In a zero-trust security model, every user connection is authenticated, and users receive only the access and privileges they need to fulfill their role. This is very different from traditional security solutions such as VPNs, which give users full access to the target network, implicitly trusting a user once they have successfully authenticated.
Zero trust network access (ZTNA) solutions are designed to implement and enforce an organization’s zero trust strategy. Users who want to connect to your organization’s applications can connect only if they really need access, and if there is nothing unusual or anomalous about their access request. This significantly reduces the cyber risks and threats facing organizations.
To illustrate the impact of zero trust solutions on cybersecurity: in its 2021 Cost of Data Breach Report, IBM noted that organizations with a proven approach to zero trust had an average breach cost $1.76 million lower than organizations without zero trust (only $3.3 million for an organization with zero trust vs. $5.4 million without it). With most organizations moving workloads to the cloud, this is an important consideration for cloud cost management.
At the same time, according to the report, only 35% of organizations have partially or fully adopted zero trust, and 22% more plan to adopt it in the future. Of the organizations adopting zero trust, only 48% describe their zero trust implementation as mature. In total, only 17% of surveyed organizations have a mature zero trust implementation.
ZTNA solutions create a virtual perimeter around physical devices (on-premises) and logical resources (in the cloud). ZTNA is not a single technology. It incorporates several techniques for authenticating and providing access to requesting users or devices.
Most ZTNA techniques have the same focus: they ensure applications are hidden from view of a user until access is confirmed by a trusted broker. The broker uses the following process to check if access should be allowed:
Access to cloud resources must be tightly connected to services in the cloud. Securing access to cloud resources requires integration with existing cloud access services, specifically identity and access management (IAM) and key management systems (KMS).
Integrating with cloud services enables a ZTNA solution to perform real-time monitoring and application access enforcement. This can reduce complex permission management, ensure identity protection for cloud-based applications, and centralize key management.
Identity-based access is central to a zero trust strategy. However, identities scattered across networks, applications, and the cloud often create security weaknesses. A ZTNA solution must track and control the identities used for cloud access consistently across all of these environments.
It is important to continuously monitor identities, to determine if an identity used to access your cloud is a shared account or has possible spoofing activity. When using shared accounts, it is important to track activity and attribute it to specific users.
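The monitoring described above, as an added example that is not from the article: a small script scans constructed broker access records for two indicators the text names, a shared account (one identity connecting from several devices at once) and possible spoofing (one identity appearing in two countries within minutes), and then attributes each access by a known shared account back to a named person. The log records, identities, device ids and the owner mapping are all constructed for illustration, and the country-change check is a coarse stand-in for a real geo-velocity test.

```python
"""Shared-account and spoofing indicators in ZTNA broker access logs.

Added example, not from the article: the log records, identities, device ids
and the owner mapping below are all constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access records as a broker might emit them:
# (timestamp UTC, identity, device id, country of source address, application)
SAMPLE_LOG = [
    ("2024-05-01T09:00:00", "svc-reporting", "dev-a1", "DE", "billing"),
    ("2024-05-01T09:02:00", "svc-reporting", "dev-b7", "DE", "billing"),
    ("2024-05-01T09:03:00", "svc-reporting", "dev-c3", "US", "billing"),
    ("2024-05-01T10:00:00", "alice", "dev-a1", "DE", "hr-portal"),
    ("2024-05-01T10:30:00", "alice", "dev-a1", "DE", "hr-portal"),
    ("2024-05-01T11:00:00", "bob", "dev-k9", "FR", "wiki"),
    ("2024-05-01T11:05:00", "bob", "dev-k9", "BR", "wiki"),
]

# Constructed mapping of a known shared account to the named people who use it,
# keyed by the enrolled device each person connects from.
SHARED_ACCOUNT_OWNERS = {
    "svc-reporting": {"dev-a1": "alice", "dev-b7": "bob"},
}

WINDOW = timedelta(minutes=15)


def _events_by_identity(records):
    """Parse raw tuples and group them per identity, sorted by time."""
    grouped = defaultdict(list)
    for ts, ident, dev, country, app in records:
        grouped[ident].append((datetime.fromisoformat(ts), dev, country, app))
    for events in grouped.values():
        events.sort()
    return grouped


def find_shared_accounts(records, window=WINDOW, min_devices=2):
    """Identities used from min_devices or more distinct devices inside one window.

    Returns {identity: sorted list of devices seen together}.
    """
    flagged = {}
    for ident, events in _events_by_identity(records).items():
        for i, (ts, dev, _, _) in enumerate(events):
            devices = {dev}
            for later_ts, later_dev, _, _ in events[i + 1:]:
                if later_ts - ts > window:
                    break
                devices.add(later_dev)
            if len(devices) >= min_devices:
                flagged[ident] = sorted(devices)
                break
    return flagged


def find_location_jumps(records, window=WINDOW):
    """Identities whose consecutive accesses come from different countries
    closer together in time than window. A country change is used here as a
    coarse stand-in for a real geo-velocity check (assumption).

    Returns {identity: (earlier country, later country)}.
    """
    flagged = {}
    for ident, events in _events_by_identity(records).items():
        for (t1, _, c1, _), (t2, _, c2, _) in zip(events, events[1:]):
            if c1 != c2 and t2 - t1 <= window:
                flagged[ident] = (c1, c2)
                break
    return flagged


def attribute_access(identity, device_id):
    """Map an access by a shared account back to a named person via the device
    it came from; anything not enrolled stays 'unattributed' so it gets reviewed."""
    if identity not in SHARED_ACCOUNT_OWNERS:
        return identity  # a personal identity already names its user
    return SHARED_ACCOUNT_OWNERS[identity].get(device_id, "unattributed")


if __name__ == "__main__":
    print("shared accounts:", find_shared_accounts(SAMPLE_LOG))
    print("location jumps:", find_location_jumps(SAMPLE_LOG))
    for _, ident, dev, _, app in SAMPLE_LOG:
        print(f"{ident:14s} {dev:7s} {app:10s} -> {attribute_access(ident, dev)}")
```

On the constructed data, `svc-reporting` is flagged as shared (three devices in three minutes) and also jumps from DE to US, while `bob` keeps one device but jumps from FR to BR; the access from the unenrolled `dev-c3` stays unattributed, which is exactly the record a reviewer should look at first.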
Secure access cannot be achieved without monitoring the context in which a user is accessing applications and data. Modern ZTNA solutions make this context an inseparable part of the access policies and authorization process. This is a highly effective way to prevent account takeover and data theft in the cloud.
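One way a broker can make context part of the authorization decision, as an added example that is not from the article or any particular product: hard requirements (a known application, the right role, a compliant device) are checked first, and an anomaly score built from the user's usual countries, devices and working hours then decides between allowing the request, requiring MFA, or refusing it. The applications, role requirements, user baselines and score weights are constructed assumptions.

```python
"""Context-aware access decision for a ZTNA broker.

Added example, not from the article: the applications, role requirements,
user baselines and scoring weights below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessContext:
    user: str
    roles: frozenset        # roles asserted by the identity provider
    mfa: bool               # whether this session completed MFA
    device_id: str
    device_compliant: bool  # posture result from the endpoint agent
    country: str            # country of the source address
    hour_utc: int           # hour of day the request arrived
    app: str                # application the user is asking the broker for


# Constructed: application -> (role required, sensitivity tier)
APP_POLICY = {
    "wiki": ("employee", "low"),
    "billing": ("finance", "high"),
    "hr-portal": ("hr", "high"),
}

# Constructed: what "normal" looks like for each user, learned from history
USER_BASELINE = {
    "alice": {"countries": {"DE"}, "devices": {"dev-a1"}},
    "bob": {"countries": {"FR"}, "devices": {"dev-k9"}},
}

STEP_UP_AT = 40   # anomaly score from which MFA is required for any app
DENY_AT = 70      # anomaly score from which the request is refused outright


def risk_score(ctx):
    """Additive anomaly score from deviations against the user's baseline."""
    base = USER_BASELINE.get(ctx.user, {"countries": set(), "devices": set()})
    score = 0
    if ctx.country not in base["countries"]:
        score += 40   # unfamiliar location
    if ctx.device_id not in base["devices"]:
        score += 30   # never-seen device
    if not 7 <= ctx.hour_utc < 20:
        score += 15   # outside the user's working hours
    return score


def decide(ctx):
    """Return (decision, reason). Decisions: 'allow', 'step-up', 'deny'.

    Hard requirements (known app, role, compliant device) are checked first;
    the contextual score then either passes, demands MFA, or denies.
    """
    if ctx.app not in APP_POLICY:
        return "deny", "unknown application stays hidden"
    required_role, sensitivity = APP_POLICY[ctx.app]
    if required_role not in ctx.roles:
        return "deny", f"role {required_role} required"
    if not ctx.device_compliant:
        return "deny", "device failed posture check"

    score = risk_score(ctx)
    if score >= DENY_AT:
        return "deny", f"anomaly score {score} too high"
    if not ctx.mfa and (sensitivity == "high" or score >= STEP_UP_AT):
        return "step-up", f"MFA required (tier {sensitivity}, score {score})"
    return "allow", f"within policy (score {score})"


if __name__ == "__main__":
    requests = [
        AccessContext("alice", frozenset({"employee", "hr"}), True, "dev-a1", True, "DE", 10, "hr-portal"),
        AccessContext("alice", frozenset({"employee", "hr"}), False, "dev-a1", True, "DE", 10, "hr-portal"),
        AccessContext("bob", frozenset({"employee"}), False, "dev-x2", True, "BR", 3, "wiki"),
        AccessContext("bob", frozenset({"employee"}), True, "dev-k9", False, "FR", 10, "wiki"),
    ]
    for req in requests:
        print(req.user, req.app, "->", decide(req))
```

The ordering matters: a non-compliant device or a missing role is refused before any scoring, so context can only tighten access, never loosen a hard requirement, and a high-sensitivity application always demands MFA regardless of how normal the rest of the context looks.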
Another aspect of ZTNA is the ability to detect personally identifiable information (PII) and other types of sensitive data in the traffic it brokers. This allows ZTNA to perform data loss prevention (DLP), supporting data security and compliance.
ZTNA can analyze permissions and resource usage, and integrate with a KMS as part of authentication. It adjusts application permissions based on network policies and automatically creates policies as new resources become available. It also applies analytics to optimize access control rights based on runtime analysis of cloud and on-premises environments.
Here are some important considerations for evaluating zero trust solutions:
In this article, I explained the basics of ZTNA and covered four key requirements for zero trust access in the cloud:
I hope this will be useful as you take your next steps towards zero trust adoption in the cloud.
By Gilad David Maayan