This blog is part of “ZTNA Partners,” a series where we take a closer look at how our partnerships protect today's hybrid workforces and environments with ZTNA 2.0.
Before the pandemic caused massive shifts to remote and hybrid work, virtual private networks (VPNs) provided adequate security for the handful of remote workers, such as the road warrior sales representatives or executives. Now that more workers than ever are working remotely, and digital transformation has linked more people to more data through cloud-connected systems and networks, it is time to rethink how to securely connect those workers to both the company network and the applications they need to conduct business.
Cybersecurity risk grows sharply when an organization moves dozens, hundreds or even thousands of employees to a hybrid or fully remote work structure. Simple VPNs are no longer sufficient in this environment: they funnel traffic through a limited number of entry points, causing slowdowns and limiting scalability to the point that users may avoid them altogether, and once a user is connected they grant access to the entire network rather than to the applications that user actually needs.
Another weakness of VPNs is that they are not designed to restrict access once someone has connected to the corporate network. According to Verizon’s 2022 Data Breach Investigations Report, 80% of basic web application attacks can be attributed to stolen credentials, and the report also notes an almost 30% increase in the use of stolen credentials since 2017. A successful login therefore proves only that someone holds the credential, not that the person behind it is the legitimate user, and it is foolhardy to assume that a user attached to the network is safe.
These new and growing risks signal a need for a paradigm shift in network security: Zero Trust. Zero Trust Network Access (ZTNA) 2.0 combines fine-grained, least-privileged access with continuous trust verification and deep, ongoing security inspection, protecting all users, devices, apps and data everywhere from one simple, unified product.
The Zero Trust framework is a cybersecurity model that treats every person or device accessing a network as a potential threat until it has been verified. It combines modern networking and authentication controls with thorough security policy and governance, applying strict separation and control to every aspect of users’ access to both company networks and applications in order to minimize the attack surface.
Unlike a VPN or other traditional authentication measures, Zero Trust does not grant access to applications simply because a user or device has connected to the network. Instead, users can only reach the applications they need to perform their jobs, a concept known as “least privilege.” This is accomplished by segmenting access so that devices, applications and systems are reachable only from the specific parts of the network, and by the specific identities, that require them.
The ultimate goal of a ZTNA solution is to enforce least privilege so that any successful attack is contained. Least privilege is a principle the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has advocated for many years: every time someone gains access to an application that is not relevant to their job, the damage a compromised account can do grows. Least privilege applies equally at the network layer, for example by closing every network port on a particular system, such as a web server, except the ones its role requires.
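As an added illustration of the network-layer side of least privilege (this is example configuration written for this post, not a Verizon or Palo Alto Networks artifact), the following nftables ruleset for a Linux web server makes the default decision “drop” and then opens only what the server’s job needs. The management network 10.20.0.0/24 is an assumed placeholder. The weak setting it replaces is the common default of `policy accept` on the input chain, which leaves every listening service on the host reachable.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the original post: default-deny inbound policy for a
# web server. The management address range is an assumed placeholder.
flush ruleset

table inet filter {
    chain input {
        # Default deny: anything not explicitly allowed below is dropped.
        type filter hook input priority 0; policy drop;

        # Keep replies to connections the host itself opened; drop junk.
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # Only the ports the server's role requires.
        tcp dport { 80, 443 } accept

        # Administration only from the (assumed) management network.
        ip saddr 10.20.0.0/24 tcp dport 22 accept

        # Minimal ICMP so path MTU discovery and diagnostics keep working.
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, nd-neighbor-solicit, nd-neighbor-advert } accept
    }

    chain forward {
        # This host is not a router; never forward traffic.
        type filter hook forward priority 0; policy drop;
    }
}
```

Load it with `nft -f web-server.nft` and confirm with `nft list ruleset`. Note that the database or cache port the web server talks to is deliberately absent from `input`: those connections originate on the web server and are covered by `established,related`, so nothing else on the network can reach them through this host.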
Verizon has also implemented certain safeguards to support its ZTNA approach, including role-based access control (RBAC) to ensure users access only the applications they need to do their jobs, and a requirement that workers connect to the Verizon private network only from company-issued devices.
Approaches prior to ZTNA 2.0 have not addressed several common risks that are amplified in modern, digital IT infrastructure: weak passwords, unsecured home Wi-Fi networks, personal devices used for work, the sharing of unencrypted files, unintentional clicks on phishing links and downloads of unauthorized applications, to name just a few.
They also grant far too much access to users, especially for apps that use dynamic ports or IP addresses, because a network rule broad enough to cover every port and address such an app might use covers a great deal else as well. And they follow an “allow and ignore” model: once users verify their login credentials they are trusted for the life of the session, on the assumption that the user and application will keep acting in good faith. In today’s cloud-based digital environment, an organization’s cybersecurity approach instead needs to account for SaaS apps and offer greater visibility and control over network data.
ZTNA 2.0 addresses these gaps on several fronts. For one, it ensures least privilege access, which organizations achieve by first identifying the applications in use and mapping that use to specific roles. With ZTNA 2.0, the system dynamically identifies the application, and the specific function within the app, across all protocols and ports using App-ID, regardless of which IPs and ports the app happens to be using. For IT and security administrators, this removes the need to express policy in network constructs and enables the fine-grained access control needed for true least privilege.
Traditionally, application access control and network security inspection have been separate functions, adding unnecessary complexity and leaving gaps between them. With ZTNA 2.0, both are combined. Verification does not end once a user has been granted access to an app; in a ZTNA 2.0 configuration it is continuous, with ongoing assessment of user and app behavior and inspection of all traffic crossing the network. If suspicious behavior is detected, access can be revoked in real time. This is the next generation of Zero Trust.
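To make the difference between “allow and ignore” and continuous, per-application verification concrete, here is a small policy engine written as an added example for this post. It is not Palo Alto Networks’ or Verizon’s implementation; the roles, applications, users and signal names are constructed. It evaluates every request against the current identity, role entitlement and device posture, so an entitlement a role never had is refused and a session whose device falls out of compliance loses access mid-session, whereas the legacy model keeps the whole network open once the credential check has passed.

```python
from __future__ import annotations
from dataclasses import dataclass, replace

# Constructed example data: the applications each role needs to do its job.
ROLE_APPS = {
    "sales": {"crm", "email"},
    "finance": {"erp", "email"},
}


@dataclass(frozen=True)
class Context:
    """Signals available on every request, not only at login."""
    user: str
    role: str
    credential_valid: bool
    device_managed: bool      # company-issued device
    device_compliant: bool    # e.g. disk encrypted, EDR running, patched
    risk_score: int           # 0 (clean) .. 100, fed by behaviour analytics


def evaluate(ctx: Context, app: str) -> tuple[bool, str]:
    """Least-privilege decision for one (user, device, app) request."""
    if not ctx.credential_valid:
        return False, "authentication failed"
    if not ctx.device_managed:
        return False, "unmanaged device"
    if not ctx.device_compliant:
        return False, "device out of compliance"
    if ctx.risk_score >= 70:
        return False, f"risk score {ctx.risk_score} above threshold"
    if app not in ROLE_APPS.get(ctx.role, set()):
        return False, f"role {ctx.role!r} has no entitlement to {app!r}"
    return True, "allowed"


class LegacyVpnSession:
    """'Allow and ignore': one credential check at connect time, after which
    every application on the network is reachable until the tunnel drops."""

    def __init__(self, ctx: Context) -> None:
        self.connected = ctx.credential_valid

    def access(self, ctx: Context, app: str) -> bool:
        return self.connected          # ctx and app are never looked at again


class ZtnaSession:
    """Per-application access, re-evaluated against current signals on every request."""

    def access(self, ctx: Context, app: str) -> bool:
        allowed, _reason = evaluate(ctx, app)
        return allowed


def demo() -> dict[str, bool]:
    ok = Context("alice", "sales", True, True, True, risk_score=10)
    # Same session later: the device falls out of compliance and analytics raise the risk score.
    degraded = replace(ok, device_compliant=False, risk_score=85)
    legacy, ztna = LegacyVpnSession(ok), ZtnaSession()
    return {
        "legacy_crm_before": legacy.access(ok, "crm"),        # True
        "legacy_erp_before": legacy.access(ok, "erp"),        # True: whole network reachable
        "legacy_erp_after": legacy.access(degraded, "erp"),   # True: nothing is re-checked
        "ztna_crm_before": ztna.access(ok, "crm"),            # True: sales is entitled to crm
        "ztna_erp_before": ztna.access(ok, "erp"),            # False: not a sales application
        "ztna_crm_after": ztna.access(degraded, "crm"),       # False: revoked mid-session
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```

The design point is that `ZtnaSession` holds no state at all: trust is never cached, so a change in any signal takes effect on the very next request. A real deployment would feed the `Context` fields from the identity provider, endpoint management and traffic inspection rather than constructing them by hand.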
Training is also an essential part of any ZTNA 2.0 implementation. Organizations must educate their staff on recognizing threats, such as phishing scams. Automated safeguards that flag external emails or prevent users from clicking suspicious links are also valuable protections as criminals become more sophisticated in their attempts to trick users to allow them access to networks and valuable information.
When it comes to IT security, the safest course is to always assume the worst. That’s how Verizon approaches cybersecurity. As a network provider, Verizon's security teams know that they cannot control who is accessing customers' equipment and how they use their devices. One of the most significant weaknesses in cybersecurity, especially in distributed workforces, is physical access to hardware. That’s why it’s important to protect all networks, all data and all apps using ZTNA 2.0 safeguards and implementing an approach of “least privilege” in all aspects of a company’s cybersecurity strategy.
Verizon and Palo Alto Networks deliver ZTNA 2.0 as a single solution for companies, wherever their employees are located, combining encrypted application access, authentication, policy management and threat detection. It provides the visibility organizations need to monitor network devices and endpoints, respond to security breaches promptly, and automate incident response using machine learning technology.
To learn more about the latest developments in cybersecurity and ZTNA 2.0, watch SASE Converge 2022 on-demand. It is the industry’s first conference on SASE where you will hear from the brightest minds as they define the future of SD-WAN, Zero Trust Network Access and SASE.