Zero Trust Network Access – Implementing Zero Trust

Author: Reinhold Zurfluh
Published: 23 August 2023

Many companies have recognised the benefits of the zero-trust concept, but most have yet to implement it. Moving from concept to practice requires a zero-trust architecture and the selection of appropriate tools to enforce zero-trust principles across the organisation. One of the most important components of a zero-trust architecture is “Zero Trust Network Access” (ZTNA). In this article, we will show you exactly what this means.

Historically, many organisations have adopted a trust-based, network-perimeter security strategy. However, this approach to security comes with several limitations, such as the softening of network boundaries, the risk of insider threats and the inadequate protection offered by existing security solutions. The zero-trust security model was developed to eliminate these vulnerabilities. An earlier article went into detail about how zero trust works and what needs to be taken into account during implementation.

Zero Trust Network Access – the VPN of the future

Implementing a zero-trust architecture generates a range of security benefits for an organisation. However, enforcing zero-trust principles effectively across the company requires access to the right security tools.

In today’s world, where working from home and other remote locations has become the norm, secure remote access is a central security measure. Organisations looking to implement a zero-trust solution for their remote workers should take a closer look at Zero Trust Network Access (ZTNA). ZTNA, also known as software-defined perimeter (SDP), is a new approach for securing access to applications and services by users in the office and remotely.

How does ZTNA work?

The way ZTNA works is simple: access to a particular resource is always denied unless it is explicitly allowed. This approach enables the implementation of more stringent network security standards and micro-segmentation, which restricts lateral movement in the event of an attack on the system. Authenticated users on traditional network solutions built on VPN are implicitly granted access to all data on the same subnet. In most cases, password-based authentication is the only thing preventing unauthorised users from accessing a resource. ZTNA turns this paradigm on its head. Users see only those applications and resources that are explicitly allowed by your organisation’s security policy.

This not only makes ZTNA more secure than traditional network solutions; it is also designed for today’s business needs. Traditional networks are based on a secure network boundary with trusted individuals inside and untrusted individuals outside. Today, this demarcation no longer exists. Users now work everywhere – not just in offices – and applications and data are increasingly being moved to the cloud. Accordingly, access solutions need to take this change into account.

ZTNA means that application access can be adjusted dynamically based on user identity, location, device type and other factors. ZTNA is a cloud-based service that allows connections from managed and unmanaged devices, verifies identity and authorises access to enterprise resources – whether they reside in an on-premises data centre or in the cloud.

Use cases for ZTNA

ZTNA is suitable for many use cases, such as:

  • An alternative to VPN
    ZTNA connects mobile and remote users more securely than traditional VPNs. ZTNA is more scalable, provides a single security policy for all domains, works in hybrid IT environments and offers differentiated access. Gartner predicts that 60 percent of companies will move from VPN to ZTNA by the end of 2023.
  • Reduced risk of access by third parties
    Contractors, suppliers and other third parties are granted access to specific internal applications – and no more. Confidential applications should be “invisible” to unauthorised users and devices. ZTNA can significantly reduce the risks posed by insider threats.
  • Secure integration for mergers and acquisitions
    ZTNA reduces the time and administrative effort required for a successful merger or acquisition and generates an immediate benefit for the company.

How is ZTNA implemented?

There are two main approaches to implementing ZTNA. One is agent-based; the other, service-based.

Agent-based ZTNA implementation

In the agent-based ZTNA implementation, an agent installed on an authorised device sends information about the security context of that device to a controller. This context typically includes factors such as geographical location, date and time along with more advanced information, such as whether the endpoint is infected with malware. The controller prompts the system user for authentication. The controller establishes the connection from the end device through a gateway once both the user and the endpoint have been authenticated. The gateway protects applications against direct access from the Internet and unauthorised users or endpoints. The user can only access applications that are explicitly allowed.
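
The controller's decision described above (deny by default, show only explicitly allowed applications, and evaluate the context the agent reports) can be sketched as follows. This is an added example, not code from InfoGuard or any ZTNA product; the application names, groups, countries and field names are hypothetical.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Context:
    """Security context reported by the agent, plus the authentication result."""
    user: str
    groups: frozenset
    authenticated: bool
    device_managed: bool
    malware_detected: bool
    country: str
    local_time: time

@dataclass(frozen=True)
class Rule:
    """One explicit allow rule; there is deliberately no 'deny' rule type."""
    app: str
    groups: frozenset      # any overlap with the user's groups matches
    countries: frozenset   # locations from which access is allowed
    hours: tuple           # (start, end) local-time window
    managed_only: bool = True

# Constructed sample policy and session (all names are made up for illustration).
POLICY = [
    Rule("payroll", frozenset({"finance"}), frozenset({"CH"}), (time(7), time(19))),
    Rule("wiki", frozenset({"staff", "contractor"}), frozenset({"CH", "DE"}),
         (time(0), time(23, 59)), managed_only=False),
    Rule("git", frozenset({"engineering"}), frozenset({"CH", "DE"}), (time(6), time(22))),
]
CONTRACTOR = Context("ext-01", frozenset({"contractor"}), True, False, False, "DE", time(10, 30))

def rule_allows(rule: Rule, ctx: Context) -> bool:
    start, end = rule.hours
    return (bool(rule.groups & ctx.groups)
            and ctx.country in rule.countries
            and start <= ctx.local_time <= end
            and (ctx.device_managed or not rule.managed_only))

def visible_apps(ctx: Context, policy=POLICY) -> set:
    """Apps the gateway exposes to this session; everything else stays invisible."""
    # Both the user and the endpoint must pass before any rule is evaluated.
    if not ctx.authenticated or ctx.malware_detected:
        return set()
    return {r.app for r in policy if rule_allows(r, ctx)}

def authorize(ctx: Context, app: str, policy=POLICY) -> bool:
    """Default deny: an app that matches no rule, or is unknown, is refused."""
    return app in visible_apps(ctx, policy)
```

Because the policy holds only allow rules, an application missing from it is refused the same way as one the session fails to qualify for.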

Service-based ZTNA implementation

In a service-based ZTNA implementation, a connector is installed on the same network as the application to provide an outbound connection to the provider’s cloud. Users who want to access the application are authenticated by a service in the cloud. This is followed by validation using an identity management solution such as a single sign-on tool. Application traffic is routed through the provider’s cloud, where a proxy protects the application from direct access and attacks. Since no agent is required on the user’s endpoint, this is a good alternative for establishing connections and providing access to applications from unmanaged devices.

ZTNA and SASE

Secure Access Service Edge (SASE) integrates the function of the ZTNA controller into the SASE PoP, meaning that no SDP connector is required. Endpoints connect to the SASE PoP, undergo validation and the users are only granted access to applications (and sites) that are allowed by the security policy in the SASE architecture’s next-generation firewall (NGFW).

However, ZTNA is only a small component of the SASE solution. Once users are authorised and connected to the network, IT managers still need to take measures to protect against network-based threats. Not only does this require them to have the right infrastructure and optimisation capabilities to ensure a secure user experience, they also still have to manage the entire environment. The SASE solution overcomes these challenges by combining ZTNA with a comprehensive suite of security services – NGFW, SWG, anti-malware programs, CASB, and MDR – and with network services such as SD-WAN, WAN optimisation and a private backbone.

Companies using the SASE architecture thus enjoy both the benefits of Zero Trust Network Access and a comprehensive range of network and security solutions in a package that is easy to manage, optimised and highly scalable.

Secure remote access via Cato’s SASE Platform

Cato Networks’ SASE platform enables organisations to provide secure access to remote employees easily. Cato Client is an application that can be set up in minutes and automatically connects remote users to the Cato cloud solution. In addition, clientless access enables optimised and secure access to selected applications via a browser. In doing so, users simply navigate to an application portal – available across all of Cato’s 57 PoPs worldwide – authenticate via the configured SSO and immediately access the applications that have been approved for them. Both approaches use built-in ZTNA capabilities to provide secure access to specific network resources.

A zero-trust approach is essential to securing remote workers, which is why the Cato solution enables easy and effective implementation of ZTNA. Would you like to learn more? Yishay Yovel, Chief Strategy Officer of Cato Networks, shared the benefits of SASE at this year’s InfoGuard Security Lounge. Watch the video recording of his presentation.

CATO Networks – SASE presentation

Your zero-trust journey begins with our Zero Trust Readiness Assessment.

InfoGuard’s “Zero Trust Readiness Assessment” is the right place to start when it comes to identifying the risks and potential vulnerabilities in your current zero-trust strategy and assessing how it is implemented. Among other things, we will show you which good practices have not yet been sufficiently defined or implemented in your zero-trust strategy. In addition, discrepancies are evaluated in terms of their risk-criticality. Prioritised recommendations for action are developed on this basis and solutions identified. Interested? Then we look forward to receiving your enquiry:

Zero Trust Readiness Assessment

We will explain how zero trust can be used in OT infrastructures in another post in a few weeks. Make sure you don’t miss it by signing up for our blog update right away!
