A zero trust network continuously authenticates and validates users and connected endpoints. The goal of zero trust security models is to ensure networks remain protected while still providing access to remote endpoints and users, including bring your own device (BYOD) endpoints and external third-party integrators.
A zero trust network lets all types of users leverage corporate resources, as long as these users and endpoints are continuously validated. According to Gartner, 60% of enterprises will replace their virtual private networks (VPNs) with ZTNA solutions.
To ensure safe access, a zero trust network uses zero trust network access (ZTNA) solutions. ZTNA solutions provide access controls that validate and authenticate users on a continuous basis.
What is ZTNA?
Zero trust network access (ZTNA) is a network security pattern that helps organizations implement zero trust concepts in their network ecosystem.
ZTNA is not a single technology. It encompasses a range of technologies for verifying a requesting user or device, and for providing access according to predefined policies. ZTNA solutions create an environment that protects both local and cloud-based resources. Applications are assumed to be unknown and undiscoverable, and access is granted only by a trusted broker.
The ZTNA trusted broker uses the following processes to authorize entities on the network:
- Login—when a user logs in, the broker verifies their identity.
- Device connection—when a device connects to the network, the broker ensures the device is known, trusted, and has the relevant security updates.
- Least privilege—the broker restricts access according to the principle of least privilege (POLP). It grants access to users depending on their role, and only lets them access the resources necessary for their function, at the minimal level of privilege.
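The three broker steps above can be seen together in a small policy evaluator. The following is an added example written for this article, not code from any ZTNA product; the user directory, device inventory, role table, patch-level threshold and session lifetime are all constructed for illustration. The point it shows is the ordering (identity first, then device posture, then role-scoped privilege) and that anything not explicitly listed in the role policy is denied, so unlisted applications stay invisible to that role.

```python
"""Minimal ZTNA-style broker decision: login, device connection, least privilege.
All data below (users, devices, roles, thresholds) is constructed for the example."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed directory of known users and the role each holds.
USERS = {"alice": "finance", "bob": "engineering"}

# Constructed device inventory: device id -> owner and security-patch level.
DEVICES = {
    "lap-001": {"owner": "alice", "patch_level": 42},
    "lap-002": {"owner": "bob", "patch_level": 37},
}
MIN_PATCH_LEVEL = 40  # assumed posture requirement for a device to connect

# Least-privilege policy: role -> {application: allowed actions}.
# Anything not listed is denied, so the application stays undiscoverable.
ROLE_POLICY = {
    "finance": {"erp": {"read", "write"}, "payroll": {"read"}},
    "engineering": {"gitlab": {"read", "write"}, "ci": {"read"}},
}


@dataclass
class Session:
    """Result of a successful login; expires after a fixed lifetime."""
    user: str
    issued_at: datetime
    ttl: timedelta = timedelta(minutes=30)

    def valid(self, now: datetime) -> bool:
        return now - self.issued_at < self.ttl


@dataclass
class AccessRequest:
    session: Session
    device_id: str
    application: str
    action: str


def authorize(req: AccessRequest, now: datetime):
    """Return (allowed, reason), evaluating the broker steps in order."""
    # Step 1: login - verify the identity behind the session is known and current.
    if req.session.user not in USERS or not req.session.valid(now):
        return False, "identity not verified or session expired"

    # Step 2: device connection - device must be known, enrolled to this user, patched.
    dev = DEVICES.get(req.device_id)
    if dev is None:
        return False, "unknown device"
    if dev["owner"] != req.session.user:
        return False, "device not enrolled to this user"
    if dev["patch_level"] < MIN_PATCH_LEVEL:
        return False, "device missing required security updates"

    # Step 3: least privilege - the role decides which apps and actions exist; default deny.
    role = USERS[req.session.user]
    allowed_actions = ROLE_POLICY.get(role, {}).get(req.application)
    if allowed_actions is None:
        return False, "application not visible to this role"
    if req.action not in allowed_actions:
        return False, "action exceeds role privilege"
    return True, "granted"


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    sess = Session("alice", now - timedelta(minutes=5))
    for app, action in [("erp", "write"), ("payroll", "write"), ("gitlab", "read")]:
        print(app, action, authorize(AccessRequest(sess, "lap-001", app, action), now))
```

Each denial carries a reason string so the decision can be logged; in a real deployment those reasons are what the SOC pivots on when a legitimate user is blocked by an out-of-date device versus a request that never matched any role.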
Tal ZamirCTO, Perception Point
Tal Zamir is a 20-year software industry leader with a track record of solving urgent business challenges by reimagining how technology works.
TIPS FROM THE EXPERTS
- Incorporate behavioral analytics for anomaly detection
Beyond just validating user identity and device status, leverage behavioral analytics to detect anomalous behavior patterns. By analyzing how users typically interact with resources, ZTNA solutions can detect and flag unusual activity that may indicate compromised credentials or insider threats.
- Continuously update trust algorithms
The criteria used by ZTNA solutions to determine trustworthiness should not be static. Regularly update and fine-tune these algorithms based on emerging threats, newly discovered vulnerabilities, and lessons learned from past incidents.
- Implement adaptive multi-factor authentication (MFA)
Go beyond basic MFA by adopting adaptive MFA, which adjusts the authentication requirements based on the context of the access request (e.g., location, device health, time of access). This ensures that higher-risk scenarios are met with stricter authentication measures.
- Enforce session timeouts and re-authentication
Implement strict session timeouts and require periodic re-authentication for users and devices. This reduces the risk of session hijacking and ensures that a compromised session does not lead to prolonged unauthorized access.
- Monitor and control shadow IT with deep visibility tools
Use deep visibility tools to monitor unauthorized applications and services (shadow IT) within your network. Ensuring that only sanctioned applications and devices interact with your ZTNA environment will minimize exposure to potential threats.
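Three of the tips above (behavioral baselines, adaptive MFA, session timeouts with re-authentication) fit naturally into one decision path. The following is an added example written for this article, not code from any product or from the author; the per-user baseline, the risk weights, the step-up thresholds and the session lifetimes are all constructed assumptions. Deviation from the baseline (unusual country, hour, or application, plus unhealthy device) accumulates into a score, the score selects how much authentication is demanded, and a separate session object enforces both an idle timeout and an absolute maximum age so that a stolen session cannot be kept alive indefinitely by touching it.

```python
"""Adaptive MFA driven by a behavioral baseline, plus session re-authentication.
Baselines, weights, thresholds and lifetimes are constructed for the example."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed per-user baseline, as a real system would learn from past activity.
BASELINE = {
    "alice": {"countries": {"DE"}, "hours": range(7, 20), "apps": {"erp", "payroll"}},
}


@dataclass
class Context:
    """The context of one access request that adaptive MFA evaluates."""
    user: str
    country: str
    hour: int          # local hour of the request, 0-23
    device_healthy: bool
    application: str


def risk_score(ctx: Context) -> int:
    """Sum weighted deviations from the user's baseline; higher means riskier."""
    base = BASELINE.get(ctx.user)
    if base is None:
        return 100  # no baseline at all: treat as maximum risk
    score = 0
    if ctx.country not in base["countries"]:
        score += 40  # access from a location this user never uses
    if ctx.hour not in base["hours"]:
        score += 20  # outside the user's normal working hours
    if ctx.application not in base["apps"]:
        score += 20  # resource the user never touches: possible credential misuse
    if not ctx.device_healthy:
        score += 30  # posture check failed on the endpoint
    return score


def required_factors(score: int) -> str:
    """Adaptive MFA: demand stronger factors as risk rises; refuse above a ceiling."""
    if score >= 80:
        return "deny"
    if score >= 40:
        return "password+hardware_key"
    if score >= 20:
        return "password+otp"
    return "password"


@dataclass
class Session:
    """Authenticated session with an idle timeout and an absolute maximum age."""
    user: str
    authenticated_at: datetime
    last_seen: datetime
    idle_timeout: timedelta = timedelta(minutes=15)
    max_age: timedelta = timedelta(hours=8)


def needs_reauth(s: Session, now: datetime) -> bool:
    """True when the session is idle too long or older than max_age, whichever first."""
    idle_expired = now - s.last_seen > s.idle_timeout
    age_expired = now - s.authenticated_at > s.max_age
    return idle_expired or age_expired


def touch(s: Session, now: datetime) -> bool:
    """Record activity; returns False (and leaves the session untouched) if re-auth is due."""
    if needs_reauth(s, now):
        return False
    s.last_seen = now
    return True


if __name__ == "__main__":
    for ctx in [
        Context("alice", "DE", 10, True, "erp"),
        Context("alice", "US", 10, True, "erp"),
        Context("alice", "US", 3, False, "gitlab"),
    ]:
        s = risk_score(ctx)
        print(ctx, s, required_factors(s))
```

The absolute maximum age is the part people most often leave out: an idle timeout alone can be defeated by any client that keeps sending requests, whereas `max_age` forces a fresh authentication (and therefore a fresh risk evaluation) regardless of activity.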
Benefits of ZTNA
ZTNA solutions can provide the following benefits to organizations, as they adopt a zero trust security model.
Secure Cloud Access
Many organizations are running services in the public cloud, and research shows a majority of cloud users run on multiple cloud platforms. To reduce the attack surface, organizations need to limit access to these cloud-based resources.
ZTNA allows organizations to restrict access to cloud environments and applications based on their business needs. Each user and application can be assigned a role within the ZTNA solution. Each role is then granted the appropriate rights and privileges with respect to cloud-based infrastructure.
Secure Remote Access
In the wake of COVID-19, most organizations have moved largely or entirely to remote workforces. Many companies use virtual private networks (VPNs) to enable remote access. However, VPNs have significant limitations such as lack of scalability and integrated security.
A major problem with VPNs is that by default, authenticated users gain full access to the entire network, regardless of their role or the resource they are trying to reach. This creates an inherent security vulnerability. ZTNA solutions recognize that users are connecting remotely or via their personal devices (BYOD), and give them appropriate, limited access to the corporate network.
Protecting Against Account Compromise
Privileged account compromise is a common threat vector in modern networks. Attackers steal, infer, or otherwise compromise user account credentials, and then use them to authenticate on the organization’s systems. This grants the attacker the same level of access as a legitimate user.
Implementing ZTNA can address this threat, and minimize the damage that an attacker can inflict using a compromised account. The attacker’s ability to move laterally across the network is limited by the privileges assigned to the compromised user account.
Considerations for Choosing a Zero Trust Network Access Solution
Here are a few key considerations when selecting technologies that will make up your ZTNA solution:
- Agent vs. agentless—whether the solution requires an endpoint to be deployed on devices. Agents can significantly limit the solution’s value for devices that are not owned by the organization.
- Support for workloads—whether the solution supports web applications, legacy applications, containerized infrastructure, etc.
- Cloud based vs. on premises—whether the solution is delivered as a cloud service or deployed on premises. Cloud-based solutions are easier to deploy and provide better protection against DDoS due to their elastic scalability. However, on-premises solutions may provide more flexibility in some scenarios.
- Authentication—which protocols and standards the solution supports. It is important to make sure that the solution can integrate with the organization’s identity provider, such as Active Directory.
- Points of presence (PoPs)—for cloud based solutions, it is important to evaluate the solution’s global reach and whether it has PoPs in all the locations the organization operates or does business in.
- Unified Endpoint Management (UEM) integration—it is common for ZTNA solutions to work together with UEM platforms. It is important to evaluate whether the solution integrates with the UEM platform already used by the organization.
Zero Trust for Securing Remote Access with Perception Point
Perception Point helps achieve this new ZTNA architecture by adding enterprise-grade security to standard browsers like Chrome, Edge, and Safari. The solution fuses advanced threat detection with browser-level governance and DLP controls, providing organizations of all sizes with unprecedented ability to detect, prevent and remediate web threats including sophisticated phishing attacks, ransomware, exploits, zero-days, and more.
By transforming the organizational browser into a protected work environment, the access to sensitive corporate infrastructure and SaaS applications is secure from data loss and insider threats. The solution is seamlessly deployed on the endpoints via a browser extension and is managed centrally from a cloud-based console. There is no need to tunnel/proxy traffic through Perception Point.
An all-included managed Incident Response service is available for all customers 24/7. Perception Point’s team of cybersecurity experts will manage incidents, provide analysis and reporting, and optimize detection on-the-fly. The service drastically minimizes the need for internal IT or SOC team resources, reducing the time required to react and mitigate web-borne attacks by up to 75%.
Customers deploying the solution will experience fewer breaches, while providing their users with a better experience as they have the freedom to browse the web, use SaaS applications that they require, and access privileged corporate data, confidently, securely, and without added latency.
Contact us for a demo of our Advanced Browser Security solution, today.