Zero Trust has become a standard approach for many organizations to secure network access for their remote workers. Based on the principle that no user, device, or application can be trusted by default, the security framework has seen rapid adoption.
However, the nature of work is changing in this post-pandemic era, and there has been a dramatic rise in hybrid work. Today, employees regularly work both in the office and remotely. Recent reports show that by the end of 2022, 53% of U.S. workers were engaging in this “hybrid” work model.
Unfortunately, current Zero Trust Network Access (ZTNA) models have yet to adapt to this changed reality. While they have proven to be valuable for protecting remote workers, this approach only covers part of the problem. Today's ZTNA solutions for remote workers are cloud-delivered, and they typically become inactive when the user is onsite, thereby reverting to less secure, perimeter-based security approaches in the LAN. This presents a major challenge in today's hybrid work world, where organizations would like to extend the security benefits of Zero Trust to all employees, not just their remote workers.
What is Zero Trust Network Access (ZTNA)?
In brief, the concept of Zero Trust requires all users, whether inside or outside an organization's network, to be authenticated, authorized, and continuously validated before accessing certain applications and data. Benefits of ZTNA include:
- Enhanced Security Posture: ZTNA operates on the principle of “never trust, always verify.” This approach reduces the chances of unauthorized access because it doesn’t implicitly trust any user or device based on network location.
- Reduced Attack Surface: By ensuring users can access only applications and resources they’re explicitly authorized for, ZTNA minimizes the potential pathways for attackers.
- Granular Control: ZTNA provides detailed control over who can access what, allowing security teams to implement and enforce fine-grained security policies.
- Continuous Trust Assessment: Unlike VPNs, which mainly authenticate users at the initial connection, ZTNA continuously evaluates the trustworthiness of a connection, considering factors like device health, user behavior, and context.
- VPN Replacement: Traditional VPN-based remote access is difficult to scale, only authenticates users at the initial connection, and provides unrestricted access to the internal network once connected. ZTNA offers cloud-native scalability, continuous trust assessment of users and devices, and fine-grained access control that allows users to access only designated applications and resources.
- Visibility: ZTNA solutions offer comprehensive visibility into who is accessing what, when, and from where. This enhanced monitoring capability is crucial for detecting and responding to suspicious activities.
At the end of the day, by adopting this approach, security teams can ensure a more robust defense against breaches, adapt to the evolving business landscape, and achieve a clearer oversight of network activities. This not only enhances the organization’s security but also reduces the administrative overhead and complexities traditionally associated with securing network access.
According to an Okta report on the state of Zero Trust security, 55 percent of organizations have already implemented a Zero Trust initiative, and 97 percent plan to launch one in the next 12 to 18 months. According to the report, as early as 2025, at least 70 percent of all new remote access deployments will be handled predominantly via ZTNA instead of VPNs of the past.
Hybrid work creates a gap in Zero Trust strategies
Despite workforces' partial migrations back to the corporate campus, Zero Trust concepts have largely not followed them onsite. Hybrid working models present a challenge for security teams because ZTNA solutions, which are designed to secure remote workers, automatically disable themselves once the user logs in to the office environment. This means that users who work onsite regress to a less secure "perimeter" approach to security. It also means that security teams must maintain two distinct and separate security stacks for their users – one for users when they work remotely and one for users when they work onsite.
Campus network security is typically powered by traditional Network Access Control (NAC), 802.1X, and VLAN-based products that assume users and devices can be fundamentally trusted within the protected corporate environment. This legacy "perimeter" security model presents a serious problem when compromised devices or malicious actors get into the network. Once trusted access is gained, they can move laterally in the network to steal data or run ransomware.
Zero Trust takes a different approach – the philosophy is to "assume breach." If organizations want to minimize their security risks, they must assume that breaches have already taken place or that it is only a matter of time before they do.
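The contrast between the two models described above, as an added example that is not from the article or from any vendor's product: a small policy evaluator in which the legacy perimeter model grants everything once a device is authenticated onto the LAN, while the Zero Trust model re-evaluates identity, per-application authorization and device posture on every request, regardless of whether the user is onsite or remote. All field names, roles, applications and the posture-age threshold are constructed for illustration.

```python
from dataclasses import dataclass

POSTURE_MAX_AGE_S = 300  # constructed: a health report older than 5 minutes is stale


@dataclass
class Session:
    user: str
    roles: set
    location: str        # "onsite" or "remote"; deliberately not a trust input
    posture_ok: bool     # result of the last endpoint health check
    posture_age_s: int   # seconds since that check
    authenticated: bool


# Constructed least-privilege map: which roles may reach which application
APP_POLICY = {
    "payroll": {"finance"},
    "wiki": {"finance", "eng"},
    "printer": {"eng", "finance"},
}


def perimeter_decision(s: Session, app: str) -> bool:
    """Legacy NAC/VLAN model: authenticate once at the network edge, then any
    device inside the perimeter reaches every resource with no further checks."""
    return s.authenticated


def zero_trust_decision(s: Session, app: str) -> tuple:
    """Per-request evaluation that ignores network location: identity, explicit
    authorization for this application and fresh, healthy device posture must all hold."""
    if not s.authenticated:
        return False, "unauthenticated"
    if app not in APP_POLICY or not (s.roles & APP_POLICY[app]):
        return False, f"{s.user} not authorized for {app}"
    if not s.posture_ok:
        return False, "device failed health check"
    if s.posture_age_s > POSTURE_MAX_AGE_S:
        return False, "posture report stale; re-assess before allowing"
    return True, "allow"


def compare_models(s: Session, app: str) -> dict:
    """Evaluate one request under both models so the gap is visible side by side."""
    allowed, reason = zero_trust_decision(s, app)
    return {"perimeter": perimeter_decision(s, app), "zero_trust": allowed, "reason": reason}


if __name__ == "__main__":
    # Constructed: an onsite engineer whose laptop failed its last health check
    alice = Session("alice", {"eng"}, "onsite", posture_ok=False, posture_age_s=60, authenticated=True)
    print(compare_models(alice, "payroll"))  # perimeter allows; Zero Trust denies (no role)
    print(compare_models(alice, "wiki"))     # perimeter allows; Zero Trust denies (posture)
```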
The unique challenges of on-premises ZTNA
Some vendors suggest that they can deliver ZTNA for on-premises workers via the cloud or via a virtual machine dropped into the local area network. There are a number of significant shortcomings to these approaches that security teams should be aware of, including:
- User-to-Application Performance: A ZTNA solution deployed in the cloud or on an edge device can introduce significant latency for private applications for a couple of reasons:
  - Inline inspection and enforcement: Inline inspection of malware or content in the cloud is slow and expensive, with all the data having to go through a single, bottlenecked point of inspection in the cloud or on the LAN.
  - Hairpinning (or tromboning): Traffic flows need to go to the cloud and back onsite, or to a single server and back.
- Local Resource Access: Headless devices on the local network, such as printers and IP phones, are difficult to reach.
- OT and IoT devices: These devices inherently cannot host a Zero Trust client, making it difficult to apply a Zero Trust model to these types of devices.
- Network traffic visibility: Without the ability to see all network traffic onsite, Zero Trust solutions cannot fully replace legacy security systems.
New approaches for a universal Zero Trust strategy are emerging
Despite these diverse challenges, new approaches are emerging that make it possible to implement a holistic Zero Trust strategy for on-premises users. These emerging solutions combine all the key principles of Zero Trust – identity validation, least privilege access, and continuous trust validation – with an additional set of capabilities that on-premises security requires – OT/IoT device awareness, adaptive micro-segmentation, and deployment at the LAN edge as close to the user as possible. IT and security leaders should consider a key set of requirements for this type of solution:
- Support for a broad set of users
  - The ZTNA solution of choice needs to be expanded to include a broad set of users, including employees but also contractors, partners, customers, visitors, patients, clients, members, and others.
- Support for a broad set of devices
  - The solution should recognize and continuously assess the trust status of corporate-owned devices such as laptops, servers, tablets, and phones.
  - In addition, the solution should apply Zero Trust to OT and IoT devices as well.
- Inline, real-time inspection and enforcement
  - It is crucial that the ZTNA solution be deployed inline in the network as close to the user as possible to apply real-time security enforcement as well as ensure acceptable user-to-application performance.
- Support for client and clientless access requests
- Broad identity support
  - Integrations with identity and access management (IAM) solutions, including Active Directory, as well as AI/ML-based behavior analysis and anomaly detection for users and devices, are needed to increase security.
- Single point of management and policy control
  - All ZTNA policies must be managed from a single window and policy repository, and all logs and analytical data should be available in a single consolidated data lake.
- Integration with broader Security Service Edge (SSE)
  - ZTNA should fit naturally as a seamlessly integrated component of a broader Internet/SaaS security suite (SSE) as well as a broader secure networking platform (Secure Access Service Edge, or SASE) for WAN edge optimization. The ZTNA solution should be integrated into the unified management platform, policy repositories, and data lakes of these suites to reduce administrative complexity and improve contextual security across these broader platforms.
ZTNA solutions proved themselves invaluable during the pandemic. But their principles are not just for securing remote work. Advanced Zero Trust solutions can support all hybrid environments in which applications are provided via the cloud to ensure the security of today’s remote and onsite workforce.
Dan Maier is the CMO at Versa Networks.