Understanding Zero Trust Security (ZTA) And Zero Trust Network Access (ZTNA)
What is ZTNA, and do I really need it?
ZTNA (Zero Trust Network Access) is a subset of ZTA (Zero Trust Security) where the guiding principle can be simplified into an easy mantra - never believe that anyone or anything on your network is who they say they are. This philosophy is meant to guide your approach to network security and infrastructure.
There used to be implicit trust based on location - in other words, you could stroll into the office and successfully connect to the corporate network and go on with your day. Not so long ago, network security consisted primarily of firewalls and web gateways, protecting your network from outside threats - kind of like a castle with a moat.
(Potential graphic here – castle w/a moat, “good” People near the castle, “bad” people on the other side of the moat.)
Now, the world looks a lot different - remote/hybrid work is the new norm, with 9 out of 10 employees preferring to work at home at least some of the time, and 77% of all American employers offering at least some kind of hybrid/remote option.
With connections coming from everywhere, traditional perimeter security is no longer enough. Now, employees are joining their home network in a house with a teenager who is simultaneously scouring the web for movie downloads – and just like that, there’s a keylogger installed that is recording every password they type. Operating systems go without critical security updates, antivirus definitions are out of date, and firewalls get disabled. Maybe you have a system that generates a new, extremely secure password every week. In that scenario, most of us end up writing that down on a post-it note which then gets stuck on a monitor in full view of the world. Or, perhaps more likely, that password is saved in Chrome or Safari, which then synchronizes across multiple devices including the phone that connects to public Wi-Fi in a coffee shop, grocery store, or on your city bus.
Not only do you now have to worry about WHERE connections are coming from, but also WHAT is connecting. It’s not just a single user and their machine anymore - it’s a user, their smartphone, your security cameras, your thermostat, your printer…between IoT (Internet of Things) and BYOD (Bring Your Own Device) sometimes it feels like your network is wide open for the taking.
Looking at all the various devices that need to access your network and connect back out to the internet…it is easy to see why Zero Trust is so important.
The Purpose of Zero Trust Security
Obviously, the purpose of any security policy is to keep your assets safe. The core tenets of Zero Trust can be understood as follows:
- Verify all aspects of identity - Credentials are not enough. You should be verifying that the device is authorized, along with additional attributes like location, presence of firewalls/antivirus software, up-to-date security patches, and compliance with internal risk policies.
- Reduce lateral movement in the network - If someone gets access to one resource (say, a printer), they should not be able to move on to your domain controller or your web server at will and with impunity.
- Access should be least-privileged - The minimum level of privilege someone needs to do their job should be granted. 81% of data breaches are related to compromised credentials, so even if your employees are entirely trustworthy, it can spell disaster if they can do more than they need to when a password gets cracked.
- Access is given on a per-session basis - You don’t just log in once and stay connected forever. Authorization should be continually evaluated and have a time limit that is long enough for work to be completed, but not indefinite.
- Security is constantly evaluated - There is no “set it and forget it” with Zero Trust Security. You must constantly monitor your assets and network infrastructure to look for ways to improve your security posture.
- (Zero trust security diagram here – could maybe be a network surrounded by the points listed above)
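To make the tenets above concrete, here is an added example (not code from the original article) of a toy policy decision point. It checks more than the credential (MFA, a managed-device binding, device posture), decides least privilege per resource, hands out a time-limited per-session grant, and re-evaluates a live session against the clock and the current posture. Every user, device, role and threshold in it is constructed sample data, and the 30-day patch window and 8-hour session lifetime are assumed policy values, not figures from the article.

```python
"""Toy Zero Trust policy decision point (added example, constructed data)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed inventory of managed devices (think: enrolled via SCEP) -> issued-to user.
MANAGED_DEVICES = {"LAPTOP-42": "alice", "LAPTOP-77": "bob"}
# Constructed least-privilege map: the roles each resource admits.
RESOURCE_ROLES = {
    "printer": {"staff", "finance", "admin"},
    "finance-share": {"finance"},
    "domain-controller": {"admin"},
}
USER_ROLES = {"alice": {"staff", "finance"}, "bob": {"staff"}}
MAX_PATCH_AGE = timedelta(days=30)  # assumed policy: older patch level fails posture
SESSION_TTL = timedelta(hours=8)    # assumed policy: a workday, not "forever"

@dataclass
class Posture:
    antivirus_on: bool
    firewall_on: bool
    last_patch: datetime

@dataclass
class AccessRequest:
    user: str
    mfa_passed: bool
    device_id: str
    posture: Posture
    resource: str

@dataclass
class Decision:
    allowed: bool
    reasons: List[str]
    expires_at: Optional[datetime] = None

def posture_failures(p: Posture, now: datetime) -> List[str]:
    """Device-health checks: the attributes a NAC would collect."""
    failures = []
    if not p.antivirus_on:
        failures.append("antivirus disabled")
    if not p.firewall_on:
        failures.append("firewall disabled")
    if now - p.last_patch > MAX_PATCH_AGE:
        failures.append("patches out of date")
    return failures

def evaluate_request(req: AccessRequest, now: datetime) -> Decision:
    """Initial decision for one resource; every failed check is reported."""
    reasons = []
    # Verify all aspects of identity: MFA, device binding, device posture.
    if not req.mfa_passed:
        reasons.append("MFA not satisfied")
    if MANAGED_DEVICES.get(req.device_id) != req.user:
        reasons.append("device not managed or not bound to this user")
    reasons += posture_failures(req.posture, now)
    # Least privilege, decided per resource: a printer grant says nothing
    # about the domain controller, which is what limits lateral movement.
    if not USER_ROLES.get(req.user, set()) & RESOURCE_ROLES.get(req.resource, set()):
        reasons.append(f"role not permitted for {req.resource}")
    if reasons:
        return Decision(False, reasons)
    # Per-session grant with a hard expiry.
    return Decision(True, [], expires_at=now + SESSION_TTL)

def session_still_valid(grant: Decision, req: AccessRequest, now: datetime) -> Decision:
    """Continuous evaluation: re-check the clock and the current posture."""
    if not grant.allowed:
        return grant
    if now >= grant.expires_at:
        return Decision(False, ["session expired; re-authenticate"])
    failures = posture_failures(req.posture, now)
    if failures:
        return Decision(False, ["posture changed mid-session: " + ", ".join(failures)])
    return grant

def demo() -> dict:
    """Runs the scenarios behind the tenets on constructed data."""
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    healthy = Posture(True, True, now - timedelta(days=3))
    degraded = Posture(True, False, now - timedelta(days=90))  # firewall off, unpatched
    alice_finance = AccessRequest("alice", True, "LAPTOP-42", healthy, "finance-share")
    grant = evaluate_request(alice_finance, now)
    return {
        "alice_finance": grant,
        "bob_finance": evaluate_request(
            AccessRequest("bob", True, "LAPTOP-77", healthy, "finance-share"), now),
        "unmanaged_device": evaluate_request(
            AccessRequest("alice", True, "LAPTOP-99", healthy, "printer"), now),
        "after_ttl": session_still_valid(grant, alice_finance, now + timedelta(hours=9)),
        "posture_changed": session_still_valid(
            grant, AccessRequest("alice", True, "LAPTOP-42", degraded, "finance-share"),
            now + timedelta(hours=1)),
    }
```

Calling `demo()` shows the shape of the model: Alice on her managed laptop gets a grant that expires eight hours later, Bob is refused the finance share despite a perfectly healthy device, an unenrolled laptop is refused even for the printer, and Alice's own grant is revoked mid-session the moment her firewall goes off.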
Zero Trust Security vs. VPN
Once upon a time, having a corporate VPN was the linchpin of network security. If we go back to our castle metaphor, the VPN was like the moat around the castle - once you authenticated successfully, the drawbridge was lowered, and you had access to everything you needed. Now that we know we can’t count on the perimeter to keep us safe, a VPN is no longer enough. Zero Trust Network Access replaces the need for a VPN by granting access to a resource only to authorized users that can authenticate specifically for that resource.
What are the benefits of Zero Trust Security?
The obvious answer is “prevent a data breach,” but that’s not quite accurate. Zero Trust assumes that you will be breached, because every incoming connection is a bad actor until it's proven not to be. Thus, the real benefit of Zero Trust is minimizing the damage caused when the inevitable breach happens.
How is Zero Trust Security implemented?
There are a few ways to move your organization to a Zero Trust Security model overall. The best place to start is with Zero Trust Network Access – making sure your network is secure is critical to preventing data breaches. Here are some common ways to achieve ZTNA:
- Certificate-based authentication – As the recent Cisco hack shows us, having a VPN and MFA (Multi-factor authentication) is just not enough on its own anymore. Certificate-based authentication helps you ensure that only trusted, managed devices can connect to your network. Managing certificate enrollment used to be a huge headache, but with SCEP (Simple Certificate Enrollment Protocol) getting your devices enrolled is, well, simple.
- NAC - Using a NAC (Network Access Control) solution is an excellent way to implement Zero Trust Network Access. A NAC can help you set up risk policies and automate remediation for things like antivirus software not present, firewalls disabled, and malicious software installed. It can also identify all the devices that are connecting to your network, from a smartphone to a security camera.
- Microsegmentation - Microsegmentation is an excellent way to help prevent lateral movement. You break your security perimeter into smaller zones that maintain their own security and access requirements (for example, you need special authentication to get into the files from the Finance or HR departments).
(maybe a diagram here, showing a NAC in front of a micro-segmented network and a user device with a certificate connecting in)
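The microsegmentation point above is easiest to see as a policy table. The following added example (not code from the original article) models zones as IP prefixes and judges each flow as (source zone, destination zone, destination port) against an allow-list, with everything else denied by default; the Finance share is the article's "special authentication" case, expressed as a step-up condition the session must already have satisfied. It also counts denied flows per source zone, which is the kind of signal a NAC or SIEM would alert on. All addresses, zone names, ports and rules are constructed.

```python
"""Microsegmentation policy check (added example, constructed zones and rules)."""
import ipaddress
from typing import FrozenSet, Optional, Tuple

# Constructed zones: each is a list of IP prefixes.
ZONES = {
    "users":    [ipaddress.ip_network("10.10.0.0/16")],
    "printers": [ipaddress.ip_network("10.20.0.0/24")],
    "finance":  [ipaddress.ip_network("10.30.0.0/24")],
    "servers":  [ipaddress.ip_network("10.40.0.0/24")],
    "iot":      [ipaddress.ip_network("10.50.0.0/24")],
}

# (src zone, dst zone, dst port) -> extra condition the session must satisfy,
# or None for none. Flows absent from this table are denied by default.
ALLOW_RULES = {
    ("users", "printers", 631): None,              # IPP printing
    ("users", "servers", 443): None,               # intranet web apps
    ("users", "finance", 445): "finance_step_up",  # finance file share: step-up auth
    ("iot", "servers", 443): None,                 # cameras upload to a recorder
}
_NO_RULE = object()  # sentinel: no entry at all, distinct from "entry with no condition"

def zone_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for name, prefixes in ZONES.items():
        if any(addr in p for p in prefixes):
            return name
    return None  # unknown address: treated as untrusted

def evaluate_flow(src_ip: str, dst_ip: str, dst_port: int,
                  satisfied: FrozenSet[str] = frozenset()) -> Tuple[bool, str]:
    """Decide one flow. `satisfied` holds conditions already proven for this
    session, e.g. a step-up authentication the user just completed."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False, "address outside every known zone"
    rule = ALLOW_RULES.get((src, dst, dst_port), _NO_RULE)
    if rule is _NO_RULE:
        return False, f"no rule for {src}->{dst}:{dst_port} (default deny)"
    if rule is not None and rule not in satisfied:
        return False, f"{src}->{dst}:{dst_port} requires {rule}"
    return True, f"{src}->{dst}:{dst_port} allowed"

def denied_by_source(flows) -> dict:
    """Detection angle: denied flows per source zone. A burst from one zone is
    the pattern of a compromised device looking for somewhere else to go."""
    counts = {}
    for src_ip, dst_ip, port in flows:
        allowed, _ = evaluate_flow(src_ip, dst_ip, port)
        if not allowed:
            zone = zone_of(src_ip) or "unknown"
            counts[zone] = counts.get(zone, 0) + 1
    return counts

def demo() -> dict:
    """Constructed flows: normal work plus a printer that should go nowhere."""
    return {
        "print_job": evaluate_flow("10.10.4.7", "10.20.0.9", 631),
        "printer_to_dc": evaluate_flow("10.20.0.9", "10.40.0.5", 389),
        "finance_no_stepup": evaluate_flow("10.10.4.7", "10.30.0.12", 445),
        "finance_stepup": evaluate_flow("10.10.4.7", "10.30.0.12", 445,
                                        frozenset({"finance_step_up"})),
        "iot_to_user_ssh": evaluate_flow("10.50.0.3", "10.10.4.7", 22),
        # constructed log of four flows: three denied ones all from the same printer
        "probe_counts": denied_by_source([
            ("10.20.0.9", "10.40.0.5", 389), ("10.20.0.9", "10.40.0.5", 445),
            ("10.20.0.9", "10.30.0.12", 445), ("10.10.4.7", "10.20.0.9", 631)]),
    }
```

The design choice worth noting is the default: a missing rule is a denial, not an allowance. That is what turns a compromised printer into a dead end rather than a springboard, and it is also why the denied-flow counter is useful, since a device that is behaving will rarely trip it.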
What Are Best Practices for Implementing a Zero Trust Security Solution?
- User Experience - An important best practice is to keep in mind the user experience. A security policy that prevents users from doing the work they need to do will be frustrating and, even worse, might incentivize them to try to circumvent it.
- Automation - Another best practice is to automate whatever you can. Zero Trust is a lot to think about, and just about every IT department has a lot on their plate. Solutions like a NAC that can automate remediating policy violations and generate compliance reports can go a long way toward reducing the workload of your already remarkably busy IT staff.
- Cloud-based – Zero Trust tools need to scale and innovate as new threats are exposed. A cloud-based vendor can scale and deliver new features with a minimum of setup and maintenance for your IT department.
With the average data breach estimated to cost over $4 million, Zero Trust Security and Zero Trust Network Access can provide more than just peace of mind – implementing these models and solutions can deliver huge cost savings as well.