Zero Trust Networks
Cybercrime is on the rise, driven by dramatic increases in both random and targeted attacks. Damages are predicted to cost up to $10.5 trillion annually by 2025. Threats continue to grow in complexity and scale, impacting businesses, essential services, and individuals. Criminals exploit vulnerabilities to steal passwords, data, or money. Common cyber threats include hacking, phishing, malware, and DDoS attacks. The effects include financial loss, disruption of business continuity, reduced productivity, damage to reputation, and legal liability. In response, Zero Trust Networking Access is emerging as a powerful mechanism to bolster organizational security.
Zero Trust Networking Access (ZTNA) uses clearly defined access control policies to enable secure remote access to an organization’s applications, data, and services. It contrasts sharply with the traditional VPN model of assuming that everything in a corporate network can be trusted. Instead, its mantra is “never trust, always verify.” ZTNA does not grant immediate or ongoing trust to any user. It only grants access to specific services or applications, unlike the way VPNs grant access to an entire network. By default, no one is trusted inside or outside the network.
With zero trust, networks are built around “microperimeters,” with each perimeter having its own authentication requirements, greatly reducing an organization’s attack surface. This segmentation reduces performance bottlenecks and simplifies management. In an era of BYOD, zero trust helps prevent unpatched or vulnerable devices from connecting to corporate services. Organizations can manage dispersed infrastructure and grant approved users specific privileges to address specific needs for a limited time. In addition to securing apps & data, organizations can gain more visibility into user activity.
Helpful Hints for Zero Trust Networking
Putting Zero Trust into practical use is sometimes seen as a daunting task. Like most technology projects, you need to plan ahead, then you can implement over time to reach a total solution. Here are some helpful hints…
- Instead of thinking in terms of network-level access, think of application-level access.
- Rather than having one global perimeter that controls access, give each service & application its own dedicated perimeter in your network. Move security as close as possible to your data.
- Access can be either endpoint initiated or service-initiated — segmentation secures machine-to-machine or process-to-process interactions at a granular level.
- Grant the least amount of privilege and access possible without hampering a user’s ability to complete tasks. Grant access to resources on a case-by-case basis to support only what is necessary.
- Enable device access control to support Bring Your Own Device (BYOD) policies on your own terms. You can whitelist devices you have already identified and verified, and limit access based on user roles and tasks.
- Use continuous trust verification throughout the session, applied sparingly enough that it does not burden the user. Re-authentication may become necessary when a malicious or anomalous event occurs.
- Multi-factor authentication (MFA) requires an additional form of verification, reducing an intruder's ability to access your organization’s resources using stolen credentials (sign-in name/password). The most common form of MFA is Two-Factor Authentication (2FA), which requires an additional factor of authentication (e.g., hardware tokens, codes, biometrics, time, or location).
How to Build Your Zero Trust Network
Identify Users & Devices
Users and devices need to be verified. You’ll use your list to set up multi-factor authentication for users, and ensure only compliant devices can access corporate resources.
Identify Your Assets
Inventory your assets to determine their vulnerability. Identify environments of proprietary data and intellectual property.
Map User Workflows
Catalog who accesses organization assets, what access should be granted, and when they need access.
Based on the above assessments, set up authentication policies for each perimeter using attributes such as user, device, location, time, and MFA status. If possible, automate your verification processes.
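As an added illustration (not code from the original article or from any vendor product), the per-application policy check below ties together the hints above and the build steps just listed: each application perimeter carries its own policy over role, device compliance, MFA, allowed hours, and allowed locations, unknown applications are denied by default, and every failing check is reported so the decision can be audited. The applications, roles, and request attributes are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample policy model: one policy per application perimeter,
# evaluated on every request rather than once at network entry.

@dataclass(frozen=True)
class Policy:
    roles: frozenset                     # roles allowed to reach this application
    require_compliant_device: bool = True
    require_mfa: bool = False
    hours: tuple = (0, 23)               # allowed hours of day, inclusive
    locations: frozenset = frozenset()   # empty set means any location

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    device_compliant: bool
    mfa_verified: bool
    hour: int                            # hour of day the request arrives
    location: str

# Constructed perimeters: payroll is tightly controlled, the wiki less so.
PERIMETERS = {
    "payroll": Policy(roles=frozenset({"finance"}), require_mfa=True,
                      hours=(8, 18), locations=frozenset({"HQ"})),
    "wiki": Policy(roles=frozenset({"finance", "engineering"}),
                   require_compliant_device=False),
}

def evaluate(app: str, req: Request):
    """Return (allowed, reasons). Every failed check is listed, not just the first."""
    policy = PERIMETERS.get(app)
    if policy is None:
        return False, ["unknown application: default deny"]
    reasons = []
    if req.role not in policy.roles:
        reasons.append("role not permitted")
    if policy.require_compliant_device and not req.device_compliant:
        reasons.append("device not compliant")
    if policy.require_mfa and not req.mfa_verified:
        reasons.append("mfa required")
    start, end = policy.hours
    if not start <= req.hour <= end:
        reasons.append("outside allowed hours")
    if policy.locations and req.location not in policy.locations:
        reasons.append("location not allowed")
    return (not reasons), reasons
```

Because the check is cheap and stateless, it can be re-run during a session (for instance when device compliance changes) rather than only at login.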
Implementing Zero Trust Networks
Organizations today have numerous, diverse endpoints accessing data, which opens a massive attack surface. Traditionally, perimeters have been secured by verifying user identity the first time a user or device connects. Unfortunately, once an intruder gains access, they have ample opportunity to find the crown jewels. Zero Trust offers a more secure way to connect users, applications, and data, even in complex multi-cloud environments where microservices and modern application architectures can reside on multiple clouds as well as on-premises. ZTNA relies on authenticating identity, verifying trusted devices, and strictly limiting endpoint access to protect sensitive data. As an AWS partner, we understand that implementing ZTNA is no simple task, but the upside is significant. Securing your sensitive data as your cloud footprint expands is not optional; it is essential.