Zero Trust Network Access - ZTNA

What is Zero Trust Network Access (ZTNA)?

  • Zero Trust Network Access (ZTNA) is an IT security solution that provides secure, least-privileged access to an organization's data, resources/applications and services based on defined access control policies of Who, What, When, Why and How, with visibility. ZTNA is all about micro-segmented remote access, which narrows down the attack surface and thus improves the organization's cybersecurity posture. In simple terms, ZTNA is dynamic security with no trust issues that leaves hackers facing uncertainty.

Core features of Zero Trust Network Access (ZTNA)?

  • The Core Features of ZTNA include:
    • Extended Identity for Endpoints
    • Role based Access Control
    • Device Trust
    • Universal Protocol support
    • Resources invisible on Internet
    • Protect both User-to-App traffic (North-South) as well as App-to-App traffic (East-West)
    • Defense in depth through multi-layered verification

Key Zero Trust Frameworks & Product Architectures

  • Zero Trust Frameworks are strategic guidelines that outline the principles and practices for implementing Zero Trust security. They provide a high-level roadmap without being specific to any particular technology or product. Notable examples of Zero Trust Frameworks include the NIST SP 800-207 document and the CISA Zero Trust Maturity Model.
  • NIST SP 800-207: Zero Trust Architecture - This influential document, created by the National Institute of Standards and Technology, outlines the core principles of Zero Trust and provides a comprehensive reference model.
  • CISA Zero Trust Maturity Model - Developed by the Cybersecurity & Infrastructure Security Agency, this model defines five pillars for implementing Zero Trust and offers a staged approach for organizations to assess their progress.
  • On the other hand, Zero Trust Product Architectures are technical blueprints that detail how specific products incorporate Zero Trust principles. These architectures explain how different technologies and components work together to achieve the desired level of Zero Trust security. Typically, individual security vendors create these architectures for their ZTNA (Zero Trust Network Access) or other Zero Trust-related products.
  • 1. Zero Trust Network Access (ZTNA) architectures - Various security vendors offer ZTNA products, each with its own unique technical architecture. These architectures typically involve components such as user authentication gateways, policy engines, and secure tunnels for application access. For detailed information on specific ZTNA vendor architectures, refer to their documentation.
    • Software Defined Perimeter
    • Zero-Trust Overlay Network
    • Identity Aware Proxy
    • Privileged Access Management
    • Host-based Firewall Control
    • Identity Defined Network
  • 2. Cloud Access Security Broker (CASB) architectures - CASBs can be utilized to enforce Zero Trust principles for cloud applications. CASB architectures encompass components for policy enforcement, data security, and API access control. To understand the product architectures of specific CASB vendors, consult their documentation.
  • Remember, frameworks and product architectures play distinct roles in implementing Zero Trust security. Frameworks provide strategic guidance, while product architectures offer technical blueprints for specific products.

Foundation of Zero Trust or ZTNA Pillars

  • Five CISA Pillars:
    • Identity: This pillar emphasizes the importance of robust identity management through the implementation of Multi-Factor Authentication (MFA) and precise access controls based on user identity.
    • Devices: Ensuring the security and well-being of devices that connect to the network is of utmost importance. This entails implementing measures for endpoint security and conducting compliance checks.
    • Network, Data, and Applications (Workloads): This pillar encompasses various aspects such as network segmentation, data protection through encryption and classification, and implementing access controls for applications.
    • Visibility and Analytics: Gaining a comprehensive understanding of user activity, network traffic, and potential threats is crucial for effective security measures.
    • Automation and Orchestration: Streamlining operations and reducing human error can be achieved through the automation of security tasks and workflows.
  • Seven Broader Pillars:
    In addition to the five pillars mentioned by CISA, some resources define a broader view of Zero Trust Architecture (ZTA) with two additional pillars:
    • Securing the Workforce: Educating and training employees on best practices in cybersecurity plays a vital role in establishing a strong security posture.
    • Safeguarding Workload Integrity: Protecting applications and workloads from vulnerabilities and attacks is a significant aspect of Zero Trust.

Zero Trust Design Principle

  • The fundamental concept of Zero Trust security centers around the principle of "never trust, always verify." This cautious approach gives rise to several crucial design principles:
    • Continuous Verification: No entity, whether it is a user, device, application, or service, is inherently trusted. Each attempt to access a resource necessitates rigorous authentication and authorization. This verification process occurs consistently, not just during the initial login.
    • Least Privilege Access: Users and devices are only granted the minimum level of access required to carry out their tasks. This principle reduces the potential damage in the event of a breach, as a compromised account would have limited access to steal or manipulate data.
    • Assume Breach: Security is designed with the assumption that a breach has already taken place or is inevitable. This mindset prioritizes limiting the impact of an attack and preventing lateral movement within the network.
    • Context-Aware Access: Access decisions are based on various contextual factors beyond just identity. These factors may include location, device health, time of day, and the specific application being accessed.
    • Microsegmentation: The network is divided into smaller segments with restricted access between them. This makes it more challenging for attackers to move laterally within the network, even if they manage to gain access to one segment.
  • By adhering to these design principles, Zero Trust aims to establish a more secure and adaptable security posture for modern IT environments.

Key components of a Zero Trust architecture?

  • The key components of a Zero Trust architecture include:
    • Identity and access management (IAM): IAM is used to verify the identity of users and devices before granting access to resources.
    • Microsegmentation: Microsegmentation is used to segment the network into smaller, more secure zones.
    • Risk-based access control: Risk-based access control is used to grant access to resources based on the risk associated with the user or device.
    • Continuous monitoring: Continuous monitoring is used to detect and respond to threats in real time.

How does ZTNA work?

  • Traditional methods of remote access, such as VPNs, can pose security risks. However, ZTNA (Zero Trust Network Access) addresses this issue by providing secure access to specific applications and resources rather than granting access to the entire network. Here is a breakdown of how ZTNA works:
  • Key principles:
    • Never trust, always verify: Unlike VPNs, ZTNA does not automatically grant access based on network connectivity. Instead, every user and device undergoes continuous authentication.
    • Least privilege access: Users are only given access to the applications or resources necessary for their job, reducing the potential impact of a security breach.
  • The ZTNA workflow:
    • User initiates access: A remote user attempts to access an internal application.
    • Authentication: The ZTNA service verifies the user's credentials and device. Additional factors like location may also be taken into account.
    • Policy check: The ZTNA service examines pre-defined access control policies to determine if the user is authorized for the requested application.
    • Secure tunnel creation: If authorized, a secure encrypted tunnel is established between the user's device and the specific application.
    • Access granted: The user can now access the application without being directly connected to the organization's network.
  • By implementing ZTNA, organizations can enhance their remote access security and mitigate potential vulnerabilities.
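The workflow above as a constructed policy-engine example (added here; not COSGrid's code or any vendor's product). It assumes a per-application policy table covering role, MFA, device posture, location and time of day; every request is re-evaluated, and a grant covers one application only, never the network.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Constructed sample policy table: one entry per application (What), with the
# Who / When / How conditions the page describes. Apps absent from the table are
# simply not reachable, which is how "resources invisible on Internet" behaves.
APP_POLICIES = {
    "payroll": {"roles": {"finance"}, "mfa": True, "managed_device": True,
                "hours": (8, 18), "countries": {"IN", "US"}},
    "wiki":    {"roles": {"finance", "engineering"}, "mfa": False,
                "managed_device": False, "hours": None, "countries": None},
}

@dataclass
class AccessRequest:
    user: str
    roles: Set[str]
    mfa_passed: bool
    device_compliant: bool   # endpoint posture result (Device Trust pillar)
    country: str
    hour: int                # local hour of day, 0-23
    app: str                 # the single application being requested

def evaluate(req: AccessRequest) -> Tuple[bool, str]:
    """Policy check run for every request (continuous verification), not just at login."""
    policy = APP_POLICIES.get(req.app)
    if policy is None:
        return False, "unknown application: not in policy, so not exposed"
    if not req.roles & policy["roles"]:
        return False, "role not authorized for this application (least privilege)"
    if policy["mfa"] and not req.mfa_passed:
        return False, "MFA required"
    if policy["managed_device"] and not req.device_compliant:
        return False, "device failed posture check"
    if policy["countries"] and req.country not in policy["countries"]:
        return False, "location outside allowed countries"
    if policy["hours"]:
        start, end = policy["hours"]
        if not start <= req.hour <= end:
            return False, "outside permitted hours"
    # Allow: the broker opens a tunnel to this one app, not to the LAN.
    return True, "tunnel to %s only; no network-level access" % req.app

if __name__ == "__main__":
    ok = AccessRequest("alice", {"finance"}, True, True, "IN", 10, "payroll")
    print(evaluate(ok))
    # Same credentials, non-compliant device: stolen credentials alone are not enough.
    bad_device = AccessRequest("alice", {"finance"}, True, False, "IN", 10, "payroll")
    print(evaluate(bad_device))
```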

What are the interesting use cases where we can implement Zero Trust Network Access?

    • Secure Remote Access to workloads
    • Alternative to VPN Access
    • Workloads micro-segmentation
    • Application Dependency
    • Multi-cloud/ Enterprise / Cloud workloads protection

What are the problems faced by VPN / traditional secure access?

  • VPNs have historically served a valuable purpose, but they come with drawbacks that are more pronounced in today's remote work environment. Here are the challenges faced by traditional security access methods like VPNs:
  • Security Weaknesses:
    • All or Nothing Access: VPNs provide access to the entire internal network once connected, creating a large attack surface if credentials are compromised.
    • Limited Granular Control: VPNs cannot restrict access to specific applications or resources, posing a risk for users needing access to sensitive data.
    • Vulnerable to Compromised Credentials: Stolen VPN credentials can grant attackers access to the entire network.
    • Increased Risk of Lateral Movement: Attackers can easily move laterally within the network once inside via VPN.
  • Scalability and Performance Issues:
    • Limited Capacity: Traditional VPN appliances may struggle to support a large number of remote users due to limited capacity.
    • Performance Bottleneck: Routing all traffic through a central VPN server can lead to performance issues, especially for bandwidth-intensive applications.
  • User Experience Challenges:
    • Complexity: Setting up and using VPNs can be complex, leading to potential security risks if users resort to workarounds.
    • Connectivity Issues: VPN connections can be unreliable, impacting user productivity.
    • Limited Device Compatibility: Not all devices are compatible with VPNs, which can be problematic for a mobile workforce using personal devices.
  • While VPNs may be useful, they are not fully equipped to secure today's dynamic and cloud-based IT environments. Zero Trust Network Access (ZTNA) provides a more secure and adaptable approach for granting remote access.

Are ZTNA and VPN the same?

  • VPN: Virtual Private Network, now becoming a Vital Portal of Node to hackers. VPN uses a point-to-point (P2P) connection or encrypted "tunnel" to protect an internal endpoint's IP address from being exposed publicly while still allowing a direct connection. VPNs were primarily used to grant complete access to a LAN, offering a private, encrypted tunnel for remote employees to connect to the corporate network. But it lacks the flexibility and coherency to control and monitor exactly what users can do and which apps they can access. Once a user is granted access, they can access anything on the network, leading to security gaps and policy enforcement issues.
  • ZTNA: Zero Trust network security works in direct contrast to the VPN model. Instead of establishing a small boundary within the network, zero trust protects the entire network's security and, more specifically, the information assets within it by individually verifying each user and device before granting access to a given application. In zero trust, authorization and authentication happen continuously throughout the network, rather than just once at the boundary. This model restricts unnecessary lateral movement between apps, services and systems, accounting for both insider threats and the possibility that an attacker might compromise a legitimate account. Limiting which parties have privileged access to sensitive data greatly reduces opportunities for hackers to steal it.

How does Zero Trust differ from traditional security models?

  • Traditional security models focus on protecting the perimeter of the network. However, Zero Trust takes a different approach by assuming that no one is trusted, even if they are inside the network. This means that all users and devices are subject to the same level of scrutiny, regardless of where they are located.

Benefits of Zero Trust

  • Zero Trust has many benefits, including:
    • Increased security: Zero Trust helps to protect organizations from a wide range of threats, including malware, ransomware, and data breaches.
    • Reduced complexity: Zero Trust simplifies security by eliminating the need for complex perimeter security measures.
    • Improved agility: Zero Trust makes it easier for organizations to adapt to change, such as the increasing use of cloud computing and remote work.
    • Reduced costs: Zero Trust can help organizations reduce their security costs by eliminating the need for expensive perimeter security measures.

Challenges in ZTNA deployments?

  • ZTNA is easy to deploy considering it has a completely automated workflow and doesn't depend on hardware appliances like VPN gateways. The challenges come in when enterprises encounter various product architectures from different vendors. This means there is some confusion about which capabilities are baseline requirements and which are augmented product features.
    • Cost: Zero Trust can be expensive to implement, especially for large organizations.
    • Complexity: Zero Trust can be complex to implement and manage, especially for organizations with complex IT environments.
    • Culture: Zero Trust requires a change in security culture, as it requires organizations to move away from a perimeter-based security model.

Key ZTNA Product Considerations Parameters

  • Agent Type: Agent-based or Agent-less
  • Deployment Model: Gateway mode or Enclave model
  • Proxy-centric (the proxy can be dedicated or shared, like an SSE PoP), relay dependent or independent, or Direct (peer to peer)
  • Universal protocol support, or limited to HTTP(S), RDP, SSH etc.
  • North-South only (User to App), or includes East-West (User to App & App to App)
  • TLS based, or UDP/TCP tunnels with pinholing
Copyright 2023 © COSGrid Systems Pvt. Ltd., All Rights Reserved