Updated: Oct 25, 2021
Zero Trust Network Access (ZTNA) is a data protection model that applies the “never trust, always verify” principle when granting access to corporate services and applications. Modern enterprise IT environments and corporate networks consist of many interconnected segments, cloud services and infrastructure, mobile environments, and increasingly non-conventional technology such as IoT devices.
Traditional perimeter defenses are ineffective and pose a great risk to the IT environment because they rely on the “trust but verify” model, which assumes that everything inside the organization can be trusted. Network access relied on classifying users as trusted or untrusted; a trusted user would gain access to the network and could move laterally within it. This model has proved not to be viable because of:
Insider threats: the lateral access a trusted user has to the network may be abused.
Compromised credentials: if the credentials of a trusted user are compromised, an attacker can use them to access the network and cause damage.
Sophisticated attacks: as attacks increase, preventing lateral movement within a network is paramount in case one section of the network is compromised.
Institutions adopted network segmentation to limit lateral movement by trusted users and devices, but the resulting policies were hard to manage because the security model was not designed to handle that complexity.
In the recent past, the growth of cloud computing services has skyrocketed, driven mainly by the need to reduce hardware resources and remove locational barriers. Cloud platforms have made it easy to bypass IT visibility. The number of remote users has also increased tremendously, especially because of the COVID-19 pandemic.
With all these challenges, the need for a new model became paramount.
Gartner's Secure Access Service Edge (SASE) security concept treats ZTNA as one of its paramount components. In 2019, Gartner projected that 60% of enterprises will have phased out VPN and use ZTNA instead by 2023. The main driver of ZTNA is the changing shape of the enterprise network perimeter: cloud, working from home, mobile and on-premise assets.
Principles of Zero Trust Network.
Assume that the network is hostile.
The number of cyber-attacks has continued to increase, and enterprises must always be prepared for an attack.
ZTNA assumes that an attacker may be either inside or outside the network. Thus every user, device and network flow must be authenticated and authorized.
ZTNA employs the least privilege principle. Users and devices have no access by default and are then granted access only to the specific resources they are authorized for.
It also employs multi-factor authentication: users must present more than one form of authentication to gain access.
Policies should be dynamic, informed by several sources of data.
Why is ZTNA Replacing VPNs?
Faster and more reliable.
VPNs are appliances that often affect networks negatively, causing poor performance. They also have CPU and other resource limitations that constrain what enterprises can achieve. With ZTNA's cloud-native approach, this limitation becomes a thing of the past.
Enhancing efficiency in routing.
ZTNA eliminates the backhauling of traffic to the data center when the required resources are not hosted there. This enables working from anywhere without compromising security. VPNs, by contrast, direct all traffic to the enterprise data center and then reroute it to its intended destination, which is inefficient for connections to cloud and web platforms.
Accommodates more network topologies.
ZTNA is designed to accommodate mobile and cloud network topologies, so all traffic and users on these platforms can be managed effectively. VPNs, by contrast, were not designed with mobile and cloud topologies in mind, leaving enterprises without visibility on these platforms and creating mobility risks.
ZTNA enables access control and network visibility down to the level of specific applications and identities, so access can be restricted per application. VPNs, on the other hand, implement policies that restrict access based on IP addresses, which becomes a problem because one IP address can host more than one resource. These benefits are compelling many organizations to shift from VPN to ZTNA.
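The contrast between IP-based and identity-based access decisions, and the principles listed earlier (default deny, least privilege, multi-factor authentication, device and context signals), can be made concrete with a small policy evaluator. The following Python is an added example written for this page; it is not code from Ariel Technology, Netskope or Fortinet, and every host address, user, entitlement and risk score in it is constructed for illustration. It evaluates the same request under a VPN-style rule (trust the source network) and under a ZTNA-style rule (verify the session, then grant one application).

```python
"""Toy access-policy evaluator: VPN-style IP trust versus ZTNA-style per-request
verification. Illustrative only; all names, addresses and policies below are
constructed for this example and belong to no real product."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Set

# Constructed inventory: two applications share one host address, which is
# exactly why an IP-based rule cannot separate them.
APP_HOSTS = {"payroll": "10.0.5.20", "wiki": "10.0.5.20", "git": "10.0.7.8"}
CORP_NET = ip_network("10.0.0.0/8")  # the "trusted" network of the perimeter model

# ZTNA entitlements: which identity may reach which application (default: none).
ENTITLEMENTS = {"alice": {"wiki", "git"}, "bob": {"wiki"}}


@dataclass
class Request:
    user: Optional[str]     # authenticated identity, or None if not authenticated
    mfa_verified: bool      # a second factor was presented for this session
    device_managed: bool    # device posture signal (assumed external data source)
    src_ip: str
    app: str
    risk_score: int = 0     # dynamic signal from other data sources (0-100, constructed)


@dataclass
class Decision:
    allowed: bool
    reason: str
    reachable_apps: Set[str] = field(default_factory=set)


def vpn_ip_policy(req: Request) -> Decision:
    """Perimeter model: once the source address is inside the trusted network,
    every application on every reachable host is exposed (lateral movement)."""
    if ip_address(req.src_ip) in CORP_NET:
        return Decision(True, "source inside trusted network", set(APP_HOSTS))
    return Decision(False, "source outside trusted network")


def ztna_policy(req: Request, max_risk: int = 50) -> Decision:
    """Zero-trust model: deny by default; verify identity, factor, device and
    context on every request; then grant only the single application requested.
    Network location is deliberately not consulted."""
    if req.user is None:
        return Decision(False, "unauthenticated")
    if not req.mfa_verified:
        return Decision(False, "MFA required")
    if not req.device_managed:
        return Decision(False, "device posture check failed")
    if req.risk_score > max_risk:
        return Decision(False, f"risk score {req.risk_score} exceeds {max_risk}")
    if req.app not in ENTITLEMENTS.get(req.user, set()):
        return Decision(False, f"{req.user} not entitled to {req.app}")
    return Decision(True, "identity, factor, device and entitlement verified", {req.app})


def compare(req: Request) -> Dict[str, Decision]:
    """Evaluate one request under both models side by side."""
    return {"vpn": vpn_ip_policy(req), "ztna": ztna_policy(req)}


if __name__ == "__main__":
    # Constructed scenarios: an unauthenticated session on an on-premise address,
    # and a fully verified remote employee asking for one application.
    on_lan_unauth = Request(user=None, mfa_verified=False, device_managed=False,
                            src_ip="10.0.3.4", app="payroll")
    alice_remote = Request(user="alice", mfa_verified=True, device_managed=True,
                           src_ip="198.51.100.7", app="git")
    for label, req in (("unauth-on-lan", on_lan_unauth), ("alice-from-home", alice_remote)):
        for model, d in compare(req).items():
            print(f"{label:16s} {model:5s} allowed={d.allowed!s:5s} "
                  f"apps={sorted(d.reachable_apps)} ({d.reason})")
```

The point to notice is in the two results: the perimeter rule admits the unauthenticated on-premise session to all three applications, including `payroll`, because it shares a host address with `wiki`; the zero-trust rule denies it outright, while admitting the verified remote user to exactly the one application she is entitled to, regardless of where she connects from.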
Cloud Based ZTNA
Ariel Technology has partnered with Netskope to provide Netskope Private Access, a cloud-based Zero Trust Network Access (ZTNA) solution that helps SOC teams protect corporate applications in hybrid IT environments.
Appliance Based ZTNA
For appliance-based ZTNA, Ariel Technology provides the FortiGate next-generation firewall with the FortiClient ZTNA agent, enabling more secure access and a better experience for your remote users, whether on or off the network.
References
https://www.catonetworks.com/sase/zero-trust-network-access-capabilities-of-sase/
https://www.netskope.com/products/capabilities/zero-trust-network-access
https://www.fortinet.com/solutions/enterprise-midsize-business/network-access