5 Key Considerations Before You Implement ZTNA

Key Considerations for ZTNA solutions

Application architecture has shifted to hyper-efficient microservices; simultaneously, users are increasingly accessing critical resources from remote locations and their own devices. Keeping pace demands that enterprises step beyond the moat and adopt Zero Trust Network Access (ZTNA) solutions.

Quick Takeaways

  • True Zero Trust: Instead of the traditional castle and moat approach to perimeter security, ZTNA protocols demand that the context of every user, service, and access request be scrutinized before and after access is granted. 
  • How Much You’ll Scale: While VPN hardware comes with a hefty price tag throughout both implementation and its ongoing maintenance, ZTNA solutions offer a new, scalable approach to network security without the hardware demands.
  • Integration: To achieve the core zero trust philosophy of ‘never trust, always verify’, ZTNA tools should integrate tightly with your existing identity and security tool providers.
  • Visibility: ZTNA solutions should offer a dashboard that displays active sessions, licenses, gateways and more in a single, filterable view. Through this minute-to-minute window, your security team is able to spot suspicious activity and determine network needs. 
  • Availability: With how critical a ZTNA solution will be, it’s vital that yours maintains over 99% uptime.

Why ZTNA is Needed Now More Than Ever

Breach after breach, attackers are able to take advantage of password and email combinations to remotely break in and steal sensitive info. Most recently, streaming service Roku had its second major breach since March this year, with a combined 600,000 accounts breached via credential stuffing.

As a way to keep remote end-users protected, companies have increasingly turned toward Virtual Private Networks (VPNs). However, password-protected VPNs remain one of the weakest points of failure for remote employees: attackers have a choice between stealing the necessary login credentials or using a novel vulnerability.

On the support side, attempting to manage the rapid explosion of device locations, users, and applications has kept security teams redlining – and the ticket queue full of password reset requests. To top it off, user access accounts are all too often manually provisioned, with multiple active directories that need endless updates.

Instead of placing highly-critical data behind one set of login credentials, a ZTNA solution provides zero-trust network access to each employee.

The 5 Core Capabilities of a ZTNA Solution 

To deliver on the central promise of ZTNA protocols, the following capabilities need to be achievable: 

#1. Identify the User’s Access Level

First and foremost to any ZTNA solution: define exactly what the user should have access to. A core principle of zero trust is the ability to limit user access to the bare minimum. From a traditional perspective, this is a waste of effort – but attackers are always on the lookout for over-provisioned access. 

After all, these accounts allow them to move laterally as they hunt for sensitive resources. 

With the right ZTNA tool, users are granted access to only what they need for their role, and only for as long as they need it. Agent-based software has struggled to achieve this on its own – particularly when your enterprise works with contractors – so agentless, browser-based ZTNA can offer a useful and rapidly-implementable approach.

#2. Identify the User’s Risk Level

While advanced VPN apps can support a degree of network segmentation (for instance, one VPN app for lower-ranking employees and another for VPs and COs), VPNs do not change their degree of access depending on the user’s behavior.

The right ZTNA tool takes the user’s individual risk level into account before granting access. 

This goes far beyond simple device location, and looks closer at device health and the context surrounding each access request. Device Posture Check (DPC) represents an integral part of identifying how risky an access request is. Inspecting the user’s device for the necessary certificates and antivirus software is one example of how its initial security stance is assessed. 

For full zero trust, access validity needs to be assessed throughout a user’s session – not just at the front door.

#3. Protect all Data Being Transferred

While basic VPN applications often fail to provide an adequate degree of protection, the core protocols they are built upon still work almost without fault – the IPSec protocol suite is a prime example.

IPSec renders all transferred data unreadable to eavesdroppers: it breaks the data into packets and encrypts each one individually. Each packet is given several more headers than normal – collectively, these make sure the encrypted data can only be decrypted by the correct, verified device.

It also authenticates each packet, so the receiver can detect tampering. This combination of encryption and authentication means that data can be sent securely over public networks. WireGuard is a similar protocol, with the added benefit that it’s newer and faster. For optimum in-transit traffic protection, ZTNA should put encryption protocols such as these in place.
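To make the per-packet encrypt-and-authenticate property concrete, here is an added example (not Perimeter 81's code, and not IPSec itself): a simplified ESP-like channel in Go. Each packet carries a cleartext sequence-number header that is authenticated together with the ciphertext via AES-GCM, so a receiver with the shared key can reject tampered or replayed packets. The key exchange that IKE or the WireGuard handshake would perform is assumed to have happened already; the strictly increasing sequence check (no reordering window) is a deliberate simplification.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// headerLen is the size of the cleartext per-packet header: a 64-bit sequence number.
const headerLen = 8

// Tunnel is one direction of a simplified secure channel (illustrative, not IPSec).
type Tunnel struct {
	aead    cipher.AEAD
	sendSeq uint64 // last sequence number sent
	recvSeq uint64 // highest sequence number accepted so far
}

// NewTunnel builds a channel from a pre-shared key (16, 24 or 32 bytes for AES).
func NewTunnel(key []byte) (*Tunnel, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Tunnel{aead: aead}, nil
}

// nonce derives a unique 12-byte GCM nonce from the sequence number; under one
// key a sequence number is never reused, which is what GCM requires.
func (t *Tunnel) nonce(seq uint64) []byte {
	n := make([]byte, t.aead.NonceSize())
	binary.BigEndian.PutUint64(n[len(n)-8:], seq)
	return n
}

// Seal turns one payload into a wire packet: header || ciphertext || tag.
func (t *Tunnel) Seal(payload []byte) []byte {
	t.sendSeq++
	hdr := make([]byte, headerLen)
	binary.BigEndian.PutUint64(hdr, t.sendSeq)
	out := make([]byte, 0, headerLen+len(payload)+t.aead.Overhead())
	out = append(out, hdr...)
	// The header is passed as associated data: sent in clear but covered by the tag.
	return t.aead.Seal(out, t.nonce(t.sendSeq), payload, hdr)
}

// Open verifies and decrypts one packet, rejecting replays and forgeries.
func (t *Tunnel) Open(packet []byte) ([]byte, error) {
	if len(packet) < headerLen+t.aead.Overhead() {
		return nil, errors.New("packet too short")
	}
	hdr := packet[:headerLen]
	seq := binary.BigEndian.Uint64(hdr)
	if seq <= t.recvSeq {
		return nil, errors.New("replayed or out-of-order packet rejected")
	}
	plain, err := t.aead.Open(nil, t.nonce(seq), packet[headerLen:], hdr)
	if err != nil {
		// Tag mismatch: the header or ciphertext was modified, or the key differs.
		return nil, errors.New("authentication failed: packet rejected")
	}
	t.recvSeq = seq // advance only after the packet is proven authentic
	return plain, nil
}

func main() {
	key := make([]byte, 32) // constructed demo key; a real channel negotiates this
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	tx, _ := NewTunnel(key)
	rx, _ := NewTunnel(key)

	pkt := tx.Seal([]byte("GET /payroll/report"))
	plain, err := rx.Open(pkt)
	fmt.Printf("first delivery: %q err=%v\n", plain, err)

	_, err = rx.Open(pkt) // same packet again
	fmt.Println("replay:", err)

	pkt2 := tx.Seal([]byte("second message"))
	pkt2[len(pkt2)-1] ^= 0x01 // flip one bit of the tag in transit
	_, err = rx.Open(pkt2)
	fmt.Println("tampered:", err)
}
```

The receiver only advances its replay state after the tag verifies, so a forged packet with a large sequence number cannot lock out legitimate traffic. A production protocol adds a reordering window, periodic rekeying, and the handshake that establishes the key.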

#4. Gain Deep Visibility and Control

The transient nature of cloud resources means that cloud-delivered applications can be difficult to gain full visibility over. Your ZTNA tooling should grant you a single platform through which you can view detailed insight into user activities such as resource use and behavior.

Because so much of zero-trust protection is based on time-sensitive responses, it’s also best if this is as close to real-time as possible.

This visibility allows for tighter control over the policies that govern application, command, and query access. To support rapid implementation and a clear overview, your ZTNA tool should let you quickly segment users into groups and then define which of your connected resources are accessible to which groups. It should also let you view and control how data moves between services, addresses, and groups.

Again, ideally, all of this is contained within a central dashboard.  
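The three capabilities described above (#1 least-privilege, time-boxed access; #2 device posture and risk, checked during the session rather than only at the front door; #4 group-to-resource segmentation) fit together in one policy decision point. The following is an added example in Go, not Perimeter 81's code: the posture fields, the risk thresholds, the quarter-length grant for degraded devices, and the `Authorize`/`Reevaluate` names are all assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Posture is the result of a device posture check (DPC) at request time.
type Posture struct {
	HasDeviceCert bool // managed-device certificate present
	AVRunning     bool // endpoint protection running
	OSPatched     bool // no outstanding critical patches
}

// Request is one access attempt: who, from which device, for which resource.
type Request struct {
	User     string
	Groups   []string
	Resource string
	Posture  Posture
	Now      time.Time
}

// Grant is a time-boxed, resource-specific authorization, never network-wide access.
type Grant struct {
	User, Resource string
	Expires        time.Time
	RiskAtGrant    int
}

// Policy maps each resource to the groups allowed to reach it. Anything not
// listed is denied by default; MaxTTL bounds how long any grant lives.
type Policy struct {
	Access map[string][]string
	MaxTTL time.Duration
}

// riskScore counts missing posture controls: 0 healthy, 1 degraded,
// 2 or more untrusted. The thresholds are assumptions for this example.
func riskScore(p Posture) int {
	risk := 0
	if !p.HasDeviceCert {
		risk++
	}
	if !p.AVRunning {
		risk++
	}
	if !p.OSPatched {
		risk++
	}
	return risk
}

// Authorize decides a single request: group membership for this resource only,
// then device risk. Degraded devices get a shorter grant; untrusted ones none.
func (pol Policy) Authorize(r Request) (*Grant, error) {
	allowed, ok := pol.Access[r.Resource]
	if !ok {
		return nil, fmt.Errorf("no policy for %q: default deny", r.Resource)
	}
	member := false
	for _, g := range r.Groups {
		for _, a := range allowed {
			if g == a {
				member = true
			}
		}
	}
	if !member {
		return nil, fmt.Errorf("%s is not in a group permitted to reach %q", r.User, r.Resource)
	}
	risk := riskScore(r.Posture)
	if risk >= 2 {
		return nil, errors.New("device posture below threshold: access denied")
	}
	ttl := pol.MaxTTL
	if risk == 1 {
		ttl = pol.MaxTTL / 4 // degraded device: force re-verification sooner
	}
	return &Grant{User: r.User, Resource: r.Resource, Expires: r.Now.Add(ttl), RiskAtGrant: risk}, nil
}

// Reevaluate runs during the session: an expired grant, or a posture that is
// worse than it was when access was granted, terminates the session.
func (pol Policy) Reevaluate(g *Grant, p Posture, now time.Time) error {
	if !now.Before(g.Expires) {
		return errors.New("grant expired: re-authentication required")
	}
	if riskScore(p) > g.RiskAtGrant {
		return errors.New("device posture degraded mid-session: session revoked")
	}
	return nil
}

func main() {
	// Constructed policy: only the engineering group may reach the source repo.
	pol := Policy{Access: map[string][]string{"git.internal": {"engineering"}}, MaxTTL: 8 * time.Hour}
	now := time.Now()
	healthy := Posture{HasDeviceCert: true, AVRunning: true, OSPatched: true}
	req := Request{User: "alice", Groups: []string{"engineering"}, Resource: "git.internal", Posture: healthy, Now: now}
	grant, err := pol.Authorize(req)
	fmt.Println("alice -> git.internal:", grant != nil, err)
	// An hour later the endpoint protection stops: the session is revoked.
	degraded := Posture{HasDeviceCert: true, AVRunning: false, OSPatched: true}
	fmt.Println("mid-session check:", pol.Reevaluate(grant, degraded, now.Add(time.Hour)))
	req.User, req.Groups = "bob", []string{"sales"}
	_, err = pol.Authorize(req)
	fmt.Println("bob -> git.internal:", err)
}
```

Default deny (unlisted resources are refused), a grant scoped to one resource with an expiry, and a re-check that compares current posture against the posture at grant time are the three behaviours a buyer should look for; the dashboard the text describes is where the outputs of `Authorize` and `Reevaluate` would be surfaced.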

#5. Ensure Constant Uptime

Global users demand nearly round-the-clock access. To support this, make sure to choose a ZTNA solution with close to 99.999% uptime: this high performance should also be backed by Service Level Agreements. 

Global Points of Presence (PoPs) lend further credence to a vendor’s uptime claims.

The Future of ZTNA Solutions 

ZTNA solutions are already pushing these 5 core capabilities in two key directions: AI and integration.

The first of these is heavily focused on achieving a better view of risk level. User behavior has traditionally been far too time- and cost-intensive for many organizations to analyze continuously, but AI engines are uniquely well positioned to manage this. Alongside detecting and cutting off access for users who begin demanding unexpected file access, ZTNA is increasingly applying analytical engines to the packets and files being sent across a network.

Not only is it possible to identify user accounts that have been compromised, but the behavior and characteristics of individual files are now analyzable on a larger scale than ever before.

Alongside behavioral analysis for the more nitty-gritty risk assessments, ZTNA tools are changing the very infrastructure of security tooling: rather than disparate and disjointed tech stacks, many ZTNA providers are focusing on tools that can couple up with others. 

For some, this means shifting everything over to a single provider – and for others, it means embracing open security, by focusing on seamless integration with your pre-existing identity provider and SIEM tools. 

Get Started with Perimeter81

You shouldn’t need to revamp your organization’s entire infrastructure, throw out hardware, or endure prolonged, frustrating configurations to achieve network security. 

Perimeter 81’s ZTNA technology seamlessly integrates with any network and hardware and immediately switches out outdated solutions with a single platform. Unify, view, and manage zero-trust access across the entire network in minutes: see how with a demo today.

FAQs

What are the requirements for zero trust?

Implementing a zero trust security model requires several critical components. Chief among these is least-privilege access, which ensures that users have only the access necessary to perform their roles. Second is ongoing analytics that monitor entity behavior. A final requirement of zero trust is regular security training.

Where should I start getting ZTNA?

Start by assessing your current security posture. From there, you can prioritize the assets and data that need the highest level of protection – only after you’ve built an understanding of what your organization needs should you look for a suitable solution.

Is ZTNA necessary?

The dual rise of remote workers, who need low-latency connections, and aggressive, multifaceted attacks that need filtering out makes ZTNA a higher priority than ever before.

What’s the difference between ZTNA and a Secure Web Gateway (SWG)?

SWGs block access to malicious websites by filtering web traffic based on URLs, content categories, and reputations. ZTNA tools assess not just web content, but user context and device security before allowing access.