Updated: Oct 29, 2022
Traditionally, cybersecurity has involved creating a security perimeter and trusting that everything inside that perimeter is secure. However, the rise of remote users, SaaS applications, and cloud services has eroded the perimeter.
Zero trust is a cybersecurity mindset based on the principle: trust nothing, verify everything. This provides significantly better security by effectively treating each user, device, and application like their own perimeter. Users only have access to applications and data defined explicitly by their policies, reducing lateral movement and the risks that come with it.
The traditional “trust but verify” model assumes that everything inside the organization can be trusted. Network access relied on classifying users as trusted or untrusted: a trusted user gained access to the network and could then move laterally. This model has proved not to be viable because of:
Insider threats: the lateral network access of a trusted user may be exploited.
Compromised credentials: if the credentials of a trusted user are compromised, an attacker may use them to access the network and cause damage.
Sophisticated attacks: as attacks increase, preventing lateral movement within a network is paramount in case one section of the network is compromised.
Institutions adopted network segmentation to limit lateral movement by trusted users and devices, but the policies were hard to manage because the security model was not designed to handle such complexity.
In the recent past, the growth of cloud computing services has skyrocketed, mainly driven by the need to reduce hardware resources and break locational barriers. Cloud platforms have made it easy to bypass IT visibility. Remote users have also increased tremendously, especially due to the COVID-19 pandemic.
With all these challenges, the need for a new model became paramount.
Gartner's Secure Access Service Edge (SASE) security concept treats ZTNA as one of its core components. In 2019, Gartner projected that 60% of enterprises will have phased out VPN in favour of ZTNA by 2023. The main driver of ZTNA is the changing shape of the enterprise network perimeter: cloud, working from home, mobile and on-premises assets.
Principles of Zero Trust Network Access
Assume that the network is hostile.
The number of cyber-attacks has continued to increase, and enterprises must always be prepared for an attack.
ZTNA assumes that an attacker could be either inside or outside the network. Thus, all users, devices and network flows must be authenticated and authorized.
ZTNA employs the least privilege principle: users and devices have zero access by default, and access is then granted only to explicitly authorized resources.
It also employs multi-factor authentication: users need more than one form of authentication to gain access.
Policies should be dynamic, informed by several sources of data (for example identity, device health and context), rather than fixed at the time of connection.
Crucial Benefits of ZTNA
Enable Remote Workers
Remote access VPN has served us well, but was never designed for this new world. ZTNA provides a much better alternative for remote access: better security and threat protection, an easier and more scalable management experience, and a more transparent, frictionless experience for end users.
Micro-Segment Your Applications
By providing access to specific applications, your applications, users and devices are micro-segmented. With the integration of device health into access policies and continuous authentication verification, you get much better security. This eliminates the implicit trust, and the lateral movement that comes with it, inherent in a VPN.
Onboard New Apps and Users Quickly
Sophos ZTNA is much leaner and cleaner, and therefore easier to deploy and manage, than traditional remote access VPN. It enables better security and more agility in quickly changing environments with users coming and going, making day-to-day administration a quick and painless task rather than a full-time job.
Stop Ransomware and Other Threats
By reducing the attack surface, ZTNA lowers the risk of a ransomware attack by removing a new and growing vector. With ZTNA, remote systems are no longer connected “to the network” and only have access to specific applications.
Why is ZTNA Replacing VPNs?
Faster and more reliable
VPNs are appliances that often impact networks negatively, causing poor performance. They also have CPU and other resource limitations that bind enterprises to what they can achieve. With ZTNA's cloud-native approach, this limitation will be a thing of the past.
Enhancing efficiency in routing
ZTNA eliminates the backhauling of traffic to the data center when the required resources are not hosted there. This enables the freedom to work from anywhere without compromising security. VPNs, by contrast, direct traffic to enterprise data centers for rerouting to the intended destination, which is inefficient for connections intended for cloud and web platforms.
Accommodates more network topologies
ZTNA is designed to accommodate mobile and cloud network topologies, and all traffic and users on these platforms can be managed effectively. VPNs were not designed with mobile and cloud topologies in mind, so enterprises lacked visibility on these platforms, creating mobility risks.
ZTNA enables access control and network visibility down to the level of specific applications and identities, making it possible to restrict access per application. VPNs implement policies that restrict access based on IP addresses, which becomes a challenge because one IP address can host more than one resource. These benefits are compelling many organizations to shift from VPN to ZTNA.
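As an added example (not code from this page or from any vendor named here), the policy decision logic below contrasts a VPN-style allow rule keyed on a trusted IP range with a per-application zero-trust rule that checks group membership, MFA and device health, denies by default, and is re-evaluated on every request to model continuous verification. The network range, application names, groups and users are constructed for illustration.

```python
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset          # identity attributes from the identity provider
    mfa_verified: bool         # second factor completed for this session
    device_healthy: bool       # posture signal from the endpoint agent
    src_ip: str
    application: str


# Perimeter / VPN model (constructed range): anything inside the range reaches everything.
VPN_TRUSTED_NETWORK = ipaddress.ip_network("10.0.0.0/8")


def vpn_decision(req: AccessRequest) -> bool:
    """Network-level check only: the requested application is never considered."""
    return ipaddress.ip_address(req.src_ip) in VPN_TRUSTED_NETWORK


# ZTNA policy (constructed): one rule per application; anything not listed is denied.
ZTNA_POLICY = {
    "hr-portal": {"groups": {"hr"}, "mfa": True, "healthy_device": True},
    "wiki": {"groups": {"hr", "engineering"}, "mfa": True, "healthy_device": False},
}


def ztna_decision(req: AccessRequest) -> tuple:
    """Identity-, posture- and application-aware check with default deny."""
    rule = ZTNA_POLICY.get(req.application)
    if rule is None:
        return False, "no policy for application (default deny)"
    if not (req.groups & rule["groups"]):
        return False, "identity not authorized for this application"
    if rule["mfa"] and not req.mfa_verified:
        return False, "multi-factor authentication required"
    if rule["healthy_device"] and not req.device_healthy:
        return False, "device health check failed"
    return True, "allowed"


def continuous_verification(requests) -> list:
    """Re-evaluate every request in a session; a posture change mid-session revokes access."""
    return [ztna_decision(r)[0] for r in requests]
```

An engineering user on the trusted range passes the VPN check for every application, while the ZTNA rule denies the HR portal to that identity regardless of source address.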
Cloud Based ZTNA
Ariel Technology has partnered with Netskope to provide Netskope Private Access, a cloud-based Zero Trust Network Access (ZTNA) solution that helps SOC teams protect corporate applications in hybrid IT environments.
Appliance Based ZTNA
For appliance-based ZTNA, Ariel Technology provides the FortiGate next-generation firewall with the FortiClient ZTNA agent, enabling more secure access and a better experience for your remote users, whether on or off the network.
https://www.catonetworks.com/sase/zero-trust-network-access-capabilities-of-sase/
https://www.netskope.com/products/capabilities/zero-trust-network-access
https://www.fortinet.com/solutions/enterprise-midsize-business/network-access