How Does ZTNA Work?
Zero trust aims to eradicate the inherited trust in a way that doesn’t harm user experiences or productivity.
It does that by allowing users to access only to the resources their role demands, and all access requests are strictly and repeatedly verified. The Principle of Least Privilege (PoLP) is core to ZTNA: user access and permissions are granted to only what you need to do your job.
For instance, remote users in the sales department may be granted read-only permissions to customer data within Salesforce, but are locked out of interacting with the codebase on GitHub.
Universal PoLP would demand the opposite setup for DevOps staff.
Streamlining this across an organization demands a thorough understanding of what each account requires. This principle also applies to non-human resources, such as:
- Systems
- Applications
- Devices
- Processes
By assigning these resources only the permissions required for their authorized activities, access rights are effectively minimized and controlled. It’s also the difference between ZTNA and VPN:
- VPNs simply establish an encrypted tunnel between the enterprise’s VPN server and the on-device client, regardless of underlying account behavior.
- ZTNA takes the device’s security status into account before issuing access to the individual resource.
This, too, is different – rather than granting access to the entirety of a connected network, ZTNA provides isolated access to only the requested resource.
How to Implement Zero Trust Network Access
From a CISO’s perspective, it’s vital to balance high-security verification while ensuring the customer and user experience is maintained. The end goal of ZTNA security is to have each access request carefully evaluated against established access policies; this should check factors like:
- The current status of the user’s credentials
- Whether the device posture meets the company’s security standards
- The specific application or service being requested
Step 1: Understand Who’s Who
Zero trust requires you to know who is accessing what. The first step of any zero trust implementation is focused on establishing a clear picture of the users, devices, and workloads that make up your corporate network.
To achieve this, many organizations opt for a corporate identity provider.
This allows for all employees, customers, and contractors to be pulled into the security ecosystem and individually accounted for. It also sets the foundation for a consistent method of enforcing authentication. While this provides granular visibility for users, it doesn’t grant inventory for all services that communicate over a network.
This can be achieved through network scanning – either inhouse, or via a third-party asset management tool. With this level of granularity, it becomes possible to identify your attack surface. Throughout the following steps, ensure you prioritize the most valuable digital assets.
The DAAS approach below breaks it down nicely into four steps:
- Data: What needs to be protected?
- Applications: Which applications handle sensitive information?
- Assets: What are your most critical assets?
- Services: Which services could a malicious actor target to disrupt normal IT operations?
Step 2: Leverage Secure Network Controls
A zero trust framework only provides users access according to the PoLP. All other users are essentially cut off from the vast swathes of the entire network that they have no business accessing.
So, how do you cut off all unnecessary inbound access?
Harmony SASE achieves this by establishing a secure gateway: all access requests are filtered via this gateway, which first establishes the role of the user and the associated resources they have access to. All unauthorized devices are automatically prevented from gaining access, and the individual nature of each connection means that no device has visibility into other ongoing connections.
Implementing this secure connection protocol looks a little different depending on the application being secured. There are two major application types:
- Self-hosted. The SASE gateway’s zero trust tunnel can be established between the application and the firewall’s policy layer.
- SaaS. SaaS access can be regulated with IP address whitelisting: this means that your SaaS solution can only accept requests that originate from the verified SASE gateway.
Step 3: Implement NGFW Protection
With a secure form of access established, it’s time to establish who is able to access what.
Whether self-hosted or SaaS-based, all network requests are routed via a Next-Gen Firewall. The NGFW can employ HTTPS inspection and TLS decryption to examine each packet of data. Alongside this, stateful inspection allows for a user and device’s behavior to be examined before access is granted.
With these tools in hand, ZTNA can be achieved!
From there, it’s important to continuously iterate: keeping a close eye on firewall logs helps to determine whether access policies are well-balanced. An outward-facing threat intelligence lens can further refine it, but this is becoming an increasingly demanding to-do list.
This is why a Secure Access Service Edge (SASE) solution may offer the most efficient way to implement ZTNA and innovate upon it within your organization.
Benefits of ZTNA
ZTNA enables organizations to implement a zero trust security model within their network ecosystems. This can be applied to a number of use cases and improves the organization’s security posture.
In the wake of COVID-19, most organizations have shifted to a mostly or wholly remote workforce. Many companies are using virtual private networks (VPNs) to support this. However, VPNs have a number of limitations, including scalability and their lack of integrated security.
One of the biggest issues with VPNs is that they grant an authenticated user complete access to the network, which increases the company’s exposure to cyber threats. ZTNA, implemented as part of a software-defined WAN (SD-WAN) or secure access service edge (SASE) solution, provides the ability to integrate ZTNA into a remote access solution, reducing remote workers’ access to the network to only what they require for their jobs.
Most organizations are embracing cloud computing, and many enterprises have multiple cloud platforms. To reduce their attack surface, organizations need to limit access to these cloud-based resources.
ZTNA enables an organization to limit access to their cloud environments and applications based upon business needs. Each user and application can be assigned a role within the ZTNA solution with the appropriate rights and permissions associated with the organization’s cloud-based infrastructure.
- Minimized Risk of Account Compromise
Account compromise is a common goal of cybercriminals. An attacker will attempt to steal or guess a user’s account credentials and use them to authenticate as the user to the organization’s systems. This provides the attacker with the same level of access as the legitimate user.
Implementing ZTNA helps to minimize this level of access and the damage that an attacker can cause using a compromised account. The attacker’s ability to move laterally through an organization’s ecosystem is limited by the rights and permissions assigned to the compromised user account.
Choose Full-Enterprise Zero Trust with Harmony SASE
Your network isn’t the only surface that needs to adhere to zero trust principles.
Communication channels and endpoints all require continuous, ongoing protection – and the principle of zero trust can be applied to all.
Check Point’s Harmony SASE goes one step further with a full-mesh network architecture that provides zero trust protection across every access point, for every user. Identity-centric security policies combine the real-term resource requirements of every team, with continuous verification to identify and stop suspicious behavior.
Discover how Harmony SASE grants zero-trust protection, in-depth reporting, and high performance with a demo today.
Feedback