What does ZTNA stand for?
Zero Trust Network Access
But what does that actually mean?
We can no longer assume that, just because a device is already connected to the network, it is safe to give it access to everything. Zero Trust Network Access solutions aim to continually verify who and what is using network resources. All endpoint devices are identified and secured, while IT staff get detailed visibility into, and control over, what devices are doing on the network.
What is the driver for ZTNA?
The Security Perimeter has moved from network to the endpoint.
With staff now working from anywhere and the huge proliferation of Internet of Things devices on networks, our operational environments now require users and devices to be continuously verified as they access corporate resources.
To protect these resources it is necessary to implement a zero-trust access approach and keep access privileges to the minimum possible level.
Implementation of a zero-trust access approach includes the use of strong authentication capabilities, ubiquitous and powerful network access control tools, and fine-grained application access policies.
Which devices should ZTNA cover?
- Endpoints - PCs, Macs, tablets, phones
- Cloud resources - virtual machines, databases, containers, Hadoop nodes, etc.
- Identity - Active Directory, LDAP, RADIUS
- Network infrastructure
- Virtual containers
So who does ZTNA help and why?
Any organisation wanting to maximise their security controls and minimise their threat landscape.
What type of actions are required to deploy a ZTNA solution?
From an endpoint perspective a ZTNA solution requires visibility, control, and advanced software protection. As well as securing endpoints, our solution needs to identify and verify users by means of centralised authentication. Available methods for achieving this include single sign-on, certificate management, guest management and multi-factor authentication. With remote access solutions, ZTNA capabilities would include the ability to grant access on a per-session basis to individual applications only after devices and users are authenticated and verified. In fact, a true ZTNA solution could use the same policies for both remote and local network access, making the application of security policies homogeneous regardless of user or device location.
So how does it work?
The zero-trust model moves security away from implied trust that is based on the network location of a user or device. Instead, trust is evaluated on a per-transaction basis.
The zero-trust model requires trust to be explicitly derived from a combination of identity and context-based controls at a very granular level.
Zero trust starts with a default deny posture for everyone and everything.
When a user or device requests access to a resource, their identity must be verified before access is granted. Verification is based not only on the identity of the user or device, but other attributes as well, including context such as date and time, geolocation, and device security posture.
Once access is granted it is continuously evaluated at a very granular level. Access is only given to the resource that is needed to perform a specific function for a limited time — not the entire network. If any attributes of the user or device change, the trust may be revoked and access to the resource removed.
Zero-trust access focuses on knowing and controlling who and what is accessing the network. Role-based access control (RBAC) is a critical component of zero trust access.
Only when the system knows who a user is can the appropriate level of access be granted based on their role.
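To make the default-deny, per-transaction model described above concrete, here is an added illustration (example code written for this page, not any vendor's product): a small policy engine that evaluates each request against verified identity, role, geolocation, device posture and time of day, grants time-limited access to a single resource, and revokes it when an attribute changes or the session expires. The roles, resources, countries, hours and sample date are constructed assumptions.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta

# Constructed policy data (hypothetical, not any vendor's): an RBAC
# role-to-resource map, permitted countries and a 07:00-19:59 access window.
ROLE_RESOURCES = {"finance": {"ledger-db"}, "engineering": {"git", "ci"}}
ALLOWED_COUNTRIES = {"GB", "IE"}
WORK_HOURS = range(7, 20)
DAY = datetime(2024, 5, 1)  # constructed sample date used by callers

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    resource: str
    mfa_verified: bool      # identity explicitly verified (e.g. MFA completed)
    country: str            # geolocation of the session
    device_compliant: bool  # endpoint posture as reported by the client
    when: datetime

def evaluate(req: Request):
    """Per-transaction decision. Default deny: every check must pass."""
    if not req.mfa_verified:
        return False, "identity not verified"
    if req.resource not in ROLE_RESOURCES.get(req.role, set()):
        return False, "resource not permitted for role"
    if req.country not in ALLOWED_COUNTRIES:
        return False, "geolocation outside policy"
    if not req.device_compliant:
        return False, "device posture non-compliant"
    if req.when.hour not in WORK_HOURS:
        return False, "outside permitted hours"
    return True, "granted"

@dataclass
class Session:
    req: Request
    expires: datetime  # access is time-limited, never a standing grant

def grant(req: Request, ttl_minutes: int = 15):
    """Open a session to the one requested resource, for a limited time."""
    ok, _ = evaluate(req)
    return Session(req, req.when + timedelta(minutes=ttl_minutes)) if ok else None

def reevaluate(session: Session, now: datetime, **changed):
    """Continuous evaluation: re-run the policy with current attributes."""
    if now >= session.expires:
        return False, "session expired"
    return evaluate(replace(session.req, when=now, **changed))
```

Note that a grant covers only the single resource requested, so a user in the `finance` role asking for `git` is denied even though their identity and device pass every other check.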
Who is providing ZTNA solutions?
All of the usual suspects in the security vendor space have a ZTNA offering.
These include Fortinet, CrowdStrike, Palo Alto and Cisco.
Bear in mind that a full ZTNA solution requires the following elements, many of which a typical enterprise will not yet have deployed:
- An endpoint client
- Proxy-based internet access
- Security policy and enforcement
What are the challenges in deploying a ZTNA solution?
All of the elements mentioned above will need to be deployed across the organisation. The organisation as a whole will need to be carried along with the deployment, because the balance to be struck between security and usability is critical to the success of the project.
A ZTNA solution will affect every employee throughout an organisation and it will need to work for all of them.