Zero trust network access : Granting access with zero trust
Zero trust network access (ZTNA) has evolved from serving primarily as a VPN replacement to becoming a key component of the standardized architecture for user-to-application zero trust networking. Gartner views ZTNA as an important organizational step towards increasing the maturity of a zero trust program.
In its forecast, Enterprise Network Equipment by Market Segment, Worldwide, 2019-2025, 4Q21, Gartner captured a 60% YoY growth rate for ZTNA, and the COVID crisis in 2020 only accelerated ZTNA’s adoption. To be successful, the senior leadership, IT staff, and users across the organization must collaborate to effectively achieve the design objectives and improve cybersecurity posture.
Organizations often ask, “What is the best way to get started?” The best approach is to start with remote users, develop segments and leverage ZTNA for access to private applications for all users, regardless of their location. We must consider the way users access applications and services, the distribution (quantities and types) of their locations (data centers, cloud environments and physical locations where employees work from) and project-based timelines.
Defining zero trust
A zero trust mindset has become a must-have component for building a secure digital ecosystem. Although the concept of zero trust has been around for 10 years, it is still evolving and improving. It has a few simple principles that dictate a complex integration of technologies that require smooth interoperability to prevent any disruption. Zero trust is a paradigm shift in how we design the security of digital environments. Organizations are adopting zero trust in their industrial and enterprise infrastructure and workflows.
John Kindervag, who architected the zero trust model in 2010, highlighted that security must be built into the DNA of the network itself. He defined concepts that would make zero trust architecture (ZTA) actionable, such as secure access to resources, granular access control on a need-to-know basis, not giving the benefit of the doubt to people inside the perimeter, and designing networks from the inside out.
NIST defines the concept as an “enterprise cybersecurity architecture that is based on zero trust principles and designed to prevent data breaches and limit internal lateral movement. A collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised. Zero trust architecture (ZTA) is an enterprise’s cybersecurity plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies.”
The core of the concept, therefore, is identity and access for users and devices. Leading market analysts assess technologies against the same principles: they define the components that evaluate device and user attributes (context, time, date, geolocation, posture) to grant appropriate access, or that feed the necessary information to the logical components of a solution that orchestrate the access policies.
Organizations are inclined to adopt the concept as it eases the operability of security. It also provides them with the flexibility, agility and scalability to access applications, enabling digital businesses to thrive without exposing their internal applications directly to the Internet. Although there isn’t a defined line between ZTNA and VPN as of now, the concept supports VPN technology. Another benefit of applying this concept is that it reduces a company’s attack surface by increasing visibility and control over its network infrastructure.
The DNA of the backbone
Zero trust architecture is strongly connected to network security and communication. The US National Security Agency (NSA) recommends that “zero trust principles and concepts must penetrate most aspects of the network and its operations ecosystem.”
How can we achieve that level of penetration? The principles listed below can guide security professionals in choosing the right technologies, with the right capabilities, on their journey to a zero trust enterprise network.
Never trust, always verify
Authenticate, monitor and validate user identities and trustworthiness (the well-known AAA: authentication, authorization and accounting). Implement the principle of least privilege when considering critical resources and remember that all requests and network traffic should be considered malicious/untrusted.
Identify, monitor and manage devices and other endpoints on a network. One of the network requirements highlighted by NIST to support zero trust architecture is the enterprise capability to distinguish between assets that are owned or managed by the enterprise and the current security posture of those devices. NSA suggests logging, inspecting and continuously monitoring all configuration changes, resource accesses and network traffic for suspicious activity.
Access to all resources should be conducted in a consistent and secure manner using multiple attributes (dynamic and static) to derive confidence levels for contextual access decisions.
Establishing design fundamentals
When considering the shift to the zero trust concept, organization leaders and cybersecurity professionals are strongly encouraged to consult NIST Special Publication 800-207. In the process of making design decisions, remember to include a default deny posture for all connections to the network, or the capability to adaptively extend the appropriate level of trust to a user or device.
Some design fundamentals of applying ZTA are as follows:
- Micro-segmentation: Define micro-perimeters for each element for which different security policies, protection and controls can be established
- Encryption: Encrypt network traffic to prevent malicious interference, alongside all communications
- Access control: Enforce scanning of users, systems, applications, devices and processes every time they connect to protected resources
- Least privilege at all levels: If minimum privileges are granted, compromising a user or system will not entail unauthorized access to the entire infrastructure
- Total control: Continuous collection and analysis of events, behavior and the state of all infrastructure components will ensure an early response to security incidents
In the context of the network, the most applicable fundamentals are those that enable access control at a very granular level, using technologies like network access control (NAC) in combination with security information and event management (SIEM) technologies, enabling control and visibility of all assets. NAC is used to enforce policies that protect the entire network from unauthorized or unmanaged devices. SIEM provides visibility and analyzes user activity patterns for abnormal behavior that can signal a potential attack or data breach.
Logical components of a ZTA
NIST proposes the following conceptual framework as an ideal model that illustrates the basic relationship and interaction between the components.
The policy engine (PE) is the ultimate decision maker in granting access to a resource for a given subject. It uses the enterprise policy and external sources like continuous diagnostics and mitigation (CDM) systems and threat intelligence as inputs to a trust algorithm to grant, deny or revoke access to the resource.
The policy administrator (PA) component establishes and/or shuts down the communication path between a subject and a resource via commands to the relevant PEPs. It can generate any session-specific authentication and authorization token or credential used by the client to access an enterprise resource. It works closely with the policy engine and relies on its decision to allow or deny a session. Based on the outcome, if the session has been authorized and the request has been authenticated, the PA configures the PEP to allow the session to start. When the session is denied, the PA signals the PEP to shut down the connection.
The policy enforcement point (PEP) system is responsible for enabling, monitoring and terminating connections between a subject and an enterprise resource. The PEP communicates with the PA to forward requests and/or receive policy updates from the PA. Even though this is a single logical component in ZTA, it may be broken into two different components:
- the client (an agent on a laptop/endpoint)
- the resource side (a gateway component that controls access to a resource or a single portal component that acts as a gatekeeper for communication paths)
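As an added illustration (not code from the article or from NIST), the following Python model shows how the three logical components above fit together: the PE applies a default-deny, attribute-based trust algorithm over user and device attributes, the PA turns each decision into a PEP command, and the same path revokes an open session when a later re-evaluation (for example a changed device posture reported by a CDM feed) no longer meets the policy. The resource names, attribute set and score thresholds are constructed for the example.

```python
from dataclasses import dataclass

# Constructed enterprise policy: which roles may reach a resource and the
# minimum confidence level (trust score) required for a session.
POLICY = {
    "hr-app": {"min_score": 4, "roles": {"hr"}},
    "wiki":   {"min_score": 2, "roles": {"hr", "eng"}},
}

@dataclass
class Request:
    user: str
    role: str
    resource: str
    mfa: bool            # dynamic attribute: strong authentication used
    managed_device: bool # static attribute: enterprise-owned/managed asset
    patched: bool        # device posture, as a CDM system would report it
    hour: int            # local hour of the request, 0-23 (time context)
    known_geo: bool      # geolocation matches the user's usual region

def trust_score(req: Request) -> int:
    """Trust algorithm: count the dynamic and static attributes in favor of access."""
    return sum([req.mfa, req.managed_device, req.patched,
                8 <= req.hour < 20, req.known_geo])

def policy_engine(req: Request) -> str:
    """PE: default deny; grant only when role and confidence level satisfy policy."""
    rule = POLICY.get(req.resource)
    if rule is None or req.role not in rule["roles"]:
        return "deny"
    return "grant" if trust_score(req) >= rule["min_score"] else "deny"

class PolicyEnforcementPoint:
    """PEP: the data-plane component that holds the sessions the PA opened."""
    def __init__(self):
        self.sessions = {}
    def open(self, sid, req):
        self.sessions[sid] = (req.user, req.resource)
    def close(self, sid):
        self.sessions.pop(sid, None)

class PolicyAdministrator:
    """PA: asks the PE for a decision and commands the PEP accordingly.
    Calling handle() again for an existing session re-evaluates it, so a
    drop in trust score results in the PEP shutting the connection down."""
    def __init__(self, pep):
        self.pep = pep
    def handle(self, sid, req):
        decision = policy_engine(req)
        if decision == "grant":
            self.pep.open(sid, req)
        else:
            self.pep.close(sid)
        return decision
```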
The move to a zero trust architecture is a journey that starts with a series of upgrades and changes over time. Since it is not a single technology but a larger security strategy and operational practice, such an architecture requires cooperation at all levels of an enterprise, from management to operations. Zero trust should not be taken lightly and will require significant effort to implement successfully.
- Best Practices for Implementing Zero Trust Network Access
- NIST Special Publication 800-207 Zero Trust Architecture
- Embracing a Zero Trust Security Model – NSA
- Zero Trust Maturity Model
- Market Guide for Zero Trust Network Access – Gartner
About the authors
Portfolio Manager in Global BDS Cybersecurity Services
Gabriela has been working with Atos for 5 years. She has been working for 15 years in the IT and telecommunications area, her previous roles being Technological Lifecycle Manager for the Global Siemens Account and Unified Communication and Collaboration Team Leader for UK market support. She studied as an L3 Senior Telecommunication Engineer.
Cyber Security Service Architect, Atos
Ana has been with Atos since 2020 in the position of Cyber Security Service Architect, helping with service development for ADR and CERT. She describes herself as precise, focused and determined, and notes that cybersecurity is a major passion of hers. She holds the CompTIA Security+ certification, has front-end programming skills and a keen eye for innovation and vision. Recently, she was awarded an Ideation trophy within the company for her contribution in researching an innovative idea that will bring exceptional value to the market.