Zero Trust – A necessity of “new normal”
A pandemic took the world by storm, and the busiest markets, government offices and corporate offices emptied within days. The world changed drastically in 2020, with remote working becoming the “new normal” by force, not by choice. COVID-19 has forced digital disruption, and most organizations have moved to the cloud in a hurry, resulting in a larger and more vulnerable attack surface.
Sensitive business resources that had, up to that point, only been accessed by workers at the office now had to be available to employees working from home. Access to hybrid IT resources, which used to happen securely from the office, now requires direct connectivity from home. Corporate devices are being replaced by BYOD, which aggravates the situation.
Traditional security approaches like VPNs assume that any network segment behind the security perimeter, and the devices attached to it, are safe and trusted. However, during this pandemic, whom can you trust – users, devices, passwords? The safe bet is “No One”.
This implies the necessity of adopting the Zero Trust approach – trust no device, trust no user. One of the most advanced implementations of Zero Trust is for Network Access Solutions.
Zero Trust Access Solutions
Gartner defines zero-trust network access (ZTNA) as products and services that provide controlled identity and context-aware access to resources, reducing the surface area for attack. The isolation afforded by ZTNA improves connectivity, removing the need to directly expose applications to the internet.
If we decipher the definition, key features of any Zero Trust Access solution are:
- Zero Trust – Device and identity are authenticated every time a connection is established
- One window – Single window to applications irrespective of their location – Private DC, Public Clouds, SaaS
- Contextual access – Based on User, Device and the application; one of the fundamental differentiators from traditional VPN and DMZs where complete network access is provided
- Least privilege access – Access to named applications for named users, only after the context is established; just-in-time access provisioning
- End-to-end encryption – From device to the application; no visibility for the communication/service provider
- Continuous monitoring – Monitoring the session for indications of unusual behavior, based on signals such as user behavior, location, session duration, endpoint compliance…
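The features above can be read as one default-deny decision that runs on every connection and again during the session. The sketch below is an added example, not part of the original post or of any vendor's product; the names `Context`, `Grant`, `decide` and `recheck_session`, and the sample users, applications and countries, are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Context:
    user: str
    user_authenticated: bool   # identity verified for THIS connection
    device_id: str
    device_compliant: bool     # endpoint posture check result
    country: str
    app: str                   # the single named application requested

@dataclass(frozen=True)
class Grant:
    user: str
    app: str
    expires: datetime          # just-in-time: every grant is time-boxed
    allowed_countries: frozenset

# Constructed sample policy: named users mapped to named applications.
NOW = datetime(2020, 6, 1, 9, 0)
GRANTS = [
    Grant("alice", "payroll", NOW + timedelta(hours=8), frozenset({"IN"})),
    Grant("bob", "wiki", NOW + timedelta(hours=8), frozenset({"IN", "US"})),
]

def decide(ctx, now, grants=GRANTS):
    """Return (allowed, reason). Default is deny; network location earns no trust."""
    if not ctx.user_authenticated:
        return False, "identity not authenticated"
    if not ctx.device_compliant:
        return False, "device failed posture check"
    for g in grants:
        if (g.user, g.app) == (ctx.user, ctx.app):
            if now >= g.expires:
                return False, "grant expired"
            if ctx.country not in g.allowed_countries:
                return False, "location outside policy"
            return True, "allowed: " + ctx.app
    # Unlike a VPN, being connected does not imply reach to other applications.
    return False, "no grant for this application"

def recheck_session(ctx, now, grants=GRANTS):
    """Continuous monitoring: re-run the same decision when session context changes."""
    allowed, reason = decide(ctx, now, grants)
    return "keep" if allowed else "terminate: " + reason
```

The same authenticated user on the same compliant device is refused any application without an explicit grant, and an established session is terminated when its context drifts outside policy.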
As more and more organizations move to the cloud and adopt a remote working culture, demand for Zero Trust is spiking and organizations are looking for flexible VPN alternatives. This has resulted in a crowded startup market for ZTNA products and in big companies pursuing M&A activity to launch ZTA/SDP-capable offerings.
There is also a lot of consolidation under way, with most vendors moving in the SASE direction. COVID-19 has made it apparent that moving to the cloud is not a choice; it is a mandatory step in the near future. Thus, many vendors are coming up with SASE offerings, and ZTA is a core offering in all of these products.
The market is moving rapidly to adopt Zero Trust and the real question is – Are we ready for it?
Watch this space for more interesting discussions on Zero Trust Access and Software Defined Perimeter.