Zero Trust Network Access Eliminates Wide Network Access Perimeters 

Axiomatics   ·   Wednesday, April 1st, 2020

Network access security is quickly evolving as the amount of data produced by an organization increases. Combine this with the rapid increase of remote working around the world and employees needing that secure data quickly to stay productive. Traditionally, network security was about protecting the perimeter with a virtual private network (VPN). Today, network security is about protecting individual resources.

A VPN protects the edge of a system by relying on cryptographic credentials to authenticate a user attempting to access the VPN and granting them access to system files and data. With a VPN, remote users connect as part of the internal network. If a perpetrator gains access to a VPN server, they have access to businesses critical internal resources.

With so much information stored on-premise, and in the cloud, a single point of protection is no longer adequate. Instead, organizations require technologies that protect small groups of information resources. 

Expanding Beyond Single-Point Network Security 

With cloud data located outside an enterprise-owned network boundary, and an increase in remote users, organizations are departing from wide network access perimeters. Instead, companies are shifting toward more narrow defenses that protect individual or small groups of data resources, like zero-trust network access (ZTNA).

ZTNA is a software-defined perimeter that governs strict identity verification for every person and device attempting to access information on a private network by implementing controls over individual users inside the network. Governing ZTNA are three principles: least privilege access, multi-factor authentication and micro-segmentation. 

A zero trust approach assumes that everyone inside and outside the network is a threat (e.g., trust no one), and requires verification at each access point. With ZTNA, enterprises establish more precise techniques for permitting access, rather than relying on a static technology like a VPN.

As ZTNA continues to evolve, organizations must plan for how ZTNA impacts user experiences to minimize access disruptions. It not only takes time to change security processes and habits but the automatic denial of access to critical information will require user training. 

However, once privileges are implemented and accepted, businesses can quickly take advantage of zero trust principles. 

Benefiting from Zero-Trust Network Access

ZTNA enables precise data access anywhere, anytime, from any device over the internet by utilizing context-aware, adaptable authentication. ZTNA technologies rely on far more factors to validate an incoming user than a typical VPN. 

A ZTNA system will validate the user, device, location and other factors before allowing access to precise business resources or data. On the other hand, a VPN allows access to all enterprise  data assets. With zero trust principles, an intruder can no longer penetrate the internal network to gain excessive access to the enterprise’s critical internal resources.

ZTNA systems also go hand in hand with other context-based technologies like dynamic authorization delivered with Attribute Based Access Control (ABAC). 

Combining Context-Aware Technologies

In support of ZTNA protocols, ABAC systems follow the principle of least privilege by leveraging additional context attributes like risk score, device information, location and more to make sure only authorized users have access to precise sets of information. The approach uses data and user characteristics to build powerful, fine-grained policies to ensure the right access control is administered dynamically at run time. This authorization model complies with both discretionary access control (defined by the subject) and mandatory access control (defined by the data controller).

Policies are built on any number of unique attributes to achieve micro-segmentation, allowing security policies to be assigned at the workload level, all the way up to data center applications. Policies are a direct reflection of business requirements and outline which users are allowed access to what resources. Companies can model simple and complex data access policies that eliminate the “all or nothing” approach of VPNs. Policies are managed independently and administered consistently across both on-premise and cloud-based resources. 

When handling sensitive and regulated data across sprawling data storage on-premise and in the cloud, it is crucial to go beyond a single point of protection. 

Together, ZTNA and ABAC technologies solve complex access control scenarios to ensure only authorized users have access to the right information under the appropriate circumstances.