The working model in business has shifted dramatically over the last few years — a trend accelerated by the pandemic. The shift to a work-from-home environment has proved that a remote or hybrid work setting is viable for many workforces, and that productivity can be maintained for workers who are not on-premises full-time. The working model emerging beyond 2022 is a hybrid one in which workers are stationed across multiple locations, including main offices, remote branches, homes and shared workspaces.
A shift such as this to a hybrid working model brings many changes, one of which is the expansion of the attack surface and threat landscape available to cybercriminals. In essence, having workers at multiple remote locations, often connecting from a different network address each day, introduces complications for those tasked with protecting an organization’s data and systems.
The traditional method of delivering secure access to central IT systems for remote staff has been a VPN (virtual private network) connection. This was fine when the number of connections needed was relatively low and easy to manage. But using VPN connections for a large remote staff, and for the dynamic hybrid workforce model, is now a significant management issue for IT teams.
A better approach to securing access for modern-day hybrid workforces is ZTNA, or Zero Trust Network Access. ZTNA delivers the cybersecurity, authentication and access authorizations needed on hybrid networks. In this blog, we will discuss what ZTNA is, how ZTNA secures access and simplifies network-security management, and reasons to adopt ZTNA for your hybrid workforce. Let’s dive in.
What is ZTNA?
Gartner gives the definition of ZTNA as “a product or service that creates an identity- and context-based, logical access boundary around an application or set of applications. The applications are hidden from discovery, and access is restricted via a trust broker to a set of named entities.”
ZTNA is a network design and implementation methodology that delivers on the concept of Zero Trust. That raises the question: what is Zero Trust?
When a network implements Zero Trust, every connection is considered potentially hostile, irrespective of where it originates. A request to access an application that comes from within the network perimeter — such as from a PC in the corporate HQ — is treated the same as one that originates on the internet via a dynamic IP address. Both requests need the same level of cybersecurity challenges and must provide the correct authentication responses before access is allowed.
No connection is assumed to be safe based on where it originates. This level of cybersecurity moves beyond the traditional model of securing the perimeter, and, as a result, ZTNA is sometimes described as creating a software-defined perimeter, or SDP.
ZTNA is widely considered the best approach to deliver the business continuity and access required for on-premises and cloud-based applications and services to hybrid workforces spread over remote network locations.
ZTNA provides robust cybersecurity without imposing an onerous user application experience on workers due to complicated and tedious authentication and authorization processes. This is especially true when compared to legacy VPN access security solutions.
Delivering Modern Hybrid Workforce Security with ZTNA
The goal of ZTNA is to deliver secure access to business applications and data hosted on-premises or in the cloud from client endpoints, irrespective of where the user happens to be at a particular time. Delivering this flexible access presents a technical and security challenge — one that is hard to deliver and manage using VPN, but one that ZTNA can easily enable.
How ZTNA secures access to business resources
The Zero Trust principles that make up the foundation of ZTNA solutions are the following precepts:
- Least-privileged access is used for everything on the network: users, devices, software systems and other processes. Nothing is given access beyond the minimum needed for the task at hand, and that authorization is limited to the current session. Future access is not carried over and must be requested again.
- Applications need to be micro-segmented so that each gets authenticated separately, and authorizations need to be application specific.
- Network micro-segmentation has to be in place with micro-tunnels used over the internet and on private networks to facilitate secure and separate connections to each application.
- The network needs to be dark, with applications and servers not advertising their services or presence. Any user or device that needs to access them should be configured to know of their existence in advance. Not advertising means that unauthorized users on the network can’t see what is available and can’t try to gain unauthorized access.
How ZTNA simplifies IT network-security management
ZTNA solutions work differently from edge-based security solutions such as VPN gateways and firewalls. The architecture of ZTNA provides access to applications using the following principles that implement the Zero-Trust philosophy:
- Application access provision gets abstracted from network access and authentication. The underlying network is invisible to users and devices. They get connections specific to applications. This means that any compromised connection cannot access any other applications or servers.
- The IP addresses of resources on ZTNA-based infrastructure are never advertised on the internet. This means that the applications are on a private darknet and are invisible to cybercriminals browsing for vulnerabilities.
- Application micro-segmentation means access is granted for each application separately. There is no cross-application authorization. Users must make separate connections if more than one application needs to be used. Note that this doesn’t stop application servers from communicating with each other; it simply means that such communication must make its own access requests and authenticate, just as users and devices do.
- Access granted to a resource is valid only for the duration of that connection. Once a session is disconnected, it cannot be used again. A new access request needs to be made and authenticated each time access is required.
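The Zero Trust precepts listed earlier and the four architectural principles above describe an access model rather than any particular product, so here is an added illustration of that model in code. It is not the post’s own code and not Progress Kemp LoadMaster code; it models a trust broker that grants access per identity and per application, scopes each grant to a single session that cannot be replayed after disconnect, keeps resource addresses on the broker side so clients never learn them, and lets a backend move without clients noticing. The `vpn_reachable` helper contrasts this with the network-wide access a VPN login grants, as the post describes later under “How ZTNA Differs from VPN”. All users, application names, addresses and the policy table are constructed samples.

```python
"""Toy ZTNA broker: identity- and application-scoped, session-bound access.

Added illustration for this post; not Progress Kemp LoadMaster code and not
any vendor's API. Every user, application and address below is constructed.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Session:
    user: str
    app: str
    token: str
    active: bool = True


class Broker:
    """Trust broker that mediates every connection to an application.

    The broker alone knows where each application lives; clients only ever
    name an application and never learn or need a network address.
    """

    def __init__(self, locations: Dict[str, str], policy: Dict[str, Set[str]]):
        self.locations = dict(locations)  # app name -> where it is hosted
        self.policy = {a: set(u) for a, u in policy.items()}  # app -> allowed users
        self._sessions: Dict[str, Session] = {}

    def request_access(self, user: str, app: str, authenticated: bool) -> Optional[Session]:
        """Challenge every request the same way, wherever it comes from."""
        if not authenticated:
            return None
        if user not in self.policy.get(app, set()):
            return None  # least privilege: not on this application's list
        token = secrets.token_hex(16)  # opaque, single-session credential
        session = Session(user, app, token)
        self._sessions[token] = session
        return session

    def connect(self, token: str, app: str) -> Optional[str]:
        """Resolve the tunnel endpoint for a live session, or refuse."""
        session = self._sessions.get(token)
        if session is None or not session.active:
            return None  # unknown, or already disconnected: must re-request
        if session.app != app:
            return None  # no cross-application authorization
        # The address is resolved here, on the broker side, per session.
        return self.locations[app]

    def disconnect(self, token: str) -> None:
        """A grant dies with its session and can never be replayed."""
        session = self._sessions.get(token)
        if session is not None:
            session.active = False

    def move_app(self, app: str, new_location: str) -> None:
        """Relocate a backend; existing and future clients notice nothing."""
        self.locations[app] = new_location


def vpn_reachable(broker: Broker, authenticated: bool) -> Set[str]:
    """Model of a traditional VPN: one successful login exposes every address."""
    return set(broker.locations.values()) if authenticated else set()


def ztna_reachable(broker: Broker, session: Session) -> Set[str]:
    """A ZTNA session yields at most its own application's tunnel."""
    addr = broker.connect(session.token, session.app)
    return {addr} if addr else set()


# Constructed inventory: an on-premises app, an internal app and a cloud app.
SAMPLE_LOCATIONS = {
    "crm": "10.20.1.15:443",
    "payroll": "payroll.internal.example:8443",
    "wiki": "wiki.cloud.example:443",
}
# Constructed per-application allow lists; there is no "whole network" entry.
SAMPLE_POLICY = {
    "crm": {"alice", "bob"},
    "payroll": {"alice"},
    "wiki": {"alice", "bob", "contractor"},
}


def demo() -> Dict[str, object]:
    """Walk through the principles from the post and return what happened."""
    broker = Broker(SAMPLE_LOCATIONS, SAMPLE_POLICY)
    session = broker.request_access("alice", "payroll", authenticated=True)
    first = broker.connect(session.token, "payroll")   # tunnel endpoint
    cross = broker.connect(session.token, "crm")       # refused: other app
    broker.disconnect(session.token)
    replay = broker.connect(session.token, "payroll")  # refused: session over
    again = broker.request_access("alice", "payroll", authenticated=True)
    broker.move_app("payroll", "payroll.cloud.example:8443")
    moved = broker.connect(again.token, "payroll")     # follows the backend
    return {
        "first": first, "cross_app": cross, "replay": replay, "after_move": moved,
        "vpn_blast_radius": vpn_reachable(broker, True),
        "ztna_blast_radius": ztna_reachable(broker, again),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the two properties that matter most in the comparison: a session token is good for exactly one application and becomes useless the moment it is disconnected, and a single VPN-style login exposes every address the broker knows about, while a single ZTNA session exposes one.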
How ZTNA Creates a Seamless Experience for End-Users
ZTNA solutions work the same irrespective of where users connect. The authentication and security challenges a user must provide are the same if they are at their PC in the main office, or on a mobile network connection at a local coffee shop.
Why ZTNA is Critical to Maintaining Business Continuity in the Modern Workforce
As stated above, connections via ZTNA are made to specific resources that are located on-premises or in the cloud. The routing to these resources occurs via ZTNA brokers. This means that end users do not — and indeed cannot — know where the applications they are using are hosted, so the organization can move the hosting location of an application server or service at any time without impacting them. When they next connect, the ZTNA broker will connect them to wherever the resource they need is currently hosted.
How ZTNA Differs from VPN
One frequently asked question is why use ZTNA when we already have a VPN infrastructure that works in our organization, and that is certainly a fair question to ask.
But the main reason is the depth of cybersecurity offered. Traditional VPNs deliver network-wide access. Once a user is authenticated via VPN, they have access to anything that their overall permissions grant. For all intents and purposes, they may as well be in the office connected to the corporate network.
With ZTNA, by contrast, users are connected only to a specific application via micro-segmented tunnels that require separate and recurring authentication. Additional layers of security can be added to VPN solutions to make them more secure, but if you are going to do that, looking to ZTNA instead makes more sense.
Additional ways in which VPNs compare poorly to ZTNA:
- Connection Latency — The latency on VPNs can degrade rapidly as the number of remote users connected via VPN grows. This can require additional VPN gateway hardware or virtual machines to handle the user load, which adds to the management overhead.
- Increased Attack Surface — Expanding VPN connections increases the surface area available to hackers. Cybercriminals can use a single set of compromised credentials to gain access to significant sections of the network — access that they can use to scan and further compromise in-place defenses.
Why To Adopt ZTNA In Your Workforce Environment
To restate one of the reasons given above: with a VPN, a single user’s compromised credentials can result in significant access to key parts of the network, whereas ZTNA limits the attack surface should there be a breach. But there are further reasons why organizations should adopt ZTNA. The list includes the following:
- More secure and flexible remote access — ZTNA delivers a modern and more secure alternative to VPN. Gartner predicts that by 2023, approximately 60% of enterprises will have switched from VPN to ZTNA to provide remote access to applications for users and clients.
- Seamless multi-cloud access — As multi-cloud and hybrid deployments across cloud and on-premises infrastructure become the norm, ZTNA abstracts application and service location from end users. This means organizations can optimize backend delivery for cost and other factors without disrupting users with changes to their endpoint devices. The ZTNA broker services that sit between resources and users take care of the connections.
- Reduce third-party access risk — Most organizations need to give suppliers and business partners access for specific tasks. Using ZTNA to provide only the access required for each third-party task significantly reduces the risks associated with the access given.
- Business flexibility — Using ZTNA provides business flexibility and the ability to move backend services and provide secure access to third parties. But another common process in business is mergers and acquisitions. Should your organization buy another company, or if another company buys yours, it’s vital to link the IT systems quickly and securely — and with ZTNA, this is achievable. ZTNA enables this by allowing the two merging parties to treat each other as third parties and provide secure access to the systems needed without exposing different parts of the internal networks.
- Remote access security — Device and user access can be checked to enhance security with ZTNA. For example, if a connection from a user who tends to connect from specific locations tries to make a connection from a network never seen before, they can be blocked and isolated until the new activity is verified. Also, new technologies like IoT devices can be segmented to only allow access to and from required networks, making them more secure and less vulnerable to hijacking for DDoS attacks or similar.
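As an added illustration of the context checks described in the last item above (not the post’s own code and not any vendor’s API), the following models the decision a broker can make before opening a tunnel: it compares the connection attempt against the networks a user has connected from before, checks device posture, and returns allow, hold-for-verification or deny; a small per-device-class segmentation table shows how an IoT device can be confined to the networks it actually needs. The user baselines, device records, IP ranges and the /24 confirmation prefix are constructed assumptions.

```python
"""Context checks a ZTNA broker can apply before it opens a tunnel.

Added illustration for this post; not Progress Kemp LoadMaster code and not
any vendor's API. Baselines, devices and addresses are constructed samples.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Constructed baseline: networks each user has previously connected from
# (documentation ranges standing in for an office and a home ISP range).
KNOWN_NETWORKS: Dict[str, List[str]] = {
    "alice": ["203.0.113.0/24", "198.51.100.0/24"],
    "bob": ["203.0.113.0/24"],
}

# Constructed device inventory with a few posture attributes.
DEVICE_POSTURE: Dict[str, Dict[str, bool]] = {
    "laptop-alice-01": {"managed": True, "disk_encrypted": True, "patched": True},
    "laptop-bob-01": {"managed": True, "disk_encrypted": True, "patched": False},
    "byod-phone-77": {"managed": False, "disk_encrypted": True, "patched": True},
}

# Constructed IoT segmentation: destination networks each device class may reach.
IOT_SEGMENTS: Dict[str, List[str]] = {
    "camera": ["10.50.0.0/24"],  # only the video-management subnet
    "badge-reader": ["10.60.0.0/24"],
}


@dataclass(frozen=True)
class Attempt:
    user: str
    device_id: str
    source_ip: str
    mfa_passed: bool


def _in_any(ip: str, networks: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def source_is_known(user: str, source_ip: str) -> bool:
    """True if the source address falls in a network this user has used before."""
    return _in_any(source_ip, KNOWN_NETWORKS.get(user, []))


def device_is_healthy(device_id: str) -> bool:
    """Unknown devices fail closed; known ones must meet every posture attribute."""
    posture = DEVICE_POSTURE.get(device_id)
    return bool(posture) and all(posture.values())


def evaluate(attempt: Attempt) -> str:
    """Return 'allow', 'verify' (hold until the new activity is confirmed) or 'deny'."""
    if not attempt.mfa_passed:
        return "deny"
    if not device_is_healthy(attempt.device_id):
        return "deny"  # an unmanaged or unpatched device gets no tunnel at all
    if not source_is_known(attempt.user, attempt.source_ip):
        return "verify"  # never-seen network: isolate until verified out of band
    return "allow"


def confirm_network(user: str, source_ip: str, prefix_len: int = 24) -> str:
    """After verification, add the source's network to the user's baseline."""
    net = ipaddress.ip_network(f"{source_ip}/{prefix_len}", strict=False)
    KNOWN_NETWORKS.setdefault(user, []).append(str(net))
    return str(net)


def iot_flow_allowed(device_class: str, dst_ip: str) -> bool:
    """Segmented IoT devices may only talk to their assigned networks."""
    return _in_any(dst_ip, IOT_SEGMENTS.get(device_class, []))


if __name__ == "__main__":
    for a in [
        Attempt("alice", "laptop-alice-01", "203.0.113.7", True),  # allow
        Attempt("alice", "laptop-alice-01", "192.0.2.40", True),   # verify
        Attempt("bob", "laptop-bob-01", "203.0.113.7", True),      # deny: unpatched
    ]:
        print(a.user, a.source_ip, "->", evaluate(a))
    print("camera -> internet:", iot_flow_allowed("camera", "192.0.2.10"))
```

The ordering of the checks is deliberate: a failed authentication or an unhealthy device is refused outright, while a healthy, authenticated user on a never-seen network is held for verification rather than denied, since that is the case the post describes as "blocked and isolated until the new activity is verified". Once `confirm_network` records the new range, the same user is allowed from it on the next attempt.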
ZTNA — A Practical Solution For the Modern Hybrid Workforce
ZTNA, or Zero Trust Network Access, provides a modern and secure way to control access for users operating in the hybrid working landscape. ZTNA enables seamless access to applications in the new multi-cloud world for end users, while simultaneously delivering the security IT teams need, alongside the flexibility to change backend services as required.
Progress Kemp LoadMaster load balancers provide integral services when delivering ZTNA in your organization. You can learn more about Zero Trust Network Access and integrations using the LoadMaster by speaking to one of our product solutions experts. Click the contact us button here to be connected to one of our technical product specialists.