Zero Trust Network Access, or ZTNA, is a network security framework that has been gaining steam in recent years as organizations grow more aware of, and more concerned about, cybersecurity risks arriving from a growing number of directions. All too often, however, organizations treat ZTNA as a one-stop shop for their security needs rather than as an ideal to advance towards. In this article, we will cover what ZTNA is, why it shouldn’t be treated as the be-all and end-all it is sometimes made out to be, and how organizations and IT departments can avoid the potential pitfalls while still taking advantage of a ZTNA framework.
Zero Trust Network Access: What It Is
The traditional form of network security is what’s known as perimeter defense. To put it simply, the perimeter approach acts like the walls and moat around a castle, protecting against external threats. In practical terms, perimeter-based network security usually takes the form of defenses like VPNs and firewalls. However, once this perimeter has been crossed—either innocuously, for example by an employee connecting over the VPN, or by an attacker—network access is largely unrestricted: being inside the network is itself treated as proof of trustworthiness, which allows the accessor to move around freely within the network.
Flaws in the traditional perimeter-based approach have been exposed a number of times over the last decade in high-profile cyberattacks, such as NotPetya in 2017, a self-propagating, ransomware-like wiper that severely affected major corporations including Maersk and TNT Express, causing billions of dollars in lost revenue and in IT costs to get networks back online. Excessive within-network access at these firms was not the only weakness that let the malware succeed (it also exploited an unpatched Windows SMB flaw and harvested credentials to spread), but flat internal networks certainly contributed to the scale of the damage caused: once one machine was infected, little stood between it and the rest of the estate.
In contrast with the perimeter-based network security framework, ZTNA is like a castle that has drawbridges, gates, and citadels within it. Once a user accesses the network, they are not simply given free rein; rather, they are subject to an ongoing identity verification process, and access to resources is controlled at a more granular level, with each request evaluated on its own merits rather than on the basis of where it comes from.
ZTNA builds upon another closely related concept in network security, that of “defense in depth,” which emphasizes layered, redundant controls so that the failure of any single defense does not by itself lead to compromise, using techniques such as network segmentation, encryption, and data masking; some would even argue that ZTNA and defense in depth are different terms for the same concept. However, one key element of ZTNA that isn’t as commonly associated with defense in depth is continuous identity verification: trust is re-established per request rather than granted once at login.
There are a number of methods, protocols, and technologies through which a ZTNA architecture is established. These include identity verification and continuous authentication through identity providers and policy enforcement points (typically an access proxy that sits in front of each resource), access control methods such as micro-segmentation and least-privilege access, device posture checks, and ongoing monitoring to detect suspicious activity and take action, including adjusting access controls, accordingly. There are plenty of great resources out there to learn more about the technical details of ZTNA, including here on HackerNoon.
Why ZTNA Isn’t A Silver Bullet
With all that being said, there are a number of reasons why ZTNA shouldn’t be treated as an impenetrable shield for an organization’s network. For instance:
- Establishing ZTNA is complex. While a properly established ZTNA architecture can be highly effective in increasing an organization’s network security, the key word there is ‘properly.’ Changing the way access controls are set up is by itself a challenging and cumbersome process, and one that needs to be managed with care to avoid disrupting key business operations. Additionally, establishing a ZTNA system requires first identifying all of the assets and resources that need to be protected so that access controls can be defined for them, a time-consuming process in and of itself. Anything that falls through the cracks of that inventory has no policy governing it at all, and so keeps exactly the kind of implicit trust ZTNA was supposed to remove.
- Branding can be misleading. With ZTNA’s growing prominence as both a concept and a term, service providers have been picking up on interest in it by marketing products specifically labeled as delivering “zero trust” solutions. Often, this framing is little more than the vendor slapping a buzzword on a pre-existing product. This can be problematic, as organizations may pay significant sums for products that aren’t actually what they are looking for, and mistakenly believe that they have implemented ZTNA when they haven’t, leaving them vulnerable to threats. A useful test is to ask which specific controls the product actually enforces—per-request authentication, device posture checks, segmentation—rather than what it is called.
- ZTNA isn’t a replacement for key network security practices. All too often, different approaches, like perimeter security and ZTNA, are viewed as black-and-white, mutually exclusive methods, when in reality ZTNA should be one part of a broader approach to maximize network security. For instance, ZTNA doesn’t necessarily mean getting rid of your VPN and firewall systems; instead, multiple approaches can be combined, such as keeping the VPN while placing an access proxy in front of each resource so that connecting to the VPN no longer grants access to anything by itself. Additionally, ZTNA on its own doesn’t fully deal with many potential threats to network security, such as data exfiltration and insider attacks, because it governs who may reach a resource, not what an authorized user then does with the data. Combining approaches (with the big caveat of “when done right”) may be the way to go depending on the context.
- “Zero Trust” is a misnomer. In actuality, “Zero Trust” means “as little implicit trust as is feasible.” Some level of implicit trust will basically always exist within a network—in the identity provider, in the device management system that vouches for endpoints, in the policy engine itself—and therefore some level of vulnerability is associated with that implicit trust; ZTNA just seeks to minimize implicit trust wherever possible. Even within a ZTNA framework, it’s important to recognize where implicit trust still exists within the network, and account for it accordingly. This may seem obvious, but it’s easy to overlook, especially given the potentially misleading nomenclature.
- Identities can be compromised. For all of its advantages, a ZTNA framework still relies on uncompromised identity management and authentication. A stolen session token or a phished MFA code presents to the policy engine as a perfectly valid identity, and the engine will grant that identity everything it is entitled to. Compromised credentials therefore remain a security risk that requires more than just ZTNA to deal with: phishing-resistant MFA, short-lived tokens bound to a known device, and monitoring for anomalous use of an otherwise valid identity.
- The human factor. By itself, a ZTNA framework does little to deal with the human factor behind threats to network security. To be fully effective, employees must be aware of the security practices in place, their part in them, the steps they need to take to ensure the system is effective, and the potential consequences a breach could entail. Employees who don’t understand the system, why it’s in place, and what they need to do to make it work are employees who fall back on insecure practices and open the door to threats, which is why a comprehensive training and awareness program is essential to network security, even with ZTNA. Of course, such a program can be both time-consuming and costly—but the costs of a major breach are almost certainly much higher.
- Things change. The network security landscape is a fast-changing one: new vulnerabilities and threats emerge continually as organizations and threat actors engage in an arms race of increasing sophistication. Given those circumstances, a vigilant approach is required. Even for organizations that have moved to ZTNA, resting on one’s laurels and being lulled into complacency is a dangerous approach; policies, inventories, and device trust assumptions all need to be revisited as the environment changes.
The point of all this being: ZTNA is not a magic wand that will enable an organization to wave away the network security threats it faces.
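To make the mechanisms from the “What It Is” section and the “misnomer” and “identities can be compromised” points above concrete, here is an added example in Python (not code from the original article, and not any vendor’s product): a toy policy decision point that evaluates identity, role, device posture, token age, and MFA freshness on every request, placed beside a perimeter-style grant that only asks “are you inside?”. The resource inventory, device registry, token lifetime, and MFA step-up window are all constructed, hypothetical values chosen for illustration.

```python
"""Added example: per-request zero trust policy check beside a perimeter-style
grant. All resource names, policies, devices and timings are constructed."""
from __future__ import annotations
from dataclasses import dataclass, replace

TOKEN_TTL_S = 3600  # assumed session token lifetime (hypothetical)

# Hypothetical asset inventory: each protected resource names the roles that
# may reach it (least privilege) and the device posture it demands.
RESOURCE_POLICY: dict[str, dict] = {
    "hr-db":      {"roles": {"hr"},                 "device": "managed"},
    "wiki":       {"roles": {"hr", "eng", "sales"}, "device": "any"},
    "prod-admin": {"roles": {"eng"},                "device": "managed",
                   "mfa_max_age_s": 300},          # step-up MFA for admin access
}

# Hypothetical device registry, standing in for what a device management
# system would report about enrolled endpoints.
MANAGED_DEVICES = {"laptop-4412", "laptop-0917"}


@dataclass
class Request:
    user: str
    role: str             # as asserted by the identity provider
    device_id: str
    token_issued_at: int  # epoch seconds
    last_mfa_at: int      # epoch seconds of the user's last MFA prompt
    now: int
    resource: str


def perimeter_decision(req: Request, inside_network: bool) -> bool:
    """Perimeter model: once on the inside (VPN, office LAN) every resource is
    reachable; nothing about the request itself is examined."""
    return inside_network


def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """Evaluate identity, device posture and context on every request.
    Returns (allowed, reason) so the reason can be logged for monitoring."""
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        # A resource missing from the inventory has no policy at all;
        # default-deny is what stops the gap from becoming implicit trust.
        return False, "resource not in inventory"
    if req.now - req.token_issued_at > TOKEN_TTL_S:
        return False, "session token expired"
    if req.role not in policy["roles"]:
        return False, f"role '{req.role}' not permitted on {req.resource}"
    if policy["device"] == "managed" and req.device_id not in MANAGED_DEVICES:
        return False, "unmanaged device"
    mfa_max = policy.get("mfa_max_age_s")
    if mfa_max is not None and req.now - req.last_mfa_at > mfa_max:
        return False, "fresh MFA required"
    return True, "allow"


def stolen_token_replay(victim: Request, attacker_device: str) -> tuple[bool, str]:
    """Model an attacker replaying a victim's still-valid token: identical
    identity claims and timestamps, only the presenting device changes."""
    return zero_trust_decision(replace(victim, device_id=attacker_device))


if __name__ == "__main__":
    T = 1_700_000_000  # constructed "now"
    alice = Request("alice", "hr", "laptop-4412", T - 600, T - 600, T, "hr-db")
    print("alice -> hr-db      :", zero_trust_decision(alice))
    print("alice -> prod-admin :", zero_trust_decision(replace(alice, resource="prod-admin")))
    print("alice -> legacy-ftp :", zero_trust_decision(replace(alice, resource="legacy-ftp")))
    print("perimeter, inside   :", perimeter_decision(alice, inside_network=True))
    # Token stolen and replayed from the attacker's own machine: denied by
    # device posture. Replayed from the compromised managed laptop itself:
    # allowed. That residual trust is why "zero trust" is a misnomer.
    print("replay, attacker PC :", stolen_token_replay(alice, "attacker-pc"))
    print("replay, same laptop :", stolen_token_replay(alice, "laptop-4412"))
```

Two things to notice when running it. First, an unknown resource such as `legacy-ftp` is denied only because the engine defaults to deny; in a real deployment a resource that never made it into the inventory is usually not behind the proxy at all, which is the inventory pitfall from the list above. Second, `stolen_token_replay` shows both sides of the identity point: device binding stops a token replayed from a foreign machine, but a token used from the very device it was issued to is indistinguishable from the legitimate user, so detection and short token lifetimes have to pick up where policy leaves off.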
Implementing ZTNA Without The Pitfalls
Given all the caveats and challenges described above, how does an organization move toward ZTNA while avoiding the possible pitfalls?
Well, one key is to take it methodically rather than rushing, since rushing can create vulnerabilities of its own and generally turn into a mess. Rome wasn’t built in a day, and ZTNA isn’t either. An important tool in a steady, measured implementation of ZTNA is the use of a zero trust maturity model—a roadmap for a gradual transition to a zero trust architecture, such as the one CISA publishes, which breaks the journey down into stages across identity, devices, networks, applications, and data.
It’s also important not to rely on vendors too much, as they have a vested interest in selling you a product. Doing due diligence on the security solutions on offer, and figuring out exactly what your organization needs—as well as what it doesn’t—may be an invaluable step in saving money and avoiding headaches down the road. Equally, it may turn out that the lowest-cost option isn’t the optimal one for your organization, and that taking the hit now will be made up for by the additional protection gained over the alternatives. Either way, these factors can only be determined if you do your homework.
Conclusion
ZTNA is a powerful approach in the modern network security landscape, providing a tailored, flexible framework for protecting organizations from threats. However, it is just that—a framework—and not a silver bullet. Implementing ZTNA effectively requires a thoughtful, measured, and deliberate approach—but when done right, the rewards are worth it. Thanks for reading!