The Zero Trust security model has become popular among CISOs and CIOs as enterprise networks grow more and more complex. By granting access based on user identity and eliminating transitive trust, Zero Trust access reduces the risk of cyber attacks. However, implementing this secure model does require trusting your ZTNA provider.
This blog post explains what ‘zero trust’ is and why choosing the right ZTNA provider matters, and gives you an actionable set of questions to ask yourself and your provider so that you can choose the best one for your needs.
This blog post is based on the webinar “Zero Trust: From Vision to Execution”, which you can access here. Let’s get started.
What is Zero Trust?
In the past, enterprise networks were simple. Point-to-point connections and mainframes were easy to maintain, and they were solid and reliable. But, they were limited. Today’s working environment is smart and connected. Users, applications, resources and data are spread across networks and in the cloud. This architecture provides multiple possibilities, but it is complex.
A standard network might look like this. As you can see, the architecture is complicated:
This new complexity calls for multiple security controls and policies. Security techniques like NAC, BB FE, network segmentation, application security, CASB and more are utilized. Numerous policies are enforced for each environment. In some cases, this means multiple user directories, with different “administrators” (who in some organizations are not part of the same team) managing different policies.
This complexity results in an “operational heaviness”, which makes it difficult to respond to business requirements in a timely manner. Organizations struggle to provide employees and contractors with efficient, fast and secure access. Control, visibility and management are messy and maintaining multiple secure environments with different solutions and policies feels like the matrix.
These challenges, combined with budget constraints, provide a window of opportunity for cyber attackers. Insufficient maintenance, a lack of integrations between security controls and security flaws make the network vulnerable. Hackers can enter the network with relatively little effort. They can then easily move through internal systems without much resistance. The ability to deal with an attacker after he/she has entered the network is very limited. The result is unsophisticated attacks that cause great damage to the business.
Network access from the outside and from within the organization to the critical assets should not be allowed. Yet, organizations need better connectivity for their global workforce and partners. The solution to this conundrum is the zero-trust model.
The zero-trust model facilitates secure connectivity by ensuring that no trust is automatically given to any entity, inside or outside of the perimeter, at any time; this is the basis of a zero trust architecture. Instead, trust has to be granted explicitly according to the identity of the user when connecting to systems. This means that no transitive trust is allowed, and attributes like originating network and domain membership are no longer valid for granting access.
As you can see, Zero Trust is all about continuous identity verification of all interacting entities in the organizational cyber space. Every device, user, app and network used to access business data is monitored, managed and secured, at all times. No entity has access until they are verified and it’s proven they can be trusted.
Choosing a Zero Trust Network Access (ZTNA) Provider: The Challenges
Zero Trust Network Access (ZTNA), also known as software-defined perimeter (SDP), is the most common implementation of the zero-trust model. ZTNA is designed to improve the flexibility and scalability of application access, and to enable digital businesses to avoid exposing internal applications directly to the internet – in order to reduce the risk of external attackers.
The following diagram presents a common ZTNA network model. Users access the ZTNA cloud broker. The cloud broker sends them to an authentication service, usually a cloud-based IdP or an internal directory located in the ZTNA cloud broker. After a successful authentication, the ZTNA cloud broker evaluates the policy based on the user’s identity and provides access to the internal application.
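The flow described above, as an added example that is not from the original post or from any vendor's product: a minimal broker decision in Python, where access depends only on a verified identity assertion and an explicit per-application grant, never on the originating network. The key, users, groups and application names are constructed, and the HMAC tag is a stand-in for the IdP's real asymmetric signature.

```python
import hashlib
import hmac
import json
import time

# Constructed demo values: key, groups and application names are hypothetical.
# HMAC stands in for an asymmetric IdP signature; with a shared key the broker
# itself could forge assertions, which is the provider-trust problem in miniature.
IDP_KEY = b"demo-idp-signing-key"
POLICY = {  # application -> groups that are explicitly granted access
    "payroll": {"finance"},
    "wiki": {"finance", "engineering"},
}

def idp_issue(user, groups, ttl=300, now=None):
    """IdP side: sign an assertion after a successful authentication."""
    now = time.time() if now is None else now
    body = json.dumps({"sub": user, "groups": sorted(groups), "exp": now + ttl},
                      sort_keys=True)
    tag = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body, tag

def broker_decide(assertion, app, source_ip, now=None):
    """Broker side: return (allowed, reason) for one request to one application."""
    now = time.time() if now is None else now
    if assertion is None:
        return False, "no assertion: redirect to IdP"
    body, tag = assertion
    expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return False, "invalid assertion signature"
    claims = json.loads(body)
    if claims["exp"] <= now:
        return False, "assertion expired: re-authenticate"
    # source_ip would be logged for audit; it never contributes to the decision.
    allowed_groups = POLICY.get(app, set())  # unknown application -> deny by default
    if allowed_groups & set(claims["groups"]):
        return True, f"{claims['sub']} explicitly granted {app}"
    return False, f"{claims['sub']} has no explicit grant for {app}"
```

The same request from an internal address and from the internet gets the same answer, because only the signed claims and the policy table are consulted.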
In most cases, onsite users will still get network access to applications and resources, and in many cases even external users will get network access for some applications and protocols.
The value of ZTNA is quite clear, yet in complex environments the transition isn’t as smooth as the diagram suggests.
The cybersecurity space is complex. There are different types of users, systems, applications, platforms and networks. CISOs and IT managers are required to address many different use cases such as controlled access, remote access and cross-organizational collaboration. Regulatory and compliance requirements also need to be taken into consideration. There are also additional security aspects to be examined, such as fitting in MFA, choosing SSO or other login, addressing latency and coverage, and the list goes on.
This is why zero trust is a journey, and why thinking ahead when planning zero trust network access is crucial. CISOs, CIOs and IT Managers need to choose the right technology and provider for the organization’s current and future needs, keeping in mind that times change, so agility is key. Zero trust has to be implemented by design and as a practice, not as a quick fix.
7 Questions to Ask Yourself When Picking Your ZTNA Provider
When choosing a ZTNA provider and technology, here are seven questions to ask yourself.
- Is the users’ data exposed?
- Who has control of the access rules?
- Where are our secrets (passwords, tokens, private keys) kept?
- How is the risk of internal threats mitigated?
- What is the scope of secure access? Does it include users, networks, apps, etc.?
- What is the ZTNA provider’s infrastructure? Are the servers located in the cloud or in a data center? Who can access it?
- The last but very important question – What happens if the ZTNA provider is compromised? Is the organization still secure?
These questions all boil down to: is the ZTNA provider really providing zero-trust? The answer to that question is crucial because many ZTNA providers hold and control:
- Encryption keys
- Access policies
- Private keys
- And more
In other words, ZTNA providers have access to all of the network’s vulnerability points. This is exactly what you are trying to protect, and it deserves careful consideration when creating a zero trust environment. So ZTNA is zero trust with an exception, because you do have to trust your ZTNA provider. Actually, you are forced to trust the ZTNA provider as well as its providers. As you have probably already understood, this brings back the issue of transitive trust. This is quite the paradox.
To overcome this paradox, we have to plan a secure zero trust journey. In this journey, no customer data should be put at risk, all apps and protocols should be secured, and our resources and users should not be strained. By asking the right questions and choosing a Zero Trust Provider you can trust, you can ensure you are implementing a truly secure zero trust journey.
That’s it! We hope you learned about what to look out for when choosing a ZT provider, how to implement a secure Zero Trust network and which questions to ask when choosing your provider.
Read More about Zero Trust Connectivity
To learn more about how to adopt a zero trust strategy and how it can be implemented in your organization, read this whitepaper “5 Things to Consider Before Adopting a Zero Trust Strategy”.
About Cyolo – a Secure Zero Trust Provider
Cyolo is a secure zero trust solution that does not hold and control sensitive company information like keys and passwords. It was established by CISOs as a grassroots solution, after experiencing the complexities and overhead organizations face when dealing with secure access challenges daily. Cyolo’s unified platform securely connects local and mobile users to the tools and data they need, in the organizational network, cloud or IoT environments and even offline networks, regardless of where they are or what device they are using. Request a demo to learn more.