Framing ZTNA and Security Parameters: Risks, Tenets and Best Practices


The Growing Need for Zero Trust Network Access

As we set the stage for wider adoption of Zero Trust Remote Access methodology and solutions, it’s worth a quick look back at the traditional mindset.

Traditional perimeters were created on the assumption that every device and user inside the network or security perimeter could be trusted (within the boundaries of internal access controls) and therefore allowed to reach related resources. Emphasis was placed on preventing access from external devices and users, save for the use of VPNs.

Unfortunately, as has been proven in too many breach incidents to count, this practice of entrusting user access to network defenses alone can lead to exploits via numerous methods, including password theft, account hijacking, and individuals taking advantage of overly-permissive access privileges. 

Roll the clock forward to the last decade: increased adoption of cloud applications and mobile technologies, underlined by the massive growth of the remote workforce, has blurred and obscured perimeters in general, while external attacks and insider threats have intensified further.

The prolific adoption of all things cloud (IaaS, PaaS, and SaaS) continues to drive massive fragmentation in security strategies and tooling used to address these challenges, with many practitioners scrambling to find scalable solutions that maintain business continuity while enabling adequate protection.

ZTNA – Better addressing internal and external security requirements

So how can organizations curb this tide of rising threat vectors across increasingly distributed users, devices, networks, and applications? One common thread that can be controlled across these vectors is securing the “access”. Evaluating every link, user, or host before being granted access goes a long way in securing enterprise access from any location. And this is where the concepts of Zero-Trust Access and Zero-Trust Network Access (ZTNA) have emerged as leading alternatives.

For its part, industry analyst firm Gartner defines ZTNA as: “a product or service that creates an identity- and context-based, logical access boundary around an application or set of applications. The applications are hidden from discovery, and access is restricted via a trusted broker to a set of named entities. The broker verifies the identity, context, and policy adherence of the specified participants before allowing access and prohibits lateral movement elsewhere in the network. This removes application assets from public visibility and significantly reduces the surface area for attack.”

When considering options beyond the perimeter model, it is important to have a firm understanding of what can be trusted. Implementing a ZTNA security approach allows employees and external partners or third-party contractors to securely access an organization’s internal applications and collaborate, irrespective of the device they use (managed or unmanaged) or the location they are connecting from.

ZTNA also typically employs micro-segmentation, which shields an organization’s private applications within software-defined perimeters and grants “least privilege” access to authorized users, thereby eliminating the risk of lateral movement associated with full network access.

Translating Zero Trust Network Access into Practice

So now let’s talk about the practical application of ZTNA.

The core principles of ZTNA operate on preventative techniques meant to thwart breaches, minimize lateral movement, and reduce the overall attack surface.

Moving from network-level access to application-level access

First, ZTNA establishes a control surface (with micro-segmentation and application cloaking) where all sensitive resources and access paths stay hidden until an access request has been authenticated, authorized, and verified to comply with all existing, relevant security policies.

Decoupling users from their devices

Next, ZTNA creates adaptive, identity- and context-aware access policies, enforcing separate user-centric and device-centric controls for enabling access to specific applications.

Eliminating threat of data discovery on public internet

Now, with ZTNA in place, enterprises no longer need to open inbound firewall ports to enable external connections; this creates a virtual darknet with full application cloaking, preventing the discovery of applications on the public Internet.

Securing legacy applications

Importantly, the centralized monitoring capabilities typically enlisted by ZTNA provide deep visibility into legacy applications, detecting unusual user activity and preventing threats. Integration with multi-factor authentication and identity solutions supplements the authentication control checks, ensuring every access is authorized and secured.

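As an added illustration (not CipherCloud's code or any product's implementation), the following Python sketch shows how the four tenets above combine in a broker-style policy check: decisions are made per application rather than per network, user-centric and device-centric controls are evaluated separately, MFA is required where policy says so, and anything without a policy is denied without revealing whether it exists. Application names, groups and the device posture scale are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample policies. The broker decides per application, never per
# network segment, so entitlement to one app grants nothing elsewhere.
APP_POLICIES = {
    "payroll": {"groups": {"finance"}, "min_device": "managed", "mfa": True},
    "wiki": {"groups": {"staff", "contractor"}, "min_device": "unmanaged", "mfa": False},
}
# Device posture scale as reported by a device/identity provider (assumed).
DEVICE_RANK = {"unknown": 0, "unmanaged": 1, "managed": 2}

@dataclass
class AccessRequest:
    user: str
    groups: set[str]
    mfa_verified: bool
    device_posture: str
    app: str

def broker_decision(req: AccessRequest) -> tuple[bool, str]:
    """Return (allowed, reason). Default is deny: an app with no policy is not
    discoverable, so the request is refused without confirming it exists."""
    policy = APP_POLICIES.get(req.app)
    if policy is None:
        return False, "no policy for requested application"
    # User-centric control: group entitlement and MFA, scoped to this app only.
    if not req.groups & policy["groups"]:
        return False, "user not entitled to application"
    if policy["mfa"] and not req.mfa_verified:
        return False, "mfa required"
    # Device-centric control, evaluated separately from the user's identity.
    if DEVICE_RANK.get(req.device_posture, 0) < DEVICE_RANK[policy["min_device"]]:
        return False, "device posture below required level"
    return True, "allowed"

def audit_line(req: AccessRequest) -> str:
    """Format the decision as a log line for the centralized monitoring feed."""
    allowed, reason = broker_decision(req)
    verdict = "ALLOW" if allowed else "DENY"
    return f"{verdict} user={req.user} app={req.app} device={req.device_posture} reason={reason}"

if __name__ == "__main__":
    # Constructed requests: same user on two devices, a contractor, an unknown app.
    print(audit_line(AccessRequest("alice", {"finance"}, True, "managed", "payroll")))
    print(audit_line(AccessRequest("alice", {"finance"}, True, "unmanaged", "payroll")))
    print(audit_line(AccessRequest("bob", {"contractor"}, False, "unmanaged", "wiki")))
    print(audit_line(AccessRequest("bob", {"contractor"}, True, "managed", "hr-db")))
```

Every DENY line carries the reason, so the monitoring feed can distinguish a user who lacks entitlement from a trusted user on an untrusted device.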
ZTNA Best Practices

There are currently a lot of varied approaches to ZTNA being advanced among practitioners and solution providers. However, the first step in building the ideal security approach is for organizations to fully review and understand their multi-cloud environment, private applications, users, and device ecosystem.

Thereafter, gaining detailed visibility into current usage and user behavioral patterns, along with the business practices they support, helps security practitioners immensely in understanding the diverse risks and requirements, and in correctly enforcing contextual policies in real time.

It is also important to understand that there is no such thing as an all-in-one ZTNA solution. Building an integrated security approach requires an architecture that accounts for the network, data, identity, context, and incidents. This is also a key step towards embracing another new model that Gartner has developed that combines networking and security services, including CASB and ZTNA into an overarching framework called “Secure Access Service Edge,” or SASE (pronounced “sassy”). 

To that end, CipherCloud delivers a market-leading approach to integrated CASB, ZTNA, and Data Loss Prevention, addressing a critical scope of customer requirements across these emerging models that span access, discovery, monitoring, data protection, policy enforcement and compliance.

For more information, check out our ZTNA datasheet or review our best practices webinar: Did you say ZTNA? How to: Securing Cloud Access and Remote Collaboration.


© Copyrights 2020 CipherCloud.com. All rights reserved.