What is Zero Trust Network Access (ZTNA) and why is it important?


Zero Trust Network Access (ZTNA) is an approach to network access that considers security the primary concern within every interaction or process. It adopts a “never trust, always verify” mentality. This essentially means that security should never be looked at as secondary. Instead, it must always be treated as a top priority to ensure that whatever a business does on that network will be secure.

Rather than a physical product, ZTNA is best described as a strategy or a concept. It takes legacy network security and then applies security at every single stage of network access. This means considering the security of every entity individually, from a business’s network to its endpoint cloud solution, application security and internet security. Rather than relying on the business’s firewall for protection, it seeks to secure every element, at every single stage. 

A ZTNA approach can be broken down into four key stages:

1. Validating the user

This is mainly carried out through email accounts, such as your Outlook account ID.

2. Ensuring that the user matches the device

This means checking that there isn’t someone (or a bot) trying to impersonate that user. This is where practices such as two-factor authentication come in.

3. Scrutinising privileged access

This means limiting every user to the lowest grade of information so that everyone only has access to what they need to see. 

4. Monitoring the transaction

Scanning the content that is being shared on the network/device being used to identify any malicious files. 
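The four stages above can be read as a single default-deny decision made on every request. The following Python sketch is an added example, not code from the original article or from any vendor; the user, device and resource names are constructed, and the SHA-256 blocklist is a simplified stand-in for a real content scanner.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample data; every name and value below is hypothetical.
USERS = {"alice@example.com"}                        # stage 1: known identities
ENROLLED = {"alice@example.com": {"laptop-001"}}     # stage 2: devices bound to each user
ENTITLEMENTS = {"alice@example.com": {"hr-portal"}}  # stage 3: least-privilege grants
BLOCKED_SHA256 = {hashlib.sha256(b"constructed-malicious-sample").hexdigest()}  # stage 4

@dataclass
class Request:
    user: str
    device: str
    mfa_passed: bool
    resource: str
    payload: bytes = b""

def decide(req: Request) -> tuple[bool, str]:
    """Evaluate one request through the four stages; any failure denies."""
    # 1. Validate the user.
    if req.user not in USERS:
        return False, "unknown user"
    # 2. Ensure the user matches the device, and require the second factor.
    if req.device not in ENROLLED.get(req.user, set()):
        return False, "device not enrolled for user"
    if not req.mfa_passed:
        return False, "second factor missing"
    # 3. Scrutinise privileged access: only explicitly granted resources.
    if req.resource not in ENTITLEMENTS.get(req.user, set()):
        return False, "resource not granted"
    # 4. Monitor the transaction: scan the content being shared.
    if hashlib.sha256(req.payload).hexdigest() in BLOCKED_SHA256:
        return False, "payload matches blocklist"
    return True, "allow"

def audit(requests: list[Request]) -> list[str]:
    """Return one log line per decision so denials can be reviewed."""
    return [f"{r.user} {r.device} {r.resource} -> {decide(r)[1]}" for r in requests]
```

A valid password on an unenrolled device, or a valid device asking for a resource outside the user’s grants, is refused in the same way as an unknown user, and every decision leaves a log line.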

Implementing ZTNA

Because ZTNA is a methodology that impacts every network element individually, it requires an entire system overhaul or ‘rethink’. It will change the way in which the business operates, which is why many avoid adopting it straight away.

A ZTNA strategy will impact many day-to-day operations because it implements checks and balances for every interaction. For example, gaining access to a certain silo of information will require going through a particular person and process. This is a big undertaking, which can be time-intensive and costly.

But the benefits of ZTNA far outweigh the investment required. It may require up-front work but in the longer term it will easily pay for itself several times over by significantly improving businesses’ security. 

Businesses who operate correctly under ZTNA are 70 per cent less likely to have a cybersecurity incident. Because it is so comprehensive and thorough, it reduces the likelihood of breaches, but also limits user access at every stage, reducing the opportunity for human error.

However, because ZTNA is a guideline to follow, rather than being fully prescriptive, there is the potential for businesses to take different interpretations and follow the framework more, or less, strictly. As a result, the effectiveness of ZTNA may fluctuate and, if it isn’t followed to the letter, more risk will be introduced into an organisation.

Roadblocks to implementing ZTNA

Implementing ZTNA is always highly recommended for any business – and if security is a business’s priority, it’s a no-brainer. However, in order to actually implement the ‘concept’, a plethora of different security products and tools need to be purchased, for example identity and access management tools, XDR tools, and next-gen and cloud firewalls. There isn’t a zero-trust security product that can simply be plugged in, so businesses will need to shop around to find the best options.

Over time, we’re likely to see more suppliers/vendors offering all-encompassing packages, and certain players are already taking steps in this direction. One of the leading all-inclusive offerings is provided by Palo Alto, for example, which allows businesses to purchase every part of that toolkit at once. Whilst this might not be the most cost-effective choice, it all comes down to ease for businesses. 

We’ve seen this in other areas of security, like with Microsoft. The company made it very easy to purchase their package, which includes every Microsoft security tool that a business might need, and which all integrate seamlessly with one another. This is winning them much of the market share.

Covering as much of ZTNA as possible

For smaller businesses operating on reduced budgets, the costs involved with purchasing the necessary tools can be off-putting. Instead, their priority should be to identify what they need to do in order to cover as much of that ZTNA model as they can, and how many products they’ll need to secure as many areas as possible.

SMEs will be striving to cover as much ground as possible for the cheapest price, which will influence their choice of vendor. Take Fortinet as an example: Fortinet may be offering 75 per cent of the solutions that Microsoft is and may even come in at a cheaper price point, but SMEs who are looking for a full solution will then need to spend time and money looking elsewhere to fill that 25 per cent gap in provision. So, for SMEs, it’s worth spending time finding the right security vendor.

Improving mindsets 

If ZTNA is implemented to the letter it will significantly improve security protection. However, it is a sliding scale, meaning that there are steps that smaller businesses can take towards achieving the concept that will still improve their security, but at a lower cost. Among these steps are focusing on building a security culture, increasing awareness across the entire team and hiring the correct personnel. 

Training employees to become more aware of security attacks and attackers’ methods is an effective way to reduce the number of successful cyberattacks. For instance, this can mean providing online safety knowledge and flagging the types of scenarios to which staff could fall victim: phishing, malware, ransomware, denial of service attacks and more. This will ensure that staff are aware of current practices around data infringement and, by keeping this security as a priority in the eyes of employees, internet behaviour can improve.

Like any change, it will take time for ZTNA to be fully adopted. I placed my first zero trust architect about two years ago with a major bank which was an early adopter in the space. Often large corporations are the first to implement these new approaches and it then takes time to trickle down to the wider market. However, as instances of cyberattacks increase, we are seeing businesses take a greater interest in the approach.

If you’re interested in using your skills to help businesses to improve their security, reach out to Lewis West or one of the cybersecurity team today.