Securing your network with Zero Trust
Never trust, always verify
“Never trust, always verify” and “just enough” access. They’re the concepts on which zero-trust security networks are built. And in today’s work-from-anywhere on any device world, they’re the best way to keep your business data, network, and infrastructure safe.
Akshay Kakar, Citrix.
With an increasing number of employees working remotely, organizational assets and resources are more susceptible to attacks from cyber criminals and unknown devices. Savvy businesses are rethinking their security postures to address these challenges, and many are looking to Zero Trust Network Access (ZTNA).
If you’re among them, there are a few things you need to be thinking about:
Know thy threats
If you’re running a hybrid IT architecture to enable remote work, it’s important to recognize both the internal and external threats the model creates. Workers may log on to corporate applications from managed desktops and laptops via a Virtual Private Network (VPN). But do these VPNs really offer the secure access that you require? And what about employees or contractors who may be using non-company mobile devices, laptops, or desktops to gain access to your assets? With no conventional network perimeter to protect them, and the limitations of traditional VPN, you’re exposed to a number of threats:
To protect against them, you need to take a hard look at the security measures you have in place and determine whether they’re cutting it.
Out with the old
Traditional security measures, such as firewalls and VPNs, are based on the “trust, but verify” principle. Although this may capture some threats, those who have already been granted authorization to your system could inadvertently or maliciously wreak havoc, having been previously allowed in.
By implementing a zero-trust strategy, you can avoid exposing yourself to such threats, and in the event you do get attacked, reduce the impact. A zero-trust architecture secures your login and remote access process by treating every login and device as an unknown potential attack surface and requiring:
In with the new
All of this sounds good in theory. But does it work in practice? Consider the following.
Jane is preparing the company balance sheet for the annual shareholder review. While heading home, she receives a call from the CEO, telling her she needs to access the corporate-managed finance web app to make some final changes. She uses her personal laptop, an unmanaged device, to do it. Unknown to Jane, her device was recently infected with malware while she was shopping online.
What’s the problem? When accessing a sensitive web app through an unprotected native browser on a potentially insecure personal device, even via VPN or basic ZTNA solutions, malware can move from a device to the company’s network and applications, putting company data, customers, reputation, and revenue at risk.
Keep things safe
With the right ZTNA solution, you can leverage remote browser isolation (RBI) functionality to prevent malware from reaching the corporate network, as well as lateral movement of malware from a native browser or device to the rest of the network and applications.
With RBI, browsing sessions are isolated from the actual applications and devices so as not to directly transfer any browsing data to or from them. Instead, users only receive screen updates. Users can still access applications as they would using a native browser, keeping company assets safe. IT administrators can also enable controls such as disabling screen captures, copy/paste, and downloads, in addition to URL filtering and session monitoring.
In today’s world of remote work, such scenarios are all too common. By enabling a zero-trust approach, you can adapt and gain the confidence of knowing your valuable assets, data, and resources are protected while keeping your workforce engaged and productive, no matter where they’re located.
Get started
Getting started with zero trust involves first understanding your specific requirements. Questions like the ones below would help:
As you’re building your key requirements, also focus on areas where your previous remote access solution, likely a VPN, fell short. For instance, VPN solutions were difficult to scale when we all moved to remote work at the onset of COVID-19. Hence, your new ZTNA solution must be easy to scale and administer.
Once you have identified your requirements, begin to explore the approaches available to you. Most ZTNA vendors will base their approach on the following:
Identity validation prior to app access – This is often executed through integration with an identity provider like Okta or Azure AD. In some cases, this may be offered natively as well.
What to watch for: Multiple identity validation mechanisms across the different app types – public SaaS, IT-managed, DaaS – can result in the user having to log in repetitively. This causes a poor user experience.
Context awareness – Most ZTNA vendors will consume context, such as device information, location, user risk profile, etc., from endpoint vendors to make decisions on access.
What to watch for: Usually, only limited context is consumed by vendors, which is often insufficient to make decisions about risk levels. As a result, a risky user or device may be granted access.
Adaptive Access Controls – Once identity and context have been verified, full, restricted, or no access must be granted. Levels of access should change based on changes in context.
What to watch for: In most ZTNA solutions, full access is granted to the application once identity and context are validated. This means that a malicious insider or external threat can fully breach an application if they’re able to overcome identity and (often basic) context tests.
Segmented Access – ZTNA solutions grant access from the specific user to the specific application. This is different from VPNs, where access is granted to the full network.
What to watch for: Several ZTNA solutions cannot control access from BYO or personal devices. This leaves an open attack surface for your organization.
Brokered, Outbound Connections – Connections are made from the app to the ZTNA service, which completes the rest of the connection. This way, the app does not need to broadcast its IP address, keeping it safer from DDoS attacks.
What to watch for: Multi-layered defense for your apps is still required. You still need application and API security for the apps. Your ZTNA and App Sec solutions should work well together and ideally be from one vendor to minimize vendor sprawl.
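To make the identity, context, adaptive-access and segmented-access items above concrete, here is a small policy decision point written as an added example for this article; it is not Citrix's code or any vendor's product. The request fields (MFA status, managed/compliant device, identity-provider risk tier, country), the user-to-app entitlement table and the allowed-country list are assumptions constructed for the illustration. It evaluates the Jane scenario from earlier in the piece: a valid login from an unmanaged personal laptop yields a restricted, isolated session with downloads and clipboard disabled rather than the full access the "what to watch for" note warns about, and because the decision is a pure function of the context, re-evaluating with changed context changes the access level.

```python
"""Toy ZTNA policy decision point (added example; fields and tables are constructed)."""
from __future__ import annotations

from dataclasses import dataclass, replace
from enum import Enum


class Access(Enum):
    NONE = "none"
    RESTRICTED = "restricted"   # isolated browser session with hardened controls
    FULL = "full"


@dataclass(frozen=True)
class Request:
    user: str
    app: str
    mfa_verified: bool          # identity validation result from the IdP (assumed signal)
    device_managed: bool        # enrolled in corporate device management (assumed signal)
    device_compliant: bool      # posture check passed, e.g. EDR healthy (assumed signal)
    user_risk: str              # "low" | "medium" | "high", as an IdP might report (assumed)
    country: str                # geolocation of the request (assumed signal)


# Segmented access: entitlements are per user and per application, never "the network".
ENTITLEMENTS: dict[str, set[str]] = {
    "jane": {"finance-web", "hr-portal"},   # constructed sample data
    "bob": {"hr-portal"},
}
ALLOWED_COUNTRIES = {"US", "GB"}            # constructed sample policy


def decide(req: Request) -> tuple[Access, str]:
    """Return the access level for one request plus the reason, for audit logging."""
    # 1. Identity validation first: without verified MFA nothing else is considered.
    if not req.mfa_verified:
        return Access.NONE, "identity not verified (MFA missing)"
    # 2. Segmented access: the user must be entitled to this specific application.
    if req.app not in ENTITLEMENTS.get(req.user, set()):
        return Access.NONE, "user not entitled to application"
    # 3. Context that should block even a correctly authenticated user.
    if req.user_risk == "high":
        return Access.NONE, "user risk tier high"
    if req.country not in ALLOWED_COUNTRIES:
        return Access.NONE, "location outside policy"
    # 4. Adaptive control: unmanaged or non-compliant devices and elevated user risk
    #    get an isolated (RBI-style) session instead of full access.
    if not (req.device_managed and req.device_compliant) or req.user_risk == "medium":
        return Access.RESTRICTED, "unmanaged/non-compliant device or elevated risk"
    return Access.FULL, "managed compliant device, low risk"


def session_controls(level: Access) -> dict[str, bool]:
    """Map an access level to the browser-session controls the article lists."""
    if level is Access.FULL:
        return {"screen_capture": True, "clipboard": True, "download": True,
                "url_filtering": True, "session_monitoring": True}
    # RESTRICTED and NONE both deny data egress; NONE never reaches a session at all.
    return {"screen_capture": False, "clipboard": False, "download": False,
            "url_filtering": True, "session_monitoring": True}


def reevaluate(req: Request, **context_changes) -> tuple[Access, str]:
    """Re-run the decision after a context change (e.g. the IdP raises user risk)."""
    return decide(replace(req, **context_changes))


if __name__ == "__main__":
    # Jane on her personal, unmanaged laptop (scenario from the article; data constructed).
    jane_home = Request("jane", "finance-web", mfa_verified=True, device_managed=False,
                        device_compliant=False, user_risk="low", country="US")
    level, why = decide(jane_home)
    print(level.value, "-", why, session_controls(level))
    # Same user from her managed, compliant office laptop.
    print(reevaluate(jane_home, device_managed=True, device_compliant=True))
    # Risk tier raised mid-session: access must drop even though identity is unchanged.
    print(reevaluate(jane_home, user_risk="high"))
```

The point of separating `decide` from `session_controls` is that the enforcement point (an isolated browser, a gateway) only needs the level, while the reason string goes to the audit log so an administrator can see which signal drove a downgrade or denial.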
Most ZTNA solutions will satisfy each of the above requirements at some level, but many will not meet them in thorough detail. It’s on you to identify the depth of capabilities of the vendors you’re engaging with. To further simplify, request a demo from your chosen vendors and ask them to show their capabilities in delivering three things:
It’s estimated that by the end of 2023, roughly 90% of infrastructure and operations organizations will be remote-based. Now is the time to take action to ensure your organization is equipped today to handle the security risks the “new normal” of work has created and ensure your business continues to thrive tomorrow.