The gist of traditional perimeter-based network protection boils down to a series of contrasts. It combines regular and privileged users, insecure and secure connections, as well as external and internal infrastructure segments under the same umbrella. This model creates the illusion of a trusted zone, which is typically an organization’s internal or local network. Increasingly, enterprises are turning to Zero Trust Network Access techniques to address the issue.
Why? The trusted zone is guarded by a range of perimeter protection tools: firewalls, Intrusion Detection and/or Prevention Systems (IDS/IPS), Secure Web Gateways, and many others. This principle is highly effective as long as the boundaries of protection are clearly specified and the attacker is outside of those boundaries.
What if the border of the protected perimeter cannot be clearly defined, or some corporate resources are located on external networks and must be accessed securely? What if employees need to connect to the company's infrastructure from anywhere in the world?
With the current proliferation of cloud computing (including SaaS services), virtualization, the Internet of Things (IoT), the BYOD (Bring Your Own Device) concept, and the booming remote work, which especially contributes to an increase in the number of mobile and personal devices used for work purposes, the network perimeter is becoming increasingly blurred or stretched.
Not only do internal systems and devices have to be protected, but also external ones need an extra layer of defense. As a result, the classic perimeter-centric approach is becoming obsolete.
The Zero Trust concept
In 2010, Forrester Research analyst John Kindervag introduced the concept of Zero Trust (ZT) as a refinement of the traditional approach to network perimeter protection. The basic idea behind it is that there are no safe zones or trusted users inside or outside the corporate network. Here are the postulates underlying this model in the present-day enterprise ecosystem:
- The internal enterprise network is not considered a trusted zone.
- Devices on the internal network can be installed and configured by someone other than the enterprise’s personnel.
- No users and resources can be trusted by default.
- Not all corporate digital assets are located on the internal enterprise network.
- All connections can be intercepted and modified.
- The security status of all devices and assets must be monitored, and compliance with established policies must be verified.
Note that ZT itself is merely a concept, a set of somewhat vague requirements for building corporate infrastructure security and controlling access to it. These principles can be implemented in different ways. In 2018, another Forrester expert, Chase Cunningham, proposed the Zero Trust eXtended (ZTX) approach, which makes it possible to assess the efficiency of a ZT implementation in terms of technical, structural, and organizational changes.
At this point, Zero Trust Network Access (ZTNA) is the model recognized by almost all market players. It is geared toward applying the ideas of ZT in practice. When ZTNA is in place, the range of perimeter protection tools goes beyond traditional technologies and authentication mechanisms, such as proxying, Network Access Control (NAC), and firewalls.
Additionally, the compliance of workstations and nodes with the established security policies is subject to continuous monitoring. Excellent scalability is one of the main characteristics that sets the ZTNA model apart from the traditional one.
The pillars of Zero Trust Network Access
As previously mentioned, the purpose of Zero Trust Network Access is to implement the principles of Zero Trust. That is to say, it is a model for granting tightly controlled access, both outside and inside the network perimeter, to the minimum set of resources users need to accomplish their day-to-day tasks. The fundamentals of a ZTNA-based infrastructure are as follows:
- Protected area segmentation. Instead of trying to cover the entire perimeter at once, divide it into micro-perimeters (application, device, system, network, etc.), for each of which different security policies, protections, and controls can be established.
- Mandatory encryption. All communications and network traffic must be encrypted to prevent malicious interference.
- Access control. All users, systems, applications, devices, and processes must be verified (authenticated and checked for policy compliance) every time they connect to any protected resource.
- The principle of least privilege at all levels. If minimum privileges are granted, compromising a user or system will not entail unauthorized access to the entire infrastructure.
- Total control. Continuous collection and analysis of events, behavior, and the state of all infrastructure components will ensure the early response to security incidents.
ZTNA architecture and components
The Policy Engine (PE) and the Policy Administrator (PA) are the essential logical elements of the ZTNA model. The former manages access policies at the level of the user, device, system, and application, and the latter applies assigned policies, controls access to resources, and monitors the statuses of objects and subjects of access.
The two form the Policy Decision Point (PDP), where the user or device is checked to determine if they can proceed to the next step – the Policy Enforcement Point (PEP), which is responsible for connecting to and disconnecting from the corporate resource based on commands from the PA.
This trio of components lays the foundations of a system comparable to a checkpoint. Examples of such a barrier between a user and an enterprise service are the Next-Generation Firewall (NGFW) and the Cloud Access Security Broker (CASB).
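The following Python model is an added example, not code from the original article or from any ZTNA product, that ties the five pillars listed above (per-resource micro-perimeters, mandatory encryption, per-request access control, least privilege, and continuous monitoring with an audit trail) to the PE/PA/PEP split just described. The class names, the policy fields, the sample users, devices and resources, and the IP addresses are all constructed for illustration. Note that `source_ip` is recorded for the log but never consulted when deciding: the office laptop and the same laptop at home get the same answer, while an unmanaged kiosk on the internal network is refused, and a session is revoked as soon as a re-check finds the device out of compliance.

```python
import dataclasses
from dataclasses import dataclass

# Subjects, devices and per-resource policies (constructed sample schema).
@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset
    mfa_verified: bool

@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool        # enrolled and known to the enterprise
    patched: bool
    disk_encrypted: bool
    source_ip: str       # kept for the audit trail only; never a trust signal

@dataclass(frozen=True)
class ResourcePolicy:
    resource: str                 # one micro-perimeter per resource
    allowed_roles: frozenset
    require_mfa: bool = True
    require_managed_device: bool = True
    require_tls: bool = True      # mandatory encryption

@dataclass(frozen=True)
class Decision:
    allow: bool
    reasons: tuple

class PolicyEngine:
    """PE: evaluates every request against the resource's policy; decides, never enforces."""
    def __init__(self, policies):
        self.policies = {p.resource: p for p in policies}

    def evaluate(self, subject, device, resource, tls):
        policy = self.policies.get(resource)
        if policy is None:
            return Decision(False, ("no policy for resource: default deny",))
        reasons = []
        if not (subject.roles & policy.allowed_roles):
            reasons.append("role not permitted (least privilege)")
        if policy.require_mfa and not subject.mfa_verified:
            reasons.append("mfa required")
        if policy.require_managed_device and not device.managed:
            reasons.append("unmanaged device")
        if not (device.patched and device.disk_encrypted):
            reasons.append("device posture non-compliant")
        if policy.require_tls and not tls:
            reasons.append("encrypted transport required")
        return Decision(not reasons, tuple(reasons) or ("all checks passed",))

class PolicyAdministrator:
    """PA: turns PE decisions into session grants or revocations and keeps the audit log."""
    def __init__(self, engine):
        self.engine = engine
        self.sessions = {}   # (user, device, resource) -> Decision, only while allowed
        self.audit = []      # every evaluation, allowed or denied ("total control")

    def request(self, subject, device, resource, tls=True):
        decision = self.engine.evaluate(subject, device, resource, tls)
        key = (subject.user, device.device_id, resource)
        self.audit.append((key, device.source_ip, decision.allow, decision.reasons))
        if decision.allow:
            self.sessions[key] = decision
        else:
            self.sessions.pop(key, None)   # a failed re-check revokes an existing session
        return decision

class PolicyEnforcementPoint:
    """PEP: the data-plane gate; it opens or closes only on the PA's command."""
    def __init__(self, pa):
        self.pa = pa

    def connect(self, subject, device, resource, tls=True):
        return "connected" if self.pa.request(subject, device, resource, tls).allow else "blocked"

def build_pep():
    engine = PolicyEngine([ResourcePolicy("git", frozenset({"engineer"})),
                           ResourcePolicy("payroll", frozenset({"hr"}))])
    pa = PolicyAdministrator(engine)
    return PolicyEnforcementPoint(pa), pa

# Constructed sample subject and devices; the addresses are documentation ranges.
ALICE = Subject("alice", frozenset({"engineer"}), mfa_verified=True)
OFFICE_LAPTOP = Device("lt-001", managed=True, patched=True, disk_encrypted=True, source_ip="10.0.0.5")
HOME_LAPTOP = dataclasses.replace(OFFICE_LAPTOP, source_ip="203.0.113.7")
LOBBY_KIOSK = Device("kiosk-9", managed=False, patched=True, disk_encrypted=False, source_ip="10.0.0.9")

def scenario_location_is_not_trust():
    """Compliant device inside and outside: same answer. Unmanaged device on the LAN: blocked."""
    pep, _ = build_pep()
    return (pep.connect(ALICE, OFFICE_LAPTOP, "git"),
            pep.connect(ALICE, HOME_LAPTOP, "git"),
            pep.connect(ALICE, LOBBY_KIOSK, "git"))

def scenario_least_privilege():
    """An engineer reaches git but not payroll; a resource without a policy is denied by default."""
    pep, _ = build_pep()
    return (pep.connect(ALICE, OFFICE_LAPTOP, "git"),
            pep.connect(ALICE, OFFICE_LAPTOP, "payroll"),
            pep.connect(ALICE, OFFICE_LAPTOP, "wiki"))

def scenario_continuous_verification():
    """A granted session is re-evaluated and cut once the device falls out of compliance."""
    pep, pa = build_pep()
    first = pep.connect(ALICE, OFFICE_LAPTOP, "git")
    stale = dataclasses.replace(OFFICE_LAPTOP, patched=False)   # posture changed mid-session
    second = pep.connect(ALICE, stale, "git")
    return first, second, len(pa.sessions), pa.audit[-1][3]

if __name__ == "__main__":
    print(scenario_location_is_not_trust())
    print(scenario_least_privilege())
    print(scenario_continuous_verification())
```

The design point is the separation of duties: the PE only returns a decision with its reasons, the PA owns session state and the log, and the PEP holds no policy at all, so a compromised or misconfigured enforcement point cannot widen access on its own. Unknown resources fall through to a default deny, which is what keeps a forgotten micro-perimeter from becoming an open one.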
Zero Trust Network Access deployment vectors
There are two common approaches to deploying the ZTNA model. They differ in whether or not additional software (agent) is installed on the device from which you plan to access corporate resources. This agent is responsible for authentication, establishing connections, encryption, status monitoring, and more.
In the first case, a user or device initiates a connection using a pre-installed agent. This technique has much in common with the Software-Defined Perimeter (SDP) model, which is designed to control access through authentication, identity-based access, and dynamically generated connectivity options.
The key advantages of this ZTNA architecture include complete control over devices and significant obstacles to connecting an unverified device. On the other hand, this is also a disadvantage for the enterprise because it imposes additional restrictions. The agent must be compatible with different operating systems and platform versions, or the organization has to install supported OS versions on devices and stay abreast of security updates.
Another approach is to provide ZTNA-based solutions as cloud services. In this case, a logical access boundary is created around corporate resources in the cloud infrastructure or data center so that they are hidden from the external user. Managing employee access, controlling network traffic, and scanning connected systems are accomplished through an intermediary, such as CASB.
The advantages of the ZTNA architecture as a cloud service are as follows:
- Quick and easy deployment.
- Relatively low cost.
- Centralized management.
- Decent scalability.
- No need to install additional software – consequently, this removes restrictions on connected devices and is convenient for BYOD or telework arrangements.
The main disadvantage is the lack of real-time control over points of access, which reduces the level of security. Also, the fact that pre-installed agents are missing may increase the odds of denial-of-service attacks.
Putting ZTNA into practice
Full integration of Zero Trust principles into corporate infrastructure requires rebuilding it from the ground up. This includes changing the internal network architecture, equipment, security strategies, and possibly even employees’ approach to working with the company’s digital assets. This process is a no-go for most large organizations because it is very time-consuming and costly.
The other option presupposes upgrading the existing infrastructure based on current resources and capabilities. It seems both more reasonable and feasible. To implement the principles of ZTNA successfully in this scenario, you must first fine-tune the information security strategy of the enterprise as a whole and every element of it to comply with the Zero Trust concept.
Then, an analysis of the IT infrastructure components will reveal which equipment and technologies already in use can become building blocks of ZTNA and what needs to be replaced. The following mechanisms should be implemented first:
- Identification of all users and devices.
- Access control for connected devices based on their statuses, compliance with the adopted security policies, and the results of vulnerability scans.
- Segmentation of the corporate network, including data centers.
- Access control based on BYOD principles.
- Authentication and authorization of each system, device, and user interacting with corporate web hosting services and infrastructure.
- Data access control.
- Network traffic monitoring.
That being said, companies can start implementing the ZTNA model to protect cloud resources and remote connections by combining it with traditional approaches to safeguarding the corporate perimeter.
The state of the global ZTNA market
Although the concept of Zero Trust appeared more than a decade ago, it is the events of 2020 (namely, the COVID-19 pandemic and mass transition to remote work) that became the main driving force for the development of solutions that implement the principles of ZTNA in network security.
According to Gartner, by 2023, 60% of companies are expected to abandon using VPNs to access corporate resources and will switch to Zero Trust Network Access solutions. Pulse Secure says in its 2020 Zero Trust Access Report that about 72% of responding organizations plan to harness Zero Trust ideas to mitigate information security risks.
Vendors offer solutions for implementing ZTNA principles in two main ways: as a cloud service and as a standalone tool administered and supported by the customer organization. In the second case, the solution can usually be integrated with a public cloud infrastructure.
ZTNA is also a key component of Secure Access Service Edge (SASE), a comprehensive approach to cloud security proposed by research firm Gartner in 2019. In addition to ZTNA, Software-Defined Wide-Area Network (SD-WAN), Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), and Firewall-as-a-Service (FWaaS) are mandatory components of SASE.
The concept of Zero Trust Network Access, which emerged as an adaptation of the traditional enterprise security approach to present-day circumstances, is very promising. Implementing these principles in a corporate infrastructure allows IT professionals to maintain a high level of security despite the expanding boundaries of the network perimeter due to the increased use of cloud technologies and remote work.
Predictably enough, major players in the niche of information security responded to the growing interest in the ZTNA model and released products that implement it. This market is now rife with such solutions. These are mostly cloud services that organize secure access for users and devices to corporate resources.
Despite the growing popularity of the Zero Trust concept, there are organizations for which the traditional approach to information security continues to be relevant, as neither cloud technology nor remote access is acceptable for them. For instance, this holds true for military structures, government-funded enterprises, and companies working with classified information.