Adopting Zero Trust Network Access (ZTNA) in a hybrid working world
In today’s hybrid-working world, many employees often work remotely from the branch – at home, hotels, conferences, coffee shops and the like. This effectively moves the network perimeter from the traditional branch and office boundary right into the heart of the endpoint laptop device itself, increasing the possible attack surface for organisational network WANs. Zero Trust is one approach that can help to overcome some of the cybersecurity challenges that hybrid working can create.
Key considerations to successfully implement Zero Trust Network Access (ZTNA)
Not trusting anything is the goal
Zero Trust is a cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated. It assumes that no one and nothing on a network can be trusted until it’s proven not to be a threat to organisational security. This means that all users, whether in or outside the organisation’s WAN, must be authenticated, authorised and continuously monitored.
One of the main benefits of Zero Trust is its ability to improve risk management. By assuming that all users and devices are potential threats, Zero Trust forces organisations to take a more proactive approach to security. This includes:
- Implementing strong authentication mechanisms
- Monitoring user behaviour for signs of suspicious activity
- Segmenting networks to limit the impact of any potential breaches.
Moving beyond the tuple
Where traditional firewall and security approaches focused largely on the “tuple” – source IP address, destination IP address and TCP/UDP destination port – Zero Trust Network Access (ZTNA) architectures move beyond these three dimensions and allow for additional dimensions of trust verification, such as:
- Time of Day, e.g. John in HR works 9-5, so if he’s logging into a system at 9 p.m., is something suspect?
- Access Location, e.g. Sandra on the reception desk is normally desk-based at front of house. If she suddenly logs in from the third-floor payroll desks, is something amiss?
- Host Posture, e.g. Paul may be logged in with the correct username and password, but if his antivirus isn’t up to date and his laptop last logged into the domain four months ago, do you really want him on the network?
Other dimensions are available depending on organisational need, but you can quickly see how the dynamic of implicit trust moves instead to explicit verification – moving the notion of trust further down the network stack towards the Network Edge rather than notionally dealing with arbitrary concepts such as trusted networks, trusted VLANs or trusted segments.
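As an added illustration (not CACI’s code or any product’s policy engine), the following shows how those extra dimensions can sit on top of the classic entitlement check: every dimension is evaluated and every failing check is reported, so a denial for John, Sandra or Paul explains itself. Users, zones, working hours and posture thresholds are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Endpoint:
    av_signatures_age_days: int   # days since the AV definitions were updated
    last_domain_logon: datetime   # when the device last authenticated to the domain

@dataclass
class AccessRequest:
    user: str
    src_zone: str       # where the device is connecting from
    dst_app: str        # the application being requested
    when: datetime
    endpoint: Endpoint

# Constructed per-user expectations: working hours, usual zones, entitled apps.
POLICY = {
    "john":   {"hours": (9, 17), "zones": {"hr-floor", "remote"},  "apps": {"hr-portal"}},
    "sandra": {"hours": (8, 18), "zones": {"reception"},           "apps": {"visitor-log"}},
    "paul":   {"hours": (0, 24), "zones": {"remote", "eng-floor"}, "apps": {"git"}},
}
MAX_AV_AGE_DAYS = 7                 # constructed posture thresholds
MAX_LOGON_AGE = timedelta(days=30)

def evaluate(req: AccessRequest) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Every dimension is checked so that a denial
    reports all failing checks rather than just the first one."""
    rule = POLICY.get(req.user)
    if rule is None:
        return False, ["unknown user"]
    reasons = []
    # Entitlement: the equivalent of the old tuple's "is this flow permitted?"
    if req.dst_app not in rule["apps"]:
        reasons.append(f"{req.user} not entitled to {req.dst_app}")
    # Time of day: John in HR logging in at 9 p.m.
    start, end = rule["hours"]
    if not start <= req.when.hour < end:
        reasons.append(f"outside working hours ({req.when:%H:%M})")
    # Access location: Sandra appearing at the payroll desks
    if req.src_zone not in rule["zones"]:
        reasons.append(f"unexpected location {req.src_zone}")
    # Host posture: Paul's stale antivirus and long-absent laptop
    ep = req.endpoint
    if ep.av_signatures_age_days > MAX_AV_AGE_DAYS:
        reasons.append(f"antivirus signatures {ep.av_signatures_age_days} days old")
    if req.when - ep.last_domain_logon > MAX_LOGON_AGE:
        reasons.append("device has not authenticated to the domain recently")
    return not reasons, reasons
```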
When Split Tunnel becomes No Tunnel
Zero Trust requires consideration of encryption of data, securing email, verifying the hygiene of assets and endpoints before they connect to applications. It also involves automating patches to ensure good network hygiene while preventing potential malicious actions. A successful implementation of Zero Trust can help bring context and insight into a rapidly evolving attack surface to the security team while improving users’ experience.
This moves beyond the “Split Tunnel” approach that an SD-WAN might take – where, for instance, Office365 traffic bypasses (or “splits” from) the IPsec or SSL VPN tunnel back to the corporate WAN and uses the native internet connection instead – towards a “No Tunnel” approach.
In traditional Split Tunnel, the notion runs:
- The default route (0.0.0.0/0) – or the implicit – is sent via the VPN tunnel back to the corporate WAN
- The “Split” (e.g. Office365 FQDNs and IP ranges) – or the explicit – is excluded from the VPN tunnel and sent direct to the internet
In Zero Trust remote access, this paradigm changes to a notion of:
- The default route (0.0.0.0/0) – or the implicit – is not sent via the VPN tunnel back to the corporate WAN
- Every corporate application – or the explicit – is sent on a case-by-case basis down the VPN tunnel towards the corporate WAN
Adding to this, such VPN tunnels are often short-lived and instantiated per application request, rather than running as a single, long-lived IPsec or SSL VPN tunnel session.
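The two routing models above, as an added toy illustration (not code from CACI or from any SD-WAN or ZTNA product): the split-tunnel function keeps the implicit default on the VPN with explicit bypass prefixes, while the Zero Trust client sends everything direct unless a short-lived per-application tunnel has been requested for that destination and has not yet expired. Prefixes, application names and the tunnel lifetime are constructed values.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Split tunnel: implicit default (0.0.0.0/0) -> VPN; explicit bypass prefixes -> direct.
# The prefixes stand in for the SaaS (e.g. Office365) ranges that would be split out.
SPLIT_BYPASS = [ip_network("52.96.0.0/12"), ip_network("40.96.0.0/13")]

def split_tunnel_route(dst: str) -> str:
    addr = ip_address(dst)
    return "direct" if any(addr in net for net in SPLIT_BYPASS) else "vpn"

# Zero Trust: implicit default -> direct; only explicit, authorised apps get a tunnel.
ZT_APPS = {"hr-portal": ip_network("10.10.0.0/24"), "git": ip_network("10.20.5.0/24")}
TUNNEL_LIFETIME = timedelta(minutes=10)   # constructed per-app tunnel lifetime

class ZeroTrustClient:
    def __init__(self):
        self.tunnels = {}   # app name -> expiry time of its per-application tunnel

    def request_app(self, app: str, now: datetime) -> bool:
        """Instantiate (or refresh) a tunnel for one named application.
        Anything not in the explicit application list is refused outright."""
        if app not in ZT_APPS:
            return False
        self.tunnels[app] = now + TUNNEL_LIFETIME
        return True

    def route(self, dst: str, now: datetime) -> str:
        """Traffic to an app with a live tunnel uses that tunnel; everything
        else, including corporate prefixes with no tunnel, goes direct."""
        addr = ip_address(dst)
        for app, expiry in list(self.tunnels.items()):
            if expiry <= now:
                del self.tunnels[app]      # the tunnel was temporary: tear it down
            elif addr in ZT_APPS[app]:
                return f"tunnel:{app}"
        return "direct"                    # no catch-all route to the corporate WAN
```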
How an organisation can drive the adoption journey
An organisation’s Zero Trust journey begins with understanding what Zero Trust offers. Conceptually, Zero Trust works by removing implied trust from any device or user attempting to access resources on a network. Instead of trusting devices based on their location or IP address range, as in traditional perimeter-based security models, Zero Trust verifies each request as though it originates from an untrusted network. This verification process includes authentication checks such as multi-factor authentication (MFA), authorisation checks such as role-based access control (RBAC), and endpoint health checks such as patch-level compliance monitoring or antivirus signature status monitoring.
How CACI can support your Zero Trust Network Access adoption
Just as no two organisations look the same, neither do any two Zero Trust Network Access architectures or approaches. The entire point of Zero Trust is to wrap your specific business context and nuances into your technology estate. At CACI Network Services, we have deep heritage and expertise with organisations and networks all the way from SME up to enterprise and public sector. We are well placed to help you get to grips with ZTNA and associated microsegmentation cybersecurity technologies.
Get in touch with us today and let us help you on your Zero Trust journey.