The New Paradigm for Work from Anywhere: Zero Trust Network Access (ZTNA)

It is important to listen to early adopters of ZTNA, as they can provide insights into key factors to success and help avoid pitfalls

While most of us might get tired of talking about the impact of the pandemic on today’s cybersecurity, we also need to acknowledge and accept that the future state of work is a hybrid one.

In this new work from anywhere era, traditional security perimeters have become obsolete, as each employee’s home office has effectively become an extension of the corporate office. In addition, many organizations accelerated their digital transformation by moving their workloads to the cloud. These changes have expanded the attack surface and require a rethinking of how access to enterprise resources is granted.

In today’s perimeter-less environment, security practitioners can no longer assume implicit trust among applications, users, devices, services, and networks. That’s why many organizations have started to embrace a Zero Trust approach and are considering augmenting their conventional network access security concepts such as virtual private networks (VPNs) and demilitarized zones (DMZs) with Zero Trust Network Access (ZTNA) solutions. However, what best practices should security practitioners apply when implementing these emerging solutions?

ZTNA solutions create an identity- and context-based, logical access boundary around an application or a set of applications. Access is granted to users based on a broad set of factors, for instance, the device being used, as well as other attributes such as the device posture (e.g., if anti-malware is present and functioning), time/date of the access request, and geolocation. Upon assessing the contextual attributes, the solution then dynamically offers the appropriate level of access at that specific time. As there is a constant change in the risk levels of users, devices, and applications, access decisions are made for each individual access request.
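The per-request, context-based decision described above can be illustrated with a small policy decision point. This is an added example written for this page, not code from any ZTNA product: the attribute names (device_managed, antimalware_running, os_patched, country, work_hours) and the two sample policies are constructed for illustration. Every request is evaluated on its own, the default outcome is deny, and a degraded device posture can yield read-only access instead of full access.

```python
"""Toy ZTNA policy decision point (added example, not from the article).

Each access request carries the contextual attributes the article names:
identity, group membership, device posture, request time and geolocation.
A policy is scoped to a single application, and every request is evaluated
independently; nothing is cached or carried over from an earlier decision.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


class Decision(Enum):
    DENY = "deny"
    READ_ONLY = "read-only"
    FULL = "full"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    device_managed: bool        # enrolled in device management (constructed attribute)
    antimalware_running: bool   # posture signal reported by the endpoint agent
    os_patched: bool            # posture signal: OS at required patch level
    country: str                # geolocation of the request (ISO country code)
    when: datetime              # request time, UTC
    application: str


@dataclass(frozen=True)
class AppPolicy:
    application: str
    allowed_groups: frozenset
    allowed_countries: frozenset
    work_hours: tuple = (0, 24)             # (start_hour, end_hour), UTC
    require_managed_device: bool = True
    downgrade_on_stale_patch: bool = False  # read-only instead of deny


def evaluate(req: AccessRequest, policies: dict) -> tuple:
    """Return (Decision, reason). The default is DENY: no policy, no access."""
    policy = policies.get(req.application)
    if policy is None:
        return Decision.DENY, "no policy for application"
    if not (req.groups & policy.allowed_groups):
        return Decision.DENY, "user not entitled to application"
    if req.country not in policy.allowed_countries:
        return Decision.DENY, "geolocation outside policy"
    start, end = policy.work_hours
    if not (start <= req.when.hour < end):
        return Decision.DENY, "outside permitted time window"
    if policy.require_managed_device and not req.device_managed:
        return Decision.DENY, "unmanaged device"
    if not req.antimalware_running:
        return Decision.DENY, "anti-malware not running"
    if not req.os_patched:
        if policy.downgrade_on_stale_patch:
            return Decision.READ_ONLY, "OS patch level stale; degraded access"
        return Decision.DENY, "OS patch level stale"
    return Decision.FULL, "all contextual checks passed"


# Constructed policies for two hypothetical applications.
POLICIES = {
    "hr-portal": AppPolicy(
        application="hr-portal",
        allowed_groups=frozenset({"hr"}),
        allowed_countries=frozenset({"US", "CA"}),
        work_hours=(6, 20),
        downgrade_on_stale_patch=True,
    ),
    "wiki": AppPolicy(
        application="wiki",
        allowed_groups=frozenset({"hr", "sales", "eng"}),
        allowed_countries=frozenset({"US", "CA", "DE"}),
        require_managed_device=False,
    ),
}


if __name__ == "__main__":
    req = AccessRequest(
        user="alice", groups=frozenset({"hr"}), device_managed=True,
        antimalware_running=True, os_patched=False, country="US",
        when=datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc),
        application="hr-portal",
    )
    print(evaluate(req, POLICIES))
```

The ordering of checks matters only for the reason string; every check must pass for full access, so a request that fails several is still denied. Because the result is computed from the attributes of the request alone, a change in device posture between two requests changes the decision without any session being torn down.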

While many organizations report that they still rely on traditional VPNs for some of their legacy applications, ZTNA is most commonly implemented to augment VPNs as part of a broader move toward a Secure Access Service Edge (SASE) paradigm. ZTNA centralizes access policies and allows very granular access controls, limiting users to only the applications they are entitled to access, unlike a traditional VPN, which grants full-tunnel access to an entire network segment. In turn, lateral movement in the network is inherently ruled out. Furthermore, ZTNA reliably isolates an organization’s applications from the Internet: they are hidden from discovery, and access is restricted via a trust broker to a set of named entities.

Key Factors to Success

When it comes to implementing emerging technologies like ZTNA, it is always important to listen to the early adopters, as they can provide insights into key factors to success and help avoid pitfalls. Based on discussions with organizations that have recently adopted ZTNA, the following key factors to success have emerged:

• Assess Application Usage Prior to ZTNA Implementation: As one of the contextual attributes in granting access decisions is the relationship between users and your applications, it’s essential to gain insights into the application usage prior to the implementation process. To assist with this discovery process, some early adopters of ZTNA reported that they leveraged endpoint visibility solutions that would provide insights into the usage of both installed and web applications. Others simply interviewed the heads of specific departments (e.g., sales, finance, HR) to derive details. The insights were subsequently used to map users with the required application access and ultimately influence the scope of the policies. 

• Define Granular Access Policies: Don’t treat ZTNA the same way as traditional VPNs, whereby you would grant users access to all applications. Instead, spend some time drawing up granular access policies derived from specific use cases (e.g., contractor access, access to highly sensitive applications) and define user-specific policies.

• Eliminate Standing Application Entitlements: Take the opportunity to clean up application access privileges based on your assessment of application usage as part of the rollout of the ZTNA project. 

• Establish a Continuous Feedback Loop: As your business needs constantly evolve, so should your application access policies. Thus, it is essential to fine-tune established access policies on an ongoing basis. Many early adopters of ZTNA policies recommended a quarterly audit/review process during the initial phase of the implementation process, and then switching to a bi-annual process once the ZTNA program has matured. Ultimately, you want to establish a mindset that focuses on continuous improvement and refinement of the access policies.

• Ensure User and Business Leader Buy-In: As with all technology implementations, it is vital to secure buy-in from both business leaders and users as early as possible. An important tool is a user focus group as part of your initial planning process. These participants can try-storm and provide early input, as well as raise any concerns about user experience prior to moving into the implementation phase. This saves costs by avoiding otherwise necessary rounds of iteration and helps increase adoption rates overall.
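The first and third factors above (assessing application usage before rollout, then eliminating standing entitlements) amount to one review procedure: join the usage telemetry against the current entitlement map, keep what is used, revoke what is not, and flag use that has no entitlement behind it. The script below is an added example written for this page, not code from any endpoint-visibility or ZTNA product; the telemetry records, the entitlement map, the reference date and the 90-day staleness threshold are all constructed values.

```python
"""Entitlement clean-up from application-usage telemetry (added example).

Input: constructed endpoint-visibility records (user, application, last-used
date) and the current entitlement map. Output: least-privilege entitlements
to keep, standing entitlements never or long unused to revoke, and usage that
has no entitlement on record and should be investigated before policies are
written.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # constructed reference date
STALE_AFTER = timedelta(days=90)                  # constructed threshold

# Constructed telemetry: (user, application, date last used).
USAGE = [
    ("alice", "hr-portal", "2024-05-28"),
    ("alice", "wiki", "2024-05-30"),
    ("bob", "wiki", "2024-01-15"),        # last used well over 90 days ago
    ("bob", "crm", "2024-05-29"),
    ("carol", "finance-erp", "2024-05-31"),
    ("dave", "crm", "2024-05-20"),        # no entitlement on record
]

# Constructed entitlement map, granted broadly and never revisited.
ENTITLEMENTS = {
    "alice": {"hr-portal", "wiki", "crm"},      # crm never used
    "bob": {"wiki", "crm"},
    "carol": {"finance-erp", "hr-portal"},      # hr-portal never used
}


def latest_use(usage):
    """Collapse telemetry to the most recent use per (user, application)."""
    last_used = {}
    for user, app, day in usage:
        ts = datetime.fromisoformat(day).replace(tzinfo=timezone.utc)
        key = (user, app)
        if key not in last_used or ts > last_used[key]:
            last_used[key] = ts
    return last_used


def review_entitlements(usage, entitlements, now=NOW, stale_after=STALE_AFTER):
    """Return (keep, revoke, unentitled_use), each a dict user -> set of apps."""
    last_used = latest_use(usage)
    keep = defaultdict(set)
    revoke = defaultdict(set)
    unentitled_use = defaultdict(set)

    # Standing entitlements: keep only those exercised within the window.
    for user, apps in entitlements.items():
        for app in apps:
            ts = last_used.get((user, app))
            if ts is not None and now - ts <= stale_after:
                keep[user].add(app)
            else:
                revoke[user].add(app)

    # Usage with no matching entitlement: investigate, do not silently grant.
    for user, app in last_used:
        if app not in entitlements.get(user, set()):
            unentitled_use[user].add(app)

    return dict(keep), dict(revoke), dict(unentitled_use)


if __name__ == "__main__":
    keep, revoke, unentitled = review_entitlements(USAGE, ENTITLEMENTS)
    for user in sorted(set(keep) | set(revoke)):
        print(f"{user}: keep={sorted(keep.get(user, []))} "
              f"revoke={sorted(revoke.get(user, []))}")
    print("unentitled use:", unentitled)
```

The `keep` map is the input for the per-application policies; `revoke` is the standing-entitlement clean-up; `unentitled_use` is the list to take to the department heads before the policies are finalized, since it may be a missing entitlement or something that should never have worked. Rerunning this on a schedule is the quarterly review described in the feedback-loop factor.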

Early ZTNA adopters are not only helpful when it comes to establishing best practices for implementation but can also provide guidance when it comes to what to look out for when selecting a ZTNA solution. In this context, the following guidance might be helpful for security practitioners that are starting their vendor evaluation process:

• Evaluate ZTNA offerings that are resilient, meaning they keep functioning through disruptions, unintentional decay, or malicious actions, since resilience is fundamental to their operation.

• Assess ZTNA solutions for their ability to gather deep visibility into all endpoints, data, networks, and applications within your organization. The more granular the insights, the smarter the access decisions.

• Choose ZTNA solutions aligned with your organization’s SASE architecture plans, which allows you to transition from a VPN-based approach to a software-defined perimeter over time by providing enterprise VPN and ZTNA capabilities in a single platform.

• Explore ZTNA solutions that come with built-in digital experience monitoring (DEM) capabilities to allow you to capture rich insights on the real-time experience of remote and mobile workers, empowering you to fine-tune your application access policies on an ongoing basis as described above.

• Select ZTNA solutions that conform with the National Institute of Standards and Technology (NIST) Zero Trust Architecture, whereby policy enforcement should be as close as possible to the user, meaning policies are enforced directly at the endpoint.

While there is no silver bullet to prevent cybersecurity attacks, ZTNA has become a necessity for organizations on their digital transformation journey, allowing them to minimize the attack surface while preserving the productivity of their remote workforce.

Torsten George is currently a cyber security evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).