ZTNA: Zero Trust Network Access

Zero Trust Network: Why You Need It and 5 Steps to Get Started

What is a Zero Trust Network?

The zero trust security model mandates that no user or entity should be trusted—whether inside the organization or outside of it. There is no network perimeter. Instead, there are micro-perimeters around specific systems, each with its own security policies. Each user or entity is only granted the minimal access they need to perform their role.

In the past, network security was mainly based on defending the perimeter. Systems like firewalls and intrusion detection/prevention systems (IDS/IPS) were deployed at the network edge, and were tasked with stopping intruders from penetrating the network. In a zero trust network, these tools are still used, but are complemented with advanced measures to stop attackers while already inside the corporate network.

Zero trust networks use the concept of micro-segmentation to break up the larger corporate network into multiple smaller networks, with minimal overlap between them. This means that even if a certain part of the network is breached, attackers cannot move laterally to other systems. Monitoring must be established to gain visibility over traffic flowing into the network and between network segments, to enable auditing and identify anomalous activity.

Challenges of the Old Network Security Model

The old network security model, which trusted entities inside the network perimeter, was always problematic, but recent changes to the IT environment have brought it to its knees. We are seeing enormous growth in remote work, growing use of cloud resources, Internet of Things (IoT) devices, and other elements connecting to the corporate system remotely.

Remote access to a corporate network has become the rule, not the exception. Remote access exposes internal IP addresses and creates new attack vectors. Attackers can easily compromise end-user devices via social engineering, and can then gain access to the entire network. Cloud resources and IoT devices are prone to misconfiguration, which attackers can similarly exploit to compromise these entities and penetrate the network.

In particular, virtual private network (VPN) is an aging technology that is difficult to secure and manage. Many organizations realize VPN is no longer a viable way to grant remote access to corporate systems.

These developments mean the demise of the old network perimeter, and give rise to the zero trust concept—never trust a user account or connection, whether it originates from inside or outside the corporate network.

Principles of Zero Trust Network Security

Here are some techniques and best practices that can help you move your network towards a zero-trust model:

  • Least privilege access—ensures everyone on the network should only have access to the applications and features they actually need. This limits an attacker’s ability to move laterally from one system to another, reducing the damage caused by a breach.
  • Micro-segmentation—divides the network into different network segments with different access credentials. This provides additional protection, preventing attackers from moving to other network segments when one network segment is compromised.
  • Data usage controls—limits what authorized users can do with data. This should be done dynamically, such as revoking the right to access financial datasets when an employee leaves the finance department.
  • Continuous monitoring—determines how users and entities interact with data and other systems. This can alert security teams to violations. But beyond alerting and manual response, monitoring can also be connected to adaptive security controls, which can automatically react to suspicious behavior.

Types of Zero Trust Network Solutions

The main technology solution used to deploy a zero trust network is Zero Trust Network Access (ZTNA). Gartner has identified two approaches vendors use when developing ZTNA solutions: endpoint-initiated ZTNA and service-initiated ZTNA.

Endpoint-Initiated ZTNA

This type of solution follows the Cloud Security Alliance (CSA) Software Defined Perimeter (SDP) specification, an early standard for zero trust networks. It typically follows this process:

  1. An agent is installed on the authenticated end user’s device, which sends information about the security context to a controller.
  2. The controller requests authentication from the device’s user and returns a list of allowed applications.
  3. The controller provides a connection from the device through a gateway, protecting the service from direct Internet access, denial of service (DoS) attacks and other threats originating from public networks.
  4. When the controller establishes a connection, some products remain in the data path. Others remove themselves and allow the device and service to interact directly.

Pros and cons
The advantage of this type of ZTNA is that it provides detailed information about the context of the connecting device. It is also possible to conduct health checks on the device and ensure it is updated and has been scanned for malware.

The disadvantage is that it is only relevant for managed devices. They are very difficult to deploy on personal devices. These may be used exclusively when the company uses a Bring Your Own Device (BYOD) policy, or occasionally when employees log into services from their home or from mobile devices.

In some cases this issue can be alleviated by using Unified Endpoint Security (UES), which users might be more willing to deploy on personal devices, and can serve as the agent in the ZTNA process.

Service-Initiated ZTNA

This type of solution is aligned with the Google BeyondCorp framework—a pattern created by Google for implementing zero trust in organizations. It works as follows:

  1. A connector, installed on the same network as the application, establishes and maintains an outbound connection to a cloud service provider.
  2. Users connect to the cloud service, and the cloud service authenticates users via an enterprise identity management technology.
  3. The cloud provider checks the user’s authorization to access protected applications.
  4. Only after successful authentication and authorization, traffic passes from the cloud service to the application, located behind the firewall.

This architecture isolates applications from direct access through a proxy. There is no need to open corporate firewalls for inbound traffic. However, the organization becomes dependent on the service provider’s network, and must ensure that the provider offers a sufficient level of security.

Pros and cons
The advantage of service-initiated ZTNA is that it is an attractive method for unmanaged devices, because there is no need for an agent on each end-user device.

The downside is that in some ZTNA solutions, the application’s protocol must be based on HTTP/HTTPS, which limits the solution to web applications. Applications using protocols like Secure Shell (SSH) or Remote Desktop Protocol (RDP) may not be supported.

5 Steps to Creating a Zero Trust Network

Zero trust networks do not rely on specific hardware, rather they rely on new security methods. You can use the following process to transform your existing infrastructure into a zero trust network:

  1. Create an inventory of assets—assess the value and vulnerability of company assets, such as mission critical applications, sensitive data, or intellectual property, by creating an asset inventory.
  2. Verify accounts, users, and devices—in many cases, breaches are the result of spoofed devices or compromised accounts. To maintain zero trust, devices and users must prove their identity and properties (for example, an unknown device must be verified as being safe). Verification can be carried out via multi factor authentication (MFA), behavioral analytics, endpoint agents, and analysis of device criteria.
  3. Define allowed workflows—identify who should have access to your assets, when, how, and why access is granted as part of normal business processes.
  4. Define policies and automate them—define an authentication policy based on available metadata, such as device, location, source, time, and context such as recent activity and the results of MFA. ZTNA can help you automate these processes.
  5. Testing, monitoring and maintenance—use threat modeling to identify where access should be restricted to eliminate the most pertinent threats, and minimize the impact on productivity. Security teams must continuously monitor device activity to detect anomalies, and actively adjust policies to prevent new threats.

Zero Trust Network with Cato SASE Cloud

Cato’s zero trust solution provides a zero trust network for securely accessing on-premises and cloud applications via any device. With a Cato Client or Clientless browser access, users securely connect to the nearest Cato PoP using strong Multi-Factor Authentication.

Built into Cato’s SASE platform, Cato ZTNA delivers the following key capabilities:

  • Scalability: Cato ZTNA instantly scales to support optimized and secure access to an unlimited number of users, devices, and locations, without requiring additional infrastructure.
  • Access and Authentication: Cato ZTNA enforces multi-factor authentication and granular application access policies, which restrict access to approved applications, both on-premises and cloud. Users don’t get access to the network layer, reducing risk significantly.
  • Threat Prevention: Cato ZTNA provides continuous protection against threats, applying deep packet inspection (DPI) for threat prevention to all traffic. Threat protection is seamlessly extended to Internet and application access, whether on-premises or in the cloud.
  • Performance: Cato ZTNA enables remote users to access business resources via a global private backbone, and not the unpredictable public Internet. This delivers a consistent and optimized experience to everyone, everywhere.