5 critical steps to implementing ZTNA within a business


Implementing zero trust network access (ZTNA) is an excellent way to increase the security of key business assets on a corporate network. 

Zero Trust shakes off the outdated and insecure notion that every user and device inside an organization’s network should be implicitly trusted. Instead, it aims to continuously authenticate users and devices. ZTNA also allows for much more fine-grained control over which resources can be accessed by each individual user or device.

The implementation of ZTNA in an organization with existing infrastructure can cause significant upheaval. Below, we discuss the five critical steps a company must take when implementing ZTNA. Zero Trust solution providers such as Perimeter 81 offer to manage this transition for you.


1. Assess which business assets to focus on first

Implementing ZTNA is a journey that will take time to complete. You can’t protect every business asset to the same high standard all at the same time, so it’s prudent to begin by assessing which assets are most vital to your business processes and which are most at risk. These are the assets you will focus your attention on securing first, before moving on to less business-critical resources.

The relative importance of each business asset also informs security policies, service-level agreements (SLAs), and recovery point objectives (RPOs) for disaster recovery and business continuity.

2. Identify users, devices, and applications

The three primary groups of actors to consider in ZTNA are users, devices, and applications.

By identifying every type of user, you can build access policies that are determined by their roles in the company. You will need to identify which applications these users require access to. These access policies should be governed by the least privilege principle, where certain roles only have access to the minimum set of resources required to perform their job.

All devices must be identified and assigned security permissions, too. Devices like laptops, phones, printers, and security badge readers are all entry points into your systems, and they must be similarly secured and monitored.

Applications are typically the heart of your operation. They’re the resources you aim to protect from unauthorized access. Importantly, applications now often include Software-as-a-Service (SaaS) and can be hosted on public or private clouds. These must all be considered in a ZTNA implementation. They must be protected, and even relatively innocuous applications can act as entry points to other, more important systems.

3. Create zones of control with role-based access

ZTNA segments networks into zones of control. Network segmentation isn’t a new concept, but ZTNA solutions use micro-segmentation, essentially smaller zones of control than earlier, perimeter-based firewall solutions.

With the network accurately segmented, you can use role-based access controls (RBAC) to regulate the permissions that groups of users have in the organization. You can also control which devices on the network can communicate with particular applications. This greatly improves the control you have over the traffic on your networks and limits the damage an attacker could do if they were to gain access.

Preferably, your ZTNA solution should perform application-level control rather than simply network-level control. With application-level control, there is better visibility of what a user or device is specifically attempting to do with an application. This allows for smarter, more dynamic automated security with better segmented role-based policies.

4. Extend access off the network

With a solid ZTNA strategy in place, extending access to critical business functions for remote users and devices isn’t such a stressful idea. ZTNA protects your resources by improving the visibility of all endpoints, including laptops and phones being used by remote users. ZTNA solutions can continuously scan for vulnerabilities and unusual activity in remote devices.

As noted, ZTNA can be used for applications hosted outside company networks, such as cloud-based services. By using a central system for authentication, authorization, and security monitoring, a ZTNA solution solves many of the challenges of keeping off-site services secure.

5. Continuously verify users and devices

As ZTNA solutions have a much better view of what is happening on the network, dynamic continuous authentication and verification can be achieved. Instead of being authenticated once and given unrestricted access to your entire network, users are continuously monitored and only allowed access to the applications they need.

Continuous verification can notice when a user or device unexpectedly changes behavior. These unexpected changes are sometimes due to security breaches, such as a browser session being hijacked or malware accidentally being installed. The dynamic nature of ZTNA allows for swift, automated action in these cases, shutting out malicious actors before they have the chance to do damage.
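Steps 2, 3 and 5 can be read together as one default-deny decision that is re-evaluated on every request. The sketch below is an added illustration, not code from Perimeter 81 or any ZTNA product; the users, devices, applications, zones, and the posture and country signals are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample policy (all names hypothetical): app -> zone and allowed roles.
APPS = {
    "payroll": {"zone": "finance", "roles": {"finance-analyst"}},
    "wiki": {"zone": "general", "roles": {"finance-analyst", "engineer"}},
    "ci": {"zone": "build", "roles": {"engineer"}},
}
USERS = {"alice": "finance-analyst", "bob": "engineer"}
# Registered devices, their assigned user, and the zones they may reach.
DEVICES = {
    "laptop-17": {"owner": "alice", "zones": {"finance", "general"}},
    "laptop-22": {"owner": "bob", "zones": {"build", "general"}},
}

@dataclass
class Request:
    user: str
    device: str
    app: str
    patched: bool   # device posture reported with this request (assumed signal)
    country: str    # behavioural signal reported with this request (assumed)

def decide(req, baseline_country):
    """Default-deny decision, evaluated on every request, not once at login."""
    role, dev, app = USERS.get(req.user), DEVICES.get(req.device), APPS.get(req.app)
    if role is None or dev is None or app is None:
        return False, "unknown user, device or application"
    if dev["owner"] != req.user:
        return False, "device not assigned to user"
    if role not in app["roles"]:
        return False, "role not permitted for application"
    if app["zone"] not in dev["zones"]:
        return False, "device not permitted in zone"
    if not req.patched:
        return False, "device posture failed"
    if req.country != baseline_country:
        return False, "behaviour deviates from baseline"
    return True, "ok"

def run_session(requests, baseline_country):
    """Evaluate requests in order and revoke the session at the first denial."""
    log = []
    for req in requests:
        allowed, reason = decide(req, baseline_country)
        log.append((req.app, allowed, reason))
        if not allowed:
            break  # session revoked; later requests are never evaluated
    return log
```

Revoking the whole session on any denial is a choice made for this sketch; a real deployment might only step up authentication for some denial reasons.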


The usefulness of Zero Trust continues to grow, as more and more companies have remote employees and utilize cloud services. By following the step-by-step process outlined above, you can minimize the disruption that implementing ZTNA causes to your company and its employees.

The process typically starts with identifying which business assets are most critical to your business. List all users, devices, and applications in your business that have direct or indirect access to these assets. Create permission roles for each of the users and devices, keeping least privilege principles in mind. 

Segment your network into micro zones of control, only allowing authorized roles to access each section. Extend this off the network with remote users, devices, and cloud-based apps, and continuously verify that users and devices are authorized to make the transactions they attempt.

Implementing Zero Trust takes careful preparation and should be rolled out in stages, but once it’s in place, your vital company resources will be significantly more secure. For further information, have a look at how to secure your network with Zero Trust and how ZTNA is helping to tackle the scourge of ransomware.

Richard Sutherland

Richard brings over 20 years of website development, SEO, and marketing to the table. A graduate in Computer Science, Richard has lectured in Java programming and has built software for companies including Samsung and ASDA. Now, he writes for TechRadar, Tom's Guide, PC Gamer, and Creative Bloq.