slowdown is not the only caveat here. To weigh up the pros and cons of taking this route, every organization should view the implementation of ZTNA or Zero Trust Network Access-based remote access systems through the prism of the following objectives:
- Facilitating employees’ access to enterprise resources.
- Raising the entry bar as high as possible for unauthorized users.
Traditionally, most companies have hinged on the perimeter-based network security principle and used virtual private network services as part of this approach. The fundamental logic behind VPN in this scenario is to harden the network via a virtual barrier that minimizes the risk of intrusion.
The problem with this tactic is that it is getting harder to implement in the present-day decentralized digital ecosystems. Furthermore, different types of users need different scopes of access to network resources. For instance, the privileges required by admins and third-party contractors s
The efficiency of VPN tools in corporate environments decreases as organizations move their applications and other IT infrastructure components into the cloud. Another important factor is that the remote work model sees a spike globally due to the pandemic.
That being said, let’s consider the cases where VPNs may not meet customers’ expectations. Additionally, the following paragraphs will shed light on a security strategy that provides greater flexibility and more options to keep your network safe.
Many businesses have already come to the realization that classic VPNs and access management instruments that safeguard the perimeter do not ensure proper security in a world where telework is the norm. Enterprise networks are undergoing dynamic decentralization, with IT departments being flooded with remote access requests from employees who work from home and third parties such as business partners and consultants.
The perimeter-based security model fails to address these challenges. An architecture like this with an on-premises data processing center at its core may not handle all this traffic, which affects its productivity and the incident response time.
BYOD poses extra risks
Unlike company-issued computers and mobile appliances, personal devices are difficult to manage and secure. It is problematic for IT teams to monitor all these endpoints and ascertain that they are using the latest software versions with security patches on board. Allowing access from these devices is a slippery slope because they may be riddled with malware or controlled by a threat actor who may piggyback on this access to gain a foothold in the network.
Cloud services become low-hanging fruit
VPN tools don’t get along with cloud technology very well, to put it mildly. Not only are they hard to deploy in such environments, but they also lack the functionality to guarantee secure access to Infrastructure as a Service (IaaS) applications like Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).
Redundant privileges for third parties
To comply with some organizations’ security policies, third-party contractors may be banned from accessing the corporate networks via VPN services. If such regulations aren’t in effect, external users can get permissions high enough to access the most sensitive digital assets. Since the security hygiene of any third party is difficult to evaluate and control, this issue is a significant part of the defense equation.
Crude network management options
Whereas simplicity is on the plus side of the perimeter-based security model backed by VPN, low flexibility is its main drawback. This is a potential source for quite a few problems. Here is a trio of the most impactful ones:
- Lack of granular access control mechanisms, which means it is impossible to grant different access permissions to particular users on the network.
- The risk of an adversary’s lateral movement inside the network that entails illegal retrieval of sensitive data.
- Scarce options for managing applications in a centralized way.
Alternatives to the VPN-centric security framework
In the not-so-distant past, when most employees were in offices, and the vast majority of applications were running on local servers, the virtual private network technology was the silver bullet in terms of securing enterprise data.
Things have changed, though. If an attacker succeeds in breaking through the network perimeter, traditional on-premises defenses cannot do much to prevent further damage. In this situation, firewalls and VPNs may do the organization a disservice by instilling a false sense of bulletproof network security.
Gartner predicts that by 2023, more than half of all enterprises will do away with VPNs and switch to using Zero Trust Network Access instead.
The forthcoming reign of Zero Trust
The above-mentioned drawbacks of VPN in the enterprise context have become catalysts for the emergence of a new security model that keeps authenticated users from accessing network assets in an unrestrained way. The Zero Trust security architecture is geared toward bridging the gap.
Advocated by the U.S. Department of Defense and many other reputable organizations, this model revolves around the “Never Trust, Always Verify” philosophy. It enables a highly flexible paradigm where a user gets the required minimum of permissions to an application. This ability to distribute the roles should be built into applications themselves, along with the thorough tracking of user activity after each sign-in event.
The Zero Trust security model is an overarching principle rather than a standalone “plug and play” tool. Its logic boils down to the following tenets:
- No device should be trusted by default.
- The scope of user access must be limited at the level of specific applications.
- Every user and device is subject to scrupulous authentication.
Although implementing this security ideology is easier said than done, most enterprises will eventually take the leap. The good news is that the transition does not have to happen in one go. While it can be performed gradually, application by application or group by group, organizations should not neglect the user experience along the way.
Gartner has taken this approach further by introducing a concept called Zero Trust Network Access (ZTNA). The term denotes a set of products or services that leverage identity-based and context-aware controls to thwart unauthorized access to an application.
Essentially, this principle shifts the security focus from network-based to application-level permissions. The range of criteria for granting such access includes IP addresses, geolocation data, timestamps, multi-factor authentication tokens, as well as specific user groups and roles.
A cloud-based ZTNA also hampers the discovery of protected applications from the open Internet by forming a logical access periphery that obfuscates the data center. Permitting or denying access is the responsibility of a “trust broker” that verifies the user based on the context and identity hallmarks as well as policy compliance.
The broker additionally pulls the plug on the lateral movement of network participants. This is attained by narrowing down a user’s access rights to a limited set of applications. Moreover, the person isn’t even aware of the presence of other applications he or she is prohibited from accessing. Such a mechanism hides application assets from public visibility, which minimizes the potential attack surface.
Organizations have plenty of reasons to step up the shift toward the Zero Trust security paradigm. When it comes to safeguarding network resources against unauthorized access, VPN is no longer doing the trick, especially in corporate ecosystems that heavily rely on telework. Furthermore, implementing the Zero Trust model is a decent way to ensure compliance with the increasingly rigid regulatory requirements regarding data protection.
To further harden the security of sensitive data assets, companies should consider adding the Cloudbric RAS (Remote Access Solution) to the mix. It allows employees to maintain tamper-proof encrypted connections with the enterprise network using any device and from any location.