Zero-trust network access (ZTNA): An essential part of SASE
By Chandraduth Bullywon, Senior Technical Product Manager, Cloud and SDWAN Security
As more companies move to the cloud and embrace the hybrid work model, it’s critical that employees have fast, reliable access to internal applications and data, no matter where they are working from. However, this remote access also needs to be extremely secure – especially in today’s hybrid world.
Historically, remote-access solutions were not designed for continuous, large-scale adoption by teams working from locations across the country or around the world. To protect the security of your remote users, as well as the applications and data they rely on every single day, you need to take a more modern approach. At Bell, we believe that approach should involve zero-trust network access (ZTNA) as part of a secure access service edge (SASE).
What is ZTNA?
When we break it down, there are two main elements to the ZTNA concept. First, “zero trust” is a high-level security strategy based on the principle of “never trust, always verify.” It assumes an attacker is always present in your network, so your network is always at risk. It also assumes that nothing inside your organization – including your users and your assets – should be automatically trusted based solely on its physical or network location.
The second element of ZTNA is about “network access” – and it’s the framework for actually putting the principles of zero trust into action. With ZTNA, your users are provided with access only to specific internal applications – not the entire network, as can be the case with VPNs – and only for authenticated and authorized users. The access is granted on a least-privileged basis, defined by granular control policies. That means your employees can access only the applications needed to perform their job, nothing more. Micro-segmentation further helps to ensure they can’t move laterally across the network.
However, there is more to ZTNA than checking login credentials. Access is granted only when the full context satisfies policy: the user’s identity, the device they are using (and whether it meets your posture requirements), their location and the application they are requesting. ZTNA also validates authorization continuously rather than once at login, with re-authentication taking place every day or even every hour, as defined by corporate policy.
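To make the two ideas above concrete, here is an added example of a small ZTNA-style policy decision point: per-application rules, deny by default, every contextual condition (group membership, source country, device posture, MFA) must hold, and an active session is re-evaluated against the same rules plus a per-application re-authentication interval. This is illustrative code written for this post, not Bell’s product; the application names, attributes and thresholds are hypothetical.

```python
"""Constructed ZTNA-style policy decision point (PDP).

Added illustration, not vendor code. Application names, user attributes,
rules and intervals below are hypothetical. Times are epoch seconds.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """Everything the broker knows about a request, not just the credential."""
    user: str
    groups: frozenset        # identity-provider group memberships
    device_managed: bool     # enrolled in device management
    device_patched: bool     # posture check result
    country: str             # source location
    mfa_verified: bool


@dataclass(frozen=True)
class Rule:
    """Access rule for one application. Access is to the app, never the network."""
    app: str
    groups: frozenset        # membership in any one of these is required
    countries: frozenset     # permitted source countries
    require_managed: bool = True
    require_mfa: bool = True
    reauth_after_s: int = 8 * 3600   # re-authentication interval


# Hypothetical policy: anything not listed here is denied.
POLICY = {
    "payroll": Rule("payroll", frozenset({"finance"}), frozenset({"CA"}),
                    reauth_after_s=3600),
    "wiki": Rule("wiki", frozenset({"staff", "contractors"}),
                 frozenset({"CA", "US"}), require_managed=False),
}


def evaluate(ctx, app, policy=POLICY):
    """Return (allowed, reason). Deny by default; all conditions must hold."""
    rule = policy.get(app)
    if rule is None:
        return False, "no policy for application"
    if not ctx.groups & rule.groups:
        return False, "user not in an authorized group"
    if ctx.country not in rule.countries:
        return False, "source location not permitted"
    if rule.require_managed and not (ctx.device_managed and ctx.device_patched):
        return False, "device posture check failed"
    if rule.require_mfa and not ctx.mfa_verified:
        return False, "MFA not verified"
    return True, "allowed"


@dataclass
class Session:
    ctx: Context             # the context observed at the last check
    app: str
    authenticated_at: int    # epoch seconds of the last successful authentication


def session_still_valid(session, now, policy=POLICY):
    """Continuous validation: re-run the policy and enforce the re-auth interval.

    A session that was allowed at login is dropped as soon as the current
    context no longer satisfies policy (e.g. the device fell out of compliance)
    or the application's re-authentication interval has elapsed.
    """
    allowed, reason = evaluate(session.ctx, session.app, policy)
    if not allowed:
        return False, reason
    if now - session.authenticated_at >= policy[session.app].reauth_after_s:
        return False, "re-authentication interval elapsed"
    return True, "valid"


if __name__ == "__main__":
    alice = Context("alice", frozenset({"staff", "finance"}), True, True, "CA", True)
    print(evaluate(alice, "payroll"))                       # allowed
    print(session_still_valid(Session(alice, "payroll", 0), 7200))  # interval elapsed
```

The point the code makes is that the decision is per application and per request: the same user who is allowed into `payroll` from a managed device in Canada is denied from another country or from an unmanaged laptop, and the decision is revisited while the session is open rather than trusted for the rest of the day.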
How can businesses benefit from ZTNA?
ZTNA offers many benefits to Canadian businesses, including:
- Reduced attack surface: ZTNA enables direct, outbound-only connections (application connectors dial out to the service, so no inbound ports need to be exposed) as well as application segmentation. This makes your network invisible to unauthorized users and prevents lateral movement between applications.
- Improved efficiency and productivity: ZTNA can be deployed quickly across multiple locations for thousands of users. Additionally, low-latency, direct connections often result in faster access and better performance than VPNs.
- Potentially lower costs: there is less need for legacy on-premises appliances (such as firewalls, whose functions move to the cloud as FWaaS) and less need for in-house IT resources to manage and secure your network.
- Greater visibility: logs record when access policies are triggered and how much data your users upload or download when accessing their applications. You can feed these cloud-based logs into a SIEM/SOAR platform for deeper analysis, revealing potentially abnormal or malicious behaviour.
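As an added example of what “deeper analysis” of those logs can look like before or inside a SIEM, the following code runs three simple detections over a constructed set of ZTNA access records: a burst of denied requests across several applications (a user probing for what they can reach), a single download far above normal volume (possible bulk exfiltration), and allowed access from two countries within an hour (impossible travel). The log format, field names and thresholds are constructed for this illustration and are not any vendor’s schema.

```python
"""Constructed detections over ZTNA access logs.

Added illustration. The JSON-lines format, field names and thresholds
are hypothetical; adapt them to the schema your SASE provider exports.
"""
import json
from collections import defaultdict

# Constructed sample. Fields: ts (epoch s), user, app, decision, country, bytes_down.
SAMPLE_LOGS = """
{"ts": 1700000000, "user": "alice", "app": "wiki", "decision": "allow", "country": "CA", "bytes_down": 120000}
{"ts": 1700000300, "user": "alice", "app": "payroll", "decision": "allow", "country": "CA", "bytes_down": 80000}
{"ts": 1700000600, "user": "alice", "app": "payroll", "decision": "allow", "country": "CA", "bytes_down": 2400000000}
{"ts": 1700000100, "user": "bob", "app": "payroll", "decision": "deny", "country": "CA", "bytes_down": 0}
{"ts": 1700000130, "user": "bob", "app": "hr-portal", "decision": "deny", "country": "CA", "bytes_down": 0}
{"ts": 1700000160, "user": "bob", "app": "finance-db", "decision": "deny", "country": "CA", "bytes_down": 0}
{"ts": 1700000200, "user": "bob", "app": "wiki", "decision": "allow", "country": "CA", "bytes_down": 50000}
{"ts": 1700000400, "user": "carol", "app": "wiki", "decision": "allow", "country": "CA", "bytes_down": 30000}
{"ts": 1700001000, "user": "carol", "app": "wiki", "decision": "allow", "country": "BR", "bytes_down": 30000}
"""


def parse_logs(text):
    """Parse JSON lines into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect(events, deny_threshold=3, deny_window_s=300,
           volume_bytes=1_000_000_000, travel_window_s=3600):
    """Return a list of (user, rule, detail) findings.

    Thresholds are hypothetical tuning values; in practice they come from
    per-user baselines rather than constants.
    """
    findings = []
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    for user, evs in by_user.items():
        # 1. Burst of denies: several policy denials to distinct apps in a
        #    short window looks like someone probing for reachable applications.
        denies = [e for e in evs if e["decision"] == "deny"]
        for i, first in enumerate(denies):
            window = [d for d in denies[i:] if d["ts"] - first["ts"] <= deny_window_s]
            if len(window) >= deny_threshold:
                apps = sorted({d["app"] for d in window})
                findings.append((user, "deny_burst",
                                 f"{len(window)} denies in {deny_window_s}s across {apps}"))
                break

        # 2. Large download: one allowed session moving far more data than
        #    the norm for the app is a bulk-exfiltration indicator.
        for e in evs:
            if e["decision"] == "allow" and e["bytes_down"] >= volume_bytes:
                findings.append((user, "large_download",
                                 f'{e["bytes_down"]} bytes from {e["app"]}'))

        # 3. Impossible travel: consecutive allowed requests from different
        #    countries closer together than any plausible journey.
        allowed = [e for e in evs if e["decision"] == "allow"]
        for a, b in zip(allowed, allowed[1:]):
            if a["country"] != b["country"] and b["ts"] - a["ts"] <= travel_window_s:
                findings.append((user, "impossible_travel",
                                 f'{a["country"]} -> {b["country"]} in {b["ts"] - a["ts"]}s'))
    return findings


if __name__ == "__main__":
    for finding in detect(parse_logs(SAMPLE_LOGS)):
        print(finding)
```

Each rule relies on a field the page says ZTNA logs already carry: which policy fired (the allow/deny decision), how much data moved, and the identity and location behind the request. The same logic translates directly into SIEM correlation rules once the logs are ingested.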
ZTNA is a foundational element of SASE
So how does ZTNA tie into SASE? If you recall from our second blog in this series, the security service edge (SSE) is the security half of SASE, delivered from the cloud. It’s made up of elements such as secure web gateway (SWG), firewall as a service (FWaaS) and ZTNA.
The inspection and authentication of traffic associated with ZTNA happens within the SSE. The SSE is what allows your users to reach applications according to your established rules and controls, and ZTNA uses the SSE to apply specific security policies to each application. In a SASE deployment the two are inseparable: ZTNA is delivered as a component of the SSE rather than as a stand-alone product.
How a managed service provider can help
One of the biggest challenges of ZTNA is that businesses often lack the in-house skills or resources to implement it effectively. This includes ensuring the right security protocols and policies are considered and implemented consistently every step of the way during the move to the cloud. A managed service provider like Bell can bring the experience and skill set needed to facilitate the adoption of ZTNA and SASE. Our team brings the latest threat intelligence to help develop the most appropriate and up-to-date access policies for your company.
Visit our Managed Cloud Security Gateway page to find out more about Bell’s SASE solution. Remember, you are not alone on your cloud transformation journey. Book a meeting with me to discuss your security posture.