Network security has become an increasingly hot topic during the COVID-19 pandemic. It is hard to remember a comparable time when zero-trust network security, Software-as-a-Service (SaaS), and Data-as-a-Service (DaaS) have received such widespread media coverage. The unprecedented and sudden growth in remote working has accelerated many organizations’ adoption of secure access strategies for out-of-office employees. Meanwhile, new threats to network security are emerging constantly, such as the costly and concerning SonicWall zero-day vulnerabilities reported just last month. So what is the “right” approach to network security?
Zero-trust, secure access explained
Traditionally, network security models have employed a “castle and moat” approach of authenticating user access. In this model, after a single authentication (or penetration) at the network gateway, a user or device is presumed to be “trusted,” allowing them to navigate laterally through the network without any additional authentication. The obvious blind spot created by this “trusted-by-default” approach has led directly to a more modern, emerging security architecture known as “zero-trust network access,” or ZTNA.
In a zero-trust network, each user is authenticated at entry and constantly re-authenticated when navigating to segmented areas of the network, or when accessing DaaS and SaaS applications. Because of this emphasis on re-authentication, zero-trust networks can identify intrusions into secure segmented areas much sooner and minimize the impact of any such intrusion. This may all sound complicated, but it doesn’t have to be; that perceived complexity is why there are so many misconceptions about zero-trust network access.
Myth: Zero-trust is hard to implement
Fact: Moving toward zero-trust network access can be achieved in incremental steps
Embracing zero-trust access as part of a secure access service edge (SASE) architecture can be simpler than expected. Zero-trust network security practices expand upon existing network infrastructure and can be implemented in stages for different users and network resources, without requiring any forklift upgrades.
Did you know?
While some security companies and analysts refer to zero-trust network architecture using different terms, the underlying principles of zero-trust have become increasingly standardized across the network security industry.
- Cloudflare refers to zero-trust as part of its cloud-hosted approach to Identity-as-a-Service, or IDaaS, for identity and access management (IAM).
- Forrester uses the term Zero Trust Edge (ZTE) to encompass a SASE-based approach to zero-trust network security.
- Gartner previously referred to this area of network security using the acronym CARTA, representing Continuous Adaptive Risk and Trust Assessment.
Expecting to migrate an entire organization to a zero-trust network architecture in one fell swoop is unrealistic. Instead, security professionals within the organization should assess the state of network security as a part of longer-term security goals. They can then select a limited group, such as a single department or a particular set of resources, and from this starting point leverage the policy engine of the secure access solution to enforce identity-focused authentication for these specific groups or resources.
Myth: Zero-trust is only for large organizations
Fact: 61% of data breaches happen at small companies
While large organizations may garner more headlines and seem like a more lucrative target to attackers, the truth is that smaller organizations are often unable to maintain dedicated network security practices. Unfortunately, this means that small organizations are frequent targets of malicious activity. Furthermore, with a limited network security presence or IT resources, many of these breaches go undiscovered for weeks or months.
This highlights another key component of a zero-trust network architecture. The additional layer of authentication needed to reach sensitive or privileged parts of a network requires additional monitoring and analysis of traffic, which in turn helps IT professionals detect and understand intrusions much sooner. The concerning SonicWall exploits reported on earlier this month included the abuse of network credentials to access related systems and resources – the precise attack vector that can be mitigated by device and user re-authentication. Even small companies should select a secure access platform that provides increased insight and analysis so that the IT department has the ability to investigate unexpected network activity. Network security is a concern for organizations of all sizes.
Myth: Zero-trust is detrimental to the user experience
Fact: Zero-trust architecture improves operational efficiency and can reduce complexity
One of the main misconceptions slowing the wider adoption of identity-based network security measures is the perception that these approaches will bog down the network, negatively impacting the agility and productivity of users. This does not need to be the case, and several zero-trust solutions include some form of risk-based authentication to reduce or eliminate authentication requests for low-risk network areas or resources. In this way, zero-trust solutions can be scaled up to increase security and require re-authentication for sensitive resources when the perceived network risk is higher.
Those who cite fears about zero-trust network solutions negatively impacting user experience often point to the same concerns expressed about multi-factor authentication (MFA). MFA implementations, however, do not leverage machine learning and real-time risk assessment to minimize impact to user experience in the way that zero-trust solutions can. Quite the opposite of negatively impacting user experience, Forrester’s research suggests that nearly 1/3 of organizations reported increased productivity and reduced complexity when using zero-trust solutions.
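The risk-based authentication described in this section, combined with the staged rollout to a limited group described earlier, can be sketched as a small policy decision function. This is an added example, not NetMotion's or any vendor's policy engine; the group names, resource tiers, weights and thresholds are constructed assumptions, and a fixed scoring table stands in for any real-time risk model.

```python
from dataclasses import dataclass

# Constructed example values: every name, weight and threshold is an assumption.
PILOT_GROUPS = {"finance"}                          # staged rollout: enforced groups only
SENSITIVITY = {"wiki": 1, "crm": 2, "payroll": 3}   # protect-surface tiers
REAUTH_MAX_AGE = {1: 8 * 3600, 2: 3600, 3: 300}     # seconds a prior login is honoured

@dataclass
class Request:
    user_group: str
    resource: str
    device_managed: bool
    new_location: bool
    auth_age_s: int   # seconds since the user last authenticated

def risk_score(req: Request) -> int:
    """Additive risk score from request signals (hypothetical weights)."""
    score = 0
    if not req.device_managed:
        score += 2
    if req.new_location:
        score += 1
    return score

def decide(req: Request) -> str:
    """Return 'allow', 'step_up' (re-authenticate), 'deny' or 'not_enforced'."""
    if req.user_group not in PILOT_GROUPS:
        return "not_enforced"   # group not migrated yet; existing controls apply
    tier = SENSITIVITY.get(req.resource)
    if tier is None:
        return "deny"           # unknown resource: default deny
    risk = risk_score(req)
    if risk + tier >= 6:
        return "deny"           # highest risk against the most sensitive tier
    # Higher risk shortens how long an earlier authentication is honoured,
    # so low-risk access to low-tier resources rarely prompts the user.
    max_age = REAUTH_MAX_AGE[tier] // (1 + risk)
    return "step_up" if req.auth_age_s > max_age else "allow"

if __name__ == "__main__":
    for r in (Request("finance", "wiki", True, False, 3600),
              Request("finance", "crm", True, True, 2400),
              Request("finance", "payroll", False, True, 10)):
        print(r.resource, decide(r))
```

Logging every decision, including the not_enforced ones, gives the IT team the visibility into access patterns that the article says a secure access platform should provide.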
Myth: Zero-trust cannot exist in the cloud
Fact: Zero-trust is NOT limited to on-site deployments
Many organizations wrongly believe that zero-trust solutions can only work on-premises and cannot secure resources in the public cloud. This has become an increasing security concern as organizations seek to migrate mission-critical applications and sensitive data to cloud delivery services. The truth is that zero-trust network security is not limited to on-site deployments and can be extended to include cloud or hybrid environments. A fundamental aspect of zero-trust architecture involves first identifying a ‘protect surface’; however, there is no need for this to be on premises or behind a traditional network perimeter.
Myth: You can buy a single product to achieve zero-trust
Fact: Unfortunately, you cannot ‘buy’ zero-trust
Network security professionals must work to develop a zero-trust implementation framework that suits their organization, identifying unique security concerns and tailoring policy enforcement to mitigate possible negative impacts to the user experience. What a successful implementation looks like will vary from organization to organization – and there is no one-size-fits-all approach that will work for every organization. Zero-trust, as a part of the larger SASE framework, is more about how the pieces of the network security work together.
Many security vendors that claim to provide a zero-trust solution do not include necessary analytics and visibility into the network that would allow informed security and access-based decisions. Furthermore, a customizable policy engine is required to actually implement and push an effective, tailored security policy to users and devices.
Conclusions
Zero-trust network security models deliver enhanced security and network analytics for organizations of all sizes. Improving operational security needs to be a priority for every organization in 2021. Zero-trust network architecture should be a part of this strategy to help these organizations manage data flows and network access, as part of a larger ecosystem of technologies to deliver and manage data securely.
The SASE and zero-trust solutions that stand out across the industry are those that focus on an improved experience while helping to reduce organizational complexity. For example, the NetMotion platform provides improved analytical insights and user experience while simultaneously integrating a zero-trust approach. Leveraging the robust policy engine of the NetMotion platform allows organizations to focus on the most critical protect surfaces, balancing network security and operational efficiency on an ongoing basis.