Zero Trust Network: Why You Need It and 5 Steps to Get Started

What is a Zero Trust Network?

The zero trust security model mandates that no user or entity should be trusted—whether inside the organization or outside of it. There is no network perimeter. Instead, there are micro-perimeters around specific systems, each with its own security policies. Each user or entity is only granted the minimal access they need to perform their role.

In the past, network security was mainly based on defending the perimeter. Systems like firewalls and intrusion detection/prevention systems (IDS/IPS) were deployed at the network edge, and were tasked with stopping intruders from penetrating the network. In a zero trust network, these tools are still used, but are complemented with advanced measures to stop attackers while already inside the corporate network.

Zero trust networks use the concept of micro-segmentation to break up the larger corporate network into multiple smaller networks, with minimal overlap between them. This means that even if a certain part of the network is breached, attackers cannot move laterally to other systems. Monitoring must be established to gain visibility over traffic flowing into the network and between network segments, to enable auditing and identify anomalous activity.

Challenges of the Old Network Security Model

The old network security model, which trusted entities inside the network perimeter, was always problematic, but recent changes to the IT environment have brought it to its knees. We are seeing enormous growth in remote work, growing use of cloud resources, Internet of Things (IoT) devices, and other elements connecting to the corporate system remotely.

Remote access to a corporate network has become the rule, not the exception. Remote access exposes internal IP addresses and creates new attack vectors. Attackers can easily compromise end-user devices via social engineering, and can then gain access to the entire network. Cloud resources and IoT devices are prone to misconfiguration, which attackers can similarly exploit to compromise these entities and penetrate the network.

In particular, virtual private network (VPN) is an aging technology that is difficult to secure and manage. Many organizations realize VPN is no longer a viable way to grant remote access to corporate systems.

These developments mean the demise of the old network perimeter, and give rise to the zero trust concept—never trust a user account or connection, whether it originates from inside or outside the corporate network.

Principles of Zero Trust Network Security

Here are some techniques and best practices that can help you move your network towards a zero-trust model:

  • Least privilege access—ensures everyone on the network should only have access to the applications and features they actually need. This limits an attacker’s ability to move laterally from one system to another, reducing the damage caused by a breach.
  • Micro-segmentation—divides the network into different network segments with different access credentials. This provides additional protection, preventing attackers from moving to other network segments when one network segment is compromised.
  • Data usage controls—limits what authorized users can do with data. This should be done dynamically, such as revoking the right to access financial datasets when an employee leaves the finance department.
  • Continuous monitoring—determines how users and entities interact with data and other systems. This can alert security teams to violations. But beyond alerting and manual response, monitoring can also be connected to adaptive security controls, which can automatically react to suspicious behavior.

Types of Zero Trust Network Solutions

The main technology solution used to deploy a zero trust network is Zero Trust Network Access (ZTNA). Gartner has identified two approaches vendors use when developing ZTNA solutions: endpoint-initiated ZTNA and service-initiated ZTNA.

Endpoint-Initiated ZTNA

This type of solution follows the Cloud Security Alliance (CSA) Software Defined Perimeter (SDP) specification, an early standard for zero trust networks. It typically follows this process:

  1. An agent is installed on the authenticated end user’s device, which sends information about the security context to a controller.
  2. The controller requests authentication from the device’s user and returns a list of allowed applications.
  3. The controller provides a connection from the device through a gateway, protecting the service from direct Internet access, denial of service (DoS) attacks and other threats originating from public networks.
  4. When the controller establishes a connection, some products remain in the data path. Others remove themselves and allow the device and service to interact directly.

Pros and cons
The advantage of this type of ZTNA is that it provides detailed information about the context of the connecting device. It is also possible to conduct health checks on the device and ensure it is updated and has been scanned for malware.

The disadvantage is that it is only relevant for managed devices. They are very difficult to deploy on personal devices. These may be used exclusively when the company uses a Bring Your Own Device (BYOD) policy, or occasionally when employees log into services from their home or from mobile devices.

In some cases this issue can be alleviated by using Unified Endpoint Security (UES), which users might be more willing to deploy on personal devices, and can serve as the agent in the ZTNA process.

Service-Initiated ZTNA

This type of solution is aligned with the Google BeyondCorp framework—a pattern created by Google for implementing zero trust in organizations. It works as follows:

  1. A connector, installed on the same network as the application, establishes and maintains an outbound connection to a cloud service provider.
  2. Users connect to the cloud service, and the cloud service authenticates users via an enterprise identity management technology.
  3. The cloud provider checks the user’s authorization to access protected applications.
  4. Only after successful authentication and authorization, traffic passes from the cloud service to the application, located behind the firewall.

This architecture isolates applications from direct access through a proxy. There is no need to open corporate firewalls for inbound traffic. However, the organization becomes dependent on the service provider’s network, and must ensure that the provider offers a sufficient level of security.

Pros and cons
The advantage of service-initiated ZTNA is that it is an attractive method for unmanaged devices, because there is no need for an agent on each end-user device.

The downside is that in some ZTNA solutions, the application’s protocol must be based on HTTP/HTTPS, which limits the solution to web applications. Applications using protocols like Secure Shell (SSH) or Remote Desktop Protocol (RDP) may not be supported.

