Traditionally, remote access to corporate networks has been provided through Virtual Private Networks (VPNs). The VPN gateway checks the user's login credentials, typically a username and password, and then admits or rejects the connection. The problem lies in what happens after admission. A VPN effectively works on the premise of "default allow": once the credentials check out, the user is placed on the network. That access is typically "flat," meaning the user can reach a broad swath of the network, including data, applications and other resources that have nothing to do with their job.
ZTNA, in contrast, works under a "default deny" policy. It trusts no connection at the outset. It first verifies the user's identity together with the context of the request, such as the posture of the device and its location, and only then grants access, limited to the specific resources for which that user has been explicitly authorized. Each permitted session is then carried over its own encrypted connection.
Under the ZTNA approach there is far less opportunity for "lateral movement," the technique by which an attacker who has compromised one account or host uses that foothold to reach other systems and data on the network. Ideally, a ZTNA solution establishes a separate encrypted tunnel (TLS or IPsec, depending on the product) per user-to-application session rather than one tunnel onto the whole network. That tunnel need not pass through the ZTNA control plane itself: the controller's job is to authorize the connection, while the traffic flows through a gateway or broker, or directly to the application, depending on the architecture. Either way, the component that decides is separate from the path the data takes.
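The contrast between "authenticate once, reach everything" and "default deny, per-resource grants" is easiest to see as a policy evaluation. The following is an added example, not code from the original article or from any ZTNA product: the users, resources, grants and device-posture rules are constructed for illustration, and the `ztna_decision` function stands in for the policy engine. It also shows the point made later on the page that resources without a grant stay invisible to the user.

```python
"""Added example (not from the original article): a minimal default-deny
access decision of the kind a ZTNA policy engine makes, contrasted with the
"authenticate once, reach everything" model of a flat VPN. The users, grants
and posture rules are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    managed: bool        # enrolled in the organisation's device management
    disk_encrypted: bool
    os_patched: bool


@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    device: Device
    country: str         # coarse location signal, e.g. from the client IP


@dataclass(frozen=True)
class Grant:
    resource: str
    require_managed: bool = True
    allowed_countries: frozenset = frozenset()   # empty means no restriction


# Constructed policy store: a user can only reach resources listed here.
POLICY = {
    "alice": (Grant("hr-portal"),
              Grant("payroll-db", allowed_countries=frozenset({"US"}))),
    "bob":   (Grant("wiki", require_managed=False),),
}

# Every resource the environment hosts; used to show what each user can "see".
ALL_RESOURCES = ("hr-portal", "payroll-db", "wiki", "build-server")


def vpn_decision(credentials_ok: bool) -> tuple:
    """Flat VPN model: a valid login yields the whole network."""
    return ALL_RESOURCES if credentials_ok else ()


def ztna_decision(req: Request) -> tuple:
    """Default deny: returns (allowed, reason). Every check must pass explicitly."""
    grant = next((g for g in POLICY.get(req.user, ()) if g.resource == req.resource), None)
    if grant is None:
        return False, "no grant for this resource"
    if grant.require_managed and not req.device.managed:
        return False, "unmanaged device"
    if not (req.device.disk_encrypted and req.device.os_patched):
        return False, "device posture failed"
    if grant.allowed_countries and req.country not in grant.allowed_countries:
        return False, "location not permitted for this resource"
    return True, "allowed"


def visible_resources(user: str, device: Device, country: str) -> tuple:
    """Resources this user can reach right now; everything else stays dark."""
    return tuple(r for r in ALL_RESOURCES
                 if ztna_decision(Request(user, r, device, country))[0])


if __name__ == "__main__":
    laptop = Device(managed=True, disk_encrypted=True, os_patched=True)
    print("VPN:  ", vpn_decision(True))
    print("ZTNA: ", visible_resources("alice", laptop, "DE"))
```

Note that the decision is re-evaluated per request with the current device and location, so a grant that is valid from a managed laptop in the office is not automatically valid from the same account on an unmanaged device abroad; that per-session context is what a static VPN login cannot express.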
The work-from-home (WFH) trend has also increased interest in ZTNA. Both the challenges of remote access and the migration of applications to the cloud call for stronger protections. Security aside, VPNs scale poorly for large-scale remote access: the concentrator, and the traffic backhauled through it, become a bottleneck when a large at-home workforce connects at once.
With a high proportion of employees logging onto the corporate network from home, ZTNA is the stronger approach. Under ZTNA, any asset to which access has not been granted remains invisible to the user: it cannot be discovered, let alone reached. The effect is as if each user had a personal VPN, scoped at that moment to the specific application or data they need. ZTNA also enforces the same per-user access rights on cloud-hosted applications.
While it feels new to many, the concept behind Zero Trust is not new at all. "Default deny" has been the original best practice for firewall rulebases for well over 20 years, and Forrester coined the term "Zero Trust" in 2010. It is easy to see why the idea is resurging now. Today's business models and the evolving threat landscape make broad Zero Trust approaches more important, because hybrid networks and work-from-home access have multiplied the points at which the network can be entered. The attack surface is bigger than it has ever been, which makes Zero Trust network access essential.
ZTNA is one of the core elements of SASE, which is rapidly becoming the predominant network and security paradigm. Providing a way for people to securely connect virtually any device from any location, SASE solutions combine these capabilities into one cloud-based platform:
SASE operates at the network "edge," but in truth that edge is now everywhere: at home, on the road, on premises, in offices and beyond. Every user is effectively a network edge today. Hence the natural alignment between ZTNA and SASE: remote users need fine-grained access controls, and ZTNA is the most complete realization of that objective.
While ZTNA is not intrinsic to the SD-WAN vision, it naturally complements SD-WAN, just as SD-WAN complements SASE. SD-WAN edge devices could serve as access and policy-enforcement points for ZTNA, or the SD-WAN could be the mechanism that manages the connections from users to services.
Putting a ZTNA solution into operation can be challenging, but it lends itself to incremental deployment; there is no need for a "rip and replace." The best practice is to identify a subset of users who can be migrated to ZTNA from the existing VPN. Alternatively, ZTNA can take the place of a planned VPN upgrade. IT staff, who are comfortable with new tooling and can report problems precisely, are often eager volunteers for this pilot.
Working with this pilot group, the IT team identifies which systems and assets on the corporate network each user actually needs. That information typically resides in the enterprise directory, and more often than not the exercise reveals that the directory needs a cleanup: users still hold legacy access rights from a previous role, and some rights were granted globally that should never have been. Both run counter to Zero Trust principles, so tightening them is a useful side benefit of implementing ZTNA.
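The two findings this cleanup typically produces, entitlements left over from a previous role and resource grants made to everyone, can be found mechanically from a directory export. The following is an added example, not code from the original article or from any directory product: the role-to-group model, the user records and the resource ACLs are constructed for illustration, and a real export (for example from an LDAP query) would be parsed into the same shapes before running the checks.

```python
"""Added example (not from the original article): audit a constructed
directory export for (a) group memberships a user no longer needs for their
current role and (b) resource grants to global groups. All data is made up."""

# Which groups each role is expected to hold (constructed role model).
ROLE_GROUPS = {
    "finance-analyst": {"finance-ro", "erp-users"},
    "sysadmin":        {"server-admins", "erp-users"},
    "support":         {"ticketing"},
}

# Constructed directory export: current role plus actual group memberships.
USERS = [
    {"name": "alice", "role": "finance-analyst", "groups": {"finance-ro", "erp-users"}},
    {"name": "bob",   "role": "support",         "groups": {"ticketing", "server-admins"}},  # moved from sysadmin
    {"name": "carol", "role": "sysadmin",        "groups": {"server-admins", "erp-users", "finance-ro"}},
]

# Constructed resource ACLs: which groups may reach each resource.
RESOURCE_ACLS = {
    "payroll-share": {"finance-ro", "Domain Users"},
    "ticketing":     {"ticketing"},
}

# Groups that amount to "everyone" and therefore violate default deny.
GLOBAL_GROUPS = {"Domain Users", "Everyone", "Authenticated Users"}


def stale_entitlements(users, role_groups):
    """(user, group) pairs where the group is not justified by the user's current role."""
    findings = []
    for u in users:
        extra = u["groups"] - role_groups.get(u["role"], set())
        findings.extend((u["name"], g) for g in sorted(extra))
    return findings


def global_grants(acls, global_groups):
    """(resource, group) pairs where a resource is open to a global group."""
    return sorted((res, g) for res, groups in acls.items() for g in groups & global_groups)


def recommended_policy(users, role_groups):
    """Least-privilege result: each user keeps only the groups their role requires."""
    return {u["name"]: sorted(u["groups"] & role_groups.get(u["role"], set())) for u in users}


if __name__ == "__main__":
    for name, group in stale_entitlements(USERS, ROLE_GROUPS):
        print(f"stale: {name} still in {group}")
    for res, group in global_grants(RESOURCE_ACLS, GLOBAL_GROUPS):
        print(f"global grant: {res} open to {group}")
    print(recommended_policy(USERS, ROLE_GROUPS))
```

Running the checks before the pilot migrates gives the ZTNA policy a clean starting point: the per-role group sets become the grants, and anything flagged here is removed rather than carried across into the new system.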
ZTNA is becoming more common in the enterprise. The rising level of security threats, coupled with the work-from-home trend, makes it a natural evolution in network access, and the increasing prevalence of SASE puts ZTNA on the evaluation list of many companies. Deploying ZTNA can be a step-by-step process that works in tandem with tidying up outdated access control policies. Organizations that are not currently evaluating ZTNA should put it on their radar.