Many companies have recognised the benefits of the zero-trust concept, but most have yet to implement it. Moving from concept to practice requires a zero-trust architecture and the selection of tools that can actually enforce zero-trust principles across the organisation. One of the most important components of such an architecture is Zero Trust Network Access (ZTNA). This article explains what ZTNA means and how it is implemented.
Historically, many organisations adopted a perimeter-based security strategy in which everything inside the network is trusted. This approach has well-known limitations: network boundaries have blurred with cloud adoption and remote work, it offers little protection against insider threats, and perimeter controls provide inadequate protection once an attacker is already inside. The zero-trust security model was developed to address these weaknesses. An earlier article went into detail about how zero trust works and what needs to be taken into account during implementation.
Implementing a zero-trust architecture brings an organisation a range of security benefits. Effective implementation, however, requires the right security tools, because a zero-trust principle that cannot be enforced technically remains a policy on paper.
In today’s world, where working from home and from other remote locations has become the norm, secure remote access is a central security measure. Organisations looking to implement zero trust for their remote workers should take a closer look at Zero Trust Network Access (ZTNA). ZTNA, also referred to as software-defined perimeter (SDP), is an approach to securing access to applications and services for users both in the office and remotely.
The principle behind ZTNA is simple: access to a resource is denied unless it has been explicitly allowed. This default-deny approach enables stricter network security standards and micro-segmentation, which restricts lateral movement if a system is compromised. With traditional VPN-based remote access, an authenticated user is placed on the network and can implicitly reach every host on the same subnet; whether they can actually use a given resource then depends only on that resource’s own, often password-based, authentication. ZTNA turns this paradigm on its head: the connection is brokered per application rather than per network, and users see only those applications and resources that your organisation’s security policy explicitly allows.
This makes ZTNA not only more secure than traditional network access solutions, but also better suited to today’s business needs. Traditional networks assume a secure network boundary with trusted users inside and untrusted users outside. That demarcation no longer holds: users work everywhere, not just in offices, and applications and data are increasingly moving to the cloud. Access solutions need to reflect this change.
With ZTNA, application access can be adjusted dynamically based on user identity, location, device type, device posture and other context. ZTNA is typically delivered as a cloud service that accepts connections from managed and unmanaged devices, verifies identity and authorises access to enterprise resources, whether they reside in an on-premises data centre or in the cloud.
ZTNA is suitable for many use cases, such as:
There are two main approaches to implementing ZTNA. One is agent-based; the other, service-based.
Agent-based ZTNA implementation
In the agent-based implementation, an agent installed on an authorised device sends information about that device’s security context to a controller. This context typically includes geographical location, date and time, and more advanced posture signals, such as whether the endpoint is infected with malware. The controller then prompts the user to authenticate. Once both the user and the endpoint have been verified, the controller establishes a connection from the end device to the application through a gateway. The gateway shields applications from direct access from the Internet and from unauthorised users or endpoints; the user can reach only the applications that are explicitly allowed.
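To make the default-deny model described above and the agent-based decision flow in this section concrete, here is an added example, not code from the original article, from Cato Networks or from any ZTNA product. It models the decision a controller makes once it holds the agent’s posture report and the identity provider’s group assertions for the user: an application is reachable only if an explicit rule for it is fully satisfied, a malware-flagged endpoint gets nothing, and unpublished applications are not even visible. Every user, group, device, application and rule in it is constructed for illustration.

```python
"""Toy ZTNA controller: per-application, default-deny policy evaluation. Added example
for this article, not code from the page or any ZTNA vendor; all data is constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class DevicePosture:
    # Security context the endpoint agent reports to the controller (constructed).
    managed: bool          # enrolled in the organisation's device management
    os_patched: bool
    malware_detected: bool
    country: str           # derived from the endpoint's location

@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset      # memberships asserted by the identity provider at login
    posture: DevicePosture
    application: str
    at: datetime

@dataclass(frozen=True)
class Rule:
    # Explicit allow rule. An application with no rule is unreachable and invisible.
    application: str
    allowed_groups: frozenset
    require_managed_device: bool = True
    allowed_countries: frozenset = frozenset()   # empty means any country
    business_hours_only: bool = False

def unmet_conditions(req: AccessRequest, rule: Rule) -> list:
    """Every condition of `rule` that `req` fails; an empty list means the rule allows it."""
    p, failures = req.posture, []
    if not (req.groups & rule.allowed_groups):
        failures.append("user not in an allowed group")
    if rule.require_managed_device and not p.managed:
        failures.append("managed device required")
    if not p.os_patched:
        failures.append("device posture below baseline")
    if rule.allowed_countries and p.country not in rule.allowed_countries:
        failures.append(f"access from {p.country} not permitted")
    if rule.business_hours_only and not 8 <= req.at.hour < 18:
        failures.append("outside business hours")
    return failures

def evaluate(req: AccessRequest, rules: list) -> tuple:
    """Return ("allow" | "deny", reason). The default is deny: access is granted only
    when at least one rule for the requested application is fully satisfied."""
    if req.posture.malware_detected:
        # Posture gate before any rule is consulted: a compromised endpoint gets nothing.
        return ("deny", "endpoint reports malware; all applications blocked")
    candidates = [r for r in rules if r.application == req.application]
    if not candidates:
        return ("deny", f"no rule publishes {req.application}")
    reasons = []
    for rule in candidates:
        failures = unmet_conditions(req, rule)
        if not failures:
            return ("allow", f"rule for {rule.application} satisfied")
        reasons.extend(failures)
    return ("deny", "; ".join(dict.fromkeys(reasons)))   # de-duplicated, in order

def visible_applications(groups: frozenset, rules: list) -> list:
    """Applications the user can even see in the portal: only those with a rule naming
    one of the user's groups. On a VPN subnet every host would at least be reachable."""
    return sorted({r.application for r in rules if groups & r.allowed_groups})

# Constructed sample policy, devices and a fixed timestamp for the scenarios below.
POLICY = [
    Rule("hr-portal", frozenset({"hr"}), allowed_countries=frozenset({"CH", "DE"})),
    Rule("git", frozenset({"engineering"})),
    Rule("wiki", frozenset({"engineering", "hr"}), require_managed_device=False),
    Rule("finance-erp", frozenset({"finance"}), business_hours_only=True),
]
LAPTOP = DevicePosture(managed=True, os_patched=True, malware_detected=False, country="CH")
BYOD_PHONE = DevicePosture(managed=False, os_patched=True, malware_detected=False, country="CH")
INFECTED = DevicePosture(managed=True, os_patched=True, malware_detected=True, country="CH")
NOON = datetime(2024, 3, 4, 12, 0, tzinfo=timezone.utc)
ENG = frozenset({"engineering"})

def demo() -> dict:
    """Run the constructed scenarios; returns each decision keyed by scenario name."""
    def ask(app, posture=LAPTOP):
        return evaluate(AccessRequest("alice", ENG, posture, app, NOON), POLICY)
    return {
        "git_from_managed_laptop": ask("git"),
        "git_from_byod_phone": ask("git", BYOD_PHONE),
        "wiki_from_byod_phone": ask("wiki", BYOD_PHONE),
        "hr_portal_wrong_group": ask("hr-portal"),
        "unpublished_app": ask("legacy-db"),
        "infected_endpoint": ask("git", INFECTED),
        "portal_shows": visible_applications(ENG, POLICY),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24} {result}")
```

The two design choices worth noting are that the malware check runs before any rule is consulted, so a compromised endpoint cannot reach even an application whose rule would otherwise match, and that a request for an application with no rule at all is refused without ever evaluating the user: in a ZTNA deployment that application is simply not published, which is the property that limits lateral movement compared with a VPN subnet.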
Service-based ZTNA implementation
In a service-based implementation, a connector is installed on the same network as the application and opens an outbound connection to the provider’s cloud, so no inbound port needs to be exposed on the application network. Users wanting to access the application are authenticated by a service in the provider’s cloud, typically against the organisation’s identity management solution such as a single sign-on (SSO) tool. Application traffic is then proxied through the provider’s cloud, which protects the application from direct access and from attacks. Since no agent is required on the user’s endpoint, this model is well suited to providing access from unmanaged devices, with the caveat that without an agent the provider has far less visibility into the device’s security posture.
Secure Access Service Edge (SASE) integrates the ZTNA controller function into the SASE point of presence (PoP), so no separate SDP connector is required. Endpoints connect to the SASE PoP, are validated there, and users are granted access only to the applications (and sites) allowed by the security policy enforced in the SASE architecture’s next-generation firewall (NGFW).
ZTNA, however, is only one component of a SASE solution. Once users are authorised and connected to the network, IT managers still need to protect against network-based threats. This requires not only the right infrastructure and optimisation capabilities to ensure a secure user experience, but also the ability to manage the entire environment. A SASE solution addresses these challenges by combining ZTNA with a comprehensive suite of security services (NGFW, secure web gateway (SWG), anti-malware, cloud access security broker (CASB) and managed detection and response (MDR)) and with network services such as SD-WAN, WAN optimisation and a private backbone.
Companies using a SASE architecture thus enjoy both the benefits of Zero Trust Network Access and a comprehensive range of network and security services in a package that is easy to manage, optimised and highly scalable.
Cato Networks’ SASE platform enables organisations to provide secure access to remote employees easily. Cato Client is an application that can be set up in minutes and automatically connects remote users to the Cato cloud. In addition, clientless access enables optimised and secure access to selected applications via a browser: users navigate to an application portal, available across all of Cato’s 57 PoPs worldwide, authenticate via the configured SSO and immediately reach the applications that have been approved for them. Both approaches use built-in ZTNA capabilities to provide secure access to specific network resources.
A zero-trust approach is essential to securing remote workers, which is why the Cato solution enables easy and effective implementation of ZTNA. Would you like to learn more? Yishay Yovel, Chief Strategy Officer of Cato Networks, shared the benefits of SASE at this year’s InfoGuard Security Lounge. Watch the video recording of his presentation.
InfoGuard’s “Zero Trust Readiness Assessment” is the right place to start when it comes to identifying the risks and potential vulnerabilities in your current zero-trust strategy and assessing how it is implemented. Among other things, we will show you which good practices have not yet been sufficiently defined or implemented in your zero-trust strategy. In addition, discrepancies are evaluated in terms of their risk-criticality. Prioritised recommendations for action are developed on this basis and solutions identified. Interested? Then we look forward to receiving your enquiry:
We will explain how zero trust can be used in OT infrastructures in another post in a few weeks. Make sure you don’t miss it by signing up for our blog update right away!