Multi-cloud environments for application storage, the digitization of production environments, hybrid work environments with the need for remote access to applications: Zero Trust Network Access is very helpful, argues Nathan Howe, vice president of emerging technology at Zscaler, in a guest post.
During the pandemic, the limitations of classic remote access solutions became apparent. The connections via VPN proved to be vulnerable and not very scalable in the short term to meet the high demand with high performance. The user experience when remotely accessing applications in the data center or private cloud environments suffered. Digitization has also accelerated immensely, not least in the wake of the pandemic, and hardware and services exposed on the Internet have opened up new targets for hackers.
Organizations must react accordingly to completely new security challenges. Zero Trust Network Access (ZTNA) has proven in the first phase of the pandemic that employees can access the applications they need efficiently and securely if access rights are assigned based on the Least Privileged Access model. Access to the entire network is no longer generated for access to an application but only to the required application if its authorization has been confirmed. The Zscaler Zero Trust Exchange with enhanced functionality for ZTNA minimizes the level of exposure of enterprise applications to the Internet and de-risks enterprise-owned applications through a highly integrated platform approach.
Cloud-based Zero Trust Network Access makes the difference.
Every company and organization is responsible for their data and the access rights of third parties and should carry out a risk assessment. Some applications need to be delivered over the Internet, while others do not. In the second case, it is appropriate that these applications are blocked from access and even from being found on the Internet by unauthorized persons.
In addition, access by third parties or remote access for maintenance purposes in the production environment should be limited to an essential group of people. These two scenarios no longer require opening access to the entire network. Tunneled access to the required application using Zero Trust Network Access enables maintenance access or supply chain management processes and makes the rest of the network invisible.
The following feature sets of a cloud-based security platform help minimize application exposure:
Zero Trust Network Access (ZTNA) enables granular segmentation at the individual application level, thereby improving the security ecosystem. An authorized user can only access permitted applications based on predefined access rights. Since there is no network access, no lateral movement within a network is possible. A broker in the form of a cloud security platform uses guidelines to determine access to the application based on the user’s identity and other context-based criteria.
The fact that a workload moved to the cloud must be reachable in different ways is becoming the focus of a security discussion in today’s multi-cloud scenarios. The workload of application and data must be accessible for the IT administration and employees, be able to communicate with other applications via the Internet, and connect to the central data center. If the necessary access rights are not mapped correctly in these directions, the attack surface and the risk to a company’s infrastructure can increase. Defined access authorizations for permitted and encapsulated communication between cloud workloads can also provide more security for such a setup.
Isolation through browser-based access
Another level of risk mitigation can be applied via browser-based access. Even if the user has access rights for access, this is not established directly to the application but only via Remote Desktop Protocol (RDP) or SSH, where only an image of the actual application is displayed without the whole connection client to the application to manufacture. In this way, the application is protected from malicious content of the user or their device, such as an attempt to inject malicious code into an internal app.
Secure access to OT environments by privileging remote access
With the increasing digitalization of their production environments, companies also have to think about who may access the machine control for maintenance purposes. In this case, it is essential to establish a convergence between the two previously separate worlds of IT and OT so that only an authorized person has access. Until now, the difficulty has been how to assign access rights to this external person if the company does not manage the device used for this purpose. A web portal can provide privileged access if no RDP or SSH access can be set up for the device.
Invitation to sniff as a defense mechanism
Ultimately, companies that rely on ZTNA also have to consider the risk that compromised users, or their devices can pose. In this case, the malware actor gains access to the applications that the employee has access to via a stolen identity. If an attacker tries to access intentionally placed honey pots with a stolen identity, such an attack can be exposed, but the most critical data can also be protected.
With the expanded functionality of the Zscaler Tero Trust Exchange, companies can use network segmentation, isolation, and deception to build additional protection mechanisms into their defense strategy, depending on their risk affinity. The new range of functions based on Zero Trust Network Access enables much more granular defense mechanisms required for the various modern user cases of remote access for remote employees, third parties, or the maintenance of machines.