ZTNA: Secure remote access to protect your company from outside and inside threats

A white padlock on a dark digital background.
(Image credit: Shutterstock.com)

More people than ever, both inside and outside your company, need access to your corporate networks.

This need varies from an employee at a remote manufacturing site needing access to data across the corporate network, to an employee working from home accessing a cloud application. Also, to a third-party supplier engaged in joint access design requirements through a supplier portal, and through to an internal global product design team accessing results from confidential research or a design program.  

The Covid-19 pandemic heralded the beginning of the end for homogeneous access control policies with blunt access tools like VPNs. VPN implementations were fast, but VPNs weren't designed to grant differentiated access by user groups or to adjust access based on risk profiles.

Even with VPN or firewall-based protection, a single compromised credential can put a significant amount of valuable data in the hands of an attacker, making VPNs and firewalls ineffective for true cyber-risk management.

Recent attacks in the private sector have shown that the impact of such intrusions can extend well beyond damages for individual companies to entire value chains.

The Colonial Pipeline ransomware attack took advantage of a single compromised user account to impact energy stability in the United States.

The recent Kaseya hack hit hundreds of companies across the world with ransomware, a result of service provider Kaseya indirectly distributing the rogue software to service providers' end customers – an example of a “supply chain attack.”

That ransomware attack was followed by another one on UK rail operator Northern Rail, which hit its brand-new ticketing systems. 

The most secure move to make in this growing threat environment is adopting a Zero Trust network access (ZTNA) approach, which grants users the least access possible to systems while still enabling them to do their jobs.

After the Colonial Pipeline attack, US President Biden signed an Executive Order on 12 May, mandating both government agencies and companies to tighten their cybersecurity. Instead of just reacting to major incidents, they were told to do more to prevent them, and that ZTNA should be a vital tool to enable them to do deliver.

But what does such a technical strategy mean to your organization—wherever you are located in the world—and how do you make it happen?

Perimeter 81 is a Forrester New Wave™ ZTNA Leader 

Perimeter 81 is a Forrester New Wave™ ZTNA Leader 

Ditch your legacy VPN hardware and automate your network security with ZTNA.  Secure remote access from anywhere with just a few clicks. Onboard your entire organization in minutes, not days. Learn why Perimeter 81 is one of TechRadar's choices for the best ZTNA security providers. Download the report.

You might want to check out the best antivirus software.

Zero Trust through user identity-based segmented access 

In the report, “What Are Practical Projects for Implementing Zero Trust?” (published March 2021), Gartner recommends organizations implement Zero Trust by focusing on two complementary projects: (1) Zero Trust Network Access (ZTNA) and (2) identity-based segmentation.

The combination of both allows businesses to construct a complete access picture based on the full context of who is accessing information (including the user's identity and role, the devices they are accessing from, and behaviors used in the access), and the minimum set of things they need access to perform their business tasks including specific cloud workloads or data center applications.

Identity-based segmented access for specific groups or individual users and the rules around that access is re-evaluated for risk constantly.

With this approach, CIOs can not only secure remote workforces without constraining the business, but also solve common, complex access problems such as securing globally based remote IT admins—who may have detailed access requirements and privileges. They can also grant remote developers access to specific cloud workloads for changes they are authorized to make or restrict third-party access to the company crown jewels.

In addition, companies can also enforce specific compliance policies during access and conduct a full audit of who is allowed access to what resources and when they access them as well as monitoring risks from unauthorized or unusual behavior. All this can be flagged through machine learning.

Creating a better cybersecurity landscape

How can you get your organization to migrate to a more secure access policy, so you can foster business growth while managing the risk of expansion? Three easy steps will help:

Clean up existing application access privileges 

You might be surprised by how many former employees or past contractors still have access to your systems. Disgruntled individuals could certainly pose a threat, but it's more likely that cybercriminals could steal a former employee’s credentials in a separate breach.

Our tendency to reuse usernames and passwords across different applications means that one set of stolen credentials could lead to more than one distinct breach. Think of everyone who’s ever had access to your system as a doorway that cybercriminals could use to access your network—so it’s important to close and lock any door that isn’t being used.

For current employees and contractors, use the principle of least-privilege access for what they need to do. This concept means that users can only access the sources they need to perform their specific roles. In large organizations, applying these principles can be time-consuming, which is why you should lean on machine learning to develop access systems that recommend the right policies for you based on risk, usage, and behavioral metrics.

You might want to check out the best Windows 10 antivirus.

Tailor specific policies to individual user groups and applications they can access 

Wide access enables faster business speed but presents an ideal attack vector to cybercriminals, which is why you should apply policies to ensure that users can only access the applications they need to do their jobs. And if their jobs change, their access should change too.  

Creating user groups tied to specific application or workload micro-segments is one way to achieve that. Remote full-time employees, for example, should have a different set of policies than remote third-party contractors in terms of applications they can access. A testing lab should only provide access to a third-party test partner to those resources or applications they need to test. Identity-based segmentation will dramatically limit lateral movement and reduce the attack surface for both front-end and back-end access.

Make your access dynamic, so as your business grows, your risk does not 

As your business grows, your application base changes, your ecosystem widens, and your employee numbers increase. And the amount of valuable proprietary information you have grows as a result too.

Your access policies should adapt to help you manage your risk down, without stifling your business operations. This means that adding a new user or a new application or changing access rules should not be cumbersome, but very easy to implement using your tool of choice.

Similarly, dynamic access provisioning within your networks to avoid security gaps should be mainstream, not an afterthought.

The pandemic forced CIOs and IT teams to accelerate their digital transformation while at the same time putting new demands on security through changes in the business—like more prevalent and reliable remote access.

CIOs should not have to choose between business risk and business growth. As your business expands, and as attacks become more common and more sophisticated, it is time to protect what matters most, without constraining growth.

This will require not only a differentiated access policy by user group or individual, but also the ability to limit the attack surface from any compromised credentials to be as small as possible. ZTNA can definitely deliver.

You might want to check out the best endpoint protection software.

Vats Srivatsan, president and chief operations officer, ColorTokens

You might also want to check out our picks for the best business VPN.

Vats Srivatsan, President and Chief Operating Officer, ColorTokens.