
Three ZTNA Considerations When Replacing Cloud-based VPNs

Image credit: ilyabukowski/BigStockPhoto.com

Devices and users are more distributed than ever, and cloud-based services play an important role in keeping a distributed workforce productive. These convenient services also carry security risks that are rarely acknowledged. Two grave examples are credential theft and exposed web services, which let attackers exploit bugs, known CVEs and unpatched systems. Cloud-based proxy architectures such as SASE suffer from both: in many cases the highest level of administrative access sits behind an exposed web service. Hairpinning all traffic through these proxies also creates performance bottlenecks that degrade the user experience with dropped connections and low throughput. Cloud-based proxies are a step forward relative to antiquated VPN technology, but they fall short of extending Zero Trust to the real world of critical infrastructure. If an identity can be spoofed to gain access, what mechanisms limit the "blast radius" by containing what an unauthorized user can see and reach?

Why enterprises need zero trust now

In January 2022, the US Office of Management and Budget released memorandum M-22-09, implementing Executive Order 14028, which requires federal agencies to meet specific Zero Trust Architecture (ZTA) goals by the end of fiscal year 2024. The mandate responds to the cyber-attacks carried out against federal infrastructure every day.

The 2022 Verizon Data Breach Investigations Report confirms that attacks are rising across all industries. Stolen credentials were the leading way in, and the human element (phishing, stolen credentials, misuse and error) was involved in 82 percent of breaches. As breaches increase, it is evident that the current enterprise security approach is ineffective because it does not address the root causes: weak authentication, exposed web services and security configuration complexity. Enterprise IT managers need preventative solutions that authenticate identity first and only then allow the connection.

As government mandates and industry reports recognize the necessity of ZTA, industries are updating their security infrastructure with Zero Trust Network Access (ZTNA) models built on software-defined perimeter (SDP) solutions. Security leaders are increasingly embracing zero trust for today's cloud-first world. But what does it take to achieve a working ZTNA implementation?

Three considerations for Zero Trust Network Access

Enterprises need peer-to-peer ZTNA products that combine passwordless multi-factor authentication, built-in microsegmentation and manageability across IT and OT in a single solution. These factors let enterprises simplify security management while keeping the low latency, cost and flexibility needed to stay resilient against modern threats. Such ZTNA tools give enterprises end-to-end control over network security, connecting users directly to machines and applications while closing attack vectors through a single programmable overlay.

Certificate management is a major pain point for IT security leaders. The best ZTNA tools encrypt communication between IP-connected devices without one-time password (OTP) tokens, digital certificates to manage, or cloud-based exchanges. And because a peer-to-peer ZTNA does not route traffic through proxies, there is no single point of failure that can take down security or performance. ZTNA products that only address hybrid-cloud endpoint security lack the scope and flexibility needed to secure the whole enterprise network. Enterprises should weigh the following components as they implement ZTNA.

1. Passwordless multi-factor authentication

Passwordless multi-factor authentication is ideally executed so that a human never has to make a choice that can lead to a mistake or be socially engineered. It eliminates passwords, session-based tokens, digital certificates and cloud-based exchanges, relying instead on biometrics and FIDO keys to validate each attempt to reach a network resource. What makes FIDO authentication phishing-resistant is that the authenticator's signature is bound to the origin the browser observed and to a single-use challenge, so an assertion captured on a look-alike site does not verify at the real service. This is the most effective mitigation for credential theft: attackers cannot steal a password that does not exist, and cannot attack a service they cannot see.
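The origin binding and single-use challenge described above are what defeat a relayed phishing page. The following Go program is an added illustration written for this page, not BlastWave's code or a WebAuthn library; the relying-party origin, the look-alike phishing origin and the authenticator-data bytes are constructed placeholders, and the authenticator is modelled as a plain P-256 key. It runs a legitimate login, replays the same assertion, and then relays a fresh challenge through a phishing origin, showing which of the three the relying party accepts.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors WebAuthn's CollectedClientData; the browser, not the page's script, fills in Origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type assertion struct{ ClientDataJSON, AuthData, Signature []byte }

// relyingParty is the server: expected origin, the user's registered key, outstanding single-use challenges.
type relyingParty struct {
	origin  string
	pubKey  *ecdsa.PublicKey
	pending map[string]bool
}

// issueChallenge creates a fresh 32-byte random challenge and remembers it.
func (rp *relyingParty) issueChallenge() string {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		panic(err) // a broken CSPRNG is not something to recover from
	}
	c := base64.RawURLEncoding.EncodeToString(buf)
	rp.pending[c] = true
	return c
}

// signedDigest is what WebAuthn signs: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// authenticate models the FIDO authenticator; AuthData is a constructed stand-in for rpIdHash||flags||counter.
func authenticate(priv *ecdsa.PrivateKey, challenge, observedOrigin string) (assertion, error) {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: observedOrigin})
	authData := []byte("constructed-authenticator-data")
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cd))
	return assertion{ClientDataJSON: cd, AuthData: authData, Signature: sig}, err
}

// verify runs the relying-party checks: consume the challenge (single use), bind to origin, check signature.
func (rp *relyingParty) verify(a assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || !rp.pending[cd.Challenge] {
		return errors.New("wrong ceremony type, or unknown/already used challenge")
	}
	delete(rp.pending, cd.Challenge)
	if cd.Origin != rp.origin {
		return fmt.Errorf("origin mismatch: got %q, want %q", cd.Origin, rp.origin)
	}
	if !ecdsa.VerifyASN1(rp.pubKey, signedDigest(a.AuthData, a.ClientDataJSON), a.Signature) {
		return errors.New("signature does not verify against the registered key")
	}
	return nil
}

// runScenario tries a legitimate login, a replay of it, and a relayed phishing attempt.
func runScenario() (legitOK, replayOK, phishOK bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	rp := &relyingParty{origin: "https://vpn.example.com", pubKey: &priv.PublicKey, pending: map[string]bool{}}
	a1, err := authenticate(priv, rp.issueChallenge(), "https://vpn.example.com")
	if err != nil {
		return
	}
	legitOK = rp.verify(a1) == nil
	replayOK = rp.verify(a1) == nil // same assertion again: challenge already consumed
	// Phishing relay: a real challenge is forwarded, but the victim's browser reports the look-alike origin.
	a2, err := authenticate(priv, rp.issueChallenge(), "https://vpn-example.com.evil")
	if err != nil {
		return
	}
	phishOK = rp.verify(a2) == nil
	return
}

func main() {
	legit, replay, phish, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("legitimate:", legit, "replay:", replay, "phished:", phish)
}
```

The order of checks in verify is deliberate: the challenge is consumed before the origin and signature are examined, so a captured assertion cannot be retried against the same challenge even if the first attempt failed for another reason.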

2. Built-in microsegmentation

Since a network intrusion typically begins at a single point of entry, enterprises should choose ZTNA solutions with built-in microsegmentation. Microsegmentation isolates specific systems and sensitive data from the larger network so that an attacker who gains one foothold cannot reach every other part of it. In practice that means a default-deny policy keyed on the authenticated identity rather than on the source address, so the blast radius of any one compromised identity is exactly its allowlist. Built-in microsegmentation is one part of an integrated ZTNA solution, saving cost and reducing complexity because enterprises no longer need a standalone microsegmentation product.
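The "blast radius" question raised in the introduction and the microsegmentation point above come down to the same check: a default-deny allowlist evaluated per authenticated identity. The Go program below is an added example written for this page, not BlastWave's policy engine; the identities, hostnames and ports form a constructed IT/OT estate, and the connection attempts are what an attacker holding one user's session might try. It prints the decision for each attempt and compares the compromised identity's reach under the policy with what a flat network would expose.

```go
package main

import (
	"fmt"
	"sort"
)

// Rule grants one authenticated identity access to one service. Identity is
// what the authenticator established, never the source IP, and there is no
// wildcard: anything not listed is denied.
type Rule struct {
	Identity, Host string
	Port           int
}

// Policy is a default-deny allowlist.
type Policy struct{ rules []Rule }

func (p *Policy) Allow(identity, host string, port int) *Policy {
	p.rules = append(p.rules, Rule{identity, host, port})
	return p
}

// Decide is the per-connection check the overlay performs after
// authentication and before any packet reaches the destination.
func (p *Policy) Decide(identity, host string, port int) bool {
	for _, r := range p.rules {
		if r.Identity == identity && r.Host == host && r.Port == port {
			return true
		}
	}
	return false
}

// BlastRadius is everything an identity could reach if compromised:
// exactly its allowlist and nothing else.
func (p *Policy) BlastRadius(identity string) []string {
	return p.services(func(r Rule) bool { return r.Identity == identity })
}

// AllServices is what a flat network exposes to anyone with a foothold.
func (p *Policy) AllServices() []string {
	return p.services(func(Rule) bool { return true })
}

func (p *Policy) services(keep func(Rule) bool) []string {
	seen := map[string]bool{}
	for _, r := range p.rules {
		if keep(r) {
			seen[fmt.Sprintf("%s:%d", r.Host, r.Port)] = true
		}
	}
	out := make([]string, 0, len(seen))
	for s := range seen {
		out = append(out, s)
	}
	sort.Strings(out)
	return out
}

// Attempt is one connection attempt as the overlay sees it after authentication.
type Attempt struct {
	Identity, Host string
	Port           int
}

// Evaluate returns an "allow" or "deny" decision for each attempt, in order.
func Evaluate(p *Policy, attempts []Attempt) []string {
	out := make([]string, len(attempts))
	for i, a := range attempts {
		out[i] = "deny"
		if p.Decide(a.Identity, a.Host, a.Port) {
			out[i] = "allow"
		}
	}
	return out
}

// examplePolicy is a constructed IT/OT estate; identities and hostnames are hypothetical.
func examplePolicy() *Policy {
	p := &Policy{}
	p.Allow("alice@example.com", "hmi-01.ot.example", 443).
		Allow("alice@example.com", "historian.ot.example", 5432).
		Allow("plc-engineer-laptop", "plc-07.ot.example", 502).
		Allow("svc-backup", "historian.ot.example", 5432).
		Allow("svc-backup", "fileserver.it.example", 445)
	return p
}

// constructedAttempts is what an attacker holding alice's session might try.
var constructedAttempts = []Attempt{
	{"alice@example.com", "hmi-01.ot.example", 443},     // her normal work
	{"alice@example.com", "plc-07.ot.example", 502},     // lateral move to the PLC
	{"alice@example.com", "fileserver.it.example", 445}, // lateral move into IT
	{"alice@example.com", "historian.ot.example", 22},   // allowed host, wrong port
	{"svc-backup", "plc-07.ot.example", 502},            // hopping via a service account
}

func main() {
	p := examplePolicy()
	for i, d := range Evaluate(p, constructedAttempts) {
		a := constructedAttempts[i]
		fmt.Printf("%-5s %s -> %s:%d\n", d, a.Identity, a.Host, a.Port)
	}
	fmt.Println("blast radius if alice is compromised:", p.BlastRadius("alice@example.com"))
	fmt.Println("blast radius on a flat network:      ", p.AllServices())
}
```

Only the first attempt is allowed; the compromised identity can reach two services under the policy, whereas a flat network would expose all four, including the PLC.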

3. Manageability

Enterprises are most preoccupied with simplifying security management, a difficulty exacerbated by the rise of multi-vendor cloud platforms, each with its own authentication requirements. The best ZTNA tools provide a single point of management across those platforms, including AWS, Azure and others. A flexible ZTNA solution lets enterprises manage and authorize any device, used by anyone, from anywhere.

Simplified manageability through ZTNA

As the Verizon report affirms, "The only thing about information security is that nothing is certain." Since every industry depends on digital infrastructure, cyber threats will keep rising as long as data remains financially valuable to malicious actors. In the face of rising attacks, enterprises must replace cloud-based VPN proxy models and traditional MFA with ZTNA solutions that satisfy these three considerations. Weighing these factors lets enterprises transition confidently to a working ZTNA implementation.

Author

Tom Sego is Co-founder and CEO of BlastWave, a leading provider of zero trust networking solutions that help companies simplify security, performance and manageability. Tom oversees operations for BlastWave’s ZTNA solution, BlastShield™, and focuses on cross-functional team leadership. Previously, Tom served as Senior Director of WW Sales Support at Apple.
