In the smart-everything era—when billions of devices, from cars to medical implants to factory motors, connect to a network—the perimeter security model is no longer secure. Zero Trust Network Access (ZTNA) is a radical shift in how we think about enterprise network security.
It starts by calling into question our most basic assumption: that trusting anyone inside the network is a good idea. Perhaps in the past this approach was sound. But the sheer volume of recent cyber attacks demonstrates that something is deeply wrong with the assumptions of traditional enterprise network security architecture.
Ultimately, the principle of ZTNA comes down to “trust nothing, verify everything.”
ZTNA has gained tremendous popularity with the onset and widespread use of cloud services, particularly as organisations and users have shifted to more remote work or hybrid office models. It addresses security concerns that arise when traditional or perimeter-based models are applied in the cloud.
Zero Trust is a game-changing security paradigm that is designed to usher in a new era in securing your business’s data.
The way businesses secure their data is broken
It has long been believed that the most effective way to protect an organisation's data is to create a perimeter of defence around it that blocks all threats from entering.
This traditional approach to data security is based on a perimeter defence model which involves identifying all the entry points to a network, and then deploying technology to monitor and protect those entry points. The assumption is that if you secure your network perimeters, you can keep out any threats.
But as threats no longer respect perimeters, this approach is broken.
This outdated approach fails to take into account that modern attacks come from inside the network, from compromised employee credentials or from malicious insiders.
Verizon recently reported that 60% of breaches occur due to compromised credentials rather than misconfigurations, malware or other attacks on access points, and hackers could access critical systems or data in 85% of breaches caused by stolen credentials.
It stands to reason, then, that if compromised credentials are such an outsized threat to corporate networks today, taking away administrator access to corporate resources would be an effective way to protect them.
Traditional security strategies also fail to protect against new types of threats, such as:
- Advanced persistent threats (APT)
- Data exfiltration through mobile devices and shadow IT
- Zero-day attacks
There needs to be a new approach to securing the enterprise, one that will defend against both known and unknown threats.
Given the growing number of data breaches, one question must be asked: how secure is your data?
The answer lies not in protecting your perimeter but in protecting your organisation's data wherever it lives. Your network has to be safe from hackers and malware, whether that's on your desktop or mobile device, email server or cloud server. This requires a new solution that goes beyond traditional perimeter protection and enables you to create a secure, always-on network – no matter where the data is.
Protecting data where it lives
To improve security, organisations must look beyond their networks and think about protecting their entire digital environment – including their employees, partners and customers. They need a way to secure data wherever it lives: on-premises, in the cloud and on mobile devices.
The new approach is based on a paradigm shift in understanding security threats. Threats come from all directions at once and can occur anywhere within an organisation's boundaries. The best way to defend against them is with a new type of network security that provides constant protection at every point throughout an enterprise – online or offline – with no need for perimeters or traditional firewalls.
A secure, always-on network means all of your company's information is protected from cyber attacks – no matter where it lives or who accesses it. It will enable you to:
- Protect data at rest – stop ransomware attacks and other forms of cyber crime like insider threats and phishing attempts designed to steal confidential information;
- Protect data in motion – defend against sophisticated cyber attacks designed to funnel confidential data out of your organisation; and
- Protect your employees – prevent malware infection and keep corporate laptops and other devices safe.
Stop managing risk – mitigate it
These days, we're all accustomed to accessing business networks from our laptops, tablets and smartphones – but this convenience comes at a cost.
The traditional network security model that most organisations use today is focused on detecting and responding to threats after they've already occurred—a "trust and verify" approach that assumes users are trustworthy or that identifying malicious behaviour is easy. This approach is no longer adequate as cyber criminals are increasingly sophisticated at evading detection.
A new model called Zero Trust Network Access (ZTNA) flips this thinking on its head by assuming every user is malicious until their identity has been verified. ZTNA provides protection by design, preventing threats from ever occurring in the first place.
The Zero Trust approach was initially developed for Google and has become the basis of the security model that Google, Alphabet, and many other global corporations now use.
The reason behind this approach is simple: it's impossible to trust anyone with direct access to your network infrastructure. Instead, the model gives network users full access to all applications and data without the need for any authentication or authorisation to the network itself.
With Zero Trust principles, you can trust your users but not their devices or apps. You must monitor their activities at all times, only trusting the applications they're accessing through various protection layers.
A new security architecture mindset
Zero Trust Network Access is fundamentally changing the way businesses think about network security by adopting a new paradigm for access control. While traditional network security systems focus on managing risk by identifying bad actors, ZTNA focuses on eliminating risk altogether by protecting the data, not the users.
This new approach is forcing enterprise network security teams to re-think their security strategy and implement new capabilities that enable them to take advantage of behavioural analytics, machine learning, advanced threat protection, and automation to proactively mitigate security risks.
Zero Trust network access requires three specific components:
- External and internal detection and enforcement capabilities
- Identity and context awareness of users and devices
- An encrypted network with strong authentication, authorisation, and auditing capabilities.
This approach establishes trust by verifying the identity of every user and device in the enterprise network every time network access is attempted. ZTNA is more than just a product; it's a mindset that must be integrated into your existing security architecture to be fully effective.
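The three components above come together in a policy decision point that re-checks identity, device context and policy on every access attempt, denies by default, and writes an audit record. The following is an added example written for this article, not code from any vendor or product it describes; every name, policy entry, device attribute and sample request in it is constructed for illustration, and the posture checks (managed, encrypted, patched) and the eight-hour MFA freshness window are assumptions chosen to make the logic concrete.

```python
"""Added example: a minimal Zero Trust policy decision point.

Every request is evaluated from scratch against (1) verified identity,
(2) device posture and (3) an explicit allow-list policy. Anything that is
not an explicit allow is a deny, and every decision is logged for auditing.
Network location is recorded for the audit trail only; it grants no trust.
All users, devices, policies and requests here are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset                     # authorisation groups (constructed)
    mfa_verified_at: Optional[datetime]   # last successful MFA challenge


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool          # enrolled in device management (assumed attribute)
    disk_encrypted: bool   # assumed attribute
    patched: bool          # OS at required patch level (assumed attribute)


@dataclass(frozen=True)
class Request:
    user: User
    device: Device
    resource: str          # application or data set being accessed
    action: str            # "read" or "write"
    source_ip: str         # logged only; "inside" addresses earn no trust
    at: datetime


# Allow-list policy: resource -> action -> groups permitted (constructed).
POLICY = {
    "payroll-app": {"read": {"finance"}, "write": {"finance-admin"}},
    "wiki": {"read": {"staff"}, "write": {"staff"}},
}
MFA_MAX_AGE = timedelta(hours=8)   # assumed freshness window for MFA
AUDIT_LOG = []


def identity_ok(user, now):
    """Identity counts as verified only if MFA succeeded recently."""
    if user.mfa_verified_at is None:
        return False
    return now - user.mfa_verified_at <= MFA_MAX_AGE


def device_posture_ok(device):
    """Device context: unmanaged, unencrypted or unpatched devices are denied."""
    return device.managed and device.disk_encrypted and device.patched


def decide(req):
    """Return (allowed, reason). Default is deny; only an explicit match allows."""
    allowed, reason = False, "deny: no matching policy"
    if not identity_ok(req.user, req.at):
        reason = "deny: identity not verified (MFA missing or stale)"
    elif not device_posture_ok(req.device):
        reason = "deny: device posture failed"
    else:
        permitted = POLICY.get(req.resource, {}).get(req.action, set())
        if req.user.groups & permitted:
            allowed, reason = True, "allow: identity, device and policy satisfied"
    # Auditing: every decision, allowed or not, is recorded.
    AUDIT_LOG.append({
        "at": req.at.isoformat(), "user": req.user.name,
        "device": req.device.device_id, "source_ip": req.source_ip,
        "resource": req.resource, "action": req.action,
        "allowed": allowed, "reason": reason,
    })
    return allowed, reason


def run_samples():
    """Evaluate a set of constructed requests; returns the list of decisions."""
    now = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    alice = User("alice", frozenset({"staff", "finance"}), now - timedelta(minutes=30))
    bob = User("bob", frozenset({"staff", "finance-admin"}), now - timedelta(hours=12))
    carol = User("carol", frozenset({"staff"}), now - timedelta(minutes=5))
    laptop = Device("lt-001", managed=True, disk_encrypted=True, patched=True)
    byod_phone = Device("phone-77", managed=False, disk_encrypted=True, patched=True)
    samples = [
        Request(alice, laptop, "payroll-app", "read", "203.0.113.9", now),   # remote, allowed
        Request(alice, laptop, "payroll-app", "write", "203.0.113.9", now),  # not finance-admin
        Request(bob, laptop, "payroll-app", "write", "10.0.0.5", now),       # stale MFA
        Request(carol, byod_phone, "wiki", "read", "10.0.0.8", now),         # inside, bad device
        Request(carol, laptop, "wiki", "read", "198.51.100.4", now),         # remote, allowed
    ]
    return [decide(r) for r in samples]


if __name__ == "__main__":
    for allowed, reason in run_samples():
        print("ALLOW" if allowed else "DENY ", reason)
```

Note that the two requests sent from internal addresses (10.0.0.5 and 10.0.0.8) are both denied while two requests from outside are allowed: the decision depends on the verified identity, the device's posture and the policy, never on where the packet came from, which is the point the three components above make.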
How Zero Trust Network Access fits into a SASE solution
Deploying a Zero Trust security model as part of a wider SASE solution ensures that there are no backdoors for cyber criminals to leverage. It removes administrator access from standard user accounts and requires applications and cloud services to only communicate with the network through virtual private networks (VPNs).
Implemented correctly, this strategy makes it nearly impossible for attackers to use stolen credentials or misconfigured endpoints to gain unrestricted access to enterprise systems.
Zero Trust Network Access gives you a robust security model that allows you to detect anomalies before they have any impact on the business.
ZTNA principles underpin a Secure Access Service Edge (SASE) cloud security solution to provide the foundational capabilities for next-generation authentication, authorisation, and access control capabilities in:
- Cloud services
- Mobile application services
- SaaS services
- IoT devices
- Microservices-based applications
- Any other type of application platform where security is paramount.
The future is open
The way you are protecting your business data is broken. You’re secure… until you’re not. The traditional approach to protecting an organisation's data is irrelevant now as threats no longer respect the network perimeters.
The status quo in data security has not worked. But it’s time to ask an even bigger question—is protecting the perimeter really the best way to protect your most sensitive information? We think not.
Zero Trust Network Access, deployed as part of an integrated SASE security solution, offers a new way forward: protection by design that stops threats before they come anywhere near your business.