Even acknowledged security experts cannot say for sure what prevails in the Zero Trust Network Access (ZTNA) concept – a real technological foundation or marketing hype invented by vendors to boost sales. Let’s try to eliminate this ambiguity and understand if there is a separate category of Zero Trust solutions or if all the principles of this digital philosophy can be implemented with existing products.
Differences between Zero Trust and ZTNA
The Zero Trust security model emerged more than a decade ago. As is the case with virtually any concept, though, it does not specifically say what to do. Defined by Gartner in 2018, the term ZTNA refers to a technology that allows Zero Trust ideas to be put into practice. It provides rigid access controls for users outside an organization and those who are inside the company’s network environment. Importantly, every individual gets the minimum level of privileges required for their work.
ZTNA emerged in response to two recent trends: the overwhelming evolution of public cloud services and the mass shift to remote working. Furthermore, today’s IT environment is growingly dynamic. It is noteworthy that ZTNA can be viewed as a set of functions implemented with various products already available on the market. Unsurprisingly, some vendors deliberately tie their technology stack to this acronym in order to increase their customer audiences.
Many analysts think of this tech as a subdomain of Zero Trust architecture – the initial but not the only building block of the whole concept. Historically, the Zero Trust model was based on several principles, such as narrowing down the perimeter to the level of data. It was at this level that the decision to grant access to a user, an application, or a process became necessary.
Again, the idea behind the Zero Trust strategy is primary, and ZTNA as well as other frameworks that came later are implementations of what this concept can offer in practical terms. Although the underlying approach surfaced a long time ago, each company still interprets it in its own way. Therefore, the implementations of ZTNA may differ across the board. To an extent, these differences relate to the set of software products and equipment already used by the organization.
Here is another common perspective: the primary goal of Zero Trust Network Access is to boil down the perimeter to an elementary “application – user” or “application – service” pair. In this scenario, such basic interaction actually becomes the perimeter.
Whereas specialists used to rely on the paradigm of blacklists and whitelists of processes and users, it is now difficult to keep a record of prohibited and allowed entities because of their sheer number. This fact became a major catalyst for the debut of the Zero Trust model, where the decision to grant relevant permissions is made at the moment the resource is being accessed.
Is it possible to build a Zero Trust system from scratch?
Do Zero Trust systems match the advertised concept? Is it possible to build an architecture in which the same rules apply to all users, or is the emergence of privileged accounts inevitable? How do we model threats in a network with no trusted connections, given that ZTNA assumes events are already happening according to the worst possible scenario? This section will provide the answers.
ISPs have used this approach to interact with their customers for quite some time. That being said, if we dwell on the foundation for creating a system with the Zero Trust idea at its core, then the confidence in the Internet service provider, the hardware or software vendor, or the cloud service operator comes to the fore. One of the ways to build this trust is to hire a third party that will impartially check the protection mechanisms and the implementation of user roles with elevated access privileges.
Threat modeling remains relevant for such systems because the intruder model is an integral component of this process. It is necessary to describe the actions of a potential attacker who has a minimum level of permissions. In other words, the Zero Trust concept is simply a modification of a threat model rather than its replacement.
ZTNA implementation scenarios in a corporate infrastructure
To ensure cross-platform compatibility, it is best to build a system without software agents. The use of thin clients and web access makes it easier to maintain and update the solution while simplifying the connectivity and addressing the issue of perimeter fuzzing. Despite some handy features, which are especially useful from an auditing perspective, agents may cause a lot of problems. Therefore, it is wise to accept some loss of control over devices but get a simpler and more secure system.
In a digital infrastructure that leverages a risk-based security approach, different controls should be applied for accessing different data and resources. For example, some of the sales staff in the company may not use mobile device management (MDM) agents, but they still have access to some of the internal services they need. At the same time, some employees need the client part along with an endpoint detection and response (EDR) solution to do their job.
It isn’t possible to completely abandon the use of software agents, because the functionality of ZTNA will be severely reduced in that case. The basic idea of Zero Trust access is to organize a session monitored in real time. This is difficult to achieve without an agent.
The “classic” equipment options a company may use for remote access include a fully managed corporate laptop, on the one hand, and a barely controlled home device belonging to an employee, on the other hand. The former can run a ZTNA agent along with other endpoint protection tools, and the latter should establish access without using a software agent.
A completely agent-less scheme is unlikely to emerge anytime soon, as agents are often required to maximize session validity. However, in the current technology climate, vendors should be able to organize the effective work of their customers without the reliance on agents.
Context sources for ZTNA
When deciding to grant or deny access under the ZTNA umbrella, a system must take into account several parameters related to the context of the current connection. Here are the most common parameters:
- Network context – connection type, network type, geolocation, and Network Access Control (NAC) details.
- Device context – software installed on the device, default language, and the status of software updates.
- User context – verification, correlation of access with the user’s role in the organization, and specific tasks the employee fulfills (for example, business trips).
- Business context – a particular employee’s duties in his or her department.
- Security context – correlation of data received from a device with specific indicators of compromise.
- Information about vulnerabilities at the network and application layers.
How to deploy ZTNA
Implementing the Zero Trust security model is always a paradigm shift and a kind of revolution within a company. It also implies leaving the comfort zone to an extent. Therefore, you should first and foremost procure unanimous support of this idea from your colleagues and senior management. Then, you can formulate a strategy and assess the associated risks.
The next step is to create usage scenarios and define different user roles along with the resources they need. You should also select the tools required to modify the existing infrastructure and bring it into conformity with the ZTNA concept.
It is important to pay special attention to the first, small steps on the way toward establishing the Zero Trust concept within the enterprise. In particular, a good starting point is to depart from using IP addresses in security policies and switch to the verification of each user, implement network segmentation, and abolish the separation of users into local and remote.
Enforcing effective user verification controls is hugely important because about 70% of breaches occur due to the lack of a proper authentication system. It is important that the initial stages of ZTNA implementation demonstrate a quick return on investment. In addition, do not forget that migration to new technologies should be done gradually rather than overnight.
The Zero Trust Network Access architecture is part of the Zero Trust concept, but the technological implications of this term may vary depending on the vendor, system integrator, or a specific expert’s position in an organization. The ideas that are implemented under the ZTNA banner originally appeared in InfoSec products more than 10 years ago, but they have been presented in a single marketing “wrapping” for a relatively short time.
In most cases, it is possible to create a Zero Trust model through tools that a company is already using. Therefore, this concept is not attached to a specific vendor, but it requires seamless interoperability of different security products.