What is ZTNA, and do I really need it?

ZTNA (Zero Trust Network Access) is a subset of ZTA (Zero Trust Security) where the guiding principle can be simplified into an easy mantra - never believe that anyone or anything on your network is who they say they are. This philosophy is meant to guide your approach to network security and infrastructure.

There used to be implicit trust based on location - in other words, you could stroll into the office and successfully connect to the corporate network and go on with your day. Not so long ago, network security consisted primarily of firewalls and web gateways, protecting your network from outside threats - kind of like a castle with a moat.

(Potential graphic here – castle w/a moat, “good” People near the castle, “bad” people on the other side of the moat.)

Now, the world looks a lot different - remote/hybrid work is the new norm, with 9 out of 10 employees preferring to work at home at least some of the time, and 77% of all American employers offering at least some kind of hybrid/remote option.

With connections coming from everywhere, traditional perimeter security is no longer enough. Now, employees are joining their home network in a house with a teenager who is simultaneously scouring the web for movie downloads – and just like that, there’s a key logger installed that is recording every password they type. Operating systems go without critical security updates, antivirus definitions are out of date, and firewalls get disabled. Maybe you have a system that generates a new, extremely secure password every week. In that scenario, most of us end up writing that down on a post-it note which then gets stuck on a monitor in full view of the world. Or, perhaps more likely...that password is saved in Chrome or Safari, which then synchronizes across multiple devices including the phone that connects to public Wi-Fi in a coffee shop, grocery store, or on your city bus.

Not only do you now have to worry about WHERE connections are coming from, but WHAT is connecting? It’s not just a single user and their machine anymore - it’s a user, their smartphone, your security cameras, your thermostat, your printer…between IoT (Internet of Things) and BYOD (Bring Your Own Device) sometimes it feels like your network is wide open for the taking.

Looking at all the various devices that need to access your network and connect back out to the internet…it is easy to see why Zero Trust is so important.

The Purpose of Zero Trust Security

Obviously, the purpose of any security policy is to keep your assets safe. The core tenants of Zero Trust can be understood as this:

• Verify all aspects of identity - Credentials are not enough. You should be verifying that the device is authorized, along with additional attributes like location, presence of firewalls/antivirus software, up-to-date security patches, and compliance with internal risk policies.
• Reduce lateral movement in the network - If someone gets access to one resource (say, a printer), they should not be able to move on to your domain controller or your web server at will and with impunity.
• Access should be least-privileged - The minimum level of privilege someone needs to do their job should be granted. 81% of data breaches are related to compromised credentials, so even if your employees are entirely trustworthy, it can spell disaster if they can do more than they need to when a password gets cracked.
• Access is given on a per-session basis - You don’t just log in once and stay connected forever. Authorization should be continually evaluated and have a time limit that is long enough for work to be completed, but not indefinite.
• Security is constantly evaluated - There is no “set it and done” with Zero Trust Security. You must constantly monitor your assets and network infrastructure to look for ways to improve your security posture.
• (Zero trust security diagram here – could maybe be a network surrounded by the points listed above)

Zero Trust Security vs. VPN

Once upon a time, having a corporate VPN was the lynchpin of network security. If we go back to our castle metaphor, the VPN was like the moat around the castle - once you authenticated successfully, the drawbridge was lowered, and you had access to everything you needed. Now that we know we can’t count on the permitter to keep us safe, a VPN is no longer enough. Zero Trust Network Access replaces the need for a VPN by granting access to a resource only to authorized users that can authenticate specifically for that resource.