What is Zero Trust Network Access (ZTNA)?
In a zero-trust security model, all user connections are authenticated, and users only receive the access and privileges they need to fulfill their role. This is very different from traditional security solutions like VPN, which offered users full access to the target network, implicitly trusting a user after they successfully authenticated.
Zero trust network access (ZTNA) solutions are designed to implement and enforce an organization’s zero trust strategy. Users who want to connect to your organization’s applications can connect only if they really need access, and if there is nothing unusual or anomalous about their access request. This significantly reduces the cyber risks and threats facing organizations.
To illustrate the impact of zero trust solutions on cybersecurity, in its 2021 Cost of Data Breach Report, IBM noted that organizations with a proven approach to zero trust had an average cost of a breach $1.76 million lower than organizations without zero trust—only $3.3 million for an organization with zero trust vs. $5.4 million without it. With most organizations moving workloads to the cloud, this is an important consideration for cloud cost management.
At the same time, according to the report, only 35% of organizations have partially or fully adopted zero trust, and 22% more plan to adopt it in the future. Of the organizations adopting zero trust, only 48% describe their zero trust implementation as mature. In total, only 17% of surveyed organizations have a mature zero trust implementation.
How Does ZTNA Work?
ZTNA solutions create a virtual perimeter around physical devices (on-premises) and logical resources (in the cloud). ZTNA is not a single technology. It incorporates several techniques for authenticating and providing access to requesting users or devices.
Most ZTNA techniques have the same focus: they ensure applications are hidden from view of a user until access is confirmed by a trusted broker. The broker uses the following process to check if access should be allowed:
- Users are initially authenticated when they log in
- The device connecting to the network is also checked to ensure it is known, trusted, and has the latest patches and security updates.
- Even if the user and device are trusted, access is only granted according to the principle of least privilege (POLP). The user or device is exactly the permissions they need depending on their role.
Requirements for ZTNA in the Cloud
1. Cloud Integrated Access
Access to cloud resources must be tightly connected to services in the cloud. Securing access to cloud resources requires integration with existing cloud access services, specifically identity and access management (IAM) and key management systems (KMS).
Integrating with cloud services enables a ZTNA solution to perform real-time monitoring and application access enforcement. This can reduce complex permission management, ensure identity protection for cloud-based applications, and centralize key management.
2. Identity Brokerage
Identity-based access is central to a zero trust strategy. However, identities distributed across networks, applications, and the cloud often create security weaknesses. A ZTNA solution must track and control identities for cloud access across networks, applications and cloud environments.
It is important to continuously monitor identities, to determine if an identity used to access your cloud is a shared account or has possible spoofing activity. When using shared accounts, it is important to track activity and attribute it to specific users.
3. Data and Context Awareness
Secure access cannot be achieved without monitoring the context in which a user is accessing applications and data. Modern ZTNA solutions make this context an inseparable part of the access policies and authorization process. This is a highly effective way to prevent account takeover and data theft in the cloud.
Another aspect of ZTNA is the ability to detect personally identifiable information (PII) and other types of sensitive data. This can allow ZTNA to perform data loss protection, ensuring data security and compliance.
4. Adapt to Dynamic Environments
ZTNA can analyze permissions, resource usage, and integrate KMS as part of authentication. It adjusts application permissions based on network policies and automatically creates policies as new resources become available. It also applies analytics to optimize access control rights based on runtime analysis of cloud and on-premise environments.
How to Choose a Zero Trust Solution for Your Cloud?
Here are some important considerations for evaluating zero trust solutions:
- Does the solution require endpoint proxies, and if so, which platform does it support?
- Does the solution require installing and managing a ZTNA proxy, and is it available both as cloud service and deployable agent?
- Does the solution require a Unified Endpoint Management (UEM) tool to assess device security posture, such as password level, encryption, and security patches?
- What options does the solution provide for controlling access via unmanaged devices, which are increasingly common?
- Does the ZTNA solution provide User and Entity Behavior Analysis (UEBA) for smart detection of anomalies in the environment?
- What is the global distribution of the ZTNA vendor and how many points of presence (PoP) does it operate?
- What types of applications does the ZTNA solution support—web applications, legacy applications, mobile applications, and APIs.
- What is the licensing model? Is it based on price per user, price per bandwidth, or some combination?
In this article, I explained the basics of ZTNA and covered four key requirements for zero trust access in the cloud:
- Cloud integrated access—ZTNA must integrate with native cloud services like IAM
- Identity brokerage—ZTNA must consistently manage identities across on-premise networks and clouds.
- Data and context awareness—ZTNA should take into account the current security context and the sensitivity of the data being accessed.
- Adapt to dynamic environments—ZTNA should analyze usage patterns and dynamically adapt its policies.
I hope this will be useful as you take your next steps towards zero trust adoption in the cloud.
By Gilad David Maayan