Zero trust network access is a security solution that simplifies and streamlines secure application access. It hides infrastructure from discovery, limits access to apps on a need-to-know basis, and protects against lateral attacker movement in case of a breach.
Modern organizations need granular, context-aware access to their applications regardless of whether they reside on-premises or in the cloud. They also need to minimize the impact of a breach.
1. Authentication
What is ZTNA used to authenticate users and their devices before any access to internal resources? This enables an organization to apply granular security and access policies based on location, device, context, etc. This helps prevent unauthorized access to sensitive data and assets by restricting privilege escalation in case of a breach.
For example, a ZTNA solution can ensure that contractors, suppliers, vendors, and other third parties never have complete and unfettered access to the entire corporate network. Instead, they are granted access to specific data and applications that they need to do their jobs, and this access is only for as long as it takes them to get the job done.
The result is that a threat actor only has a limited view of the target and its vulnerabilities and cannot move laterally within the corporate network, dramatically reducing the attack surface and impact of a breach.
In addition, a ZTNA solution integrated with strong endpoint security can mitigate these risks by ensuring that only valid users and healthy devices are allowed to connect. With the right approach to implementation, a zero-trust network access solution can be up and running in days rather than weeks or months. Most organizations start with a pilot focusing on a few user groups and services, working out the kinks and getting the process down before expanding to a broader set of use cases.
2. Context Awareness
Modern organizations rely on services that do not reside within their network, and ZTNA allows them to connect users and applications over an encrypted tunnel. This is similar to how two people need to contact support with phone numbers instead of email addresses. This helps organizations hide infrastructure from public discovery and prevents attackers from scanning and pivoting through the organization’s network. As part of this capability, a ZTNA solution can be context-aware.
This means it considers more than just the user’s or device’s identity and evaluates other factors such as the time of day, geographical location, how often an access request is made, and the requested data types. These additional context-aware security policies allow for granular access and limit privileges to align with the principle of least privilege. Context also limits the potential “blast radius” of a breach.
Suppose a hacker successfully breaches a single device in a zero-trust environment. In that case, they cannot move laterally to other devices or networks because they would need a new connection, verified identity, and credentials for each subsequent attack. This is because the temporary certificate-based connection that authenticates and authorizes in a ZTNA environment expires automatically after each connection.
3. Isolation
Unlike traditional VPN solutions, zero-trust network access (ZTNA) doesn’t just secure application connectivity but also safeguards the entire network from infection and lateral attacker movement. This is achieved by completely separating providing application access from network access, making all outbound connections through a secure encrypted tunnel, and shielding the network’s IPs from the public internet (creating a darknet).
This prevents unauthorized users from seeing applications they cannot access and protects against lateral attacks. Authentication is performed on the ZTNA service, and context awareness is verified with a dynamic, just-in-time certificate that expires after each connection. ZTNA uses microsegmentation to grant access on a one-to-one basis based on the user’s identity, device, location, and other security criteria.
A vital requirement of any modern organization is connecting users, applications, and data, even if they don’t reside on the corporate network. Zero trust network access provides this ability, delivering the agility and flexibility needed to meet today’s hybrid workforce demands. It also delivers granular contextual access to applications that may not require complete network visibility, such as SaaS and cloud applications.
Combined with comprehensive monitoring capability, organizations can see who’s using what and from where so anomalies can be quickly identified and responded to. This significantly reduces the risk to contractors, vendors, and other third-party users.
4. Policy Enforcement
A ZTNA solution typically uses a policy engine to decide whether to allow or deny access to specific network flows. This engine may be installed on-premises, run in an enterprise’s cloud presence, or offered as SaaS, and it authenticates and authorizes users just in time for each connection using ephemeral certificates.
It also inspects devices for various attributes, including device security posture, and uses real-time attributes like location, timing, and frequency of access to detect anomalies. In addition, a ZTNA solution often offers features that help reduce the risk of lateral movement within an organization’s network in the event of a breach. It does this by supporting micro-segmentation, which involves dividing a network into smaller segments protected from each other with strict security policies.
Conclusion
With granular microsegmentation, you can ensure that users can only connect to the applications they need without having access to sensitive information on other parts of your network. This makes it much more difficult for attackers to spread malware between different networks and limits the impact of a breach once they gain entry.
By isolating access to your network, ZTNA helps make your organization a less attractive attack target while allowing users to work from anywhere. This is especially important when employees use unmanaged BYOD devices for remote and hybrid work.