Zero Trust: The key to greater organisational security

By Stefan Keller
Stefan Keller, VP of SASE at Open Systems, explains Zero Trust Network Access and how it can help protect infrastructures

If recent months have taught businesses anything about network security, it is that the more remote workstations they provide, the more access points and end devices are involved, and the more potential points of failure there are.

While the shift to remote working has in many ways benefitted workforces and ensured business continuity for organisations across the globe, it has also expanded the attack surface for cybercriminals dramatically. 

We have also seen that rapid changes aren’t always the safest, even when they’re essential. The recent ransomware attack on Colonial Pipeline and the SolarWinds supply chain compromise speak for themselves, raising mounting concerns among the security experts responsible not only for large companies but for small and medium-sized enterprises, too.

Now that a remote or hybrid IT infrastructure has become the norm, perimeter-based security, once considered safe and secure, is no longer viable as a robust security strategy. As increasing numbers of employees access resources from outside the network, access can no longer be granted based on location: the border that model relied on has dissolved.

Unsurprisingly, the growing complexity of cloud environments and the secure expansion of the home office are causing quite a headache for IT managers. According to Splunk’s The State of Security in 2022 report, nearly four out of five (78%) IT managers have found that remote workers are more difficult to secure. Additionally, 65% of organisations reported a measurable increase in cyberattacks, which they attribute to remote working.

By 2024, market analysts predict the cost of data breaches will rise to $5 trillion, almost double the pre-pandemic, pre-remote-work level of 2019. With this in mind, the question of how to reduce the complexity and the vulnerability of cloud-based work environments becomes critical.

IT administrators face a demanding task: they must provide applications, data and services via distributed networks and the cloud both reliably and flexibly. The solutions must therefore be tailored precisely to the necessary workflows and security mechanisms, serving productivity and security in equal measure.

Predicated on the Zero Trust security approach, itself loosely based on the motto “never trust, always verify”, Zero Trust Network Access (ZTNA) provides an effective answer to the current challenges around hybrid work and remote infrastructures.

Never trust, always verify

ZTNA enables identity- and context-based access to corporate resources that is controlled at the application level and provides dedicated, per-application connections. The basic principle is to continually reassess the trustworthiness of every user and device, and thus to close dangerous security gaps or stop attacks at an early stage.

Another core function of ZTNA is the option to assign each user individual access rights per application. The security policies and verification mechanisms can be adapted, and are therefore precise and tailored in use. As a result, an employee accesses only those applications, functions, services and data required for their own workflows (known as the “principle of least privilege”).

The method behind it is simple but effective: the more targeted the access, the lower the risk of unwanted network activity. Since no user is trusted implicitly at any time and verification is always carried out, the exposure of vulnerabilities is reduced not only through testing but through tight verification steps at every access. With ZTNA, you protect not only the applications but the entire global corporate network, while enabling remote workforces at the same time.

Brokers act as an intermediary

In most cases, ZTNA is based on a trust broker which mediates between the user and the communication target (an application, a function or a service). It is typically offered as a cloud service, or sometimes hosted in the company’s own network. Since access is decoupled from the network level rather than granted on it, users cannot see the IP addresses or network paths through which individual destinations such as applications are reached. The broker ensures that only the designated applications, and not entire servers or networks, are accessible to a user.

Because the security mechanisms in a ZTNA-protected network take effect not only during the initial authentication but continuously check for any changes against the configured policies, the broker acts as a gatekeeper and central security authority. In the event of an anomaly, the ZTNA model reacts immediately and contains the threat through automated policy enforcement, for example by requiring re-authentication or terminating the session.
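To make the broker model concrete, here is an added example in Python. It is not code from the article or from Open Systems, and every user, group, application and device-posture attribute in it is constructed for illustration. It shows the three properties the preceding sections describe: the client is shown only the applications its policy permits (no network, no addresses), each application carries its own least-privilege rule, and every live session is re-evaluated when the user’s context changes, with failing sessions terminated rather than left open.

```python
"""Toy ZTNA trust broker: identity- and context-based, per-application access
with continuous re-evaluation. Added example; names and policies are made up."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Context:
    """Signals the broker checks on every request, not only at login."""
    device_managed: bool
    disk_encrypted: bool
    mfa_age_minutes: int
    country: str


@dataclass(frozen=True)
class Principal:
    user: str
    groups: FrozenSet[str]


@dataclass(frozen=True)
class AppPolicy:
    """Per-application rule: entitled groups, posture and MFA freshness."""
    allowed_groups: FrozenSet[str]
    require_managed_device: bool = True
    max_mfa_age_minutes: int = 60
    allowed_countries: Optional[FrozenSet[str]] = None  # None means any


# Constructed policy table: each application gets its own, narrow rule.
POLICIES: Dict[str, AppPolicy] = {
    "hr-portal": AppPolicy(frozenset({"hr"}), max_mfa_age_minutes=15,
                           allowed_countries=frozenset({"CH", "DE"})),
    "wiki": AppPolicy(frozenset({"staff", "hr", "eng"}),
                      require_managed_device=False, max_mfa_age_minutes=480),
    "git": AppPolicy(frozenset({"eng"})),
}


def evaluate(principal: Principal, ctx: Context, app: str) -> Tuple[bool, str]:
    """Policy decision for one (user, context, application). Default deny."""
    policy = POLICIES.get(app)
    if policy is None:
        return False, "unknown application (default deny)"
    if not principal.groups & policy.allowed_groups:
        return False, "user not entitled to application"
    if policy.require_managed_device and not (ctx.device_managed and ctx.disk_encrypted):
        return False, "device posture insufficient"
    if ctx.mfa_age_minutes > policy.max_mfa_age_minutes:
        return False, "MFA too old, re-authentication required"
    if policy.allowed_countries is not None and ctx.country not in policy.allowed_countries:
        return False, "location not permitted"
    return True, "allow"


class Broker:
    """Holds one session per (user, app) and re-runs policy on every context update."""

    def __init__(self) -> None:
        self.sessions: Dict[Tuple[str, str], Context] = {}

    def visible_apps(self, principal: Principal, ctx: Context) -> List[str]:
        """What the client is even shown: permitted applications, never hosts or IPs."""
        return sorted(app for app in POLICIES if evaluate(principal, ctx, app)[0])

    def connect(self, principal: Principal, ctx: Context, app: str) -> Tuple[bool, str]:
        """Initial verification; on success the broker opens an app-scoped session."""
        ok, reason = evaluate(principal, ctx, app)
        if ok:
            self.sessions[(principal.user, app)] = ctx
        return ok, reason

    def update_context(self, principal: Principal, ctx: Context) -> List[Tuple[str, str]]:
        """Continuous verification: re-evaluate every live session of this user and
        terminate those that no longer satisfy their application's policy."""
        terminated: List[Tuple[str, str]] = []
        for user, app in list(self.sessions):
            if user != principal.user:
                continue
            ok, reason = evaluate(principal, ctx, app)
            if ok:
                self.sessions[(user, app)] = ctx
            else:
                del self.sessions[(user, app)]
                terminated.append((app, reason))
        return terminated


if __name__ == "__main__":
    broker = Broker()
    alice = Principal("alice", frozenset({"staff", "hr"}))
    fresh = Context(device_managed=True, disk_encrypted=True, mfa_age_minutes=5, country="CH")
    print("alice sees:", broker.visible_apps(alice, fresh))
    print("hr-portal:", broker.connect(alice, fresh, "hr-portal"))
    print("wiki:", broker.connect(alice, fresh, "wiki"))
    # 25 minutes later: the HR policy's MFA window has lapsed, the wiki's has not.
    stale = Context(True, True, mfa_age_minutes=30, country="CH")
    print("terminated:", broker.update_context(alice, stale))
```

The point of `update_context` is the one the article makes about continuous verification: the decision is not made once at login and then cached for the day; the same policy is re-run whenever a signal changes, and only the session whose application policy fails is cut, while the others stay up.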

More precise, more secure and more powerful than a VPN

The ZTNA framework differs from Virtual Private Networks (VPNs) first and foremost in scalability and granularity. While both models aim to let individual users reach the company’s own IT resources securely via remote access, VPNs came into existence when networks were more static and clearly structured, with significantly fewer requests and less traffic. A user authenticating once and then being granted unrestricted access to the entire company network may have met the security requirements of the VPN era, but today the model poses unnecessary risk.

Furthermore, with perimeter-based VPNs, access cannot be confined to individual applications: the VPN grants access to the network, not to an application. If an attacker manages to compromise a user’s credentials or device, they have direct access to the entire company network over the VPN.

Essentially, VPNs were never made for the masses of devices, users and connections that emerged almost overnight with the advent of the COVID-related home office. When using VPNs, companies not only expose themselves and their distributed work infrastructure to an increased risk of cyber attacks, they also face significant performance problems when requests and traffic peak. In summary, static models such as VPN have largely had their day, simply because more precision and flexibility are now required.

Is ZTNA for the long haul or another short-lived trend? 

With their flexibility and scalability, Zero Trust models enable companies to provide secure yet fast workflows for working from home or on the go. Indeed, as hybrid work becomes more pervasive, broad adoption of ZTNA seems to be emerging. Gartner predicts that by 2023, 60% of businesses will phase out most of their remote access VPNs in favour of ZTNA, which suggests the establishment of a new IT architecture rather than a short-lived trend.

Service providers manage ZTNA services

If these predictions hold true, numerous companies will face the task of implementing a new security strategy for their networks. ZTNA provides a clear answer as to what they can do to address current security challenges in their remote networks, but how best to do it remains an open question. No matter how plausible the principle of ZTNA sounds, implementing it involves far more than a ‘one-and-done’.

For this reason, IT managers must consider whether it is viable to take on the introduction, management and operation of the new Zero Trust architecture themselves, for example with a stand-alone solution, or to entrust it to an experienced IT partner who can manage it for them, depending on the overall size of the company and its internal IT resources.

A significant advantage of consuming ZTNA as a managed service is that companies do not need to invest in their own Network Operations Centre (NOC) or Security Operations Centre (SOC) with round-the-clock monitoring, or expand an existing one at great cost. Another benefit is that ZTNA can be used both standalone and integrated into a SASE or XDR offering.

This integrative approach not only allows a low-maintenance and flexible integration of Zero Trust mechanisms, but also reduces complexity in networks with many users and high request volumes. Companies that use ZTNA as a cloud-hosted service clearly benefit from the provider's infrastructure, from deployment through to enforcement of Zero Trust security policies.
