Zero Trust and Beyond : A Journey For Everyone

Zero Trust and ZTNA are two of the most important concepts in enterprise security. But any business can benefit from them.


01 - A Brief History of Zero Trust:

2007: The Defence Industry Security Association (DISA) introduced Black Cloud, a forebear of Zero Trust. It removed visible DNS information from application infrastructure so that the infrastructure could not be discovered. This made applications impervious to many forms of network-based attack, including scans, vulnerability exploits, DoS and DDoS attacks.

2010: John Kindervag, principal analyst with Forrester, coins the term Zero Trust.

2011: The Cloud Security Alliance unveils Software Defined Perimeter (SDP). Connectivity in SDP is based on a need-to-know model in which device posture and identity are verified before access is granted.

02 - A Crisis of Trust?

The death of traditional perimeters has been greatly exaggerated – until now

During the pandemic, the perimeter finally perished as companies around the world sent their staff home to work outside the protection of corporate networks. Staff now log in from outside the corporate network using 4G and 5G as well as their home networks. The applications they use every day are in the cloud.

In this new normal, firewalls, VPNs and other traditional defence systems are no longer sufficient to protect a newly distributed workforce. Neither are passwords or other traditional identifiers. Now, the only place to deliver effective security is in the cloud.

Censornet research found that only 34% of security professionals feel ‘very prepared’ to support employees working from home securely.

Work is no longer a place but an activity, which means security should be designed around an entirely new perimeter built on identity and context – which is where Zero Trust and ZTNA come in.

03 - What is Zero Trust and Who Is It For? Answer: Everyone

Zero Trust is a security model that turns the old idea of “connect then authenticate” on its head when it comes to providing secure access to network resources. It’s a paradigm in which no-one is trusted.

Rather than inviting users to log into apps using a risky online portal, Zero Trust places an intermediary layer between users and the corporate network, resources and applications.

With Zero Trust, users must prove their identity before being granted access. This security posture is designed to stop hackers from gaining easy access to networks through the web applications used by an organization’s users or workers.

Zero Trust is crucial in the age of remote working. The Zero Trust approach involves trusting no-one and assuming no entitlement until trust is earned. Importantly, this trust must be continually assessed and re-evaluated.

In addition to verifying the identity of the individual and the device gaining access to the corporate network via the ZTNA layer, Zero Trust rules and policies can adapt based on the observed behavior of a user or device.

The new rule is: Authenticate before you connect

“There are products that work well in Zero Trust environments, but if a vendor comes in to sell you their ‘Zero Trust’ product, that’s a pretty good indication that they don’t understand the concept.” – John Kindervag

04 - Understanding Zero Trust Network Access

If Zero Trust is the idea, Zero Trust Network Access (ZTNA) is the technology which turns the philosophy into a reality

Before ZTNA, organizations relied on inherently weak identifiers when granting access to the corporate network.

“We’ve used ownership and control of physical assets and location as an implicit proxy for trust... This is a flawed security paradigm.” – Gartner

Zero Trust has two main predecessors: Black Cloud and Software Defined Perimeter (SDP). However, it differs from them because it incorporates a level of dynamic trust, where access is modified based on behavior. This adaptability differentiates ZTNA from SDP and Black Cloud.

ZTNA hides assets from prying eyes. It’s focused around giving organizations the ability to implement a need-to-know approach when it comes to data or apps, rather than leaving them open to any individual or device that has passed through authentication.

For many organizations, ZTNA is likely to be the first step on a road to the next great evolution in security: Secure Access Service Edge (SASE).

Authenticate then connect

With Zero Trust, authentication comes first via a middle or intermediary ZTNA layer that confirms an individual’s identity but also the context in which they are attempting access. Only when the individual has been authenticated are they granted an onward connection to applications and data.

The ZTNA layer, or ZTNA controller, becomes the gateway to an organization’s assets – whether SaaS or legacy data center apps – isolating systems from potential trespassers and hiding applications from the internet.

This layer makes applications impervious to many forms of network-based attack including scans, vulnerability exploits, DoS and DDoS attacks.

As cloud adoption has risen, cyber attacks have grown by a staggering 50%

05 - Trust no one…

Context and identity are the new perimeter

To earn the trust of a ZTNA controller, someone who logs on from a remote location may undergo the usual password test and Multi-Factor Authentication (MFA) process.

Behind the scenes, a ZTNA layer analyses the identity of the person trying to log on as well as their behavior, to provide context.

It works to prove the identity of a person trying to log in as well as establish if they are behaving in a way that’s considered “normal”.

What Is Normal?

Here is some of the context information a ZTNA controller could look for:

Location: Has the person logged on from a known location?

Time: Is the logon happening at an expected time?

IP Address: Has the user moved to a different address?

Device Integrity: Is the device compromised or behaving strangely?

Unusual Behaviour = Suspicious Behaviour

Is a trusted employee downloading a large volume of customer data that wouldn’t usually be required in their role? Have they logged on from one location and then attempted to gain access from a city on the other side of the world?

If a ZTNA finds the answer to these questions is yes, it could respond by blocking access to the user or device that’s behaving strangely. It could also restrain their activity in some way, perhaps by limiting them to read-only access or restricting access to sensitive data.

It’s not just user behaviour that can be monitored, but entity behaviour as well. There could be anomalous activity that suggests the device is infected with malware – another trigger point for blocking or limiting access.

To avoid impacting productivity, flexibility is paramount. The system must be adaptable and dynamic, monitoring the behaviour of an individual and device to constantly ask: “What’s been going on? Why is that user accessing that data? What are they doing with the data, and does that make sense from a business-as-usual perspective?”

Currently, few ZTNAs on the market are this advanced. Even if the ZTNA solution does support UEBA (user and entity behaviour analytics), the overheads of management and administration are often considered too high, as well as the risk of impacting legitimate business processes.

But as ZTNA becomes the industry norm, behavioural components are likely to be adopted by an increasing number of organizations.
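The context checks and graded responses described in this section (known location, expected time, changed IP address, device integrity, impossible travel, and bulk downloads, answered with allow, read-only or block) can be shown as a small policy evaluation. This is an added illustration, not Censornet's code or any product's actual engine; the baseline, the login requests, the 10x download threshold and the 900 km/h travel limit are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

@dataclass
class Baseline:            # constructed per-user baseline a ZTNA controller might keep
    known_countries: set
    work_hours: tuple      # (start_hour, end_hour) in the user's local time
    last_ip: str
    last_login: datetime
    last_coords: tuple     # (lat, lon) of the previous login
    typical_download_mb: float
@dataclass
class Request:             # context signals observed for one access attempt (constructed)
    when: datetime
    country: str
    coords: tuple
    ip: str
    device_healthy: bool
    download_mb: float = 0.0

def distance_km(a, b):     # great-circle (haversine) distance between two (lat, lon) points
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def evaluate(req, base, max_speed_kmh=900):  # -> (decision, reasons)
    if not req.device_healthy:              # compromised device: no onward connection
        return "block", ["device posture failed"]
    hours = (req.when - base.last_login).total_seconds() / 3600
    if hours > 0 and distance_km(req.coords, base.last_coords) / hours > max_speed_kmh:
        return "block", ["impossible travel since last login"]
    reasons = []
    if req.country not in base.known_countries:
        reasons.append("unknown location")
    if not base.work_hours[0] <= req.when.hour < base.work_hours[1]:
        reasons.append("outside expected hours")
    if req.ip != base.last_ip:
        reasons.append("IP address changed")
    if req.download_mb > 10 * base.typical_download_mb:
        reasons.append("bulk download far above baseline")
    if len(reasons) >= 2 or "bulk download far above baseline" in reasons:
        return "read_only", reasons         # restrain rather than deny softer anomalies
    return "allow", reasons

# Constructed sample: user normally works from London, 08:00-18:00, and pulls ~20 MB/day
BASELINE = Baseline({"GB"}, (8, 18), "203.0.113.7", datetime(2024, 3, 4, 9, 0), (51.5, -0.12), 20.0)
NORMAL = Request(datetime(2024, 3, 4, 10, 0), "GB", (51.5, -0.12), "203.0.113.7", True)
TRAVEL = Request(datetime(2024, 3, 4, 11, 0), "AU", (-33.87, 151.21), "198.51.100.9", True)  # Sydney 2 h later
EXFIL = Request(datetime(2024, 3, 4, 23, 0), "GB", (51.5, -0.12), "198.51.100.9", True, 500.0)  # night, new IP
```

Calling `evaluate(NORMAL, BASELINE)` allows the login, `evaluate(TRAVEL, BASELINE)` blocks it for impossible travel, and `evaluate(EXFIL, BASELINE)` drops the session to read-only because three soft signals stack up.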

06 - How To Implement Zero Trust

These guidelines are based on the sage words of John Kindervag himself, who warned that the attack surface is massive and always growing.

1. Define your Protect Surface(s): Start small by locking down applications which are not mission critical. Don’t start with the financial back-end system or ERP application running in the data center. Zero Trust is not binary. It can be implemented one protect surface at a time. By taking an iterative approach, Zero Trust does not have to be disruptive.

2. Map the Transaction Flows: Map flows and map users to applications, actions within those applications and associated data.

3. Architect the Environment: When architecting the Zero Trust environment, start from the inside out, not the outside in. Move controls closer to the user or device. Reduce services delivered from DMZs and segment users from the data center network. Log all user and application-layer activity.

4. Formulate the Zero Trust policy: Be sure to focus on context and conditional policies. Leverage existing technologies such as IDaaS (or Cloud IAM) and adaptive or context-aware MFA. Apply least privilege everywhere.

5. Monitor and maintain the environment: Log identity edge cases before changing business processes to fix or accommodate them as necessary.

Key benefits of ZTNA:

  • Greater visibility reduces risk
  • Improved control of cloud environments and SaaS applications
  • Reduced likelihood of breaches and lower impact in the event of one
  • Supports compliance audits through improved user activity monitoring and logging
  • Better business agility (adopting new processes, workflows and applications)
  • Reduced organizational friction (removing the sub-optimal VPN experience)

Censornet – Join Us on the Journey

Most large organizations are already adopting ZTNA. However, for companies with a few hundred to several thousand users, the challenge can seem difficult if not impossible.

It needn’t be.

Censornet’s solution already allows companies to handle access requests 24/7 or endlessly reconfigure their context-based rules to reap the many benefits of Zero Trust security enjoyed by large enterprise organizations.

At Censornet, we have a proven track record for delivering apparently complex, innovative technology in a simpler way that’s easy and affordable, with very rapid “time to value”.

We’re already capturing typical patterns of behavior relating to users, devices and other entities – such as mailboxes or specific cloud applications.

We already understand identity – fully integrating with AD or Azure AD, or both.

We already have the Autonomous Security Engine built to assess trust and risk continuously.

Soon, ZTNA will be the norm. We can make it easy for you to keep pace with acknowledged security standards and let you make the next logical step towards a safer future.
