What Is ZTNA and How Will it Affect Your Cloud?

What is Zero Trust Network Access (ZTNA)?

In a zero-trust security model, every connection is authenticated and authorized, and users receive only the access and privileges their role requires. This is very different from traditional remote-access solutions such as VPNs, which implicitly trust a user once they have authenticated and typically grant them broad access to the whole target network.

Zero trust network access (ZTNA) solutions implement and enforce an organization’s zero trust strategy. Users who want to connect to your organization’s applications are connected only to the specific application they are entitled to, and only when nothing about the request (the identity, the device, the location, or recent behavior) is unusual or anomalous. This significantly reduces the attack surface and the room for lateral movement that organizations would otherwise expose.

To illustrate the impact of zero trust on cybersecurity, IBM’s 2021 Cost of a Data Breach Report found that organizations with a mature zero trust deployment had an average breach cost $1.76 million lower than organizations without zero trust: about $3.3 million with zero trust versus about $5.0 million without it. With most organizations moving workloads to the cloud, breach cost is an important input to cloud risk and cost planning.


At the same time, the report found that only 35% of organizations had partially or fully adopted zero trust, with a further 22% planning to adopt it. Of the adopters, only 48% described their implementation as mature, so in total only about 17% of surveyed organizations had a mature zero trust implementation.

How Does ZTNA Work?

ZTNA solutions create a logical, identity-aware perimeter around resources, whether physical devices on premises or logical resources in the cloud. ZTNA is not a single technology; it combines several techniques for authenticating requesting users and devices and granting them access.

Most ZTNA techniques share the same goal: applications stay hidden from a user (not reachable or discoverable on the network) until a trusted broker confirms that access should be allowed. The broker checks each request as follows:

  1. The user is authenticated when they log in.
  2. The device making the connection is also checked to ensure it is known, enrolled, and running the latest patches and security updates.
  3. Even when both user and device are trusted, access is granted only according to the principle of least privilege (POLP): the user or device receives exactly the permissions its role requires, and nothing more.
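As an added example (not code from the article or from any ZTNA product), the following Python sketch implements the broker’s three checks in order over a constructed user store, device inventory and role map. The user names, passwords, device IDs, the PBKDF2 parameters, the minimum OS build and the role-to-permission table are all assumptions made for illustration; a real broker would take these from IAM and an endpoint-management system.

```python
"""Minimal ZTNA broker decision: authenticate the user, verify device posture,
then grant only the role's least-privilege permissions (default deny).
Added example; all data below is constructed for illustration."""
from dataclasses import dataclass, field
import hashlib
import hmac

# Demo-only static salt so the example is reproducible; use a random
# per-user salt (and a slow KDF such as Argon2) in a real system.
_SALT = b"static-demo-salt"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store (assumed): password hash and role per user.
USERS = {
    "alice": {"pw": _hash("correct horse", _SALT), "role": "analyst"},
    "bob": {"pw": _hash("hunter2", _SALT), "role": "admin"},
}
_DUMMY_HASH = _hash("dummy", _SALT)  # keeps timing similar for unknown users

# Least-privilege map (assumed): each role sees only the apps/actions it needs.
ROLE_PERMS = {
    "analyst": {"ticketing": {"read"}, "wiki": {"read", "write"}},
    "admin": {"ticketing": {"read", "write", "admin"}, "wiki": {"read", "write"}},
}

# Enrolled devices (assumed) and the minimum patch level the policy accepts.
KNOWN_DEVICES = {"dev-1001": "alice", "dev-2002": "bob"}
MIN_OS_BUILD = 22621


@dataclass
class AccessRequest:
    user: str
    password: str
    device_id: str
    os_build: int
    disk_encrypted: bool
    app: str
    action: str


@dataclass
class Decision:
    allowed: bool
    reason: str
    granted: set = field(default_factory=set)  # permissions the role holds on the app


def authenticate(user: str, password: str) -> bool:
    """Step 1: constant-time password check; unknown users get a dummy compare."""
    rec = USERS.get(user)
    stored = rec["pw"] if rec else _DUMMY_HASH
    ok = hmac.compare_digest(stored, _hash(password, _SALT))
    return ok and rec is not None


def device_trusted(req: AccessRequest) -> tuple[bool, str]:
    """Step 2: device must be enrolled to this user, patched and encrypted."""
    if KNOWN_DEVICES.get(req.device_id) != req.user:
        return False, "device not enrolled to this user"
    if req.os_build < MIN_OS_BUILD:
        return False, "device below minimum patch level"
    if not req.disk_encrypted:
        return False, "disk encryption required"
    return True, "ok"


def broker_decide(req: AccessRequest) -> Decision:
    """Run the three checks in order; any failure leaves the app invisible."""
    if not authenticate(req.user, req.password):
        return Decision(False, "authentication failed")
    ok, why = device_trusted(req)
    if not ok:
        return Decision(False, why)
    # Step 3: least privilege. An app absent from the role map yields an
    # empty set, so the default is deny rather than "reachable but forbidden".
    perms = ROLE_PERMS[USERS[req.user]["role"]].get(req.app, set())
    if req.action not in perms:
        return Decision(False, f"role lacks {req.action} on {req.app}", perms)
    return Decision(True, "granted", perms)


if __name__ == "__main__":
    req = AccessRequest("alice", "correct horse", "dev-1001", 22631, True, "ticketing", "read")
    print(broker_decide(req))
```

Two details worth noting: the password check compares against a dummy hash for unknown users so response time does not reveal which accounts exist, and the permission lookup defaults to an empty set so a newly added application is invisible to every role until someone explicitly grants access to it.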

Requirements for ZTNA in the Cloud

1. Cloud Integrated Access

Access to cloud resources must be tightly coupled to the cloud provider’s own access services. In practice this means integrating with the provider’s identity and access management (IAM) for authentication and authorization decisions, and with its key management service (KMS) for the keys that protect data at rest and in transit.

Integrating with these services lets a ZTNA solution monitor access in real time and enforce it at the application level. It can simplify permission management (one policy source instead of parallel permission sets in the cloud and in the ZTNA product), protect the identities used by cloud-based applications, and centralize key management.

2. Identity Brokerage

Identity-based access is central to a zero trust strategy. However, identities scattered across networks, applications, and clouds are a common source of weakness: inconsistent lifecycle management, orphaned accounts, and duplicated credentials. A ZTNA solution must track and control the identities used for cloud access consistently across networks, applications and cloud environments.

It is important to continuously monitor identities, to detect whether an identity accessing your cloud is a shared account or shows signs of impersonation (for example, credentials used from an unexpected device or location). Where shared accounts cannot be eliminated, track their activity and attribute it to the specific individual using them.

3. Data and Context Awareness

Secure access cannot be achieved without monitoring the context in which a user is accessing applications and data: the device, the network and location, the time, and the user’s recent behavior. Modern ZTNA solutions make this context an inseparable part of access policies and the authorization process, so a valid credential alone is never sufficient. This is an effective control against account takeover and data theft in the cloud, because stolen credentials are usually replayed from an unfamiliar context.

Another aspect of ZTNA is the ability to detect personally identifiable information (PII) and other types of sensitive data in the traffic it brokers. This allows ZTNA to apply data loss prevention (DLP) controls, for example blocking downloads of sensitive records to unmanaged devices, in support of both data security and compliance.
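The two ideas above, context in the authorization decision and data-sensitivity awareness, fit together in one policy. As an added example (not code from the article or from any vendor), the Python below scores a request’s context, detects PII in the payload being released, and then decides between allow, step-up authentication and deny, redacting sensitive fields when an unmanaged device is only allowed to view. The context fields, the risk weights and threshold, the PII patterns and the sample record are all constructed assumptions; a production DLP engine would use far richer classifiers.

```python
"""Context- and data-aware authorization for a ZTNA broker.
Added example; the risk weights, threshold, PII patterns and sample record
are constructed assumptions for illustration."""
import re
from dataclasses import dataclass

# Assumed detectors: US-style SSN and 13-16 digit card numbers (with optional
# space/dash separators). Card hits are confirmed with Luhn to cut false positives.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> set:
    """Return the kinds of PII present in text: subset of {"ssn", "card"}."""
    kinds = set()
    if SSN_RE.search(text):
        kinds.add("ssn")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            kinds.add("card")
    return kinds


def redact(text: str) -> str:
    """Mask SSNs fully and Luhn-valid card numbers down to the last four digits."""
    text = SSN_RE.sub("***-**-****", text)

    def _mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            return m.group()  # not a card number; leave it alone
        return "*" * (len(digits) - 4) + digits[-4:]

    return CARD_RE.sub(_mask, text)


@dataclass
class Context:
    user: str
    managed_device: bool
    mfa_done: bool
    country: str
    usual_countries: frozenset  # countries this user normally works from
    action: str                 # "view" or "download"


def risk_score(ctx: Context) -> int:
    """Assumed additive weights: unmanaged device 2, unusual country 2, no MFA 1."""
    score = 0
    if not ctx.managed_device:
        score += 2
    if ctx.country not in ctx.usual_countries:
        score += 2
    if not ctx.mfa_done:
        score += 1
    return score


def authorize(ctx: Context, payload: str) -> tuple[str, str]:
    """Return (decision, payload_to_release); decision is allow, step_up or deny."""
    pii = find_pii(payload)
    if risk_score(ctx) >= 4:           # assumed threshold: too risky regardless of data
        return "deny", ""
    if pii and not ctx.mfa_done:       # sensitive data needs a stronger assurance level
        return "step_up", ""
    if pii and ctx.action == "download" and not ctx.managed_device:
        return "deny", ""              # DLP rule: no PII export to unmanaged devices
    if pii and not ctx.managed_device:
        return "allow", redact(payload)  # view only, with sensitive fields masked
    return "allow", payload


if __name__ == "__main__":
    # Constructed sample record; the card number is a well-known test value.
    sample = "Customer SSN 123-45-6789, card 4111 1111 1111 1111, balance 42.00"
    ctx = Context("alice", False, True, "DE", frozenset({"DE"}), "view")
    print(authorize(ctx, sample))
```

The ordering of the checks is deliberate: an out-of-policy context is rejected before the payload is inspected, so the decision never depends on data the requester should not have influenced, and step-up is requested only when the resource actually contains sensitive data, which keeps the friction proportional to what is at stake.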

4. Adapt to Dynamic Environments

ZTNA can analyze permissions and resource usage, and integrate with KMS as part of authentication. It adjusts application permissions based on network policies and can automatically create policies as new resources appear, so a newly deployed workload is protected by default rather than left reachable until someone writes a rule for it. It also applies analytics to tune access rights based on runtime analysis of cloud and on-premises environments, for example flagging permissions that are granted but never exercised.

How to Choose a Zero Trust Solution for Your Cloud?

Here are some important considerations for evaluating zero trust solutions:

  • Does the solution require endpoint agents (proxies), and if so, which platforms does it support?
  • Does the solution require installing and managing a ZTNA proxy, and is it available both as a cloud service and as a deployable appliance or agent?
  • Does the solution require a Unified Endpoint Management (UEM) tool to assess device security posture, such as password policy, disk encryption, and security patch level?
  • What options does the solution provide for controlling access from unmanaged devices, which are increasingly common?
  • Does the ZTNA solution provide User and Entity Behavior Analytics (UEBA) for detecting anomalies in the environment?
  • What is the global footprint of the ZTNA vendor, and how many points of presence (PoPs) does it operate? This determines latency for remote users and where your traffic is inspected.
  • What types of applications does the ZTNA solution support: web applications, legacy (non-web) applications, mobile applications, and APIs?
  • What is the licensing model? Is it priced per user, per bandwidth, or some combination?

Conclusion

In this article, I explained the basics of ZTNA and covered four key requirements for zero trust access in the cloud:

  • Cloud integrated access: ZTNA must integrate with native cloud services such as IAM and KMS.
  • Identity brokerage: ZTNA must consistently manage identities across on-premises networks and clouds.
  • Data and context awareness: ZTNA should take into account the current security context and the sensitivity of the data being accessed.
  • Adapt to dynamic environments: ZTNA should analyze usage patterns and dynamically adapt its policies.

I hope this will be useful as you take your next steps towards zero trust adoption in the cloud.

By Gilad David Maayan
