Cyberthreats are growing in their pervasiveness, stealth, and severity, and the potential consequences of a breach are more severe than ever before. With increasing skepticism and wariness among security teams, it makes sense to embrace the “never trust, always verify” principle, also known as Zero Trust Network Access (ZTNA). ZTNA aims to authenticate and authorize every user and device, no matter where they are, before granting access to the apps and assets they need.
When authenticated users get access only to the resources they absolutely need for their jobs, the risk of data theft and exfiltration automatically goes down. But it doesn’t subside completely. Recent data indicates that despite 94% of organizations feeling confident about their understanding of ZTNA, 68% still experienced a cyberattack last year, according to the 2023 Hybrid Security Trends Report from Netwrix.
Why ZTNA Fails
One of the main reasons why ZTNA fails is that most ZTNA implementations tend to focus entirely on securing remote access. The belief that users inside the office perimeter can be intrinsically trusted outright violates ZTNA’s “never trust” approach. It overlooks the threats posed by disgruntled employees and IT staffers that are inside the secure office premises, with authentic credentials but malicious intent. Moreover, even well-meaning employees are prone to making errors in judgment and everyday operations.
Another problem with the remote-only approach to ZTNA is that admins can no longer construct a single application access policy for on- and off-site users. This alone can create loopholes and affect the operational efficiency of organizations. However, extending ZTNA to internal users also has its challenges:
- Network Infrastructure: To implement ZTNA within the office, organizations need to ensure that their network infrastructure supports the necessary technologies and protocols. The traditional approach to ZTNA may involve deploying SDP (software-defined perimeter), VPNs (virtual private networks), or secure access gateways that can enforce the ZTNA principles within the local network.
- Network Segmentation: ZTNA relies on the segmentation of networks and resources to limit access based on user identity and device posture. Admins may have to reconfigure their internal network architecture to implement proper network segmentation and access controls.
- Legacy Devices and Applications: Agent-based ZTNA is sometimes incompatible with certain devices already being used within the organization. Legacy systems and applications hosted on internal data centers may also not integrate seamlessly with ZTNA.
Despite these challenges, extending ZTNA capabilities to users within the office is crucial for providing secure access and improving the overall security posture.
RBAC+ Can Extend ZTNA to Users and IT Admins Inside the Office
RBAC+ extends the capabilities of RBAC (role-based access control), which associates access policies with roles and assigns users to specific roles. RBAC+ goes a step further to incorporate user attributes, environmental factors, and just-in-time situational awareness to implement more dynamic, context-aware, and fine-grained access control policies.
RBAC+ allows organizations to map job roles to access policies within the ZTNA framework. This ensures that whether a user is in the office or outside, access to IT resources will be determined by the same ZTNA policy and user identity. In addition to the user identity, environmental and contextual factors, such as the device posture, user location, and time of day, also guide ZTNA access control to detect anomalies and prevent abuse of privilege in real time.
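The following sketch is an added example, not code from the article or from any ZTNA product: it shows a role policy combined with device posture, location, and time of day, where the same decision function serves in-office and remote users. All role names, resources, and policy values are hypothetical.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Context:
    device_compliant: bool   # result of a device posture check
    country: str             # coarse user location
    local_time: time         # time of day at the user's location
    on_site: bool            # kept for audit only; never used to grant access

@dataclass(frozen=True)
class Policy:
    resources: frozenset     # resources the role may reach
    countries: frozenset     # locations the role may work from
    start: time              # start of permitted working window
    end: time                # end of permitted working window

# Hypothetical role-to-policy mapping (constructed for this example).
ROLE_POLICIES = {
    "netops": Policy(frozenset({"firewall-console", "dns-console"}),
                     frozenset({"US", "DE"}), time(7, 0), time(19, 0)),
    "helpdesk": Policy(frozenset({"ticketing"}),
                       frozenset({"US"}), time(8, 0), time(18, 0)),
}

def decide(roles, resource, ctx):
    """Return (allowed, reason). Being on site never relaxes a check."""
    denials = []
    for role in roles:
        policy = ROLE_POLICIES.get(role)
        if policy is None or resource not in policy.resources:
            continue  # this role says nothing about the resource
        if not ctx.device_compliant:
            denials.append(f"{role}: device posture failed")
        elif ctx.country not in policy.countries:
            denials.append(f"{role}: location {ctx.country} not permitted")
        elif not (policy.start <= ctx.local_time <= policy.end):
            denials.append(f"{role}: outside permitted hours")
        else:
            return True, f"{role}: allowed"
    # Default deny: no role granted the resource under this context.
    return False, "; ".join(denials) or "no role grants this resource"

if __name__ == "__main__":
    office = Context(True, "US", time(10, 0), on_site=True)
    bad_laptop = Context(False, "US", time(10, 0), on_site=True)
    print(decide(["netops"], "firewall-console", office))
    print(decide(["netops"], "firewall-console", bad_laptop))
```
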
Modern organizations are now attempting to break silos and adopt cross-functional teams with approaches such as DevOps and SASE (Secure Access Service Edge), which integrates networking and security behind a single management console for better visibility, network performance, and security coverage. With RBAC+, organizations can define and manage today’s dynamic and overlapping job roles, globally or by location. They can customize roles and define extremely granular access policies for individual capabilities across networking and security frameworks.
Continuous Monitoring and Advanced DNS Protections Enhance ZTNA
At the heart of ZTNA is the ability to continually inspect traffic flows once users are granted access. Successful ZTNA implementations leverage AI and ML algorithms to identify suspicious activities based on historical data and available threat intelligence. This ensures that any suspicious access attempts or deviations from normal behavior by authenticated and authorized users can be detected and mitigated right away, reducing the risk of successful insider attacks.
Advanced DNS protections also play a crucial role in fortifying ZTNA, because cybercriminals often seek to redirect or manipulate DNS requests to mine credentials or exfiltrate data. Organizations can use advanced DNS protections, such as DNS filtering, DNSSEC (DNS Security Extensions), and DNS monitoring and analysis, to detect malicious DNS activities and identify and block domains used for phishing and other forms of cyberattacks. By preventing insiders’ access to malicious domains, organizations can enhance the overall effectiveness of ZTNA and mitigate risks to in-house IT resources.
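As an added illustration (not from the article), the sketch below applies DNS filtering and per-client monitoring to a few constructed query-log lines. The blocklist entries, the log format, and the client addresses are assumptions made for the example.

```python
from collections import Counter

# Constructed blocklist of registered domains flagged by threat intelligence.
BLOCKLIST = {"phish.example", "exfil.example"}

# Constructed query log: "<client-ip> <queried-name>" per line.
LOG = """\
10.0.0.5 login.corp.example.
10.0.0.7 portal.PHISH.example.
10.0.0.7 a1b2c3.exfil.example
10.0.0.9 notphish.example
10.0.0.7 phish.example
"""

def normalize(name):
    """Lower-case the name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()

def blocked_by(name, blocklist=BLOCKLIST):
    """Return the blocklist entry covering this name, or None.

    Matching is done on whole labels, so a subdomain of a blocked
    domain is caught while 'notphish.example' is not confused with
    'phish.example'.
    """
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None

def review(log_text):
    """Return per-query decisions and a count of blocked queries per client."""
    decisions, hits = [], Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qname = line.split()
        match = blocked_by(qname)
        decisions.append((client, normalize(qname), match))
        if match:
            hits[client] += 1  # repeated hits from one insider host merit review
    return decisions, hits

if __name__ == "__main__":
    decisions, hits = review(LOG)
    for client, qname, match in decisions:
        print(client, qname, "BLOCK" if match else "allow")
    print(dict(hits))
```
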
Strengthen Access Control with Comprehensive ZTNA Capabilities
Threat actors are known to exploit weaknesses in access control and authorization. They are always on the hunt for privileged account credentials, and the dark web provides an easy-access platform for purchasing them. That is why access control must go beyond credentials and MFA (multi-factor authentication). While ZTNA is a key strategy for implementing continuous verification and stringent access controls, it must be complemented with additional components for comprehensive security. As a starting point, comprehensive ZTNA must extend zero-trust access to in-office and remote users consistently and seamlessly. It should also be fortified with continuous monitoring and advanced DNS protections for insider threats and attacks that bypass authentication and authorization mechanisms.