Zero Trust Network Access (ZTNA) is a raising architectural model for company networks that brings answers to the challenges of our time (cloud access, secure hybrid cloud, edge & personal devices, mergers & acquisitions, widescale supply chain & ransomware attacks). And while a transformation was already on its way the pandemic put additional pressure on IT departments around the globe, enforcing a new openness, that otherwise might have been delayed for a few additional years.
This is part one of a small series of ZTNA related pieces that will shine a spotlight on ZTNA fundamentals and their impact on network architecture. For further reading I recommend a recent whitepaper published by Worldline, about “Zero Trust connectivity in industrial environments”. If you are interested in zero trust in general or specifically in its applicability to OT get your free copy here.
In a nutshell: zero IMPLICIT trust is given to users and assets that access resources. But there is more to ZTNA than just that, it is a fundamental shift of paradigms, that blends existing practices with new ideas, to create better security and business agility.
Not a (single) vendor solution
A company network is a complex beast that interconnects users with applications and storage to perform a business purpose. Early on this was as simple, as a terminal for user input, connected to an isolated server. Nowadays there are laptops, tablets, mobiles, edge devices, autonomous robots, on premise servers, datacenters and cloud services scattered across offices, organizations and countries - the company network is what bolts this all together.
Unsurprisingly there is no off-the-shelf solution to build and maintain such a network and with mergers and acquisitions most IT departments have a zoo of products and solutions in place to provide connectivity and security. And that zoo will remain, ZTNA is not a new type of product that if deployed replaces all your MPLS connections, routers, firewalls, network sensors and vulnerability scanners. Instead it is an architectural model, that if manifested, replaces a few technologies, adjusts the responsibilities of others and adds some novel ideas and yes novel products, to help you achieve security in alignment with today’s business requirements.
An architectural style of risk management
For a long time, the unifying architectural idea behind network design has been the castle and moat - elimination of risk inside a controlled perimeter. In a world where you can no longer close the gates and stay in business: ZTNA suggests an update to this model - manageable risk for a given purpose.
(trust islands, bridged together on demand based on manageable risk)
Let’s embark on a brief journey through ZTNA fundamentals, inspired by the Tenets of Zero Trust NIST - Zero Trust Architecture, that defines what ZTNA is/should be rather than focusing on what it is not:
Protect data sources and services, not network segments: Identify all resources of your business, regardless of their location. Be it inside your offices, in the cloud, at partners or elsewhere. Resources can take many forms from data collecting edge devices to software defined storage, from cloud applications to SCADA systems. Propper asset and inventory management are a pre-condition to security, you cannot protect what you don’t know.
Measure, monitor and secure all company associated assets: Identify and monitor all assets that can connect to your resources. Track their security level and apply corrective measures where necessary. Concretely add certificates or smart cards to company owned devices, invest in vulnerability and patch management and rely on scanners and sensors that map the IS situation, not on excel sheets that represent the SHOULD. Finally, there are none company owned assets. For BYOD and contractors you might be able to enforce your security posture, in other cases your options are tracking and adhoc actions - take a conscious decision, don’t ignore them.
All communication is secured: In a hostile environment, communication must protect confidentiality and integrity and should confirm the identity of the other side. If this sounds like good old TLS that is not a coincidence. Much can be gained by enabling (mutual) TLS for all communication.
Access is granted on a per-session basis: Each access to data or services is subject to individual authorization. Authentication may stick around for a while (for instance you might get a JWT token) but access is not transferable to other resources or actions, it must be individually requested and granted. This is an implementation of the least privilege principle and a necessity to fully leverage the benefits of strong identities and comprehensive asset management.
Access policies are dynamic: Authorization is not a one shot binary function. Instead the input may contain environmental factors like behaviour, geography, security stance or alertness and the output can be conditional and affect the environment. Think of the finance industry where many of these ideas are in place today. Your banking session expires, transactions can require various degrees of authentication, withdrawl limits secure your account and the analysis of past behaviour and environmental factors are in common use.
Manageable risk for a given purpose: Pulling it all together: Secure communication, active monitoring, smart access decisions and the least privilege principle reduce likelihood and impact of breaches and allow businesses to manage risk as part of their mission.
Given all that, what gap do ZTNA solutions fill?
A micro segmentation engine
Zero Trust solutions are micro segmentation engines, that allow you to efficiently segment your network into many small islands that are only bridged on demand and ideally in accordance with (all of) the above fundamentals. Authorized, tunneled connectivity between walled of perimeters has been classically achieved with VPNs, the swiss army knifes of networking. However, metaphorically speaking, if my small son needs a bottle opener, for his lemonade, I would not want to hand him one with a knife attached.
(bottle opener with attached knife - too much power to wield easily)
VPNs are just to powerful and wild to use them as the scalable security building blocks envisioned in the Jericho Forum Commandments. Their atoms are devices and networks and not applications and sessions, they do not address micro perimeters and can in general not easily support the outlined fundamentals. There is a need for simple, user friendly, integrative and scalable solutions to form the new backbone of company communication.
Ideally such solutions are built around a powerful authorization metaphor, that allows to localize control and align security with the business context. For instance, it is much easier to create and maintain appropriate access rules for one server than to manage THE company firewall. The beauty is, if the aforementioned fundamentals are properly implemented, it is possible to entrust people to manage their respective scope, protected by a design philosophy that minimizes collateral damage, lateral movement and exploitation of trust.
While the journey to zero trust might be forced upon us by a fast changing world, I belief there is an opportunity hidden in this shift of paradigms. With zero implicit trust, classification and active risk management power can be shifted to the branches. Scalable security building blocks and localization of control can deliver both: better security and enhanced business agility.