ZTNA hasn’t delivered on the full promise of zero trust

Zero Trust has been all the rage for several years; it states, “never trust, always verify” and assumes every attempt to access the network or an application could be a threat. For the last several years, zero trust network access (ZTNA) has become the common term to describe this type of approach for securing remote users as they access private applications. While I applaud the progress that has been made, major challenges remain in the way vendors have addressed the problem and organizations have implemented solutions. To start with, the name itself is fundamentally flawed. Zero trust network access is based on the logical security philosophy of least privilege. Thus, the objective is to verify a set of identity, posture, and context related elements and then provide the appropriate access to the specific application or resource required…not network level access.

Most classic ZTNA solutions on the market today can’t gracefully provide this level of granular control across the full spectrum of private applications. As a result, organizations have to maintain multiple remote access solutions and, in most scenarios, they still grant access at a much broader network or network segment level. I believe it’s time to drop the “network” from ZTNA and focus on the original goal of least-privilege, zero trust access (ZTA).

Classic ZTNA drawbacks

As with much in life, things are easier said than done, and that applies to ZTNA and secure remote access. When I talk to IT executives about their current ZTNA deployments or planned initiatives, there is a set of concerns and limitations that comes up on a regular basis. As a group, they are looking for a cloud or hybrid solution that provides a better user experience, is easier for the IT team to deploy and maintain, and provides a flexible and granular level of security…but many are falling short.

With that in mind, I pulled together a list of considerations to help people assess where they are and where they want to be in this technology space. If you have deployed some form of ZTNA or are evaluating solutions in this area, ask yourself these questions to see if you can, or will be able to, meet the promise of a true zero trust remote access environment.

  • Is there a method to keep multiple, individual user-to-app sessions from piggybacking onto one tunnel and thus increasing the potential of a significant security breach?
  • Does the reverse proxy utilize next-generation protocols with the ability to support per-connection, per-application, and per-device traffic streams to ensure no direct resource access?
  • How do you completely obfuscate your internal resources so only those allowed to see them can do so?
  • When do posture and authentication checks take place? Only at initial connection or continuously on a per session basis with credentials specific to a particular user without risk of sharing?
  • Can you obtain awareness into user activity by fully auditing sessions from the user device to the applications without being hindered by proprietary infrastructure methods?
  • If you use Certificate Authorities that issue certs and hardware-bound private keys with multi-year validity, what can be done to shrink this timescale and minimize risk exposure?

While the security and architecture elements mentioned above are important, they don’t represent the complete picture when developing a holistic strategy for remote, private application access. There are many examples of strong security processes that failed because they were too cumbersome for users or a nightmare for the IT team to deploy and maintain. Any viable ZTA solution must streamline the user experience and simplify the configuration and enforcement process for the IT team. Security is ‘Job #1’, but overworked employees with a high volume of complex security tools are more likely to make provisioning and configuration mistakes, get overwhelmed with disconnected alerts, and miss legitimate threats. Remote employees frustrated with slow multi-step access processes will look for short cuts and create additional risk for the organization.

To ensure success, it’s important to assess whether your planned or existing private access process meets the usability, manageability and flexibility requirements listed below.

  • The solution has a unified console enabling configuration, visibility and management from one central dashboard.
  • Remote and hybrid workers can securely access every type of application, regardless of port or protocol, including those that are session-initiated, peer-to-peer or multichannel in design.
  • A single agent enables all private and internet access functions including digital experience monitoring functions.
  • The solution eliminates the need for on-premises VPN infrastructure and management while delivering secure access to all private applications.
  • The login process is user friendly with a frictionless, transparent method across multiple application types.
  • The solution can handle both traditional HTTP/2 traffic and newer, faster, and more secure HTTP/3 methods with MASQUE and QUIC.

Cisco Secure Access: A modern approach to zero trust access

Secure Access is Cisco’s full-function Security Service Edge (SSE) solution and it goes far beyond traditional methods in multiple ways. With respect to resource access, our cloud-delivered platform overcomes the limitations of legacy ZTNA. Secure Access supports every factor listed in the above checklists and much more, to provide a unique level of Zero Trust Access (ZTA). Secure Access makes online activity better for users, easier for IT, and safer for everyone.

Here are just a few examples:

  • To protect your hybrid workforce, our ZTA architectural design has what we call ‘proxy connections’ that connect one user to one application: no more. If the user has access to several apps at once, each app connection has its own separate traffic stream. The result is true network isolation, as the streams are completely independent. This eliminates resource discovery and potential lateral movement by rogue users.
  • We implement per session user ID verification, authentication and rich device compliance posture checks with contextual insights considered.
  • Cisco Secure Access delivers a broad set of converged, cloud-based security services. Unlike alternatives, our approach overcomes IT complexity through a unified console with every function, including ZTA, managed from one interface. A single agent simplifies deployment with reduced device overhead. One policy engine further eases implementation as once a policy is written, it can be efficiently used across all appropriate security modules.
  • Hybrid workers get a frictionless process: once authenticated, they go straight to any desired application with just one click. This capability will transparently and automatically connect them with least-privilege concepts, preconfigured security policies and adaptable enforcement measures that the administrator controls.
  • Connections are quicker and provide high throughput. Highly repetitive authentication steps are significantly reduced.

With this type of comprehensive approach, IT and security practitioners can truly modernize their remote access. Security is greatly enhanced, IT operations work is dramatically simplified, and hybrid worker satisfaction and productivity are maximized.

To obtain deeper insights into the technical requirements for true zero trust private access and to see how Cisco Secure Access with ZTA overcomes the limitations of ZTNA, view the Deep dive into a modern Zero Trust Access (ZTA) architecture webinar. Also, visit the Cisco SSE Institute site for more information on ZTA and SSE.




Authors

Jeff Scheaffer

Vice President Product Management, Security Service Edge (SSE)

Security Business Group