For many years, opening a small branch office wasn’t easy. It was just as complex as opening any other office or plant. For connectivity, you would order an MPLS circuit from your vendor of choice and, depending on the country, wait somewhere between 30 and 120 days. MPLS was, and still is, expensive. The high cost comes with very limited bandwidth. Why then were they so popular? First and foremost, there were few other options. Second, the level of security and control you gained as an IT person was unprecedented.
The large majority of applications an enterprise leveraged lived in the private data center of a company. In a matter of years, the rise of the "Cloud" happened, and both applications and data became distributed. As a result, the way in which you delivered and secured both the applications and data became complex and, therefore, costly and brittle. In response, Silicon Valley seized on the opportunity, and in 2014, a new technology called software-defined wide area network (SD-WAN) emerged.
This helped speed things up. Internet circuits are faster to install, and it was, therefore, quicker to get a site online. The timeframe was reduced from 120+ days to 30+ days in most cases. However, this still came with some complexity and cost. You would need a particular SD-WAN device from your chosen vendor, and someone would then need to install and configure it. More than likely, it would also need to be maintained, patched, and every so often, it would need to be replaced with new hardware.
But stop. Let's think about it. In today's new world, where users, data, and applications are distributed, not every branch location truly requires SD-WAN. SD-WAN is designed to connect users and offices to the internet and cloud-based services. However, this design expands the threat surface: it gives the branch network-level reach, so the risk of lateral movement by a malicious user, whether an insider or an external attacker, often increases. Why not do it differently? Why not treat these small offices like they are a user's home office? Why not just give users in these branch offices access over the internet to the applications they require access to?
After the pandemic, that's exactly what's needed. Now, employees may be coming into the office a few days per week, but other times they are working from home, or the in-laws, or at the local coffee shop. Employees have made clear that five days of commuting and being in the office is a thing of the past. Since that is the reality moving forward, does it make sense to invest further in SD-WAN infrastructure rather than accept the reality that the internet has become the enterprise network? What's needed now is a secure, remote access platform similar to all the other SaaS applications that are driving the business forward.
With the rise of Zero Trust Network Access (ZTNA) early on in the pandemic, it became possible to deliver on this approach. ZTNA is designed to give users access over the internet to just the applications and services they need to have access to. These services can be cloud-based or on-premise in one of the company's data centers. In this new world of remote work, this is now a proven technology that people are familiar with and understand.
Within months of emerging as a category, ZTNA capabilities were absorbed into a broader set of integrated, cloud-delivered security services called Security Service Edge.
With most ZTNA solutions, a lightweight connector is placed in front of the application, and these applications are then published to the required users. Only the application, at a granular level, is published. Users do not get full network access as they would with legacy solutions. This eliminates the lateral movement issue, significantly reducing the threat surface. The user requests access to an application, and the platform mediates the initial connection. This is key to zero trust. There are no passthrough connections allowed.
The user's identity is verified, and access is validated based on policy and context, such as user identity, device health, application type, and even the user's location. The user and device are given no network access. It should be noted that with this type of platform, the traffic should be inspected throughout the session, which means that if anything changes, such as the user's IP address changing, the user being removed from the IdP, or the device posture check failing, the access is revoked.
A good ZTNA platform will also have embedded DLP controls that disable upload and download as needed, block copy & paste of data, and can tell right away what data, if any, is being exfiltrated to an external source.
A critical capability of ZTNA solutions is per-application segmentation. Sophisticated attackers that access a server can still reach other applications running on the same server. With proper per-application segmentation, you again reduce the threat surface by delivering access to only the application, and not to the server host or the other applications running on it.
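The two mechanisms described above, a brokered access decision that is re-evaluated throughout the session, and a grant that covers one published application rather than the host it runs on, can be shown in a small policy engine. The following is an added illustration, not code from this article or from any vendor's product: the application catalogue, the policy, and the context signals (IdP status, device posture, country, source address) are constructed sample data, and the function names are assumptions made here for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample data (not from the article): applications published
# through a ZTNA connector as (host, port). Two apps deliberately share one
# host to show that a grant covers a single application, not the server.
APP_CATALOG = {
    "hr-portal": ("app01.corp.example", 8443),
    "finance":   ("app01.corp.example", 9443),
    "wiki":      ("app02.corp.example", 443),
}

# Constructed policy: entitlement by group plus the context each app demands.
# allowed_countries=None means no location restriction.
POLICY = {
    "hr-portal": {"groups": {"hr", "it"},    "compliant_device": True,  "allowed_countries": {"US", "GB"}},
    "finance":   {"groups": {"finance"},     "compliant_device": True,  "allowed_countries": {"US"}},
    "wiki":      {"groups": {"all-staff"},   "compliant_device": False, "allowed_countries": None},
}


@dataclass
class Context:
    """Signals the platform evaluates: identity and entitlements, whether the
    user is still active in the IdP, device posture, location and source IP.
    A fresh Context is supplied on every re-evaluation."""
    user: str
    groups: set
    idp_active: bool
    device_compliant: bool
    country: str
    source_ip: str


@dataclass
class Session:
    user: str
    app: str
    source_ip: str
    active: bool = True
    revoked_reason: Optional[str] = None


def evaluate(ctx: Context, app: str) -> Tuple[bool, str]:
    """One access decision. Default deny: anything not explicitly allowed fails."""
    rule = POLICY.get(app)
    if rule is None:
        return False, "application not published"
    if not ctx.idp_active:
        return False, "identity not active in IdP"
    if not (ctx.groups & rule["groups"]):
        return False, "user not entitled to application"
    if rule["compliant_device"] and not ctx.device_compliant:
        return False, "device posture failed"
    allowed = rule["allowed_countries"]
    if allowed is not None and ctx.country not in allowed:
        return False, "location not permitted"
    return True, "allowed"


def open_session(ctx: Context, app: str) -> Optional[Session]:
    """Broker the initial connection: only an allowed decision yields a session."""
    ok, _ = evaluate(ctx, app)
    return Session(ctx.user, app, ctx.source_ip) if ok else None


def reevaluate(session: Session, ctx: Context) -> Session:
    """Continuous evaluation mid-session: a changed source address, removal
    from the IdP or a failed posture check revokes the session in place."""
    if not session.active:
        return session
    if ctx.source_ip != session.source_ip:
        session.active, session.revoked_reason = False, "source address changed"
        return session
    ok, reason = evaluate(ctx, session.app)
    if not ok:
        session.active, session.revoked_reason = False, reason
    return session


def can_reach(session: Session, host: str, port: int) -> bool:
    """Per-application segmentation: an active session may only reach the one
    host:port its application is published on, never another app on that host."""
    if not session.active:
        return False
    return APP_CATALOG.get(session.app) == (host, port)


if __name__ == "__main__":
    alice = Context("alice", {"hr"}, True, True, "US", "203.0.113.10")
    s = open_session(alice, "hr-portal")
    print("hr-portal on app01:8443 ->", can_reach(s, "app01.corp.example", 8443))
    print("finance on app01:9443   ->", can_reach(s, "app01.corp.example", 9443))
    s = reevaluate(s, Context("alice", {"hr"}, True, False, "US", "203.0.113.10"))
    print("after posture failure:", s.active, s.revoked_reason)
```

The ordering inside `evaluate` is deliberate: the IdP check runs before entitlement and posture so that a deprovisioned user is refused regardless of group membership, and `reevaluate` treats a changed source address as an immediate revocation rather than re-running policy, since the session was brokered for a specific endpoint.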
Getting to this new cloud-based approach to access is a foundational change in enterprise architecture. Who knows how long the transition would have taken absent the pandemic and change in the very nature of work? But here we are, left to adapt and deal with the cards we have been dealt. At the end of the day, this new approach is better for everyone. Starting with the business, the attack surface is dramatically reduced, users are kept off the network, and every action and request is vetted and delivered in the cloud. For users, it is a familiar web interface and an intuitive SaaS experience. This is the way forward. In the cloud, security services are delivered from the edge, via the internet, no matter where the user is.
Jaye Tillson is Director of Strategy at Axis Security