Zero Trust Network Access (ZTNA): Enabling Secure Remote and Third-Party Access

For a long time, virtual private networks (VPNs) were the answer for secure access by remote users. With the ongoing global shift to remote working, organizations can no longer simply depend on VPNs to protect their confidential data. VPNs do not provide granular access control, which increases exposure to data breaches, compromised credentials, and insider threats.

In the "new normal" of remote access, employees need privileged rights to perform operational tasks from their homes. Increasingly, work-from-home employees rely on technologies like video conferencing and remote access solutions to complete their daily tasks.

Zero Trust Network Access (ZTNA) is a security approach that provides secure remote access to organizational data, applications, and services based on defined access control policies. Under this strategy, enterprises no longer implicitly trust users or third-party applications with access to their internal environment. With ZTNA, they need to know:

  • Who is requesting remote access?
  • What are they requesting remote access for?
  • Why are they requesting remote access?
  • Where are they requesting remote access from?

How Is ZTNA Better Than VPN?

A VPN is designed to provide secure access to a network for remote users. ZTNA, on the other hand, grants access to specific resources rather than to the network, and it requires frequent re-authentication. This is the basic difference between the two security approaches.

A VPN simplifies access management to a network (or its resources) through a single sign-on (SSO) process. This is useful for users working remotely for a brief period. Over an extended period, however, VPNs have a range of limitations, including lack of scalability, high access costs, and heavy maintenance. Additionally, VPNs increase the attack surface, because any user with SSO credentials can reach network data and resources.

The ZTNA approach instead provides granular access in place of network access. Based on the principle of "least privilege," ZTNA allows access only after the user's credentials, location, and device have been verified. With granular control, ZTNA users gain direct access only to the business data and applications needed to do their work.

Here are some of the limitations of VPNs when compared to ZTNA:

  • High latency (or load) on VPNs with the increase in remote users
  • Need for additional resources during peak usage or for growing business demand
  • Access to the entire system within the VPN perimeter

How Does ZTNA Secure Remote Access?

Organizations can adopt either of the following approaches to implement ZTNA:

Standalone ZTNA

In this approach, organizations install and deploy every element of the ZTNA environment themselves. All connections are secured through the organization's own data center. The organization must therefore invest time and money into deploying, managing, and maintaining those secure connections.

ZTNA-as-a-Service

This is a cloud-hosted service in which organizations use a cloud service provider's infrastructure to deploy and enforce ZTNA security. A cloud-powered ZTNA keeps latency low for all users by choosing an optimal traffic path. According to Gartner, 90% of organizations are implementing ZTNA as a cloud service.

To implement ZTNA successfully in any remote working environment, organizations must deploy a suitable ZTNA model and architecture. A Zero Trust architecture focuses on securing small groups of resources (zones) rather than a large perimeter inside which resources interact freely. Irrespective of where users and systems are located (on-premises or cloud), the ZTNA strategy must not implicitly trust them.

Here are three key components that are part of any secure ZTNA-based remote access solution:

  1. Policy Engine

    This component is responsible for deciding whether to grant access to a particular resource, based on the requester's role and attributes and on the current level of threat intelligence. The policy engine governs remote access according to the access models defined by the policy administrator.

  2. Policy Administrator

    This component is responsible for connecting the client with the resource. It negotiates with the resource to confirm whether the connection is allowed. The policy administrator creates, modifies, and manages end-user policies, grants resource access, and automates remote access.

  3. Policy Enforcement Point

    This component is responsible for creating and terminating connections between an untrusted user (or application) and an enterprise resource. The enforcement point implements a secure remote access jump client, which responds to remote access requests as directed by the policy engine. Enforcement points are integral to ZTNA because users never have direct access to any resource.
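To make the division of labour between the policy engine and the enforcement point concrete, here is a constructed Python sketch added to this page (it is not the page's or any vendor's code; AccessRequest, Policy, PolicyEngine and EnforcementPoint are hypothetical names). The engine evaluates each request against the who/what/why/where questions from the introduction plus device posture and a threat score, denies anything without an explicit policy, and the enforcement point opens a session scoped to the single allowed resource while recording every decision for monitoring.

```python
from dataclasses import dataclass  # constructed example; all names are hypothetical

@dataclass(frozen=True)
class AccessRequest:
    user: str               # who is requesting access
    role: str               # attribute used for least-privilege grants
    resource: str           # what they are requesting
    purpose: str            # why (kept with the session for audit)
    country: str            # where they are requesting from
    device_compliant: bool  # device posture check passed
    mfa_passed: bool        # credentials verified
    threat_score: int       # 0 (clean) to 100 (hostile), from threat intelligence

@dataclass(frozen=True)
class Policy:
    resource: str
    allowed_roles: frozenset
    allowed_countries: frozenset
    max_threat_score: int = 30

class PolicyEngine:
    # Decides each request on its own; resources with no policy are denied by default.
    def __init__(self, policies):
        self._policies = {p.resource: p for p in policies}

    def decide(self, req: AccessRequest) -> tuple[bool, str]:
        pol = self._policies.get(req.resource)
        if pol is None:
            return False, "no policy for resource"
        if not (req.mfa_passed and req.device_compliant):
            return False, "user or device not verified"
        if req.country not in pol.allowed_countries:
            return False, "location not allowed"
        if req.role not in pol.allowed_roles:
            return False, "role not granted for resource"
        if req.threat_score > pol.max_threat_score:
            return False, "threat score too high"
        return True, "allow"

class EnforcementPoint:
    # Brokers one connection per resource: opens it only on allow, records every decision.
    def __init__(self, engine: PolicyEngine):
        self.engine, self.sessions, self.audit = engine, {}, []

    def connect(self, req: AccessRequest) -> bool:
        allowed, reason = self.engine.decide(req)
        self.audit.append((req.user, req.resource, allowed, reason))
        if allowed:  # session is scoped to (user, resource), never to the whole network
            self.sessions[(req.user, req.resource)] = req.purpose
        return allowed
```

The audit list is the hook for the session logging and real-time monitoring discussed later under legacy systems: every denied request is recorded alongside the reason, not silently dropped.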

Key Considerations for Implementing Zero-Trust Networks

Before implementing ZTNA for secure remote access, organizations must look into three key considerations, as outlined below:

  1. Technical Debt

    Organizations that build their own business applications always carry technical debt. Redesigning and redeploying these applications is both expensive and disruptive to the business. Hence, it is not feasible to retrofit security controls into these applications to make them compliant with the zero trust model.

    Depending on the application architecture, organizations must consider placing a zero trust secure remote access layer in front of these applications to connect remote workers.

  2. Legacy Systems

    The presence of legacy applications and systems is not conducive to implementing a zero trust model. Legacy systems depend on direct connections from the users who operate them. In this case, the zero trust model requires a layered approach for legacy systems. To detect malicious behavior, organizations can perform activities like:

    • Logging any remote session activity
    • Recording interactive sessions
    • Monitoring real-time events

  3. Peer-to-Peer (P2P) Network Technology

    Organizations running Windows 10 (or later versions) may use its P2P technology to share Windows software updates between machines and save Internet bandwidth. This presents a risk of lateral movement between Windows systems that can undermine the ZTNA model.

    Companies must consider hardening their endpoint security model to disallow network communication between endpoints on the same subnet.

How Incrux Can Help in Implementing ZTNA

As more organizations realize the importance of endpoint security, they are adopting zero trust network access (ZTNA) technology. The rise of the remote working model is also driving more business investment into ZTNA than into VPNs.

At Incrux, we understand the risk of ignoring zero trust security. With our technical expertise in endpoint security, we enable our customers to defend against a variety of attacks that arrive through remote access.

If you want to know more about implementing ZTNA in your business, contact us today!