
Identity & Access

Extending ZTNA to Protect Against Insider Threats

One of the main reasons why ZTNA fails is that most ZTNA implementations tend to focus entirely on securing remote access.


Cyberthreats are growing in pervasiveness, stealth, and severity, and the potential consequences of a breach are more severe than ever before. With increasing skepticism and wariness among security teams, it makes sense to embrace the “never trust, always verify” principle that underpins Zero Trust Network Access (ZTNA). ZTNA aims to authenticate and authorize every user and device, no matter where they are, before granting access to the apps and assets they need.

When authenticated users get access only to the resources they absolutely need for their jobs, the risk of data theft and exfiltration automatically goes down. But it does not disappear entirely. Recent data indicates that despite 94% of organizations feeling confident about their understanding of ZTNA, 68% still experienced a cyberattack last year, according to the 2023 Hybrid Security Trends Report (PDF) from Netwrix.

Why ZTNA Fails

One of the main reasons why ZTNA fails is that most ZTNA implementations tend to focus entirely on securing remote access. The belief that users inside the office perimeter can be intrinsically trusted outright violates ZTNA’s “never trust” approach. It overlooks the threats posed by disgruntled employees and IT staffers who are inside the secure office premises, with authentic credentials but malicious intent. Moreover, even well-meaning employees are prone to making errors in judgment and everyday operations.

Another problem with the remote-only approach to ZTNA is that admins can no longer construct a single application access policy for on- and off-site users. This alone can create loopholes and affect the operational efficiency of organizations. However, extending ZTNA to internal users also has its challenges:

  • Network Infrastructure: To implement ZTNA within the office, organizations need to ensure that their network infrastructure supports the necessary technologies and protocols. The traditional approach to ZTNA may involve deploying SDP (software-defined perimeter), VPNs (virtual private networks), or secure access gateways that can enforce the ZTNA principles within the local network.
  • Network Segmentation: ZTNA relies on the segmentation of networks and resources to limit access based on user identity and device posture. Admins may have to reconfigure their internal network architecture to implement proper network segmentation and access controls.
  • Legacy Devices and Applications: Agent-based ZTNA is sometimes incompatible with certain devices already being used within the organization. Legacy systems and applications hosted on internal data centers may also not integrate seamlessly with ZTNA.

Despite these challenges, extending ZTNA capabilities to users within the office is crucial for providing secure access and improving the overall security posture.

RBAC+ can Extend ZTNA to Users and IT Admins Inside the Office

RBAC+ extends the capabilities of RBAC (Role Based Access Control) which associates access policies with roles and assigns users to specific roles. RBAC+ goes a step further to incorporate user attributes, environmental factors, and just-in-time situational awareness to implement more dynamic, context-aware, and fine-grained access control policies.

RBAC+ allows organizations to map job roles to access policies within the ZTNA framework. This ensures that whether a user is in the office or outside, access to IT resources will be determined by the same ZTNA policy and user identity. In addition to the user identity, environmental and contextual factors, such as the device posture, user location, and time of day, also guide ZTNA access control to detect anomalies and prevent abuse of privilege in real time.
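The following is an added illustration of the RBAC+ decision the two paragraphs above describe; it is not code from Cato Networks or from the article. A plain RBAC check (role alone) sits beside a context-aware check that also weighs device posture, location and time of day, and the same function serves office and remote users so there is a single policy rather than two. The roles, resources, constraint table and user contexts are all constructed for the example.

```python
"""Context-aware access decision in the RBAC+ style: role entitlement first,
then device posture, location and time-of-day.

Added illustration; the role table, resource constraints and contexts are
constructed and do not describe any real product."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    resource: str
    device_managed: bool   # enrolled in the organisation's device management
    device_patched: bool   # posture check passed (constructed boolean)
    location: str          # "office" or "remote" (constructed labels)
    hour: int              # local hour of day, 0-23


# Classic RBAC layer: role -> resources the role is entitled to (constructed).
ROLE_POLICY = {
    "finance-analyst": {"erp", "reporting"},
    "it-admin": {"erp", "reporting", "domain-controller", "backup-console"},
}

# RBAC+ layer: per-resource contextual constraints (constructed).
# "hours" is a half-open window [start, end) in local time.
RESOURCE_CONSTRAINTS = {
    "erp":               {"managed": True,  "patched": False, "locations": {"office", "remote"}, "hours": (6, 22)},
    "reporting":         {"managed": False, "patched": False, "locations": {"office", "remote"}, "hours": (0, 24)},
    "domain-controller": {"managed": True,  "patched": True,  "locations": {"office"},           "hours": (8, 18)},
    "backup-console":    {"managed": True,  "patched": True,  "locations": {"office", "remote"}, "hours": (0, 24)},
}


def rbac_only(role: str, resource: str) -> bool:
    """Plain RBAC: the entitlement depends on the role alone."""
    return resource in ROLE_POLICY.get(role, set())


def evaluate(ctx: Context) -> tuple[bool, str]:
    """RBAC+ decision. Returns (allowed, reason) so a denial can be logged
    with the contextual factor that triggered it. Office and remote users
    pass through exactly the same checks."""
    if not rbac_only(ctx.role, ctx.resource):
        return False, "role not entitled to resource"
    c = RESOURCE_CONSTRAINTS[ctx.resource]
    if c["managed"] and not ctx.device_managed:
        return False, "unmanaged device"
    if c["patched"] and not ctx.device_patched:
        return False, "device failed posture check"
    if ctx.location not in c["locations"]:
        return False, f"location {ctx.location!r} not permitted"
    start, end = c["hours"]
    if not (start <= ctx.hour < end):
        return False, "outside permitted hours"
    return True, "allowed"


if __name__ == "__main__":
    # Same admin, same role, same device: only the hour differs.
    admin_day = Context("dana", "it-admin", "domain-controller", True, True, "office", 10)
    admin_night = Context("dana", "it-admin", "domain-controller", True, True, "office", 2)
    for ctx in (admin_day, admin_night):
        print(ctx.user, ctx.resource, f"{ctx.hour:02d}:00",
              "rbac_only=", rbac_only(ctx.role, ctx.resource),
              "rbac_plus=", evaluate(ctx))
```

Under plain RBAC both of the admin requests at the bottom are allowed; under the RBAC+ check the 02:00 request to the domain controller is denied with a reason that can be fed straight into monitoring, which is the point the article makes about detecting anomalies and privilege abuse.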


Modern organizations are now attempting to break silos and adopt cross-functional teams with approaches such as DevOps and SASE (Secure Access Service Edge), which integrates networking and security behind a single management console for better visibility, network performance, and security coverage. With RBAC+, organizations can define and manage today’s dynamic and overlapping job roles, globally or by location. They can customize roles and define extremely granular access policies for individual capabilities across networking and security frameworks.

Continuous Monitoring and Advanced DNS Protections Enhance ZTNA

At the heart of ZTNA is the ability to continually inspect traffic flows once users are granted access. Successful ZTNA implementations leverage AI and ML algorithms to identify suspicious activities based on historical data and available threat intelligence. This ensures that any suspicious access attempts or deviations from normal behavior by authenticated and authorized users can be detected and mitigated right away, reducing the risk of successful insider attacks.

Advanced DNS protections also play a crucial role in fortifying ZTNA, because cybercriminals often seek to redirect or manipulate DNS requests to harvest credentials or exfiltrate data. Organizations can use advanced DNS protections, such as DNS filtering, DNSSEC (DNS Security Extensions), and DNS monitoring and analysis, to detect malicious DNS activities and identify and block domains used for phishing and other forms of cyberattacks. By preventing insiders’ access to malicious domains, organizations can enhance the overall effectiveness of ZTNA and mitigate risks to in-house IT resources.
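As an added example of the DNS monitoring and analysis side of this (not code from the article or from any vendor), the block below runs two defender-side checks over resolver log lines: a lookup of a blocklisted domain, which is the filtering case, and a host that queries an unusually large number of distinct subdomains under one domain, a common heuristic for the data-exfiltration-over-DNS pattern the paragraph mentions. The log format, the host and domain names, the blocklist entry and the threshold are all constructed; a real deployment would take the blocklist from threat intelligence and tune the threshold to its own baseline.

```python
"""Detection over resolver logs: blocklisted domains plus a per-host
high-unique-subdomain check.

Added example; the log format, blocklist, domain names and threshold are
constructed for illustration."""
import re
from collections import defaultdict

# Assumed log format: "<timestamp> host=<h> user=<u> query=<name> type=<qtype>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"query=(?P<query>\S+) type=(?P<qtype>\S+)$"
)

BLOCKLIST = {"blocked-phish.example"}   # constructed blocklist entry
MAX_UNIQUE_SUBDOMAINS = 10              # assumed threshold; tune per environment


def _build_sample_log() -> str:
    """Constructed resolver log: ordinary business lookups, one lookup of a
    blocklisted name, and one host emitting many distinct subdomains of a
    single domain."""
    lines = [
        "2024-05-02T09:01:10Z host=ws-fin-07 user=alice query=erp.corp.example type=A",
        "2024-05-02T09:01:11Z host=ws-fin-07 user=alice query=reporting.corp.example type=A",
        "2024-05-02T09:02:30Z host=ws-eng-12 user=bob query=blocked-phish.example type=A",
    ]
    for i in range(12):
        lines.append(f"2024-05-02T09:03:{i:02d}Z host=ws-eng-12 user=bob "
                     f"query=chunk{i:02d}.unusual.example type=TXT")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def registered_domain(name: str) -> str:
    """Last two labels of a name. Adequate for the constructed .example names;
    a production version should consult a public-suffix list."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def analyze(log_text: str) -> list:
    """Return alert tuples for blocklist hits and high-unique-subdomain hosts."""
    alerts = []
    seen = defaultdict(set)   # (host, registered domain) -> distinct names queried
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue          # skip malformed lines rather than abort the run
        q = m["query"].rstrip(".").lower()
        base = registered_domain(q)
        if q in BLOCKLIST or base in BLOCKLIST:
            alerts.append(("blocklist", m["host"], m["user"], q))
        seen[(m["host"], base)].add(q)
    for (host, base), names in seen.items():
        if len(names) > MAX_UNIQUE_SUBDOMAINS:
            alerts.append(("high-unique-subdomains", host, base, len(names)))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the constructed log the blocklist check fires once for the phishing-style name, and the subdomain check fires once for the host that queried twelve distinct names under one domain, while the two ordinary lookups of `corp.example` stay quiet. Both alerts carry the host and user, which is what lets a ZTNA policy engine revoke or step up an already-granted session rather than only refusing the next login.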

Strengthen Access Control with Comprehensive ZTNA Capabilities

Threat actors are known to exploit weaknesses in access control and authorization. They are always on the hunt for privileged account credentials, and the dark web provides an easy-access platform for purchasing them. That is why access control must go beyond credentials and MFA (multi-factor authentication). While ZTNA is a key strategy for implementing continuous verification and stringent access controls, it must be complemented with additional components for comprehensive security. As a starting point, comprehensive ZTNA must extend zero-trust access to in-office and remote users consistently and seamlessly. It should also be fortified with continuous monitoring and advanced DNS protections for insider threats and attacks that bypass authentication and authorization mechanisms.

Related: Universal ZTNA is Fundamental to Your Zero Trust Strategy

Related: The History and Evolution of Zero Trust

Written By

Etay Maor is Senior Director of Security Strategy for Cato Networks. Previously, he was Chief Security Officer for IntSights and held senior security positions at IBM and RSA Security's Cyber Threats Research Labs. An adjunct professor at Boston College, he holds a BA in computer science and a MA in counter-terrorism and cyber terrorism from Reichman University (IDC Herzliya), Tel Aviv.
