ZTNA - The tech behind the buzzword
Zero Trust 14-Sep-2022 13:29:55 Max Harper 6 min read
Is it really 'Zero Trust'?
In my opinion, the term 'Zero Trust' gets a bad rep or causes confusion in the industry... but 'Selective Trust' doesn't roll off the tongue as nicely...
Zero trust network access (ZTNA) is a product or service that creates an identity- and context-based, logical access boundary around an application or set of applications.
Let's think of some non-IT examples to help put this into context...
If you have a plumber come round your house to fix the toilet, do they really need access to all of your bedrooms, living room, dining room and garden to perform their job? No.
A Lumberjack needs access to where the chainsaws are stored... but there's also a storage unit full of tools they will never need to use to get their job done. Do they need access to those too? No.
Hopefully this gives you a super basic idea behind the logic of 'Zero Trust'! The goal is to securely connect your users to the applications they need access to, and that's it!
Wave goodbye to remote access VPN
Remote access VPN has long served us well, but the continued increase in remote working has cast a spotlight on the limitations of this ageing technology. This has led organisations to search for a better alternative, one that addresses the challenges of remote access VPN.
Remote access VPN challenges:
- Implicit Trust - Remote access VPN does a good job of getting you through the perimeter and onto the corporate network as if you were physically there, but at that point you're implicitly trusted and given broad access to the resources on that network, which may present unnecessary and enormous security risks.
- Potential Threat Vector - Remote access VPN has no awareness of the state of the device used to connect to the corporate network, creating a potential conduit for threats to enter the network from devices that may have been compromised.
- Inefficient Backhauling - Remote access VPN provides a single point of presence on the network, which will potentially necessitate backhauling of traffic from multiple locations, data centres, or applications through the remote access VPN tunnel.
- Lack of Visibility - Remote access VPN is unaware of the traffic and usage patterns it is facilitating, making visibility into user activity and application usage more challenging.
- User Experience - Remote access VPN clients are notorious for offering a poor user experience, adding latency or negatively impacting performance, suffering from connectivity issues, and generally being a burden on the help desk.
- Administration, Deployment and Enrolment - Remote access VPN clients are difficult to set up and deploy, and enrolling new users and decommissioning departing users is tedious. VPN is also challenging to administer on the firewall or gateway side, especially with multiple nodes, firewall access rules, IP management, and traffic flows and routing. It can quickly become a full-time job.
So, how does ZTNA differ?
As the name implies, ZTNA is founded on the principles of zero trust - or trust nothing, verify everything. Zero trust essentially eliminates the concept of the old castle wall and moat perimeter in favour of making every user, every device, and every networked application their own perimeter and only interconnecting them after validating credentials, verifying device health, and checking access policy. It improves security, segmentation, and control.
Another key difference in how ZTNA works is that users are not just dropped on the network with complete freedom of movement. Instead, individual tunnels are established between the user and the specific gateway for the application they are authorised to access, and nothing more - providing a much more secure level of micro-segmentation.
The added micro-segmentation that ZTNA provides ensures there's no lateral movement of device or user access between resources on the network. Each user, device, and application or resource is literally its own secure perimeter and there's no longer any concept of implicit trust.
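To make the mechanism above concrete, here is an added illustration (not code from Spear Shield or any ZTNA vendor) of the access decision a ZTNA broker makes per application: verify the identity, verify device health, check an explicit policy, and deny anything not explicitly allowed. The users, devices, applications and policy fields are all constructed for the example; the point is that a decision is tied to one application rather than to "being on the network", and that re-running the same evaluation after the device's posture changes yields a denial, which is what continuous verification means in practice.

```python
"""Minimal zero-trust access decision engine (added illustration, not vendor code).

Every request names one application. It is granted only if the identity is
verified, the device is healthy and an explicit policy for that application
allows it. There is no network-wide "you're in" decision, so a grant for one
application says nothing about any other one.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Identity:
    user: str
    groups: FrozenSet[str]
    mfa_verified: bool
    auth_age_seconds: int  # seconds since the last interactive authentication


@dataclass(frozen=True)
class DevicePosture:
    managed: bool         # enrolled in the organisation's device management
    disk_encrypted: bool
    edr_healthy: bool     # endpoint protection running and reporting
    os_patched: bool


@dataclass(frozen=True)
class AppPolicy:
    app: str
    allowed_groups: FrozenSet[str]
    require_managed_device: bool = True
    require_mfa: bool = True
    max_auth_age_seconds: int = 8 * 3600  # force re-authentication after this


@dataclass(frozen=True)
class Decision:
    allowed: bool
    app: str
    reasons: Tuple[str, ...]  # empty when allowed; otherwise why it was denied


def posture_failures(device: DevicePosture, policy: AppPolicy) -> List[str]:
    """Return the list of device-health checks that fail for this policy."""
    failures = []
    if policy.require_managed_device and not device.managed:
        failures.append("device not managed")
    if not device.disk_encrypted:
        failures.append("disk not encrypted")
    if not device.edr_healthy:
        failures.append("endpoint protection unhealthy")
    if not device.os_patched:
        failures.append("OS missing patches")
    return failures


def evaluate(identity: Identity, device: DevicePosture, app: str, policies: dict) -> Decision:
    """Decide whether this identity on this device may reach this one application."""
    policy = policies.get(app)
    if policy is None:
        # Default deny: an application without a policy is simply unreachable.
        return Decision(False, app, ("no policy for application",))
    reasons = []
    if not identity.groups & policy.allowed_groups:
        reasons.append("user not in an allowed group")
    if policy.require_mfa and not identity.mfa_verified:
        reasons.append("MFA not verified")
    if identity.auth_age_seconds > policy.max_auth_age_seconds:
        reasons.append("authentication too old, re-authenticate")
    reasons.extend(posture_failures(device, policy))
    # Every reason must be cleared; there is no partial or "network-level" grant.
    return Decision(not reasons, app, tuple(reasons))


# Constructed sample data for the illustration (hypothetical users and apps).
POLICIES = {
    "payroll": AppPolicy("payroll", frozenset({"finance"})),
    "wiki": AppPolicy("wiki", frozenset({"staff", "finance"}), require_managed_device=False),
}
ALICE = Identity("alice", frozenset({"finance", "staff"}), mfa_verified=True, auth_age_seconds=600)
BOB = Identity("bob", frozenset({"staff"}), mfa_verified=True, auth_age_seconds=600)
HEALTHY = DevicePosture(managed=True, disk_encrypted=True, edr_healthy=True, os_patched=True)


if __name__ == "__main__":
    for who in (ALICE, BOB):
        for app in ("payroll", "wiki", "hr-database"):
            d = evaluate(who, HEALTHY, app, POLICIES)
            print(f"{who.user:6} -> {app:12} {'ALLOW' if d.allowed else 'DENY'} {d.reasons}")
```

Because the evaluation is stateless, a broker can re-run it whenever the identity provider or endpoint agent reports a change (say, endpoint protection stops reporting) and tear down only the tunnel whose decision flipped, which is the behaviour the micro-segmentation paragraph describes.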
How about the UX?
ZTNA is inherently more dynamic and transparent by nature, working in the background without requiring interaction from the user beyond the initial identity validation. This experience can be so smooth and frictionless that users won't even realise they are connecting to applications via secure encrypted tunnels.
Where does ZTNA take the 'dub'?
- Working from home: ZTNA solutions make managing remote access for staff working from home much easier. They make deployment and enrolment easier and more flexible, turning what may have been a full-time job with VPN into something much less resource intensive. It's also more transparent and simpler for your staff working remotely.
- Application micro-segmentation: ZTNA solutions provide much better application security with micro-segmentation, the integration of device health into access policies, continuous authentication verification and, simply, the elimination of implicit trust and the lateral movement that comes along with VPN.
- Stopping ransomware: ZTNA solutions eliminate a common vector of attack for ransomware and other network infiltration attacks. Since ZTNA users are no longer 'on the network', threats that might otherwise get a foothold through VPN have nowhere to go with ZTNA.
- On-board new applications and users quickly: ZTNA enables better security and more agility in quickly changing environments with users coming and going. Set up new applications quickly and securely, easily enrol or decommission users and devices, and get insights into application status and usage.
There are a couple of options available out there. What should I be looking for?
Whilst considering the obvious checklist of supported platforms for clients, gateways, and identity providers, be sure to consider these important capabilities when comparing ZTNA solutions from different vendors.
Cloud-delivered, cloud-managed
Cloud management offers tremendous benefits, from being able to be up and running instantly, to reduced management infrastructure, to easier deployment and enrolment, to enabling access from anywhere. One of the key advantages of cloud management is being able to log in and begin instantly, without adding additional management servers or infrastructure. Cloud management also offers instant secure access from anywhere on any device, supporting the way you want to work. It also makes it easy to enrol new users wherever they happen to be in the world.
Integration with your other cybersecurity solutions
While most ZTNA solutions can work perfectly fine as standalone products, there are significant benefits from having a solution that is tightly integrated with your other cybersecurity products, such as your firewall and endpoints. A common, integrated cloud management console can be a force multiplier for you or your team. Using another buzzword the industry loves, 'a single pane of glass', to manage all your IT security, including ZTNA, in one place can reduce training time and day-to-day management overhead. It can also provide unique insights across your various IT security products, especially if they share telemetry, dramatically bolstering security and offering a real-time response when a compromised device or threat gets on the network. They can work together to instantly respond to the presence of an attack or threat and stop it from moving laterally, spreading, or stealing data.
User and management experience
Ensure the solution you are considering offers an excellent end-user experience and makes administration and management easy. These days, with more users working remotely from all over the world, enrolment and efficient device setup are critical to get new users productive as quickly as possible. Be sure to pay attention to how the ZTNA agent is deployed and how easy it is to add new users to policies. Also ensure the solution you're investing in offers a smooth, frictionless experience for end users and provides the visibility you would expect, like real-time insight into application activity that will help you be proactive in identifying peak load, capacity, licence usage, and even application issues.
Interested to learn more or have any Q's?
You can arrange a 30 minute remote demo with a member of the team today at www.spearshield.co.uk/contact or contact the team on 01473 948980.
ZTNA - 'Save time + increase visibility + protection + response.'
About Spear Shield
Phish fighting, threat hunting, cyber risk mitigation experts.
Based in Ipswich, Suffolk. Spear Shield are a team of cybersecurity risk and mitigation experts who align their award-winning solutions and services to help businesses solve their cybersecurity challenges.
Max Harper
As CEO and Co-Founder, Max is dedicated to Spear Shield's mission of creating one of the most cyber secure client communities across Suffolk, East Anglia, and the UK. By working closely with business leaders and IT Teams, Max's approach is to understand core business drivers, challenge the conventional approaches to cybersecurity strategies and enable our customers to articulate risk and exceed their cybersecurity needs.