Global Workplace Analytics has estimated that almost 25-30% of the workforce will be working from home by the end of 2021. With remote workers operating from a wide variety of locations, and with so much connectivity outside the enterprise's zone of control, how does a company protect its applications and users from advanced threats on the Internet? The surge in cyberthreats makes clear that adversaries have evolved and will continue to, rendering traditional security architectures such as the VPN obsolete. Their complicated security frameworks have made access to applications and organizational resources increasingly bureaucratic and therefore slow. That is the benefit a ZTNA architecture provides: it secures access to all cloud applications through zero trust network principles and context-aware policies for authentication and authorization. That context can be a combination of user identity, user or service location, time of day, type of service, and security posture of the device.

What is ZTNA & what does a Zero Trust Security network do?

ZTNA is a security model that implements zero trust principles: it applies granular access controls and trusts only endpoints that have been explicitly granted access to a given resource. It builds on the concept of 'Zero Trust', which asserts that organizations should not trust any entity, whether inside or outside the security perimeter, and must instead verify every user and device before granting access to sensitive resources, ensuring data safety and integrity. The principles of the ZTNA architecture include: never trust, always verify; least privilege and default deny; full visibility and inspection; and centralized management. Applied to critical networks such as National Security Systems (NSS), Department of Defense (DoD) networks, and Defense Industrial Base (DIB) systems, Zero Trust security can significantly limit breaches that damage national and economic security.

Advantages of a ZTNA security network:

1. Secure access for any and all remote workers: ZTNA is a key enabler of Secure Access Service Edge (SASE), transforming the security perimeter from static enterprise data centers into a dynamic, policy-based, cloud-delivered edge that supports the access requirements of a distributed workforce. VPN architectures are slow and counter-productive in cloud-first deployments, and securing every remote user's access through software- and hardware-intensive VPNs increases capital expenditure and bandwidth costs. Zero Trust Network Access provides fast, direct-to-cloud access to corporate resources, reducing network complexity, cost, and latency while significantly improving performance for remote workforce deployments.

2. Regulating the visibility of applications to users, thereby reducing the risk of third-party access to sensitive data: ZTNA implements least-privilege access control, restricting each user to specific applications strictly on a "need to know" basis. All connection requests are verified before access to internal resources is granted. The broad, perimeter-based approach of traditional security solutions permits full network access to any user with valid login credentials, over-exposing sensitive corporate resources to compromised accounts and insider threats; an attacker who gains access to the underlying network can move freely through internal systems undetected.

3. A streamlined infrastructure that provides unified yet granular access control to data, services, and applications, simplifying the time and management involved in merger and acquisition integrations: ZTNA enables secure, fast, uninterrupted, direct-to-cloud access to private applications, giving remote users a consistent experience when accessing both SaaS and private applications. VPNs were not designed for an increasingly distributed workforce: backhauling every user connection through centralized VPN hubs creates bandwidth and performance issues and leads to a sub-par user experience. With Zero Trust Network Access, users establish direct-to-app connections, enabling fast and secure access to corporate resources hosted in IaaS environments or private data centers, while facilitating agile and scalable cloud deployments.

The ZTNA architecture:

1. Identify

Involves inventory and categorization of systems, software, and other resources. This stage enables baselines to be set for anomaly detection.

2. Protect

Involves the handling of authentication and authorization. The protect function covers the verification and configuration of the resource identities that zero trust is based upon, and integrity checking for software, firmware, and hardware.

3. Detect

Deals with identifying anomalies and other network events. The key here is continuous, real-time monitoring to proactively detect potential threats.

4. Respond

Handles the containment and mitigation of threats once they are detected. These four functions are coupled with granular, application-level access policies set to default-deny.

Client-initiated ZTNA:

An agent installed on an authorized device sends the controller information about the device's security state: geographic location, date, and time, as well as deeper signals such as whether the device is compromised with malware. Having received these details, the controller prompts the user to authenticate. Once both the controller and the user have been authenticated, the controller provisions connectivity from the device through a gateway, such as a next-generation firewall capable of enforcing multiple security policies. The gateway shields applications from being accessed directly from the internet and protects them from distributed denial of service attacks. The user can access only the applications that are explicitly allowed. Once the controller has established connectivity, a component remains in the data path (which is encrypted end-to-end) to provide periodic posture assessments to the trust broker (the controller).
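As an added example (not the vendor's code or any product's API), the following Python sketches the controller decision that the client-initiated model and the context-aware policies described earlier imply: a posture report carrying user identity, location, time of day and device state is checked against explicit per-application allow rules with default deny, and periodic re-assessment ends the session as soon as posture degrades. The policies, users and report format are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Posture:
    """Constructed posture report, as an agent might send it to the controller."""
    user: str
    country: str
    malware_free: bool
    disk_encrypted: bool
    reported_at: datetime  # time of day is part of the access context


# Constructed policies: each app lists what is explicitly allowed; anything
# not matched by a rule below is denied (default deny).
POLICIES = {
    "payroll": {"groups": {"finance"}, "countries": {"US"},
                "hours": (8, 18), "require_encryption": True},
    "wiki": {"groups": {"finance", "engineering"}, "countries": {"US", "DE"},
             "hours": (0, 24), "require_encryption": False},
}
GROUPS = {"alice": {"finance"}, "bob": {"engineering"}}  # constructed directory


def evaluate(app, posture, authenticated):
    """Controller decision: every context check must pass, otherwise deny."""
    policy = POLICIES.get(app)
    if policy is None:
        return False, "default-deny: no policy for application"
    if not authenticated:
        return False, "user not authenticated"
    if not (GROUPS.get(posture.user, set()) & policy["groups"]):
        return False, "least privilege: user not granted this application"
    if posture.country not in policy["countries"]:
        return False, "location outside allowed countries"
    start, end = policy["hours"]
    if not start <= posture.reported_at.hour < end:
        return False, "outside allowed access window"
    if not posture.malware_free:
        return False, "device posture: malware detected"
    if policy["require_encryption"] and not posture.disk_encrypted:
        return False, "device posture: disk not encrypted"
    return True, "allowed"


def session_survives(app, reports, authenticated=True):
    """Periodic re-assessment: the session ends at the first failing report."""
    for report in reports:
        ok, reason = evaluate(app, report, authenticated)
        if not ok:
            return False, reason
    return True, "session maintained"
```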

Service-initiated ZTNA:

A connector installed in the same network as the application establishes and maintains an outbound connection to the provider's cloud. Users requesting access to the application are authenticated by a service in the cloud, followed by validation against an identity management product such as a single sign-on tool. Application traffic passes through the provider's cloud, which isolates the application from direct access and attack by acting as a proxy.

LTS Secure ZTNA & SASE offering // Link: https://ltssecure.com/soc-as-a-service/