Updated June 22, 2022. Originally published Nov. 3, 2020.
As organizational networks grow more and more complex, the zero trust security model has become increasingly popular among security professionals. By granting access based on user ID rather than device ID, the zero trust framework reduces the potential attack surface for cybercriminals and therefore lessens the risk of attacks. However, despite the 'zero' trust name, implementing this security model does generally require you to put a certain level of trust in your zero trust network access (ZTNA) provider.
This blog will explain what exactly ‘zero trust’ is and why it is critical to choose the right ZTNA provider for your specific needs. We will also provide you with an actionable set of questions to ask yourself and your provider as you set out to choose the ideal ZTNA vendor.
Zero trust is a modern security framework based on the principle "never trust, always verify." According to this framework, all internal and external users are continuously authorized before being granted access to systems, applications and data. In contrast to the traditional perimeter-based security paradigm, in the zero trust model all users are verified according to identities, not according to network, IP, location or other attributes.
In the not-so-distant past, enterprise networks were simple. Point-to-point connections and mainframes were easy to maintain, and they were solid and reliable. But, they were limited in their capabilities. Today’s working environment is smart and connected, with users, applications, resources and data spread across networks and in the cloud. This more modern architecture creates previously unimaginable connection possibilities, but its complexity can also lead to problems - particularly when it comes to security.
A standard network might look like this. As you can see, the architecture is complicated:
This complexity calls for multiple security controls and policies, drawing on techniques like NAC, BB FE, network segmentation, application security, CASB and more. Numerous policies are enforced for each environment. In some cases, this means multiple user directories and different “administrators” (who in some organizations are not even part of the same team) are managing different policies.
The result of this complexity is an “operational heaviness” that makes it difficult to respond to business requirements in a timely manner. Organizations struggle to provide employees and contractors with efficient, fast and secure access. Meanwhile, control, visibility and management are messy, and maintaining multiple secure environments with different solutions and policies quickly becomes overwhelming.
These challenges, combined with budget constraints, provide a window of opportunity for cyber attackers. Insufficient maintenance, a lack of integrations between security controls, and inherent security flaws make the network vulnerable. Hackers can enter the network with relatively little effort and then move laterally through internal systems without much resistance. The ability to stop an attacker who has already entered the network is very limited. The result is that even unsophisticated attacks cause substantial damage to the business.
One fairly straightforward way to limit attacks is to simply prevent network access from the outside. However, modern organizations need to offer connectivity options for their global workforce and partners, as well as a range of third party users such as suppliers and contractors. The solution to this conundrum is the Zero Trust model.
The Zero Trust model facilitates secure connectivity by ensuring no trust is automatically given to any entity, inside or outside of the perimeter, at any time. Instead, trust must be granted explicitly (and then verified continuously) according to the ID of the user or device. This means attributes like originating network and domain membership are no longer valid for granting access.
Zero Trust actually means zero inherent trust. Every device, user, app and network used to access business data is monitored, managed and secured at all times. No entity receives access until they are authenticated and verified.
Zero Trust Network Access (ZTNA), also known as software-defined perimeter (SDP), is the most common implementation of the zero-trust model. ZTNA is designed to improve the flexibility and scalability of application access and to enable digital businesses to avoid exposing internal applications directly to the internet – in order to reduce the risk of attacks.
The following diagram presents a common ZTNA network model. Users connect to the ZTNA cloud broker, which redirects them to an authentication service, usually a cloud-based IdP or an internal directory located in the ZTNA broker’s cloud. After a successful authentication, the ZTNA cloud broker evaluates the policy based on the user’s identity and grants (or denies) access to the internal application.
In most cases, on-site users will still get network access to applications and resources, and in many cases even external users will get network access for some applications and protocols.
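The broker flow described above, and the earlier point that originating network and domain membership no longer count toward an access decision, can be made concrete with a small policy evaluator. This is an added example written for this post, not Cyolo's code or any vendor's API; the group names, application names, IP addresses and timestamps are constructed sample values.

```python
"""Identity-based access decision in the ZTNA broker flow.

Added illustration for this post; it is not Cyolo's code or any vendor's
API.  It models the sequence described above: the user authenticates with
the identity provider, the broker receives an identity assertion, evaluates
policy against that identity, and grants or denies access to one named
internal application.  Group names, application names and timestamps below
are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Assertion:
    """Result of a successful authentication, as returned by the IdP."""
    subject: str
    groups: frozenset
    mfa: bool
    issued_at: int   # epoch seconds
    lifetime_s: int

    def valid_at(self, now):
        return self.issued_at <= now < self.issued_at + self.lifetime_s


@dataclass(frozen=True)
class Rule:
    """One access rule: which identities may reach which application."""
    app: str
    allowed_groups: frozenset
    require_mfa: bool = False


def decide(rules, assertion, app, now):
    """Policy evaluation.  Only the identity assertion, the requested
    application and the clock are inputs; nothing about the source network
    is consulted, which is the zero-trust point.  Returns (allowed, reason)."""
    if assertion is None:
        return False, "no identity assertion: unauthenticated request denied"
    if not assertion.valid_at(now):
        return False, f"assertion for {assertion.subject} expired: re-authenticate"
    rule = rules.get(app)
    if rule is None:
        return False, f"no rule for {app}: default deny"
    if not (assertion.groups & rule.allowed_groups):
        return False, f"{assertion.subject} is not in an allowed group for {app}"
    if rule.require_mfa and not assertion.mfa:
        return False, f"{app} requires MFA; {assertion.subject} authenticated without it"
    return True, f"{assertion.subject} granted access to {app}"


def handle_request(rules, request, now):
    """Broker entry point.  The source IP is kept for the audit record only
    and is never passed to decide(): an internal address earns no trust."""
    assertion = request.get("assertion")
    allowed, reason = decide(rules, assertion, request["app"], now)
    return {
        "allowed": allowed,
        "reason": reason,
        "audit": {
            "app": request["app"],
            "source_ip": request.get("source_ip"),
            "subject": assertion.subject if assertion else None,
        },
    }


# Constructed sample policy and clock.
NOW = 1_700_000_000
RULES = {
    "payroll": Rule("payroll", frozenset({"finance"}), require_mfa=True),
    "wiki": Rule("wiki", frozenset({"staff", "contractors"})),
}

if __name__ == "__main__":
    alice = Assertion("alice", frozenset({"finance", "staff"}), True, NOW - 60, 3600)
    bob = Assertion("bob", frozenset({"contractors"}), False, NOW - 60, 3600)
    stale = Assertion("carol", frozenset({"finance"}), True, NOW - 7200, 3600)
    requests = [
        {"app": "payroll", "source_ip": "10.0.0.5", "assertion": None},  # on the LAN, no identity
        {"app": "payroll", "source_ip": "203.0.113.7", "assertion": alice},
        {"app": "payroll", "source_ip": "10.0.0.9", "assertion": bob},
        {"app": "wiki", "source_ip": "10.0.0.9", "assertion": bob},
        {"app": "payroll", "source_ip": "203.0.113.8", "assertion": stale},
    ]
    for r in requests:
        out = handle_request(RULES, r, NOW)
        print("ALLOW" if out["allowed"] else "DENY ", out["reason"])
```

The first request in the sample run is the one worth noticing: it comes from an internal address and is still denied, because no identity assertion accompanies it. The expired assertion is denied for the same reason the text calls the model "continuously verified": a successful login in the past is not a standing grant.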
The value of ZTNA is quite clear. However, if we are talking about complex environments, it isn’t as smooth a transition as the diagram shows.
As we all know, the cybersecurity space is complex. There are different types of users, systems, applications, platforms and networks. CISOs and IT managers are required to consider and address many different use cases, ranging from controlled access to remote access to cross-organizational collaboration. Regulatory and compliance requirements also need to be taken into account, as do additional security considerations like multi-factor authentication (MFA), single sign-on (SSO), latency and coverage, and more.
Zero trust truly is a journey, and for all the reasons just mentioned it is crucial to think ahead when planning that journey. CISOs, CIOs and IT managers need to choose the right technology and provider for their organization’s current and future needs, keeping in mind that times change and agility is key. Zero trust should be implemented by design and as a practice, not as a quick fix or an alternative to good security hygiene.
When choosing a ZTNA provider and technology, here are seven important questions to ask.
1. Is the users’ data exposed?
2. Who has control of the access rules?
3. Where are our secrets (passwords, tokens, private keys) kept?
4. How is the risk of internal threats mitigated?
5. What is the scope of secure access? Does it include users, networks, apps, etc.?
6. What is the ZTNA provider’s infrastructure? Are the servers located in the cloud or in a data center? Who can access them?
7. What happens if the ZTNA provider is compromised? Are your organization and sensitive assets still secure?
These questions actually all boil down to one single question: Is the ZTNA provider providing a true zero-trust environment? While simultaneously touting ‘zero trust,’ many ZTNA providers hold and control:
Encryption keys
Traffic
Access policies
Passwords
Tokens
Private keys
When all is said and done, ZTNA providers potentially have access to all of the network’s vulnerability points – and all the sensitive, mission-critical assets you’re aiming to protect by adopting the zero trust framework. Indeed, in most implementation models, ZTNA offers zero trust with one large exception – your ZTNA provider itself. But if you are forced to inherently trust your provider, can you achieve zero trust at all?
To overcome this paradox, the best option is to choose a ZTNA provider that sits outside your organization’s trust boundary and cannot see or access your critical assets. Cyolo is a secure zero trust access solution that does not hold or control sensitive company information such as keys and passwords.
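What it means for a provider to sit outside the trust boundary can be shown with a relay that never receives the keys. The following is an added example written for this post, not Cyolo's or any vendor's implementation: the organization's endpoint and the connector in front of its internal application derive session keys from a shared secret only they hold (a constructed value), while the provider-operated broker forwards opaque frames and can record only routing metadata. The cipher is a toy built from HMAC-SHA256 so that the example needs nothing beyond the standard library; a real deployment would use TLS or an AEAD cipher, and the point here is which party holds the key, not the primitive.

```python
"""Relay through an untrusted ZTNA broker that never holds the keys.

Added illustration for this post, not Cyolo's or any vendor's implementation.
The organization's endpoint and the connector in front of its internal
application derive session keys from a secret only they know (a constructed
value here); the provider-operated broker forwards opaque frames and can log
only routing metadata.  Encryption is a toy construction built from
HMAC-SHA256 so the example needs only the standard library: it is NOT a
replacement for TLS or a real AEAD cipher.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(shared_secret, session_id):
    """Separate encryption and authentication keys, bound to the session id."""
    enc = hmac.new(shared_secret, b"enc|" + session_id, hashlib.sha256).digest()
    mac = hmac.new(shared_secret, b"mac|" + session_id, hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    """HMAC in counter mode, truncated to the requested length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(enc_key, mac_key, plaintext):
    """Frame layout: nonce || ciphertext || tag.  The tag covers nonce and ciphertext."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_frame(enc_key, mac_key, frame):
    """Verify the tag before touching the ciphertext; reject on any mismatch."""
    if len(frame) < NONCE_LEN + TAG_LEN:
        raise ValueError("frame too short")
    nonce, ct, tag = frame[:NONCE_LEN], frame[NONCE_LEN:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("frame rejected: authentication tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Broker:
    """Provider-side relay.  It routes by session id and sees frame sizes,
    but holds neither the shared secret nor the derived keys."""

    def __init__(self):
        self.seen = []

    def relay(self, session_id, frame):
        self.seen.append({"session": session_id, "bytes": len(frame)})
        return frame  # forwarded unchanged


def run_session(shared_secret, session_id, message, broker, tamper=False):
    """End-to-end exchange: org endpoint seals, broker relays, org connector opens.
    Returns the plaintext recovered by the connector, or None if the frame was
    rejected.  With tamper=True one ciphertext byte is flipped in transit to
    show that the connector detects modification, not just disclosure."""
    enc, mac = derive_keys(shared_secret, session_id)
    frame = seal(enc, mac, message)
    relayed = broker.relay(session_id, frame)
    if tamper:
        relayed = relayed[:NONCE_LEN] + bytes([relayed[NONCE_LEN] ^ 0x01]) + relayed[NONCE_LEN + 1:]
    try:
        return open_frame(enc, mac, relayed)
    except ValueError:
        return None


def frame_exposes(frame, plaintext):
    """True if the plaintext is readable in the frame the broker handled."""
    return plaintext in frame


if __name__ == "__main__":
    secret = secrets.token_bytes(32)  # held by the organization only
    broker = Broker()
    msg = b"GET /hr/payroll HTTP/1.1"
    print(run_session(secret, b"sess-1", msg, broker))
    print(run_session(secret, b"sess-1", msg, broker, tamper=True))
    print(broker.seen)
```

Run against the seven questions above, this layout answers the third and the last: the secrets stay with the organization, and a compromised broker can observe session identifiers and byte counts, drop or delay traffic, but cannot read or silently alter what passes through it.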
Cyolo was co-founded by a CISO who personally experienced the complexities and overhead organizations face when dealing regularly with secure access challenges. Cyolo’s unified platform securely connects on-site and remote users to the tools and data they need, in the organizational network, cloud or IoT environments and even offline networks, regardless of where they are or what device they are using.
Author
Eran Shmuely is the Chief Architect and Co-Founder of Cyolo. Prior to Cyolo, Eran was the Senior Security Engineer at Salesforce and the Open-Source Security Research Leader at GE Digital.