ZTNA: The New Way to Secure Remote Workers and the Cloud

Digital transformation, or DX, is driving enterprises worldwide to adapt their network and security strategies. Two key trends in particular have accelerated due to the pandemic: the adoption of cloud infrastructures, and the growth of a distributed workforce. Together, these trends have forced a restructuring of both networking and security. Now, enterprises need to deploy security services anytime, anywhere, across a diverse set of architectures and endpoints. Further, they need to control and secure the distributed workforce, internal resources and cloud infrastructures.

The traditional network security perimeter is gradually falling apart. However, conventional network security designs based on a physical perimeter are difficult – if not impossible – to translate to the new paradigms. A new model for security is needed, and increasingly enterprises are investigating zero trust.

What is zero trust?

The U.S. National Institute of Standards and Technology (NIST), in its publication, “Zero Trust Architecture*” offers this definition: “Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources… Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned)…”

To expand further, zero trust itself is not a technology or product, but a security concept. The key principle is to eliminate implicit, unverified trust to build a secure business access environment. “Never trust, always verify,” is the essential concept of ​​zero trust. Ultimately, the goal is to grant only the precise amount of authority and access needed, only for trusted and verified users. Zero trust eliminates the need for a physical boundary to differentiate trusted and untrusted users, devices and networks.

Many organizations have conducted trials and development based on zero trust, mostly to address challenges in identity management and access control. Zero Trust Network Access (ZTNA) is an outgrowth of the zero trust concept that has a goal of replacing traditional remote access methods (like VPNs) with more granular controls, greater flexibility and scalability, and higher reliability.

Why zero trust network access?

Traditional VPNs assume that any user authenticated by the enterprise’s perimeter controls, or any device within the corporate network, is automatically trusted. ZTNA utilizes a different methodology: no user or device is trusted to access any resources until its identity is fully verified and authenticated. Even then, access to resources like servers, applications and data is limited to only that which is permitted by the role or other classification of the user or device.

Another reason ZTNA is gaining interest is that a traditional VPN is not easy to scale. VPNs typically require manual configuration for each user and device, and management of constant changes can quickly become a nightmare. ZTNA gives enterprises a more flexible, scalable and automated way to control access and secure resources, no matter the physical location of the user or device.

ZTNA can help protect data everywhere

Hillstone

In terms of cloud adoption, ZTNA ideally applies a user-to-application – not network-centric – approach. This allows authentication based upon the identity as well as the context of users and devices, as well as of requested resources. This abstracts security beyond the traditional network perimeter to encompass the cloud and distributed workforce, allowing far greater scalability.

Another benefit of the user-to-application approach is that it provides a universal view of remote connections. This in turn can help configure consistent and accurate policies that grant tightly defined access only for legitimate users, and only to the applications and resources allowed by their privilege levels and credentials.

Several attributes of users and devices, such as patch level, presence of current antivirus, and password strength, could be checked before authentication and continuously monitored during the session. Only after the user and device meet these requirements will access be granted – and then only to the specific applications and resources allowed.

Security can be enhanced even further with a technology like Single Packet Authorization (SPA). With this method, no services in the data center or SaaS applications are exposed to the public network, which effectively renders them invisible to unauthorized users.

The trends that have accelerated during the pandemic – wider adoption of the cloud as well as explosive growth of the distributed workforce – require a reshaping of networking and security. ZTNA has the potential to extend cybersecurity anywhere and anytime, and to control and secure the remote and local workforce while protecting critical resources.

To learn more about ZTNA, view our white paper.