Zero Trust Network Access (ZTNA): The Enterprise Shift in Architectural Security
Behind the push for “never trust, always verify” security
Traditional perimeter security has failed. Or, at least, the outside-in perimeter has long outlived its usefulness.
With the convergence of trends like cloud, remote work, mobility, connected devices, IoT, the edge, and more, enterprise security and infrastructure teams are having to rethink their approach to securing data and assets. Historically, the assumption has been that whatever user or device lay behind enterprise firewalls, VPNs, remote desktops — things placed on the internal network — could be trusted. But today, not only have sophisticated attackers and threats like malware and ransomware become adept at bypassing firewalls and moving laterally through the network, but increasingly, the bulk of enterprise resources no longer exist on the internal enterprise network at all — they are in the cloud, or composed of a multitude of devices and equipment scattered throughout the world.
As a result, the paradigm of securing resources has changed from securing the network as a whole to securing devices, apps, and data individually, as well as ensuring that the right people have access to the right things. In other words, you can’t punch a hole in your firewall and open up your perimeter to let trusted users in without also risking intrusion from the bad guys. Instead, you have to treat users and devices as untrusted by default and grant entitlement-based, “right-sized” access to resources only to specific, verified users — ensuring that even in the rare event that a device is compromised, the attacker could never laterally traverse to other places in the network. This push to “never trust, always verify” is the driving element behind the recent and accelerated adoption of Zero Trust, and it is the model’s core value.
Enabling enterprise connectivity while trusting nothing
While the idea of Zero Trust has existed for years, it has only recently come into mainstream practice — and it’s making a massive splash. Initially coined by Forrester Research in 2010, Zero Trust was recently adopted by Gartner, the global research and advisory firm, as a core element of their secure access service edge (SASE) paradigm.
It’s important, at this juncture, to define what organizations really mean when they say “Zero Trust,” as the term is often confused, if not misused as a marketing buzzword. Zero Trust is a security principle — a vast, almost philosophical concept — that refers to limiting excessive trust on the network by adhering to the principle of least privilege: the idea that a user or device should have the bare minimum access required to perform its function. Rather than granting trust in a network-centric fashion, trust (where it must be given at all) should be granted dynamically, based on changing context such as user and device identity, location, time of day, and more.
In practice, most organizations using the term “Zero Trust” are really referring to Zero Trust Network Access (ZTNA). Developed by Gartner, ZTNA is a practical framework for applying Zero Trust principles, where organizations control access through either micro-segmentation or Software-Defined Perimeter methods, or both. This allows organizations to create fine-grained access by limiting access to specific applications.
In terms of adoption, Zero Trust has come into the mainstream: according to a survey of leading cybersecurity executives by Okta, 60% of organizations in North America have launched Zero Trust projects. Another study puts that number even higher, with 94% deploying Zero Trust in some capacity, and finds that, despite the pandemic, a majority of businesses (58%) are still increasing their security budgets. The federal government, too, has weighed in on Zero Trust, with NIST recently releasing its Zero Trust Architecture publication, which details a roadmap for adopting Zero Trust across an enterprise or organization. Similarly, nearly half of federal IT executives say their government agency is moving towards a Zero Trust model of security.
What’s clear is that, regardless of their approaches, a majority of organizations are embracing “never trust, always verify” as a core security strategy, and Zero Trust projects are increasingly moving from pilot and into full production. Still, there is often confusion about what a Zero Trust strategy means for the enterprise — and the elements that are needed to operationalize Zero Trust at a practical level.
Operationalizing Zero Trust with identity-based authorization
While Zero Trust, itself, is a goal-oriented framework, there are practical tools and strategies that organizations will need to embrace to realize ZTNA in practice.
Many organizations have begun Zero Trust projects by implementing stronger authentication — verifying that users are who they say they are — with tools like identity and access management (IAM), multi-factor authentication (MFA), and single sign-on (SSO). However, Zero Trust cannot be viewed as a silo of either authentication or authorization, as it requires both in combination. Authentication, for instance, is a means of creating a stronger outer perimeter and keeping bad actors out, but it alone isn’t enough to realize Zero Trust. Zero Trust is also, if not principally, an authorization problem: the set of rules that determine what a user (or machine) can actually do within the enterprise once they are verified. These “who-can-do-what” and “what-can-do-what” policies are vital for ensuring that users can access the specific resources they need — and only those resources — while ensuring that no malicious actor can move laterally in the network and compromise enterprise data and assets.
But it is not enough to create access policies that simply dictate what users can do within the enterprise — access an application, make changes to a database, and so on. At a practical level, enterprises must also enable “just in time” and “just enough” access, created dynamically to give any user seamless connectivity without creating excessive trust by placing them on the network. This means that enterprises must shift from a fixed and inflexible approach that enforces permissions in the data center to a flexible perimeter that enforces policy at the edge — at the identity, application, or network level, as needed. This allows organizations to streamline both networking and security services into an identity-based perimeter, flexibly delivered via hardware, software, or as a cloud-based service. No enterprise assets are visible to any user — i.e. the enterprise is a true “black box” — until the user is verified against policy, trust is established, and they can connect to individual applications. As a best practice, access policies must be continuously monitored and revised to account for constant changes in user behavior and in the enterprise. Towards those goals, enterprises will increasingly leverage technologies like ZTNA to micro-segment their networks, and Software-Defined Perimeter to right-size access for specific users.
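As an added illustration (not from the original article or from any vendor’s product), the following Python sketch of a policy decision point evaluates every request against per-application rules using the context the article names: user and device identity, device posture, location, and time of day. The Context fields, the Rule structure and the POLICY set are constructed for this example; what it shows is that an authenticated user is still denied anything no rule explicitly grants, and that a failed device posture check both revokes access and hides every application.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Context:
    """Constructed request context: who asks, on what device, from where, and when."""
    user: str
    groups: frozenset
    mfa: bool             # session completed multi-factor authentication
    device_managed: bool  # device is enrolled in management
    device_healthy: bool  # device passed its latest posture check
    country: str
    hour: int             # local hour of day, 0-23
    app: str
    action: str

@dataclass(frozen=True)
class Rule:
    """One allow rule scoped to a single application; anything unmatched is denied."""
    app: str
    actions: frozenset
    groups: frozenset
    countries: frozenset
    hours: range = range(0, 24)

# Hypothetical policy set: each rule grants one application, never "the network".
POLICY = (
    Rule("payroll", frozenset({"read"}), frozenset({"hr"}), frozenset({"US"}), range(8, 19)),
    Rule("wiki", frozenset({"read", "write"}), frozenset({"staff"}), frozenset({"US", "DE"})),
)

def posture_failures(ctx):
    """Preconditions for any access at all: MFA plus a managed, healthy device."""
    checks = ((ctx.mfa, "mfa required"), (ctx.device_managed and ctx.device_healthy, "device posture failed"))
    return [reason for ok, reason in checks if not ok]

def context_fits(rule, ctx):
    """Identity, location and time-of-day checks, re-evaluated on every request."""
    return bool(ctx.groups & rule.groups) and ctx.country in rule.countries and ctx.hour in rule.hours

def visible_apps(ctx, policy=POLICY):
    """The 'black box' view: no application is listed until posture and context verify."""
    return frozenset() if posture_failures(ctx) else frozenset(r.app for r in policy if context_fits(r, ctx))

def decide(ctx, policy=POLICY):
    """Return (allowed, reasons); being authenticated never grants by itself (default deny)."""
    failures = posture_failures(ctx)
    if failures:
        return False, failures
    grants = [r for r in policy if r.app == ctx.app and ctx.action in r.actions and context_fits(r, ctx)]
    return (True, [f"rule for {ctx.app} grants {ctx.action}"]) if grants else (False, ["default deny"])
```

Because `decide` is called per request rather than once at login, a change in device health or time of day takes effect on the next request, which is the continuous re-evaluation the article calls for.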
Traditional perimeter security strategies may have failed. However, now that approaches like Zero Trust are finding their way into the mainstream, enterprises have new tools for securing their data and assets in a borderless, hyper-connected world.