What is Zero Trust Network Access (ZTNA)

The Background of ZTNA

The intent of Zero Trust Network Access (ZTNA) is to limit the blast radius of a compromised authenticated user once inside the network perimeter. ZTNA is a security approach that applies the principles of Zero Trust: first verify the identity of the user, device or system, then strictly limit access to only the specified technology assets, preventing the authenticated user from reaching assets beyond those required for the task.

Once the user's identity is verified, the user should have only enough access and authority to reach a specific application within the network perimeter and fulfil their task. Traditional IT tools for connecting remote sites, such as Virtual Private Networks (VPNs), operate on the principle of trust: they grant the user access to an entire network segment, allowing the user to reach all assets at that site through the VPN. Although VPNs encrypt all data in the tunnel, thereby providing confidentiality against eavesdropping, they cannot prevent compromised users from moving laterally, with devastating effects, inside the network.

ZTNA gives organisations more control and visibility over their assets, helping them protect themselves from malicious threat actors and compromised technicians. When properly implemented, ZTNA also reduces the number of attack vectors into an organisation while adding further security controls, such as Multi-Factor Authentication (MFA), on each remaining vector. By adopting the Zero Trust approach, organisations gain improved security, visibility and auditability while reducing their risk and exposure to cyber-attacks.

When implemented as part of an Essential Eight, CIS18 or NIST security maturity framework, organisations begin with a full inventory of all technology assets inside the network perimeter; that inventory is what makes proper backups, vulnerability assessment and ZTNA access controls possible.

Differences Between ZTNA and VPNs

VPN solutions were initially created to connect a head office with a branch office via a securely encrypted tunnel, preserving the confidentiality of data in flight. VPNs were fit for that initial purpose of connecting two networks across the Internet and routing data between them. These networks included corporate networks holding corporate resources and data shared with branch staff. Staff were trusted, and the tunnel prevented eavesdroppers from stealing customer data in flight. Over time, VPNs have become highly prized targets for attackers because they are legacy solutions that provide access to an entire network of critical assets, including Operational Technology (OT), Internet of Things (IoT), Industrial Internet of Things (IIoT), Industrial Control Systems (ICS) and more. Once inside the VPN tunnel, the user, or the attacker, has access to the entire branch office (or OT subnet).

Over the last decade, VPNs have worked well to secure the confidentiality of remote users' access to the client or corporate network, but over the last few years there has been a paradigm shift towards remote work. Through this change, working patterns have evolved from one to two days at home to three to four days.

Organisations have also embraced Industry 4.0, the rise of IoT with smart devices deployed in revenue-generating facilities such as mines, manufacturing plants, wind farms, solar farms and power distribution. Industry 4.0 is digital transformation: it enables remote access to tweak parameters at a production site with the intention of improving ROI and safety (fewer humans on site). With this rapid transition, organisations need to protect their critical assets, as well as their clients' network environments, when those environments are accessed remotely. Take for instance the ABB cyber breach on 7 May 2023: a ransomware attack on their Active Directory servers (a key point of Identity and Access Management) forced ABB to shut down all the VPNs connecting their customers to their HQ, highlighting the risk of a supply chain attack via a routable tunnel that connects supply chain users to valuable assets.

The Zero Trust security approach limits a remote user's access to only the approved applications within the network, on the principle of least-privilege access. Where a user is permitted access to an application on the basis of least privilege, they have no access to anything except the permitted application. In contrast, VPNs operate on the basis of full trust: correct credentials provide access to all the resources on the other side of the VPN tunnel. Compounding the weakness of this attack vector, VPN users often share credentials for several reasons, such as reducing VPN costs or working around security complexity to speed up customer service.

Zero Trust not only grants access to users under the correct context; it also restricts that access to specific applications rather than granting full network access.

Advantages of Zero Trust?

Reduce Risk and Technology Debt
Zero Trust allows organisations to remove legacy tools, systems and workarounds, such as VPNs, and transition to an entirely software-based solution.
Greater Scalability
Zero Trust helps organisations scale with security and efficiency. Organisations can use their existing infrastructure to adopt a Zero Trust security approach, securely connecting their users and suppliers to the correct services without compromising network security.
Direct Application Access
Zero Trust provides the speed and simplicity for users to connect directly to the application, without compromising the user experience or blocking traffic to the selected application.
Visibility and Control
Zero Trust centralises control of all users and their assigned applications, enabling organisations to see the network activity of their users, user groups and third-party suppliers in real time. Zero Trust makes it easy to manage all users and their access across many different network environments. Zero Trust therefore reduces risk by increasing visibility, auditability and control over the Cyber Kill Chain.

Security Benefits of Zero Trust?

By adopting a Zero Trust Network Access (ZTNA) approach for remote access, organisations improve their Essential Eight/CIS18/NIST security maturity, enhance their security posture and reduce the risk of cyber-attacks. When applied in conjunction with the MITRE ATT&CK framework, it becomes easier for Security Operations Centres (SOCs) to stop intruders in the Cyber Kill Chain: a kill switch terminates only that one connection, versus isolating an entire network segment, as happens when a VPN is disabled.

Zero Trust Application Segmentation
Zero Trust segmentation allows organisations to segment applications at a granular level without disrupting the existing network infrastructure. Organisations can use Zero Trust Network Access to create identity-based segments on top of the existing segmented network, improving security and control of users, applications and connections while complementing security models such as network segmentation and the Purdue model for industrial control systems.
Multi-Factor Authentication (MFA)
Zero Trust operates on the premise of least-privilege access, making MFA a large part of verifying the user's identity before they access applications. Multi-Factor Authentication (MFA) is an identity verification method used to prove the user is who they claim to be during authentication. MFA requires users to present two or more factors to validate their identity. Traditional authentication requires the user to provide two values: a username (typically an email address) and a password. Since email addresses are well known and passwords are often weak, an additional factor is required, such as an MFA app on a phone or a One-Time Passcode/PIN (OTP); the user must correctly provide every factor. This process verifies that a user is who they claim to be before granting access to sensitive data or systems.
Invisible Application Access
Zero Trust allows users to access applications without connecting directly to the target network. This creates a brokered connection between the user and the application, acting as a 'darknet'. The infrastructure stays invisible, reducing the risk of exposing the corporate network, while the user accesses the application to complete their task.
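As an added illustration (not the page's or Dull's code) of the access model described above, both in the VPN comparison and in this section: a minimal ZTNA policy broker that lets a session reach only its entitled application, requires MFA and a compliant device, and gives an operator a kill switch for a single session, placed beside a VPN-style check that grants every host in the routed subnet once credentials pass. All users, application ids and subnets are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample entitlements: which technician may reach which application.
APP_POLICY = {"alice": {"scada-hmi"}, "bob": {"historian-web", "scada-hmi"}}


@dataclass(frozen=True)
class Session:
    """What the broker knows about an authenticated connection request."""
    session_id: str
    user: str
    mfa_verified: bool
    device_compliant: bool


@dataclass
class ZtnaBroker:
    """Identity-based, per-application access: default deny, one decision per request."""
    policy: dict
    revoked: set = field(default_factory=set)  # session ids terminated by the SOC

    def decide(self, session: Session, app: str) -> str:
        if session.session_id in self.revoked:
            return "deny:session-revoked"
        if not session.mfa_verified:
            return "deny:mfa-required"
        if not session.device_compliant:
            return "deny:device-posture"
        if app not in self.policy.get(session.user, set()):
            return "deny:not-entitled"  # valid identity still gets no path to other assets
        return "allow"

    def kill_session(self, session_id: str) -> None:
        """Kill switch for one connection; other users and applications are unaffected."""
        self.revoked.add(session_id)


def vpn_decide(credentials_ok: bool, target_ip: str, routed_subnet: str = "10.20.0.0/24") -> str:
    """VPN model: correct credentials give IP reachability to every host in the routed subnet."""
    if not credentials_ok:
        return "deny:bad-credentials"
    in_subnet = ipaddress.ip_address(target_ip) in ipaddress.ip_network(routed_subnet)
    return "allow" if in_subnet else "deny:not-routed"


if __name__ == "__main__":
    broker = ZtnaBroker(APP_POLICY)
    alice = Session("s-1", "alice", mfa_verified=True, device_compliant=True)
    print(broker.decide(alice, "scada-hmi"), broker.decide(alice, "historian-web"))
    print(vpn_decide(True, "10.20.0.7"), vpn_decide(True, "10.20.0.250"))
```

The VPN check never looks at which application is requested, which is the lateral-movement exposure the text describes; the broker's kill switch removes one session without touching the rest of the segment.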

Dull | Secure Remote Access

Understand how Dull's Secure Remote Access (SRA) secures your technicians' remote access to your operational technology (OT) environments with Zero Trust Network Access (ZTNA).