Can You Really Trust Zero Trust Network Access?


Why Yes

The global economy’s shift to hybrid work models is challenging enterprises to securely connect their work-from-anywhere employees. Supporting these highly distributed, dynamic, and diverse networks requires enterprises to be more flexible and accommodating, which makes remote access an ever-expanding attack surface. A crucial step in reducing this risk is transitioning from legacy VPNs, with their inherently risky castle-and-moat approach, to Zero Trust Network Access (ZTNA). ZTNA implements a much more restrictive access control mechanism, which allows users to connect to applications on a need-to-access basis only.

Why Not

ZTNA solutions, however, rely mostly on user authentication, and when this becomes compromised, a perpetrator still has the capability to wreak havoc in the enterprise network and its connected assets. User account takeovers are quite common and are achieved by way of social engineering (e.g. phishing) and other techniques. Security experts agree that enterprise security teams should work under the assumption that user accounts have been, or at some point will be, compromised.

What’s Next

Recognizing this risk, and as part of our continuous quest to provide our customers with better security, Cato has released the Client Connectivity Policy (CCP) feature. CCP acts as an additional layer of security when connecting remote employees to the enterprise network. It adds user- or group-level validations based on the client platform (operating system), location, and Device Posture information (fig. 1). Clients are granted access only after fully satisfying the defined connectivity policies.

Figure 1

 


It is no longer enough to pass ZTNA authentication in order to access the enterprise network. The additional security layer added by Cato’s CCP significantly reduces ZTNA-related attack vectors, even for compromised accounts, and strengthens the enterprise’s overall security posture.

While Device Posture itself is commonly used as part of ZTNA, Cato’s CCP is unique in that Device Posture is just one source of information used to make access decisions (fig. 2). CCP also enables numerous different Device Posture checks that can be defined, and selectively implemented, for different users and groups. This gives security teams a high degree of flexibility when defining connectivity policies. For example, they can set highly stringent requirements for users with access to highly sensitive enterprise assets (e.g., “the crown jewels”) and more relaxed requirements for users with limited access and lower risk potential.

Figure 2
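
The layered decision described above, sketched as an added example (not Cato's code, API or policy format): authentication is necessary but not sufficient, and the platform, location and Device Posture requirements are looked up per group. The group names, posture check names and the deny-when-no-policy default are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ClientContext:
    """Facts about a connecting client (all field names are hypothetical)."""
    user: str
    group: str
    authenticated: bool
    platform: str          # client operating system
    country: str           # coarse location of the client
    posture: frozenset     # posture checks the device passed

@dataclass(frozen=True)
class ConnectivityPolicy:
    platforms: frozenset
    countries: frozenset
    required_posture: frozenset

# Constructed policies: stricter for the group that reaches sensitive assets.
POLICIES = {
    "finance-admins": ConnectivityPolicy(
        frozenset({"windows", "macos"}), frozenset({"US"}),
        frozenset({"disk_encryption", "edr_running", "os_patched"})),
    "contractors": ConnectivityPolicy(
        frozenset({"windows", "macos", "linux"}), frozenset({"US", "DE"}),
        frozenset({"edr_running"})),
}

def evaluate(ctx, policies=POLICIES):
    """Return (allowed, reasons); every condition must pass, unknown groups are denied."""
    if not ctx.authenticated:
        return False, ["authentication failed"]
    policy = policies.get(ctx.group)
    if policy is None:
        return False, [f"no connectivity policy for group {ctx.group!r}"]
    reasons = []  # collect every failed check so the denial can be logged in full
    if ctx.platform not in policy.platforms:
        reasons.append(f"platform {ctx.platform!r} not allowed")
    if ctx.country not in policy.countries:
        reasons.append(f"location {ctx.country!r} not allowed")
    missing = sorted(policy.required_posture - ctx.posture)
    if missing:
        reasons.append("posture checks not satisfied: " + ", ".join(missing))
    return (not reasons), reasons

# Constructed samples: the same valid credentials from an unmanaged and a managed device.
STOLEN = ClientContext("alice", "finance-admins", True, "linux", "US",
                       frozenset({"edr_running"}))
MANAGED = ClientContext("alice", "finance-admins", True, "macos", "US",
                        frozenset({"disk_encryption", "edr_running", "os_patched"}))
```

`evaluate(STOLEN)` is denied with two reasons even though authentication succeeded, while `evaluate(MANAGED)` is allowed.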

 

The Bottom Line

In the evolving threat landscape of remote access, Zero Trust is just too trusting. Cato’s Client Connectivity Policy takes ZTNA an extra step by adding a security layer capable of blocking access from unauthorized clients, even when the user account has been compromised. By using several independent evaluation criteria, and highly flexible Device Posture profiles, Cato’s CCP keeps your enterprise’s security posture one step ahead of your next attack.