Protect your data with zero-trust networks
Threats lurk everywhere. Most organizations, understandably, are focused on external attacks. But that may mean internal attack vectors exist that don’t get the attention they deserve.
After all, it only takes one successful phishing email for a bad actor to gain access and start causing mischief inside your company’s network. And let’s remember that there are also disgruntled, departing and former employees who retain access to organizational networks and may choose to engage in malicious or money-motivated actions.
A study by Beyond Identity discovered that 83% of former employees maintain access to one or more proprietary accounts after leaving a company.
Harmful actions committed by former employees included:
- 56% harmed their former employer in some way
- 25% took client information
- 24% took financial information
Then there is the potential security weakness accompanying the work-from-home movement and the complexity of modern supply chains and customer relationships. Who is to say a child, a spouse or a neighbor won’t be able to access the home Wi-Fi networks of employees? And who can guarantee that the access rights granted to customers and partners won’t be abused, mismanaged or misconfigured?
What is the answer to secure access?
It very well could be zero-trust network access (ZTNA). ZTNA encompasses technologies that enable secure access to internal applications. It involves using granular policy management to grant access — on a least-privileged basis — so that verified users can connect securely to private applications while protecting the network and avoiding exposing apps to the internet.
“Workloads, applications, services and storage continue to shift to the cloud, making it more difficult for IT organizations to secure and control information, which is increasing the risk of security threats,” said Michael Wood, CMO of Versa Networks.
“A solution to mitigating security exposures in this multi-cloud environment is to shift ingress protection to the firewall as a service and combine this with services such as ZTNA.”
A closer look at the ZTNA framework
Zero trust is all about securing IT infrastructure and data via a framework that can safeguard remote workers, hybrid cloud environments and IT in general. It works on the assumption that any network is always at risk of either internal or external attacks.
“The theme of 2022 is to secure your users and your infrastructure secrets with zero-trust network access,” said Darren Guccione, CEO and co-founder at Keeper Security.
Zero trust means an individual is not given trust just because they are on the network. Those users must prove who they are and are given only limited access to the systems needed to perform their specific tasks.
Beyond safeguarding and vetting individual human identities, the next frontier of ZTNA is verifying machine identities, such as the specific device and browser used to gain network access.
The four most impactful ways ZTNA is changing security now
1. More secure VPN alternatives
Traditional VPNs for remote users rely upon complex network-to-network approaches that are difficult to secure. The solution is to build a secure software-defined perimeter based on zero trust.
Network Address Translation (NAT), for instance, maps IP addresses from one range to another so that the network’s internal IP addresses are not exposed.
As DH2i co-founder and CEO Don Boxley explained, “You can use ZTNA tunnels to seamlessly connect all your applications, servers, IoT devices and users behind any symmetric Network Address Translation (NAT) to any full cone NAT without having to reconfigure networks or set up complicated VPNs.”
2. Improved identity and access management
Password management is broken in many organizations.
Users are rebelling more and more against all the rules, complexities and pains inherent in password management — and they are getting sloppier. According to research from Bitwarden:
- 84% of Americans reuse passwords across multiple sites
- 55% rely simply on memory to manage passwords
- 21% reset passwords either daily or multiple times a week
Improved identity and access management (IAM) also goes beyond people.
“Initiatives like zero trust also require machines to have strong identities that need to be managed,” said Chris Hickman, CSO of Keyfactor. “This continues to drive the adoption of certificates across the enterprise, and as with identity for people, machine identities also need consistent management to mitigate risks.”
3. Better data protection
ZTNA also has a positive impact on overall data protection. It helps prevent data exfiltration and better manages organizational IP and confidential information.
With the move away from on-premises computing to multi-cloud and hybrid-cloud environments — and away from monolithic applications to modern microservices — many more devices and applications are connecting to organizational networks than ever. This has necessitated a surge in IT infrastructure secrets, such as certificates, API keys and Remote Desktop Protocol (RDP) credentials. All must be protected.
“Securing human users with zero trust network access is critically important, but so is securing infrastructure secrets that unlock access to highly privileged systems and data — and enabling devices and apps to leverage cloud resources and execute sensitive business processes,” said Guccione.
For example, threat actors stole many code-signing certificates during a recent Nvidia breach. These certificates are now being used to sign and spread malware in the wild.
Zero-trust platforms include tools designed to lock down these assets from the same console used to manage IAM.
4. Enhanced multifactor authentication
In addition to securing network connectivity for their distributed workforces, organizations must ensure that third-party vendors and business partners can securely connect to needed network resources.
A zero-trust approach includes strong user and device authentication, role-based access control (RBAC) with least-privilege access and comprehensive password security, including strong passwords for every user account and multi-factor authentication (MFA), added Guccione.
Once you clearly understand data across your organization, the next step is to leverage this data to reduce attack surfaces as much as possible.
One way to do so is to implement identity-based zero-trust architecture and MFA. This approach requires all users, whether in or outside the organization’s network, to be authenticated, authorized and continuously validated for security configuration and posture before being granted or retaining access to applications and data.
This includes real-time prevention of identity-based attacks by leveraging conditional access policies.
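The two ideas the article keeps returning to (a user is not trusted just for being on the network, and access is granted per application, on a least-privilege basis, and re-validated against identity, MFA and device posture on every request) can be made concrete as a small policy decision point. The code below is an added example written for this page, not code from the article or from any vendor quoted in it. The application catalogue, role names, session-age limits and posture fields are all hypothetical; a real deployment would source them from an IdP, an endpoint agent and a policy store.

```python
"""Added example: a minimal zero-trust policy decision point.

Every request carries an identity assertion, MFA state and device posture.
Access is decided per application on a least-privilege basis and is
re-evaluated on every request, so being "on the corporate network" confers
nothing by itself.  All names and thresholds below are hypothetical.
"""
from dataclasses import dataclass, field
import time

# Hypothetical application catalogue: which roles may reach which private app,
# whether the app demands a managed and compliant device, and how old an
# authentication may be before the user must re-authenticate (seconds).
APP_POLICY = {
    "payroll": {"roles": {"finance"}, "managed_device": True, "max_session_age": 900},
    "wiki": {"roles": {"staff", "contractor"}, "managed_device": False, "max_session_age": 28800},
    "prod-db": {"roles": {"sre"}, "managed_device": True, "max_session_age": 600},
}


@dataclass
class AccessRequest:
    user: str
    account_active: bool     # False once HR offboards the person (catches retained access)
    roles: set
    app: str
    mfa_verified: bool
    auth_time: float         # epoch seconds of the last successful authentication
    device_managed: bool     # enrolled in device management
    device_compliant: bool   # posture reported by the endpoint agent (patched, encrypted, ...)
    source_network: str      # "corp" or "internet"; deliberately NOT a trust signal


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)


def evaluate(req: AccessRequest, now: float = None) -> Decision:
    """Return an allow/deny decision with every reason that contributed.

    The policy enforcement point is expected to call this for each request,
    which is what 'continuous validation' means in practice: a device that
    falls out of compliance mid-session is denied on its next request.
    """
    now = time.time() if now is None else now
    decision = Decision(allow=False)
    policy = APP_POLICY.get(req.app)

    if policy is None:
        decision.reasons.append(f"unknown app {req.app!r}: default deny")
        return decision
    if not req.account_active:
        decision.reasons.append("account disabled (offboarded user)")
        return decision
    if not req.mfa_verified:
        decision.reasons.append("MFA not verified")
    if now - req.auth_time > policy["max_session_age"]:
        decision.reasons.append("session too old: re-authenticate")
    if not (req.roles & policy["roles"]):
        decision.reasons.append(f"no role permits {req.app!r}")
    if policy["managed_device"] and not (req.device_managed and req.device_compliant):
        decision.reasons.append("app requires a managed, compliant device")

    decision.allow = not decision.reasons
    if decision.allow:
        decision.reasons.append(
            f"granted {req.user} -> {req.app} "
            f"(source network {req.source_network!r} was not consulted)"
        )
    return decision


if __name__ == "__main__":
    # Constructed sample requests: a finance user from home on a compliant
    # laptop, and an insider on the office LAN without MFA.
    now = 1_700_000_000.0
    remote_ok = AccessRequest("alice", True, {"finance"}, "payroll", True, now - 60, True, True, "internet")
    lan_no_mfa = AccessRequest("bob", True, {"finance"}, "payroll", False, now - 60, True, True, "corp")
    for req in (remote_ok, lan_no_mfa):
        print(req.user, evaluate(req, now))
```

Note that `source_network` is carried in the request only so the log line can show it was ignored; the office LAN earns no exemption from MFA or posture checks, which is the point of the article's "not given trust just because they are on the network". Conditional access policies such as the article's "continuously validated for security configuration and posture" map onto the `max_session_age` and device-compliance branches.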