What Is Zero Trust Network Access (ZTNA)?

The zero trust model describes the security principle of “never trust, always verify”. Zero Trust Network Access (ZTNA) is a way of implementing this security model across an enterprise’s access points. In practice, this is based on the Principle of Least Privilege (PoLP), which says that users should only be able to access the resources they require for their day-to-day work.


How Does ZTNA Work?

Zero trust aims to eliminate inherited trust in a way that doesn't harm user experience or productivity.

It does that by allowing users to access only the resources their role demands, and every access request is strictly and repeatedly verified. The Principle of Least Privilege (PoLP) is core to ZTNA: access and permissions are granted only for what a user needs to do their job.

For instance, remote users in the sales department may be granted read-only permissions to customer data within Salesforce, but are locked out of interacting with the codebase on GitHub.

Universal PoLP would demand the opposite setup for DevOps staff.

Streamlining this across an organization demands a thorough understanding of what each account requires. The principle also applies to non-human resources, such as:

  • Systems
  • Applications
  • Devices
  • Processes

By assigning these resources only the permissions required for their authorized activities, access rights are effectively minimized and controlled. This is also the difference between ZTNA and a VPN:

  • A VPN simply establishes an encrypted tunnel between the enterprise's VPN server and the on-device client, regardless of the behavior of the underlying account.
  • ZTNA takes the device's security status into account before granting access to the individual resource.

The scope of access also differs: rather than granting access to the entirety of a connected network, ZTNA provides isolated access to only the requested resource.

How to Implement Zero Trust Network Access

From a CISO's perspective, it's vital to balance strong verification against maintaining the customer and user experience. The end goal of ZTNA security is to have each access request carefully evaluated against established access policies; this evaluation should check factors like:

  • The current status of the user’s credentials
  • Whether the device posture meets the company’s security standards
  • The specific application or service being requested

Step 1: Understand Who’s Who

Zero trust requires you to know who is accessing what. The first step of any zero trust implementation is focused on establishing a clear picture of the users, devices, and workloads that make up your corporate network.

To achieve this, many organizations opt for a corporate identity provider. 

This allows for all employees, customers, and contractors to be pulled into the security ecosystem and individually accounted for. It also sets the foundation for a consistent method of enforcing authentication. While this provides granular visibility for users, it doesn’t grant inventory for all services that communicate over a network.

This can be achieved through network scanning, either in-house or via a third-party asset management tool. With this level of granularity, it becomes possible to identify your attack surface. Throughout the following steps, ensure you prioritize the most valuable digital assets.

The DAAS approach below breaks this down into four questions:

  1. Data: What needs to be protected?
  2. Applications: Which applications handle sensitive information?
  3. Assets: What are your most critical assets?
  4. Services: Which services could a malicious actor target to disrupt normal IT operations?

Step 2: Leverage Secure Network Controls

A zero trust framework only provides users access according to the PoLP. All other users are essentially cut off from the vast swathes of the entire network that they have no business accessing.

So, how do you cut off all unnecessary inbound access? 

Harmony SASE achieves this by establishing a secure gateway: all access requests are filtered via this gateway, which first establishes the role of the user and the associated resources they have access to. All unauthorized devices are automatically prevented from gaining access, and the individual nature of each connection means that no device has visibility into other ongoing connections.

Implementing this secure connection protocol looks a little different depending on the application being secured. There are two major application types:

  • Self-hosted. The SASE gateway’s zero trust tunnel can be established between the application and the firewall’s policy layer.
  • SaaS. SaaS access can be regulated with IP address whitelisting: this means that your SaaS solution can only accept requests that originate from the verified SASE gateway.
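As an added illustration (not Check Point's code or part of this page), the following Python sketches the two controls described above: a per-request policy decision that checks credential status, device posture and the specific resource being requested (with sales granted read-only Salesforce access and DevOps granted GitHub access, as in the example roles earlier), and a SaaS-side allowlist that accepts only requests arriving from the gateway's egress range. The roles, resources and IP range are constructed example values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed role-to-resource policy (example values, not any real deployment).
# Each role lists only the resources it needs and the actions allowed on each (PoLP).
POLICY = {
    "sales": {"salesforce": {"read"}},
    "devops": {"github": {"read", "write"}},
}

# Constructed egress range of the verified SASE gateway (documentation address space).
GATEWAY_EGRESS = ipaddress.ip_network("203.0.113.0/29")


@dataclass
class AccessRequest:
    user: str
    role: str
    credentials_valid: bool  # e.g. session not expired or revoked
    device_compliant: bool   # device posture meets the company baseline
    resource: str            # the single application being requested
    action: str


def evaluate(req: AccessRequest) -> tuple[bool, str]:
    """Decide one request. Every request is verified; no access is inherited
    from a previous decision or from simply being 'on the network'."""
    if not req.credentials_valid:
        return False, "credentials not valid"
    if not req.device_compliant:
        return False, "device posture below company standard"
    allowed = POLICY.get(req.role, {}).get(req.resource)
    if allowed is None:
        # Isolated access: a role reaches only its own resources, nothing else.
        return False, f"role {req.role!r} has no access to {req.resource!r}"
    if req.action not in allowed:
        return False, f"action {req.action!r} not permitted on {req.resource!r}"
    return True, "allowed"


def saas_accepts(source_ip: str) -> bool:
    """SaaS-side allowlist: accept only requests arriving via the gateway,
    so the SaaS application cannot be reached by bypassing the ZTNA path."""
    return ipaddress.ip_address(source_ip) in GATEWAY_EGRESS
```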

Step 3: Implement NGFW Protection

With a secure form of access established, it’s time to establish who is able to access what.

Whether self-hosted or SaaS-based, all network requests are routed via a Next-Gen Firewall. The NGFW can employ HTTPS inspection and TLS decryption to examine each packet of data. Alongside this, stateful inspection allows for a user and device’s behavior to be examined before access is granted.

With these tools in hand, ZTNA can be achieved!

From there, it's important to continuously iterate: keeping a close eye on firewall logs helps to determine whether access policies are well-balanced. An outward-facing threat intelligence lens can refine them further, but this to-do list grows increasingly demanding.

This is why a Secure Access Service Edge (SASE) solution may offer the most efficient way to implement ZTNA and innovate upon it within your organization.

Benefits of ZTNA

ZTNA allows organizations to implement a zero trust security model within their network ecosystems. This can be applied to several use cases and improves the organization's security posture.

  • Secure remote access

In the wake of COVID-19, most organizations have shifted to a largely or fully remote workforce. Many companies are using virtual private networks (VPNs) to support this. However, VPNs have a number of limitations, including scalability and a lack of integrated security.

One of the biggest problems with VPNs is that they grant an authenticated user full access to the network, which increases the company's exposure to cyber threats. ZTNA, deployed as part of a software-defined WAN (SD-WAN) or Secure Access Service Edge (SASE) solution, makes it possible to integrate ZTNA into a remote access solution, reducing remote workers' network access to only what they require for their jobs.

  • Secure cloud access

Most organizations are adopting cloud computing, and many companies have multiple cloud platforms. To reduce their attack surface, organizations must limit access to these cloud-based resources.

ZTNA allows an organization to limit access to its cloud environments and applications according to business needs. Each user and application can be assigned a role within the ZTNA solution, with the appropriate rights and permissions associated with the organization's cloud-based infrastructure.

  • Minimized risk of account compromise

Account compromise is a common goal of cybercriminals. An attacker will attempt to steal or guess a user's account credentials and use them to authenticate as that user to the organization's systems. This gives the attacker the same level of access as the legitimate user.

Implementing ZTNA helps minimize this level of access and the damage an attacker can do using a compromised account. The attacker's ability to move laterally through an organization's ecosystem is limited by the rights and permissions assigned to the compromised user account.

Choose Full-Enterprise Zero Trust with Harmony SASE

Your network isn’t the only surface that needs to adhere to zero trust principles.

Communication channels and endpoints all require continuous, ongoing protection – and the principle of zero trust can be applied to all.

Check Point's Harmony SASE goes one step further with a full-mesh network architecture that provides zero trust protection across every access point, for every user. Identity-centric security policies combine the real-time resource requirements of every team with continuous verification to identify and stop suspicious behavior.

Discover how Harmony SASE grants zero-trust protection, in-depth reporting, and high performance with a demo today.