Zero trust network access (ZTNA) solutions provide a new way to connect users, applications, and devices securely. By integrating with existing security tools, organizations can achieve holistic visibility and control, reduce risks, and strengthen compliance. Service-based ZTNA uses a connector in the provider’s cloud to authenticate and validate users. This enables a secure, direct connection to applications while keeping infrastructure invisible to attackers.
Zero Trust Access Control
With the rise of remote and hybrid work, enterprises require a solution that securely connects users, applications and services across disparate environments. Zero trust access control delivers a better way to secure these new, highly connected workflows while reducing the attack surface and eliminating lateral threat movement.
The first iteration (1.0) of ZTNA solutions leveraged VPN architecture to backhaul traffic and provide network or LAN access. However, this model no longer fits today’s workforce or the current security landscape. Specifically, these initial 1.0 ZTNA solutions were limited in how they handled endpoints and could not protect against malware and other threats that exploit unmanaged devices.
With its ability to handle both LAN and internet-facing connections, the second generation of ZTNA solutions is more robust in handling endpoints and the current security landscape. ZTNA solutions authenticate and validate users and their devices through a secure channel such as an encrypted tunnel. Then, using a software-defined perimeter (SDP), they grant a connection to the application on behalf of the user, all while hiding the organization’s private IP addresses from the public Internet.
To further reduce the attack surface, these next-generation ZTNA solutions can also offer native application segmentation. With this capability, a connection to an application is made from the device directly to the cloud service rather than through the enterprise network. The result is a more streamlined, efficient and agile solution that eliminates the need for complex network configurations and simplifies support for third-party or BYOD devices.
Zero Trust Mobility
With more employees working remotely, Zero Trust can eliminate the risk of compromising sensitive data by ensuring that only authorized workers gain access to the information they need to do their jobs. This approach is critical as companies move to a hybrid work model, in which employees split their time between on-premises and remote work.
While many vendors describe Zero Trust as a single product, it is an architecture and a set of principles encompassing a full security ecosystem. This includes unified identity and access management (IAM), continuous authentication, micro-segmentation and visibility into network activity to detect threats and anomalies. It can even include passwordless biometric MFA to provide continuous verification without requiring users to enter credentials constantly.
The goal of Zero Trust is to make it impossible for attackers to move laterally into your internal network or cloud instance to steal or compromise data. Following the principle of least privilege, each user and device is assumed hostile until authenticated, and access to a resource is granted only after a thorough check that the requester actually needs it. This protects regulated data while shielding all users and infrastructure from public exposure.
Organizations transitioning to Zero Trust must take a phased approach to implementing this new cybersecurity architecture. Changing everything at once can disrupt business as usual and complicate daily operations. By combining the power of Akamai’s industry-leading distributed ZTNA solution with its phish-proof MFA, proactive secure web gateway and granular micro-segmentation, organizations can easily transition to a Zero Trust environment while protecting their existing infrastructure.
Zero Trust Access Management
ZTNA solutions provide a means to connect users, applications and data without being exposed directly to the public Internet. Instead, they provide a secure path from the user’s device or the remote network to private applications and resources on a corporate cloud or private DMZ.
These access pathways are governed by security policies that vary according to time of day, geographical location and other real-time user or device attributes. For example, policies can ensure that devices are patched and up-to-date with the latest antivirus software before granting access to the corporate network. In addition, granular, contextual access can be provided to applications depending on the requirements of the business.
Other advantages of a Zero Trust approach include:
Mitigating insider threats: ZTNA helps organizations limit the damage caused by malicious insiders by restricting their ability to move across the network and perform sensitive tasks like privilege escalation. It also provides visibility to help identify and track rogue users.
Replacing VPNs for remote access: ZTNA is an ideal way to provide secure, granular and context-aware access to business-critical apps for users in remote locations. This is especially critical given the increasing number of businesses that require a collaborative ecosystem of contractors, partners and suppliers for business-to-business interactions. This is possible with a service-based zero-trust solution.
Zero Trust Security
The Zero Trust security model is a fundamental shift in how organizations protect themselves from threats. It closes down vulnerabilities that bad actors could exploit, making it much harder for them to move around your network unnoticed. Zero Trust solutions are typically identity-centric, respond with a default deny, and are context-aware so that previously established trust does not lead to overly permissive access. They also implement least-privilege access controls and verify every connection on a need-to-know basis. They hide internal applications from the Internet and allow users to reach them through a trusted broker, which authenticates and authorizes access on a user-to-application basis. The broker may be deployed as software in the data center or delivered as a cloud service. Finally, they can incorporate end-to-end encrypted TLS micro-tunnels that encrypt all traffic across the broker. This protects against DDoS attacks and other network-based attacks and reduces the attack surface available to malicious actors who may have compromised the user’s device.
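The contextual policies described under Zero Trust Access Management (device posture, location, time of day) and the default-deny, user-to-application authorization described above, worked as an added Python example that is not code from the original article or any vendor product. The application names, groups, rules and requests are constructed for illustration.

```python
# Added example (not from the original article): a minimal default-deny,
# context-aware ZTNA policy evaluator. Apps, groups, rules and sample
# requests are constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Context:
    """Real-time attributes of one access request (user, device, location)."""
    user: str
    groups: frozenset
    app: str
    country: str
    hour: int          # local hour of day, 0-23
    patched: bool      # OS patches current
    av_current: bool   # antivirus signatures up to date
    managed: bool      # enterprise-managed (not BYOD) device

@dataclass(frozen=True)
class Rule:
    """One explicit allow rule; a request matching no rule is denied."""
    app: str
    groups: frozenset
    countries: frozenset
    hours: range
    managed_only: bool = False

POLICY = (
    Rule("payroll", frozenset({"finance"}), frozenset({"US"}), range(7, 20), True),
    Rule("wiki", frozenset({"staff", "contractor"}), frozenset({"US", "DE", "IN"}), range(24)),
)

def evaluate(ctx, policy=POLICY):
    """Return (decision, reason); 'allow' only on an explicit, full rule match."""
    # Device posture is checked first, regardless of identity or target app.
    if not (ctx.patched and ctx.av_current):
        return "deny", "device posture: unpatched or stale antivirus"
    reason = f"no rule grants {ctx.user} access to {ctx.app}"
    for r in policy:
        if r.app != ctx.app or not (ctx.groups & r.groups):
            continue
        if ctx.country not in r.countries:
            reason = f"{ctx.app}: country {ctx.country} not permitted"
        elif ctx.hour not in r.hours:
            reason = f"{ctx.app}: outside allowed hours"
        elif r.managed_only and not ctx.managed:
            reason = f"{ctx.app}: managed device required"
        else:
            return "allow", f"{ctx.app}: matched rule for {sorted(ctx.groups & r.groups)}"
    return "deny", reason  # default deny: nothing matched in full

if __name__ == "__main__":
    req = Context("alice", frozenset({"staff", "finance"}), "payroll", "US", 9, True, True, True)
    print(evaluate(req))
```

Each denial carries the specific failed check, which is what a broker would log for detection and audit rather than a bare "denied".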
ZTNA solutions can be standalone or bundled into a secure access service edge (SASE) offering that includes network services such as NGFW and SWG, and security services such as CASB, NGDM, MDR and anti-malware. In addition to addressing the challenges of traditional VPNs, SASE provides a single, simple-to-deploy, optimized and scalable architecture.