The Practical Side of ZTNA: How it Helps Harden Defenses
By Timothy Liu, CTO and co-founder, Hillstone Networks
In the cybersecurity world, buzzwords seem to proliferate with the changing of the wind. Currently zero-trust network access, or ZTNA, is getting its own share of buzz, with literally scores of articles, blogs and other documents exploring the concept and technology. However, too often the discourse tends to focus on the “how” – ZTNA’s place in the network architecture, the theoretical frameworks, etc. – instead of the “why”: why ZTNA can make sense in the overall cybersecurity schema and strategy.
It’s understandable. ZTNA is still a relatively nascent technology, with a somewhat radically different approach to securing network access. We’ve written on this topic frequently ourselves, such as in our recent blog post. Yet it’s equally important to view ZTNA from the viewpoint of how it can strengthen defenses across the board – even against some of the most pernicious and sophisticated attacks.
Access is Everything
For decades, the network edge (the point at which the public internet meets the private network) has been the gold standard for cybersecurity. Network architects merely divide the network into two zones of trust in which outside entities are considered untrusted, while users and devices inside the network edge are inherently trusted.
Hackers have long since figured out that if they can burrow their way inside the network edge, they’re golden; thereafter the malware is likely to be considered trusted and thereby attain access to highly sensitive and valuable data and other assets. The dual-zone model tends to generalize rules for access, thus rendering them broad and non-specific.
Any organization’s critical data will be best protected through strict limits on access. If access controls are more relaxed, hackers have a far greater opportunity to achieve access for their dirty work. In a dual-zone model, smartly crafted access rules and mini-zones can help limit access, thus boosting data security. However, these rules and zones still tend to be relatively generic and thus fundamentally less secure.
In addition, recent changes in work dynamics have blurred or eliminated the network edge as we’ve known it. The distributed workforce, the growing use of public/hybrid cloud and SaaS and other elements have expanded the edge far beyond its traditional physical definition, and in the process introduced new attack surfaces for attackers to exploit.
It’s clear that a new definition of the network edge is required, one that doesn’t rely upon a physical location in the network such as an NGFW. Instead, the new edge has become the access – wherever users and their devices gain entry into corporate resources, be it in-house, cloud-based, or elsewhere. Essentially, the access is the new edge and the new first line of defense.
By contrast with the dual-zone model, ZTNA’s mantra is ‘never trust, always verify.’ Authentication, authorization, and verification are continuously enforced, thus ensuring both identity and integrity of users and their devices throughout their sessions. This hypervigilance in turn secures the access and protects vital network resources.
How ZTNA Defends Against Attacks
With its zero-trust model, context awareness and application-layer operation, ZTNA improves security across multiple potential vectors of attack, thereby protecting against even highly complex exploits. A few examples include:
- Ransomware, botnets and related hacks. Typically, these attacks will use phishing or other tactics to gain entry into the network, then extend their tentacles laterally across whatever assets they can reach. They usually communicate back to a command-and-control server (CnC) for update and direction. Micro-segmentation through ZTNA can restrict unauthorized access and lateral moves to limit damage from such attacks, as well as cutting off communication to the CnC server – essentially defanging the threat.
- Phishing, vishing, smishing, etc. A recent report by Verizon found that human factors, including social engineering exploits, were responsible for nearly 80 percent of initial tactics that then led to later attacks. Because ZTNA constantly authenticates, validates and verifies users and their connected devices, the odds of such an attack succeeding are greatly reduced. For example, if stolen user credentials are used to request authentication without the associated device, the disparity will be quickly detected and the request barred.
- DoS/DDoS attacks. Denial of service exploits can barrage ports, servers, applications and other company assets with a constant stream of traffic. This in turn ties up these resources and often renders them incapable of processing genuine access demands. DoS and DDoS attacks usually originate in discovery such as port scanning to identify potential victims. Through its structure, ZTNA conceals enterprise access points from port scans and illicit users, preventing detection by hackers in the process.
- Man-in-the-Middle exploits. In the new remote work model, staff might work in a variety of locations that very often utilize public WiFi networks that are poorly secured. This creates an open season for MitM attacks where a hacker intercepts and hijacks communications between the user and other corporate assets, steals sensitive information, and potentially much more. Because ZTNA continuously verifies both the user and the device, along with the context of traffic flows, it greatly reduces the possibility of a MitM attack and can defend critical enterprise assets if an attack occurs.
- Insider-caused breaches. Although hacker-led data breaches and ransomware attacks are frequently splashed across the media, in reality company insiders such as staff members and partner companies are responsible for more than 20 percent of all breaches. These incidents may be caused by simple negligence or carelessness, or by malicious insiders acting with purpose. ZTNA operates on the principle of least privilege, which reduces the odds of an insider breach. When paired with ZTNA’s context awareness and micro-segmentation of network assets, this further limits the possibilities for insider-caused breaches.
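The checks the list above attributes to ZTNA (credentials bound to an enrolled device, device posture, per-application authorization as micro-segmentation, and re-verification throughout a session) can be seen in miniature in a small policy evaluator. The code below is an added illustration written for this article, not Hillstone’s product code; the users, devices, posture attributes and application groups are constructed sample data, and the posture values are assumed to come from some device agent.

```python
"""Toy zero-trust access policy evaluator (illustrative, not vendor code).

Every request is evaluated on identity, device and context; nothing is
trusted because of where on the network it originates. Default is deny.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: devices enrolled to each user, and the posture
# each device reports (assumption: a device agent supplies these values).
ENROLLED_DEVICES = {
    "alice": {"laptop-a1"},
    "bob": {"laptop-b7"},
}
DEVICE_POSTURE = {
    "laptop-a1": {"disk_encrypted": True, "edr_running": True},
    "laptop-b7": {"disk_encrypted": True, "edr_running": False},
}
# Micro-segmentation: each application lists the groups allowed to reach it.
# There is no "inside" zone; an application absent from the map is denied.
APP_POLICY = {
    "hr-portal": {"hr"},
    "finance-db": {"finance"},
    "wiki": {"hr", "finance", "eng"},
}
USER_GROUPS = {"alice": {"hr"}, "bob": {"eng"}}


@dataclass
class Request:
    user: str
    password_ok: bool            # outcome of the credential check (constructed)
    device_id: Optional[str]
    app: str
    posture_override: dict = field(default_factory=dict)  # live posture updates


def evaluate(req: Request) -> tuple:
    """Return (allowed, reason). Every check must pass; otherwise deny."""
    if not req.password_ok:
        return False, "credential check failed"
    # Credentials alone are not enough: the request must arrive from a device
    # enrolled to this identity, so stolen credentials used from an unknown
    # device are rejected here.
    if req.device_id not in ENROLLED_DEVICES.get(req.user, set()):
        return False, "device not enrolled to user"
    posture = {**DEVICE_POSTURE[req.device_id], **req.posture_override}
    if not (posture["disk_encrypted"] and posture["edr_running"]):
        return False, "device posture check failed"
    # Per-application authorization (micro-segmentation); unknown app -> deny.
    allowed_groups = APP_POLICY.get(req.app, set())
    if not USER_GROUPS.get(req.user, set()) & allowed_groups:
        return False, "user not authorized for " + req.app
    return True, "allowed"


def session_check(req: Request, posture_updates: list) -> list:
    """Re-evaluate an established session on every posture change
    (continuous verification); the first failing check ends access."""
    results = []
    for update in posture_updates:
        req.posture_override = update
        ok, _ = evaluate(req)
        results.append(ok)
        if not ok:
            break
    return results


if __name__ == "__main__":
    # Valid credentials from an unenrolled device are denied even though the
    # password check passed; the same user on the enrolled laptop is allowed.
    print(evaluate(Request("alice", True, "unknown-dev", "hr-portal")))
    print(evaluate(Request("alice", True, "laptop-a1", "hr-portal")))
    # Mid-session loss of EDR revokes access on the next evaluation.
    print(session_check(Request("alice", True, "laptop-a1", "wiki"),
                        [{}, {"edr_running": False}, {}]))
```

The ordering of checks matters for the article’s point: identity and device are verified before any application rule is consulted, and the application map is the only place access is granted, so a request that matches nothing falls through to deny rather than inheriting trust from a network zone.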
With its mantra of ‘never trust, always verify,’ ZTNA can help defend and protect the principal attack vectors of today, including against sophisticated multi-level, multi-phase attacks.
Building a Robust ZTNA Architecture
Given the broad-ranging impacts of a ZTNA architecture, migration can be both complex and costly. However, keep in mind that ZTNA lends itself to incremental upgrades; for example, it can happily coexist with existing SSL VPN architectures while augmenting them and supporting new users and infrastructures as they are deployed. Hillstone’s ZTNA solution is one such example; it leverages the Hillstone Security Management platform (HSM) with the company’s NGFW products to deliver ZTNA capabilities.
Further, pairing such a solution with other cloud-based products like Hillstone’s CloudHive cloud infrastructure protection platform, and CloudArmour cloud workload protection platform (CWPP) can further extend protections and control wherever company resources might physically reside.
Ultimately, it’s important to keep in mind that access is everything. Control the access, and you can better defend against intrusion, attack, breach and malware. ZTNA holds great promise as a solution that can do just that. It’s a cybersecurity solution that’s waiting to be implemented.
About the Author
Timothy Liu is co-founder and chief technology officer of Hillstone Networks. In his role, Mr. Liu is responsible for the company’s product strategy and technology direction, as well as global marketing and sales. Mr. Liu is a veteran of the technology and security industry with over 25 years of experience. Prior to founding Hillstone, he managed the development of VPN subsystems for ScreenOS at NetScreen Technologies, and at Juniper Networks following its NetScreen acquisition. Mr. Liu is also a co-architect of the patented Juniper Universal Access Control and holds an additional patent on Risk Scoring and Risk-Based Access Control for NGFW. In his career, Mr. Liu has served in key R&D positions at Intel, Silvan Networks, Enfashion and Convex Computer. Mr. Liu holds a Bachelor of Science from the University of Science and Technology of China and a Ph.D. from the University of Texas at Austin.
Tim can be reached online at @thetimliu and at our company website https://www.hillstonenet.com/