5 Steps to Creating a Zero Trust Network

Zero trust networks do not rely on specific hardware, rather they rely on new security methods. You can use the following process to transform your existing infrastructure into a zero trust network:

  1. Create an inventory of assets—assess the value and vulnerability of company assets, such as mission critical applications, sensitive data, or intellectual property, by creating an asset inventory.
  2. Verify accounts, users, and devices—in many cases, breaches are the result of spoofed devices or compromised accounts. To maintain zero trust, devices and users must prove their identity and properties (for example, an unknown device must be verified as being safe). Verification can be carried out via multi factor authentication (MFA), behavioral analytics, endpoint agents, and analysis of device criteria.
  3. Define allowed workflows—identify who should have access to your assets, when, how, and why access is granted as part of normal business processes.
  4. Define policies and automate them—define an authentication policy based on available metadata, such as device, location, source, time, and context such as recent activity and the results of MFA. ZTNA can help you automate these processes.
  5. Testing, monitoring and maintenance—use threat modeling to identify where access should be restricted to eliminate the most pertinent threats, and minimize the impact on productivity. Security teams must continuously monitor device activity to detect anomalies, and actively adjust policies to prevent new threats.

Zero Trust Network with Cato SASE Cloud

Cato’s zero trust solution – Cato SDP – provides a zero trust network for securely accessing on-premises and cloud applications via any device. With a Cato Client or Clientless browser access, users securely connect to the nearest Cato PoP using strong Multi-Factor Authentication.

Built into Cato’s SASE platform, Cato SDP delivers the following key capabilities:

  • Scalability: Cato SDP instantly scales to support optimized and secure access to an unlimited number of users, devices, and locations, without requiring additional infrastructure.
  • Access and Authentication: Cato SDP enforces multi-factor authentication and granular application access policies, which restrict access to approved applications, both on-premises and cloud. Users don’t get access to the network layer, reducing risk significantly.
  • Threat Prevention: Cato SDP provides continuous protection against threats, applying deep packet inspection (DPI) for threat prevention to all traffic. Threat protection is seamlessly extended to Internet and application access, whether on-premises or in the cloud.
  • Performance: Cato SDP enables remote users to access business resources via a global private backbone, and not the unpredictable public Internet. This delivers a consistent and optimized experience to everyone, everywhere.

FAQ

  • What is Zero Trust Network Access (ZTNA)?

    Zero Trust Network Access is a modern approach to securing access to applications and services. ZTNA denies everyone and everything access to a resource unless explicitly allowed. This approach enables tighter network security and micro-segmentation that can limit lateral movement if a breach occurs.

  • How is ZTNA different from software-defined perimeter (SDP)?

    SDP and ZTNA today are functionally the same. Both describe an architecture that denies everyone and everything access to a resource unless explicitly allowed.

  • Why is ZTNA important?

    ZTNA is not only more secure than legacy network solutions, but it’s designed for today’s business. Users work everywhere — not only in offices — and applications and data are increasingly moving to the cloud. Access solutions need to be able to reflect those changes. With ZTNA, application access can dynamically adjust based on user identity, location, device type, and more.

  • How does ZTNA work?

    ZTNA uses granular application-level access policies set to default-deny for all users and devices. A user connects to and authenticates against a Zero Trust controller, which implements the appropriate security policy and checks device attributes. Once the user and device meet the specified requirements, access is granted to specific applications and network resources based upon the user’s identity. The user’s and device’s status are continuously verified to maintain access.

  • How is ZTNA different from VPN?

    ZTNA uses an identity authentication approach whereby all users and devices are verified and authenticated before being granted access to any network-based asset. Users can only see and access the specific resources allowed to them by policy.

    A VPN is a private network connection based on a virtual secure tunnel between the user and a general terminus point in the network. Access is based on user credentials. Once users connects to the network, they can see all resources on the network with only passwords restricting access.

  • How can I implement ZTNA?

    In client-initiated ZTNA, an agent installed on an authorized device sends information about that device’s security context to a controller. The controller prompts the device’s user for authentication. After both the user and the device are authenticated, the controller provisions connectivity from the device through a gateway such as a next-generation firewall capable of enforcing multiple security policies. The user can only access applications that are explicitly allowed.
    In service-initiated ZTNA, a connector installed in the same network as the application establishes and maintains an outbound connection to the provider’s cloud. A user requesting access to the application is authenticated by a service in the cloud, followed by validation by an identity management product. Application traffic passes through the provider’s cloud, which provides isolation from direct access and attack via a proxy. No agent is needed on the user’s device.

  • Will ZTNA replace SASE?

    ZTNA is only a small part of SASE. Once users are authorized and connected to the network, there is still a need to protect against network-based threats. IT leaders still need the right infrastructure and optimization capabilities in place to protect the user experience. And they still need to manage their overall deployment.
    SASE addresses those challenges by bundling ZTNA with a complete suite of security services — NGFW, SWG, anti-malware, and MDR — and with network services such as SD-WAN, WAN optimization, and bandwidth aggregation.

  • What security capabilities does ZTNA lack?

    ZTNA addresses the need for secure network and application access but it doesn’t perform security functions such as checking for malware, detecting and remediating cyber threats, protecting web-surfing devices from infection, and enforcing company policies on all network traffic. That’s why the full suite of security services in SASE is a complement to ZTNA.

  • How do Zero Trust and SASE work together?

    With SASE, the ZT controller function becomes part of the SASE PoP and there’s no need for a separate connector. Devices connect to the SASE PoP, get validated and users are only given access to those applications (and sites) allowed by the security policy in the SASE Next-Generation Firewall (NGFW) and Secure Web Gateway (SWG).

    SASE addresses other security and networking needs by bundling ZTNA with a complete suite of security services — NGFW, SWG, anti-malware, and MDR — and with network services such as SD-WAN, WAN optimization, and bandwidth aggregation. Enterprises that leverage SASE receive the benefits of Zero Trust Network Access plus a full suite of network and security solutions, all converged together into a package that is simple to manage, optimized, and highly scalable.

LEARN MORE ABOUT CATO REMOTE ACCESS