
Supporting Network Security Practices and the Modern Employment Model With ZTNA

Image Credit: QuSecure

The Fast Mode spoke to Chris Cap, System and Architecture Engineer at QuSecure on the impact of traffic visibility on ZTNA networks. Chris joins us in a series of discussions with leading cybersecurity and networking vendors, assessing the evolution of ZTNA technologies, the roadmap for ZTNA deployments, the benefits of ZTNA for enterprise and telco networks, and the need for real-time traffic visibility technologies such as DPI for ZTNA.

Ariana: What do you consider are the core features (must have) of ZTNA?

Chris: A ZTNA is any architecture based on zero trust principles. Following these tenets, a ZTNA allows an enterprise to grant access to a resource only if access is strictly required for proper functionality of the network or for an employee to fulfill their role. Furthermore, it is critical that the identity and security posture of each access request be authenticated and authorized. For an access request to be approved, the subject (a combination of the user, application, and device) making the request must be authorized to do so. Although ZTNAs are broadly defined, most solutions will share common architectural components. The entity responsible for approving or denying requests is known as the policy decision point (PDP). The PDP typically consists of a policy engine (PE) and policy administrator, which can be implemented separately or as a single service. The PE contains a trust algorithm which ultimately determines whether a request is approved or denied. Meanwhile, the entity responsible for enabling, monitoring, and eventually terminating connections between a subject and an enterprise resource is known as the policy enforcement point.

ZTNAs should also include dynamic policy; continuous diagnostics and mitigation (CDM); identity, credential, and access management (ICAM); a threat intelligence feed; and security information and event management (SIEM) among other components. Dynamic policy considers factors such as the subject’s location, usage patterns, and the time of request to inform policy decisions. CDM provides the system with the ability to monitor the state of devices and applications, push fixes, and deny a compromised subject access to all enterprise resources. ICAM allows an enterprise to be certain that the correct individuals with the necessary privileges access the expected resources at an acceptable time. Moreover, SIEM enables the ingestion of security data from information system components and presents that data as actionable information via a single interface.
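The decision flow Chris describes (subject as user, application and device; a PE with a trust algorithm; CDM posture feeding a deny-everywhere rule for compromised devices; dynamic policy on location and time of request; SIEM-style logging of each decision) can be sketched as a toy policy engine. This is an added example, not QuSecure's or The Fast Mode's code; the role mappings, device posture table, resource policies and sample subjects are all constructed stand-ins for ICAM and CDM data.

```python
"""Toy ZTNA policy engine (PE) for the decision flow described above.

Added example: all tables below are constructed sample data standing in for
the ICAM directory, the CDM posture feed and the dynamic policy store.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Subject:
    user: str
    app: str
    device: str
    location: str  # country code reported with the access request

# ICAM stand-in: which resources each role strictly requires (least privilege).
ROLE_RESOURCES = {"payroll-clerk": {"hr-db"}, "dev": {"git", "ci"}}
USER_ROLES = {"alice": "payroll-clerk", "bob": "dev"}
# CDM stand-in: per-device posture; a compromised device loses all access.
DEVICE_POSTURE = {"lt-001": "healthy", "lt-002": "compromised"}
# Dynamic policy stand-in: where and when (UTC hours) each resource may be reached.
RESOURCE_POLICY = {"hr-db": {"locations": {"US"}, "hours": range(8, 19)},
                   "git": {"locations": {"US", "DE"}, "hours": range(0, 24)},
                   "ci": {"locations": {"US", "DE"}, "hours": range(0, 24)}}
# Which client application is authorized to reach each resource.
APPROVED_APPS = {"hr-db": {"hr-portal"}, "git": {"git-client"}, "ci": {"ci-cli"}}

def trust_algorithm(subject: Subject, resource: str, now: datetime) -> tuple[bool, str]:
    """Return (approved, reason). Every check must pass; the first failure explains the deny."""
    if DEVICE_POSTURE.get(subject.device) != "healthy":
        return False, "device posture not healthy"      # CDM: compromised subject denied everywhere
    role = USER_ROLES.get(subject.user)
    if role is None or resource not in ROLE_RESOURCES[role]:
        return False, "resource not required for role"  # least privilege
    if subject.app not in APPROVED_APPS.get(resource, set()):
        return False, "application not authorized for resource"
    policy = RESOURCE_POLICY[resource]
    if subject.location not in policy["locations"]:
        return False, "location outside policy"         # dynamic policy: location
    if now.astimezone(timezone.utc).hour not in policy["hours"]:
        return False, "outside permitted hours"         # dynamic policy: time of request
    return True, "approved"

def decide(subject: Subject, resource: str, now: datetime) -> bool:
    """PDP wrapper: emit a SIEM-friendly record of the decision, then return the verdict for the PEP."""
    ok, reason = trust_algorithm(subject, resource, now)
    print(f"{now.isoformat()} user={subject.user} app={subject.app} device={subject.device} "
          f"resource={resource} decision={'ALLOW' if ok else 'DENY'} reason={reason}")
    return ok
```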

Ariana: Why is cloud a key component of ZTNA?

Chris: Since the advent of perimeter-based security, many organizations (private enterprises, government agencies, etc.) have grown more complex and geographically distributed. As a result, perimeter-based security supported by on-premises servers is becoming obsolete. It is now imperative to have high availability across several geographical zones to fulfill organizational needs. A ZTNA which supports cloud deployments allows organizations to address two problems simultaneously – the need for better network security practices, and the need to support the modern employment model. In addition to the policy improvements that accompany a transition to a ZTNA, a cloud deployment can lead to improvements in the security of a PE’s underlying infrastructure. Cloud deployments allow for centralized management of infrastructure in which routine maintenance is performed automatically. Cloud deployments also enable a network administrator to easily scale dedicated resources to a level that satisfies the organization's needs, whether that be quickly providing relief to strained servers or cutting down on unnecessary resource expenditure.

Ariana: How important is traffic visibility for ZTNA vendors?

Chris: To properly operate a ZTNA, a record of all network traffic must be maintained. Furthermore, all network traffic must be examined at time of receipt. This allows for real-time monitoring of possible threats, and in some cases, a response to those threats. Deep packet inspection may be implemented to address these concerns. However, some network segments will be resistant to this type of packet inspection, possibly due to encryption or other obfuscation. In that case organizations must employ alternative methods, typically reliant on packet metadata. More sophisticated methods, such as those reliant on machine learning, may also be implemented to gain as much visibility and knowledge as possible about transmitted packets. The end goal of all forms of packet inspection is to identify and discard or reroute malicious packets before they have the chance to negatively impact the network’s integrity, and for that visibility of traffic is a necessity.

Chris Cap is a System and Architecture Engineer at QuSecure.

This interview is a part of The Fast Mode's Next-Gen DPI Traffic Visibility for ZTNA segment, featuring over 40 leading cybersecurity and networking solution providers and their views on the importance of traffic visibility for ZTNA. A research report on this topic will be published in January 2024.

Author: Ariana, Principal Analyst and Senior Editor | IP Networks

Ariana specializes in IP networking, covering both operator networks - core, transport, edge and access; and enterprise and cloud networks. Her work involves analysis of cutting-edge technologies that drive application visibility, traffic awareness, network optimization, network security, virtualization and cloud-native architectures.

She can be reached at ariana.lynn@thefastmode.com
