What Is Zero Trust Network Access?
Zero Trust Network Access describes a security solution where no access can be granted to any user or application, unless they’ve been verified.
**Disclaimer** In the absence of a clearly defined “industry standard,” any introduction to the principles of Zero Trust Network Access (ZTNA) should be read with the understanding that products and services may differ, depending on the vendor who provides them. Some vendors use a fair amount of artistic license – so read the small print (or use Lightyear to procure the perfect solution).
Zero Trust Network Access (ZTNA) describes a network security solution and policies based on one simple, clear principle: in zero-trust architectures, no access can be granted to any user or application, unless they’ve been verified. And even when they’ve passed the security checks, access and movement through the network is strictly controlled and monitored. User permissions are granted only for the network areas relevant to the role of the user.
So, how did we get here? When did we lose our trust? Let’s chart the evolution of enterprise network security to see how the need for zero-trust architectures arose.
The Road to Zero Trust
Originally, enterprise network design assumed that users would be physically routed into the network, working at the same location that housed all the company’s applications and servers.
In these scenarios, the employee comes to work and logs into their machine. They’ll need a password to access the network, and further passwords to access certain applications on the network. But once they’ve logged onto the network domain, they can reach any individual application or server and see its login page before being challenged for credentials.
Traffic across the network isn’t inspected – which means that if a device, server, or application is compromised, the infection can move laterally through the network with ease.
Enterprise networks evolved to include multiple locations. This was achieved in a few ways, one of the most common being Virtual Private Networks or VPNs. This kind of topology is still in use today and forms the basis of many sophisticated solutions such as SD-WAN.
In the classic VPN setup, a firewall is used at each site, creating a secure connection through which users can log into the corporate network. This, along with the user’s IP address, is considered sufficient to authenticate the user.
As in Phase 1 (the single-site design above), once the user is logged onto the network, they can reach all the applications on the network (even if a password is required to access and use those applications).
As hybrid working became more entrenched, users working from home needed to be securely folded into the corporate network architecture.
This resulted in “Phase 3” (not really a period, per se – these phases represent progressively complicated topologies). Phase 3 introduced VPN architecture at the user device end.
Users take a “work computer” home with a VPN client installed on it. The VPN client terminates to a firewall or a VPN concentrator (or a device serving both functions).
This adds an additional layer of security to the Phase 2 design. The VPN typically uses IP space from the corporate network, often pushed out to a subnet dedicated to VPN clients.
But crucially, once the user has accessed the corporate network using their VPN client from a trusted IP, they can access and log into any of the applications and corporate resources.
So, still not exactly zero trust, more of a “who goes there?”
Further network security complications were added with the rise of cloud services.
Cloud services are valuable to organizations looking to reduce their Capex. They’re also a flexible way to ensure your applications and resources continue to meet your growing needs, scaling with the business.
The initial model for cloud service-dependent network design involves backhauling the cloud traffic through the corporate servers. Users at other locations join the network domain via the firewall, and then access the cloud services in the same way they access other applications and resources on the network.
In Phase 5, the changes brought by distributed workforces and cloud services in Phases 3 and 4 reach maturity. For many, work is no longer considered a physical place – for an increasing number of workers, work is now a set of activities to complete in the location of your choosing.
Teams are distributed across continents. Applications are still accessed via corporate servers but are now largely cloud-based and obtained as Software-as-a-Service (SaaS) products.
Corporate IT teams working in a Phase 5 model face some hefty cybersecurity challenges, due to the fluid requirements of the distributed network.
Choosing the right cybersecurity provision is a bit of a headache – there’s often a difficult choice to be made, between the convenience and simplicity of a vendor-provided “all-in-one” security suite, or the high performance and additional features of a market-leading, “best in breed” solution.
Both choices come with a downside – an “all-in-one” may not provide the level of performance of a premium product, resulting in a lower standard of security across the whole network.
And conversely, the “best in breed” is likely to be narrowly focused on one or two aspects of your network or may not integrate perfectly with other security solutions being used – leaving gaps and vulnerabilities.
This is the landscape, and these are the challenges that zero-trust architecture seeks to address.
Saddled with the task of protecting a nomadic workforce accessing a variety of cloud services in an increasingly hostile digital environment, cybersecurity professionals and IT teams need to find ways of simplifying and reducing the number of possible threat vectors they face. They’re also looking for ways to provide consistent security policies that can be applied throughout the network.
Enter zero trust. ZTNA works by creating security checks at every single endpoint – that’s every user, every device, every server, every cloud app… you get the idea. Client software installed at each endpoint interacts with a distributed security tool called a Trust Broker.
How A Trust Broker Works
The Trust Broker assesses traffic against three distinct characteristics – identity, context, and security.
Identity is assessed using multi-factor authentication – as well as entering password information, users are required to validate their access request via a separate channel (such as an SMS message, email, or dedicated verification app). Even after the user has been verified, the Trust Broker will continue to verify the user against available data, while granting them access.
Context is provided by a set of “least privilege” rules, which treat all network elements as being off-limits unless the user is given explicit authorization, element by element. Without that authorization, a user won’t even be able to access a login page – on the version of the network they can see, those applications and elements just don’t exist. This reduces the attack surface and minimizes the risk of lateral movement of infection.
Security assessment focuses on the user’s device. The Trust Broker runs checks on the endpoint, making sure that the firewall is enabled and up to date, that patches are current, and that the device’s IP address is valid.
Once the device has been deemed safe, access is granted, but the Trust Broker continues to dynamically assess the device security in real time. If the device status alters – for example, if the user turned off their firewall mid-session – then the Trust Broker will boot them out of the network.
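To make the three checks concrete, here is an added example (not Lightyear’s or any vendor’s code) sketching a Trust Broker’s decision logic in Python: identity (MFA), context (a per-role allow-list, so unauthorized resources are simply not visible), device security (posture), plus the continuous re-check that revokes a session when posture changes mid-session. The role names, patch levels and address ranges are constructed for the example.

```python
from dataclasses import dataclass

# Least-privilege rules (constructed): each role sees only the resources listed here.
ROLE_RESOURCES = {
    "finance": {"erp", "payroll"},
    "engineer": {"git", "ci"},
}
MIN_PATCH = 42                      # assumed minimum patch level for this example
TRUSTED_NETS = ("10.", "192.168.")  # assumed expected address ranges for managed devices

@dataclass
class Device:
    firewall_on: bool
    patch_level: int
    ip: str

@dataclass
class Request:
    user: str
    role: str
    mfa_verified: bool   # second-factor challenge (SMS, email, app) already passed
    device: Device
    resource: str

def visible_resources(role: str) -> set:
    """Context: everything outside the role's allow-list does not exist for this user."""
    return set(ROLE_RESOURCES.get(role, set()))

def device_is_healthy(d: Device) -> bool:
    """Security: posture the broker inspects before and during the session."""
    return d.firewall_on and d.patch_level >= MIN_PATCH and d.ip.startswith(TRUSTED_NETS)

def broker_decision(req: Request) -> str:
    """Return 'allow' or 'deny:<check>'; deny is the default, and checks run in order."""
    if not req.mfa_verified:
        return "deny:identity"
    if req.resource not in visible_resources(req.role):
        return "deny:context"
    if not device_is_healthy(req.device):
        return "deny:security"
    return "allow"

def run_session(req: Request, posture_updates) -> list:
    """Continuous assessment: re-check posture on every update; revoke on the first failure."""
    log = [broker_decision(req)]
    if log[0] != "allow":
        return log
    for update in posture_updates:
        req.device = update
        if not device_is_healthy(update):
            log.append("revoke:security")   # e.g. user turned the firewall off mid-session
            break
        log.append("allow")
    return log
```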
The zero-trust principle (and the technology that makes it possible) will put you well on your way to a far more defensible enterprise network.
If you’re looking for the best way to meet cybersecurity challenges across your distributed network, Lightyear can help. Our platform allows you to navigate your options with ease and find the solution that exactly matches your need. If you want zero trust, put your faith in us.