Application architecture has shifted to hyper-efficient microservices; simultaneously, users are increasingly accessing critical resources from remote locations and their own devices. Keeping pace demands that enterprises step beyond the moat and adopt Zero Trust Network Access (ZTNA) solutions.
Breach after breach, attackers take advantage of password and email combinations to remotely break in and steal sensitive information. Most recently, streaming service Roku suffered its second major breach since March this year, with a combined 600,000 accounts compromised via credential stuffing.
To keep remote end-users protected, companies have increasingly turned to Virtual Private Networks (VPNs). However, password-protected VPNs remain one of the weakest points of failure for remote employees: an attacker needs only to steal the necessary login credentials or to use a novel vulnerability.
On the support side, managing the rapid explosion of device locations, users, and applications has kept security teams redlining, and the ticket queue full of password reset requests. To top it off, user access accounts are all too often provisioned manually, across multiple Active Directory instances that need endless updates.
Instead of placing highly critical data behind one set of login credentials, a ZTNA solution evaluates each employee's access to each resource individually.
To deliver on the central promise of ZTNA, a solution needs the following capabilities:
First and foremost for any ZTNA solution: define exactly what each user should have access to. A core principle of zero trust is limiting user access to the bare minimum. From a traditional perspective this looks like wasted effort, but attackers are always on the lookout for over-provisioned access: such accounts let them move laterally as they hunt for sensitive resources.
With the right ZTNA tool, users are granted access only to what they need for their role, and only for as long as they need it. Agent-based software has struggled to achieve this across every user population, particularly when your enterprise works with contractors, so agentless, browser-based ZTNA can offer a useful and rapidly implementable approach.
Advanced VPN apps can support a degree of network segmentation, for instance by issuing one VPN app to lower-ranking employees and another to VPs and COs, but a VPN does not change a user's degree of access based on that user's behavior.
The right ZTNA tool takes the user's individual risk level into account before granting access.
This goes far beyond simple device location and looks more closely at device health and the context surrounding each access request. A Device Posture Check (DPC) is an integral part of identifying how risky an access request is: inspecting the user's device for the required certificates and antivirus software is one example of how its initial security stance is assessed.
For full zero trust, access validity needs to be re-assessed throughout a user's session, not just at the front door.
While basic VPN applications often fail to provide an adequate degree of protection, the core protocols they are built on still work almost without fault; the IPsec protocol suite is a perfect example.
IPsec makes all transferred data unreadable in transit by breaking it into packets and encrypting each one individually. Each packet carries several more headers than normal; collectively, these ensure the encrypted payload can be decrypted only when it reaches the correct, verified device.
Each packet is also authenticated. This combination of encryption and authentication means data can be sent securely over public networks. WireGuard is a comparable protocol, with the added benefit of being newer and faster. For optimum in-transit traffic protection, ZTNA should put encryption protocols such as these in place.
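The per-packet protection described above, as an added illustration that is not code from the article, Perimeter 81, or any VPN implementation: each packet gets a small header (a security parameters index and a sequence number, in the spirit of IPsec ESP), an individually encrypted payload and an authentication tag, and the receiver verifies the tag before it decrypts and rejects replayed sequence numbers. The HMAC-SHA256 counter-mode keystream is a stand-in for the AEAD ciphers real IPsec and WireGuard use so the block runs with the standard library alone; the keys, SPI value and messages are constructed sample data.

```python
import hashlib
import hmac
import struct
from typing import Optional, Set

HEADER = struct.Struct("!II")   # SPI (4 bytes) + sequence number (4 bytes), network byte order
TAG_LEN = 16                    # truncated HMAC-SHA256 tag appended to every packet


def _keystream(key: bytes, spi: int, seq: int, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256, unique per (SPI, sequence number).

    Stand-in for the AEAD ciphers real IPsec/WireGuard use; a sequence number must
    never be reused under the same key, or two payloads become XOR-related."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, HEADER.pack(spi, seq) + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def protect(enc_key: bytes, auth_key: bytes, spi: int, seq: int, plaintext: bytes) -> bytes:
    """Sender side: header || encrypted payload || tag (encrypt-then-MAC over header and payload)."""
    header = HEADER.pack(spi, seq)
    body = _xor(plaintext, _keystream(enc_key, spi, seq, len(plaintext)))
    tag = hmac.new(auth_key, header + body, hashlib.sha256).digest()[:TAG_LEN]
    return header + body + tag


class Receiver:
    """Receiver side with an ESP-style anti-replay window: authenticate first, then decrypt."""

    def __init__(self, enc_key: bytes, auth_key: bytes, spi: int, window: int = 64):
        self.enc_key, self.auth_key, self.spi, self.window = enc_key, auth_key, spi, window
        self.highest = 0             # highest sequence number accepted so far
        self.seen: Set[int] = set()  # accepted sequence numbers still inside the window

    def verify_and_decrypt(self, packet: bytes) -> Optional[bytes]:
        if len(packet) < HEADER.size + TAG_LEN:
            return None
        header, body, tag = packet[:HEADER.size], packet[HEADER.size:-TAG_LEN], packet[-TAG_LEN:]
        spi, seq = HEADER.unpack(header)
        if spi != self.spi:
            return None
        # Authenticate before touching the ciphertext: forged or modified packets are dropped here.
        expected = hmac.new(self.auth_key, header + body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None
        # Anti-replay: older than the window, or already accepted, is dropped.
        if seq <= self.highest - self.window or seq in self.seen:
            return None
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s > self.highest - self.window}
        return _xor(body, _keystream(self.enc_key, spi, seq, len(body)))


def demo() -> dict:
    """Constructed keys and messages; returns what the receiver accepted or rejected."""
    enc_key, auth_key, spi = b"E" * 32, b"A" * 32, 0x1001   # constructed, not real keys
    rx = Receiver(enc_key, auth_key, spi)
    p1 = protect(enc_key, auth_key, spi, 1, b"hello over the public internet")
    p2 = protect(enc_key, auth_key, spi, 2, b"second packet")
    tampered = bytearray(p2)
    tampered[HEADER.size] ^= 0x01                          # flip one ciphertext bit
    return {
        "ciphertext_hides_plaintext": b"hello" not in p1,
        "p1": rx.verify_and_decrypt(p1),
        "p2": rx.verify_and_decrypt(p2),
        "replay_of_p1": rx.verify_and_decrypt(p1),        # same sequence number again
        "tampered_p2": rx.verify_and_decrypt(bytes(tampered)),
        "wrong_spi": rx.verify_and_decrypt(protect(enc_key, auth_key, 0x2002, 3, b"x")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The order of checks in `verify_and_decrypt` is the point to take away: the tag covers the header as well as the payload, so a modified sequence number or SPI fails authentication rather than being parsed, and nothing is decrypted until the packet has proven it came from the peer holding the key.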
The transient nature of cloud resources means that cloud-delivered applications can be difficult to gain full visibility over. Your ZTNA tooling should give you a single platform for detailed insight into user activity, such as resource use and behavior.
Because so much of zero-trust protection depends on time-sensitive responses, this view should also be as close to real-time as possible.
This visibility allows for tighter control over the policies that govern application, command, and query access. To support rapid implementation and a clear overview, your ZTNA tool should let you quickly segment users into groups and then define which of your connected resources are accessible to which groups. Between services, it should also let you view and control how data moves between services, addresses, and groups.
Again, ideally, all of this is contained within a central dashboard.
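The access decision the capabilities above describe, as an added illustration that is not Perimeter 81's code or any product's policy engine: role-to-resource segmentation so a user reaches only what their group needs, a device posture check on every request rather than only at login, and grants that are time-bounded and can only be re-issued against recent authentication. The groups, users, resource names, posture fields and time limits are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class DevicePosture:
    has_org_certificate: bool   # device holds the enterprise-issued certificate
    antivirus_running: bool
    disk_encrypted: bool


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    posture: DevicePosture
    authenticated_at: datetime  # when the user last proved identity (e.g. MFA)
    at: datetime                # when this request arrives


@dataclass
class Grant:
    expires_at: datetime


# Hypothetical role segmentation: each group reaches only the resources its role needs.
GROUP_RESOURCES: Dict[str, Set[str]] = {
    "engineering": {"git.internal", "ci.internal"},
    "finance": {"erp.internal"},
    "contractors": {"ticketing.internal"},
}
USER_GROUPS: Dict[str, Set[str]] = {
    "alice": {"engineering"},
    "bob": {"finance"},
    "carol": {"contractors"},
}


def posture_ok(p: DevicePosture) -> bool:
    return p.has_org_certificate and p.antivirus_running and p.disk_encrypted


def resources_for(user: str) -> Set[str]:
    allowed: Set[str] = set()
    for group in USER_GROUPS.get(user, set()):
        allowed |= GROUP_RESOURCES.get(group, set())
    return allowed


class PolicyEngine:
    def __init__(self, grant_ttl: timedelta = timedelta(minutes=30),
                 max_auth_age: timedelta = timedelta(hours=8)):
        self.grant_ttl = grant_ttl          # how long one grant lives before it must be re-earned
        self.max_auth_age = max_auth_age    # how fresh the last authentication must be for a new grant
        self.grants: Dict[Tuple[str, str], Grant] = {}

    def decide(self, req: AccessRequest) -> Tuple[bool, str]:
        key = (req.user, req.resource)
        # Posture is evaluated on every request: a device that drifts mid-session loses its grant.
        if not posture_ok(req.posture):
            self.grants.pop(key, None)
            return False, "device posture check failed"
        # Least privilege: the resource must belong to the user's role before anything else is considered.
        if req.resource not in resources_for(req.user):
            return False, "resource not permitted for role"
        grant = self.grants.get(key)
        if grant is not None and grant.expires_at > req.at:
            return True, "existing grant still valid"
        # No live grant: a new one is issued only against recent authentication.
        if req.at - req.authenticated_at > self.max_auth_age:
            return False, "grant expired; re-authentication required"
        self.grants[key] = Grant(expires_at=req.at + self.grant_ttl)
        return True, "time-bounded grant issued"


def demo() -> List[Tuple[bool, str]]:
    """Constructed walkthrough of one user's session; returns each (allowed, reason) in order."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    healthy = DevicePosture(True, True, True)
    no_av = DevicePosture(True, False, True)
    engine = PolicyEngine()
    steps = [
        AccessRequest("alice", "git.internal", healthy, t0, t0),                            # in role: grant
        AccessRequest("alice", "erp.internal", healthy, t0, t0),                            # not in role: deny
        AccessRequest("alice", "git.internal", healthy, t0, t0 + timedelta(minutes=10)),    # grant reused
        AccessRequest("alice", "git.internal", no_av, t0, t0 + timedelta(minutes=20)),      # posture drift: deny, grant revoked
        AccessRequest("alice", "git.internal", healthy, t0, t0 + timedelta(minutes=25)),    # healthy again: new grant
        AccessRequest("alice", "git.internal", healthy, t0, t0 + timedelta(hours=9)),       # grant expired, auth stale: deny
    ]
    return [engine.decide(r) for r in steps]


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

Two details carry the zero-trust point: posture is checked before the role lookup on every call, so a grant issued at the front door does not survive the antivirus being switched off twenty minutes later, and an expired grant is not silently renewed but requires the user to have authenticated recently enough.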
Global users demand nearly round-the-clock access. To support this, choose a ZTNA solution with close to 99.999% uptime, and make sure this performance is backed by Service Level Agreements.
Global Points of Presence (PoPs) should lend further credence to a vendor's claims.
ZTNA solutions are already pushing these five core capabilities in two key directions: AI and integration.
The first of these focuses heavily on achieving a better view of risk level. Continuously analyzing user behavior has traditionally been far too time- and cost-intensive for many organizations, but AI engines are uniquely well positioned to manage it. Alongside detecting, and cutting off access for, users who begin requesting unexpected files, ZTNA is increasingly applying analytical engines to the packets and files being sent across a network.
Not only can compromised user accounts be identified, but the behavior and characteristics of individual files can now be analyzed at a larger scale than ever before.
Alongside behavioral analysis for the more nitty-gritty risk assessments, ZTNA tools are changing the very infrastructure of security tooling: rather than disparate and disjointed tech stacks, many ZTNA providers are focusing on tools that couple with others.
For some, this means shifting everything to a single provider; for others, it means embracing open security by focusing on seamless integration with your pre-existing identity provider and SIEM tools.
You shouldn’t need to revamp your organization’s entire infrastructure, throw out hardware, or endure prolonged, frustrating configurations to achieve network security.
Perimeter 81’s ZTNA technology seamlessly integrates with any network and hardware and immediately switches out outdated solutions with a single platform. Unify, view, and manage zero-trust access across the entire network in minutes: see how with a demo today.