Securing important resources and applications is now vital, particularly with the continued rise in cyberattacks. But, how can you manage critical new levels of security without interruptions to your business operations, creating havoc with your employees and defiling your current defenses? More and more enterprises are leveraging Zero Trust to enhance their security posture, shift their reliance from infrastructure to the cloud, and have greater access control through granular policy enforcement. So what is ZTNA and how does it differ from the traditional VPN?
What is ZTNA?
ZTNA stands for Zero Trust Network Access, a type of security model that provides secure remote access to applications and services regardless of where they are hosted. The model considers all traffic as hostile. In the context of remote user access, the model does not trust any user until verification of their identities is complete. A software-defined perimeter (SDP) between users and applications completes the ZNTA model. SDP will consider the correct user credentials and multiple contextual factors before it grants a user access.
With COVID-19, the mobile workforce has grown exponentially, which will remain that way for the foreseeable future. Remote workers are working from insecure networks or using their own devices, making them more vulnerable to cyberattacks. A CAIC report indicates that between January and June 2020, 67% of cyber breaches were the result of compromised or stolen credentials. Statistics such as these show the growing importance of adopting security models like ZTNA to protect corporate application and data.
How is ZTNA different to VPN?
ZTNA and VPN serve a similar purpose of providing secure remote access. However, there are critical differences between the two types of technologies.
1. Network Access vs Identity-based and Application access
Most VPN solutions use IP-based access control (i.e. source, destination IP address and protocol) to create access policies. An issue with these solutions is that the IP address does not provide much information about a user and frequently changes, making it difficult to tell all the users apart and track them, and often requires complex configuration such as separate IP allocation for different user groups. Access policies based on protocols also provides minimal granularity with regards to what applications users can access as many modern applications share the same sets of protocols and ports.
On the other hand, ZTNA uses SDP to control access based on the user’s identity and application. ZTNA enables the development of more granular policies and gives users access only to sanctioned applications. Furthermore, the level of access provided depends on a risk assessment of contextual information, such as a device’s security posture and location.
2. Appliance-based v Cloud-delivered
Another common issue coming from an appliance-based solution like VPN is scalability and management overheads.
Typically, datacentres and head offices often require the deployment of VPN appliances. Users connect their VPN clients to the applicances to access corporate resources. Users may need to switch between VPN connection points, depending on the location of the resources or what the core network needs to support a single VPN entry point for resources across multiple sites. As the underlyinginfrastructure for VPN is often under or over-provisioned, this can result in businesses failing to meet their goals, poor user experience and excessive overheads.
Unlike VPN, ZTNA is not bound by infrastructure or a location. It is a cloud-based service whereby you can have the flexibility of scaling up and down on a needs-by-needs basis. Behind the scene, your service provider will take care of the underlying infrastructure and maintenance. Your IT team will be relieved from capacity planning, hardware/software ordering, deployment and ongoing maintenance.
How does ZTNA relate to SASE?
The SASE architecture aims to address network and security issues relating to the increasing reliance on the Cloud and mobility adoption. SASE enables applications and services to reside in the Cloud and on-prem, and permit users to work anywhere. The two critical elements of SASEtecture are identity-driven and securing all edges, including the mobile workforce. As part of the core features of SASE, ZTNA provides identity-based authentication, context-based access control and secure remote access from a mobile workforce.
Taking you further…
Whether you are looking at a standalone ZTNA solution or a full SASE architecture, you should also consider inspection capability. A ZTNA solution should not just play the role of granting user access, but also continuously monitor user traffic for any abnormal or malicious activity. Another aspect to look at is how well you can integrate your existing solutions and minimise complexity and silos. ZTNA will not cover every security aspect, but it should form part of your collective solutions to achieve better cybersecurity.