ZTNA Hype or Not?

One thing that has been going around the Cyber world a lot in the last couple of years is the ZTNA hype. Every large security company is implementing their flavor of the ZTNA framework. Is it worth it? Or is this all just hype? Let’s talk about it!

What is ZTNA?

ZTNA, or Zero Trust Network Access, is a framework for how we secure our network. In legacy VPN systems, if you were on the network you were considered good to go. As long as you logged into the VPN and connected, you had the access you needed and that was it, sometimes until you decided to disconnect the VPN, because some VPNs did not have an automatic disconnect.

This is less than ideal, especially if you don’t have an automatic disconnect. What happens if someone else gets on that machine while it is still connected to the network? They just have access to everything? This is the legacy concept of “Trust but verify”: we verify a little bit about who you are before we let you on the network, but once you are on the network you are trusted.

What emerged was a way to protect each part of our network at the moment you want to access it. This is where ZTNA comes into play: Zero Trust. We don’t trust you at all!

How ZTNA Works

Instead of “Trust but verify,” it’s a simple “never trust.” We want to verify you at every moment we can. Are you going to a file server? Verify you are you and that you have permission to access that file server. Are you going to that network device? VERIFY!

The goal is to take every network flow and ensure that the person is authorized to access it. Verify every step of the way.

ZTNA enables administrators to configure policies based on the person asking for access and the system they are trying to access. It is a very granular way to determine how users can move through the network. In legacy systems, especially in the days before layer 7 firewalls, we basically had to configure the VPN IP address pool as allowed to everything that any user might need anywhere, because a lot of the time it is hard to hand out static IPs to everyone. We just had to open up the network to these users because we didn’t want to block someone from doing something they needed to do… ZTNA breaks us away from that.

Benefits of ZTNA

By verifying the user and where they are going, we can stop users from getting places where they don’t need to go. If some bad actor is able to steal credentials from someone, that doesn’t mean that they can just do a ping sweep on the entire network because they would only be allowed to access the systems that those credentials have access to. This minimizes the attack surface and minimizes the lateral movement that could happen with compromised credentials.

There are also some ZTNA solutions that can detect user anomalies. This means that if a user always works from 7 am to 3 pm, and then all of a sudden that user is seen logging in and accessing systems at 3 am, that is a red flag that can be alerted on and possibly stopped right away. The anomaly detection learns each user’s behavior, which can help stop attacks before they get very far.
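To make the “verify every flow” model and the behavior-based red flag above concrete, here is a small policy evaluator added as an example (it is not code from any ZTNA product or from the original post). The policy table, group memberships and working-hours baseline are constructed stand-ins for what a real solution would pull from SSO and from observed logins.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed policy: which user groups may reach which resources.
# Anything not listed is denied; that is the "never trust" default.
POLICY = {
    "file-server": {"finance", "netops"},
    "core-switch": {"netops"},
}
# Constructed identity data, standing in for group claims from an SSO provider.
GROUPS = {"alice": {"finance"}, "bob": {"netops"}}
# Constructed behavior baseline: hours (24h clock) each user has been seen working.
BASELINE = {"alice": range(7, 16), "bob": range(6, 18)}


@dataclass
class Decision:
    allowed: bool
    anomalous: bool
    reason: str


def evaluate(user: str, resource: str, when: datetime) -> Decision:
    """Decide one flow: identity and destination are checked on every request,
    not once at VPN login."""
    groups = GROUPS.get(user, set())
    permitted = POLICY.get(resource, set())
    if not groups & permitted:
        return Decision(False, False, f"{user} has no policy for {resource}")
    # Allowed by policy; still flag access outside the learned working hours.
    anomalous = when.hour not in BASELINE.get(user, range(0))
    reason = "allowed" + (", outside learned hours" if anomalous else "")
    return Decision(True, anomalous, reason)


def reachable(user: str) -> list[str]:
    """Everything a stolen credential for `user` could reach: the lateral
    movement scope is bounded by policy rather than by the whole VPN subnet."""
    groups = GROUPS.get(user, set())
    return sorted(r for r, allowed in POLICY.items() if groups & allowed)


if __name__ == "__main__":
    print(evaluate("alice", "file-server", datetime(2024, 1, 1, 9)))
    print(evaluate("alice", "core-switch", datetime(2024, 1, 1, 9)))
    print(evaluate("alice", "file-server", datetime(2024, 1, 1, 3)))
    print("alice can reach:", reachable("alice"))
```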

A lot of the ZTNA solutions are also SaaS solutions, so all traffic goes out to the vendor’s cloud, and from there tunnels carry that traffic back to the on-prem systems. This also relieves some network strain for the users, because they can connect to the cloud point of presence nearest to them instead of possibly connecting across the entire country.

Conclusion

Do I think that ZTNA is going to fully replace VPNs? Not totally, at least not yet. There are some advantages to using a VPN that ZTNA hasn’t exactly covered yet. One example is whitelisting IP addresses for certain applications. While you could probably purchase specific IPs from the vendor, VPNs give you that by default: you own that IP at your office, and there isn’t a huge concern about that IP changing.

But there are a lot of benefits from using a ZTNA framework solution. Providing the best user experience for all on-prem and external apps is a huge plus. Most solutions can also monitor links, so we admins can show the users, “hey, your internet is sucking right now,” and not have to waste our time trying to prove it isn’t us. That info is right there.

From a security perspective, ZTNA has it pretty well worked out. It is a good solution to use. It is a lot of work to get all of the policies configured for user groups, but once you have it set, there are very few tweaks that you need to make. Pairing it with a great SSO solution like Okta, which can perform additional security functions for users and user groups and pass that context on to the ZTNA solution, makes us even more secure.

ZTNA isn’t all hype, it is a solution that can help secure our systems and workers.

Stay Curious. Stay Strong

Joe
