Securing your network with Zero Trust

[Image: a person logging into a protected laptop. Credit: Shutterstock/JARIRIYAWAT]

“Never trust, always verify” and “just enough” access. They’re the concepts on which zero-trust security networks are built. And in today’s work-from-anywhere on any device world, they’re the best way to keep your business data, network, and infrastructure safe.

About the author

Akshay Kakar, Citrix.

With an increasing number of employees working remote, organizational assets and resources are more susceptible to attacks from cyber criminals and unknown devices. Savvy businesses are rethinking their security postures to address these challenges, and many are looking to Zero Trust Network Access (ZTNA).

If you’re among them, there are a few things you need to be thinking about:

Know thy threats

If you’re running a hybrid IT architecture to enable remote work, it’s important to recognize both the internal and external threats the model creates. Workers may log on to corporate applications from managed desktops and laptops over a Virtual Private Network (VPN). But do these VPNs really offer the secure access that you require? And what about employees or contractors who may be using non-company mobile devices, laptops, or desktops to reach your assets? With no conventional network perimeter to protect them, and with the limitations of a traditional VPN, you’re exposed to a number of threats:

  1. Bad actors attempting to use compromised credentials to gain access to your internal systems. VPNs help these attackers by allowing lateral movement throughout your network once they’ve established a foothold.
  2. Unmanaged devices could carry malware that propagates through your network, leading to lost productivity and, worse, data breaches.
  3. Authorized users – employees or contractors – who have legitimate access to your assets and abuse it, accidentally or deliberately. Such threats often take the longest to discover and can lead to significant data loss, from proprietary source code to customer information protected by compliance regulations.

To protect against them, you need to take a hard look at the security measures you have in place and determine whether they’re cutting it.

Out with the old

Traditional security measures, such as firewalls and VPNs, are based on the “trust, but verify” principle. That may catch some threats, but anyone who has already been granted authorization to your system can still wreak havoc, inadvertently or maliciously, precisely because they were let in once and are not checked again.

By implementing a zero-trust strategy, you can avoid exposing yourself to such threats, and in the event you do get attacked, reduce the impact. A zero-trust architecture secures your login and remote access process by treating every login and device as an unknown potential attack surface and requiring:

  • Least-privileged access: By default, devices that are granted permission can only reach what they have been authorized for and have explicitly requested. Zero trust is built on the principle of microsegmentation, which ensures that threats cannot move laterally through your network.
  • Explicit verification and continuous validation: Every user attempting to access your network must be authenticated, validated, and authorized on an ongoing basis. Each login attempt goes through the same system of checks and balances to verify the identity and context of the user and the user’s endpoint device. The reality of today’s hybrid workforce is that one-time validation simply isn’t enough. Validation must be continuous every time app access is requested.

In with the new

All of this sounds good in theory. But does it work in practice? Consider the following.

Jane is preparing the company balance sheet for the annual shareholder review. While heading home, she receives a call from the CEO, telling her she needs to access the corporate-managed finance web app to make some final changes. She uses her personal laptop, an unmanaged device, to do it. Unknown to Jane, her device was recently infected with malware while she was shopping online.

What’s the problem? When accessing a sensitive web app through an unprotected native browser on a potentially insecure personal device, even via VPN or basic ZTNA solutions, malware can move from a device to the company’s network and applications, putting company data, customers, reputation, and revenue at risk.

Keep things safe

With the right ZTNA solution, you can leverage remote browser isolation (RBI) functionality to prevent malware from reaching the corporate network, as well as lateral movement of malware from a native browser or device to the rest of the network and applications.

With RBI, the browsing session is isolated from the actual applications and devices so that no browsing data is transferred directly between them. Instead, users only receive screen updates. Users can still work with applications as they would in a native browser, while company assets stay protected. IT administrators can also disable functions such as screen capture, copy/paste, and downloads, and add URL filtering and session monitoring.

In today’s world of remote work, such scenarios are all too common. By enabling a zero-trust approach, you can adapt and gain the confidence of knowing your valuable assets, data, and resources are protected while keeping your workforce engaged and productive, no matter where they’re located.

Get started

Getting started with zero trust involves first understanding your specific requirements. Questions like the ones below can help:

  • What endpoint devices are accessing my applications? Are they all managed devices, or do they include unmanaged devices such as those used by contractors or employees’ personal devices?
  • How are the endpoint devices being secured? Would it help to consume information from endpoint software, such as anti-virus and device encryption, to identify risk and context before granting zero trust access?
  • What applications are being accessed? Are these internal applications or does access to public SaaS also have to be protected?
  • Who would be accessing these applications – employees, contractors, or both?
  • Are we already using an identity provider, an SSO solution, or an MFA solution?
  • What kind of data is available in the applications being accessed? Does the data need to be protected from loss?

As you’re building your key requirements, also focus on areas where your previous remote access solution, likely a VPN, fell short. For instance, VPN solutions were difficult to scale when we all moved to remote work at the onset of COVID-19. Hence, your new ZTNA solution must be easy to scale and administer.

Once you have identified your requirements, begin to explore the approaches available to you. Most ZTNA vendors will base their approach on the following:

Identity validation prior to app access – This is often executed through integration with an identity provider like Okta or Azure AD. In some cases, this may be offered natively as well.

What to watch for: Multiple identity validation mechanisms across the different app types – public SaaS, IT-managed, DaaS – can result in the user having to log in repetitively. This causes a poor user experience.

Context awareness – Most ZTNA vendors will consume context, such as device information, location, user risk profile etc., from endpoint vendors to make decisions on access.

What to watch for: Vendors usually consume only limited context, which is often insufficient to judge risk. As a result, a risky user or device may be granted access.

Adaptive Access Controls – Once identity and context have been verified, full, restricted or no access must be granted. The level of access should change as the context changes.

What to watch for: In most ZTNA solutions, full access is granted to the application once identity and context are validated. This means that a malicious insider or external threat can fully breach an application if they’re able to overcome identity and (often basic) context tests.

Segmented Access – ZTNA solutions grant access from a specific user to a specific application. This is different from VPNs, where access is granted to the full network.

What to watch for: Several ZTNA solutions cannot control access from BYO or personal devices. This leaves an open attack surface for your organization.

Brokered, Outbound Connections – Connections are made from the app to the ZTNA service, which completes the rest of the connection. This way, the app does not need to broadcast its IP address, keeping it safer from DDoS attacks.

What to watch for: Multi-layered defense for your apps is still required. You still need application and API security for the apps. Your ZTNA and App Sec solutions should work well together and ideally be from one vendor to minimize vendor sprawl.
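The identity, context, adaptive-access and segmented-access points above, together with the earlier requirement that validation be continuous rather than one-time, can be made concrete with a small policy engine. The following is an added example written for this page; it is not Citrix product code or any vendor's implementation. The input model (identity assertion, device posture, per-app policy), the three access levels and the sample users and devices are constructed, and the risk score is assumed to be supplied by an identity provider.

```python
"""Adaptive, per-application access decision for a ZTNA-style policy engine.

Added example; not Citrix's product code or any vendor's implementation.
The input model (identity assertion, device posture, app policy) and the
sample users/devices below are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class Access(Enum):
    NONE = "none"              # deny
    RESTRICTED = "restricted"  # e.g. isolated browser, no download/copy/print
    FULL = "full"


@dataclass(frozen=True)
class Identity:
    user: str
    mfa_verified: bool
    groups: frozenset
    risk_score: int = 0  # 0 (clean) .. 100 (high); assumed to come from the IdP


@dataclass(frozen=True)
class DevicePosture:
    managed: bool
    av_healthy: bool
    disk_encrypted: bool


@dataclass(frozen=True)
class AppPolicy:
    name: str
    allowed_groups: frozenset


def decide(identity: Identity, posture: DevicePosture, app: AppPolicy):
    """Return (Access, reason) for one request. Called on every request,
    not once at login, so a change in context changes the answer."""
    # Explicit verification: identity is checked first, never without MFA.
    if not identity.mfa_verified:
        return Access.NONE, "MFA not completed"
    # Segmented access: entitlement is to this app, not to the network.
    if not identity.groups & app.allowed_groups:
        return Access.NONE, f"{identity.user} is not entitled to {app.name}"
    if identity.risk_score >= 80:
        return Access.NONE, f"user risk score {identity.risk_score} too high"
    # Context awareness: device posture sets the *level* of access instead of
    # collapsing to full access once the identity checks pass.
    healthy = posture.managed and posture.av_healthy and posture.disk_encrypted
    if healthy and identity.risk_score < 50:
        return Access.FULL, "managed device with healthy posture"
    if not posture.managed:
        return Access.RESTRICTED, "unmanaged device: isolated session, no download/copy"
    return Access.RESTRICTED, "managed device failed posture or elevated risk: isolated session"


class Session:
    """Tracks the current decision and re-evaluates whenever context changes."""

    def __init__(self, identity, posture, app):
        self.identity, self.app = identity, app
        self.history = []
        self.reevaluate(posture)

    def reevaluate(self, posture):
        access, reason = decide(self.identity, posture, self.app)
        self.history.append((access, reason))
        return access


# --- constructed sample data ---------------------------------------------
FINANCE_APP = AppPolicy("finance-web", frozenset({"finance"}))
JANE = Identity("jane", mfa_verified=True, groups=frozenset({"finance"}))
BOB = Identity("bob", mfa_verified=True, groups=frozenset({"engineering"}))
CORP_LAPTOP = DevicePosture(managed=True, av_healthy=True, disk_encrypted=True)
PERSONAL_LAPTOP = DevicePosture(managed=False, av_healthy=False, disk_encrypted=False)


def walkthrough():
    """Jane's scenario from the article: same user, different device context."""
    results = {
        "jane_corp": decide(JANE, CORP_LAPTOP, FINANCE_APP)[0],
        "jane_personal": decide(JANE, PERSONAL_LAPTOP, FINANCE_APP)[0],
        "bob_finance": decide(BOB, CORP_LAPTOP, FINANCE_APP)[0],
    }
    # Continuous validation: the corporate laptop's AV later reports unhealthy,
    # so the next request is re-evaluated and downgraded mid-session.
    session = Session(JANE, CORP_LAPTOP, FINANCE_APP)
    results["jane_after_av_failure"] = session.reevaluate(
        DevicePosture(managed=True, av_healthy=False, disk_encrypted=True))
    return results


if __name__ == "__main__":
    for name, access in walkthrough().items():
        print(f"{name:24s} -> {access.value}")
```

The point of the graded result is the “what to watch for” under adaptive access: identity and context do not unlock the whole application, they select a level, and because `decide` runs on every request rather than once at login, a device whose posture degrades partway through a session is moved to the restricted (isolated) level without waiting for the next sign-in.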


Most ZTNA solutions will claim to cover each of the areas above, but many do not implement them in depth. It’s on you to establish how deep the capabilities of the vendors you’re engaging with really go. To simplify that, request a demo from your chosen vendors and ask them to show their capabilities in delivering three things:

  1. Broad and deep intelligence about the user identity and device context so you can establish just how much “trust” should be granted
  2. Granular controls that allow you to enforce policy over the typical segmented ZTNA access, so you can enforce true “just enough” access
  3. Protection for all users, including users on unmanaged devices, without overwhelming the user experience or administrative operations.

It’s estimated that by the end of 2023, roughly 90% of infrastructure and operations organizations will be remote-based. Now is the time to take action to ensure your organization is equipped today to handle the security risks the “new normal” of work has created and ensure your business continues to thrive tomorrow.
