Conventional security architectures today offer company data inadequate protection against unauthorised access. Zero Trust Network Access (ZTNA) shows you how your data can be kept secure in the future.
Text: Egon Steinkasserer and Patrick Strasser,
Fortifications and walls have always played an important role in protecting particular areas. Modern IT security architectures are often based on the same approaches that the Romans followed with Hadrian’s Wall and the Chinese with the Great Wall – seal off areas to control access. However, Greek mythology taught us that even the strongest walls offer no protection against a Trojan horse in the city.
In relation to computer networks, the term “perimeter” to denote the outline; i.e. the border. The architectural concept – perimeter security – is based on the principle that the perimeter is protected against attacks from the outside. All entities (computers, software, people, sensors, etc.) within the perimeter trust each other. Therefore, no special precautions are taken for mutual protection.
However, threats now increasingly come from within the perimeter. Individual clients can be infected with malware by attackers; for example, while visiting a website or opening an email attachment. The target of viruses or trojans is typically not the initially infected computer but other more valuable systems, such as database servers or fileservers on the network.
A traditional firewall protects a network only from external threats, like a wall, but cannot protect it against internal attacks. Weak security mechanisms within a perimeter allow attackers to move freely, infiltrate and take control of other computers with extended access rights, and thus penetrate to the company’s most sensitive data. In security jargon, this is referred to as a “lateral movement”.
Company data and applications are increasingly accessed via various devices from outside the company network or anywhere else (on the move or in the home office). In addition, for various reasons (profitability, scalability, etc.), it makes sense for many companies to move applications and data to the public cloud; i.e. outside the traditional perimeter. The need to digitise and simplify interactions and processes with partners and other companies is another driver. In this case, too, the users and systems are outside the company perimeter.
These aspects mean that the traditional network perimeter, and thus perimeter protection, is becoming less important. If the “boundaries" of the company can no longer be defined easily, then the perimeter can no longer be defined and protected clearly.
Changed user behaviour means that data traffic is also shifting. The past was dominated by access to servers and services on the local company network. Access to the internet was the exception. Accordingly, data traffic was divided into 80% local company network (the intranet) and 20% internet. Today, sometimes 90% or more is generated on the internet. Centralising all data traffic via the company headquarters infrastructure in order to control it now makes less sense, since users, data and applications are increasingly located outside the company network (see figure below).
The use of SaaS (Software as a Service) implies that data traffic is decentralised, making it difficult to control. In the past, bandwidth and access speed on a corporate network were almost always better than on the internet. The nationwide provision of broadband internet for all households in Switzerland (at up to 10 Gbit/s) and on the go (with 5G+ up to 2 Gbit/s) is changing this.
Change in data flows and network architecture (source: Swisscom)
In addition, connections protected with the help of a virtual private network (VPN) often meet current security requirements only to a very limited extent. The goal of end-user VPNs is to establish a secure connection from an end device via an insecure network (internet) to the (supposedly secure) company network. This is ensured on the end device side by installed software (the VPN client), which encrypts data traffic, and on the company side by a corresponding VPN gateway, which decrypts the data again.
Conventional VPNs are based on a perimeter security architecture. The “barn door” to the company network is usually opened completely with the help of an activated VPN, just as if the client were physically located within a company site. Due to the mostly unrestricted access rights of the possibly infected client, attacks can take place barrier-free on many attractive targets in the same network. Unfortunately, to avoid the associated complexity, many installations do not use all the options for restricting access that are available for end-user VPNs.
In addition, VPN solutions often allow only limited transparency on user access. Only connections via the VPN tunnel or internet access at the company location are visible. All other access to SaaS solutions or cloud applications via any internet connection usually remains invisible to the company for performance reasons.
New security concepts are thus necessary to protect the use of data and applications, enable access to company data from anywhere and to meet the current threat situation in cyberspace.
What is the solution if on one hand the perimeter no longer offers sufficient protection, and on the other access no longer occurs via the supposedly secure company network? The answer is – do not trust anyone and verify all connections permanently. This is exactly the principle on which Zero Trust Network Access (ZTNA) is based.
In a crowd of unknown people, there is no mutual (implicit) trust (source: unsplash.com)
As a comparison, imagine the network as a very busy public street in a city with many unknown people (see Figure above). In this environment, we hand over confidential information only to someone we know beyond doubt, who we expect to meet in this place and whose behaviour we classify as trustworthy. It’s also advisable for the information exchange to take place in such a way that the content is not visible to other uninvolved people. It’s also implicitly clear that only the necessary information is transferred (data minimisation).
ZTNA is based on these same principles:
All devices, accounts or services, regardless of where in the network or in which subnet, are untrustworthy. Every connection between users, services and devices must be authenticated mutually (unambiguous identity) and authorised dynamically (legitimacy and risk profile of the access). Since every network or network element is assumed to be untrustworthy, every type of data traffic must be encrypted, regardless of whether it occurs via a public or a private network. Data access is authorised only for the minimum amount of resources or defined according to privileges. Each access must be checked continuously using the Kipling method for who wants access to what, when, from where, why and how.
Compared with perimeter architecture, in which authorisation takes place at the network level for an entire subnet and is based mostly only on IP addresses (and sometimes also MAC addresses), the attack area and the effects of an attack can be reduced dramatically using ZTNA.
ZTNA implies that authentication and authorisation take place constantly. However, this does not mean that users have to authenticate themselves manually all the time. In addition, as much contextual information as possible is included with each access. Examples include:
Access is granted only if all dynamically determined contextual information is within the prescribed parameters. Automatically calculated target parameters can also be compared with the current contextual information with the help of machine learning. This data-centric approach makes it significantly more difficult for attackers to achieve their malicious aims.
The limited performance or scalability of conventional end-user VPN solutions mean that employees may have to activate the VPN service selectively, but also deactivate it again (e.g. for video conferences, streaming, access to larger files stored in the cloud). This depends on whether they want to access resources in the company network or on the internet. This is far from beneficial to user-friendliness and productivity, since the establishment of the VPN tunnel is usually associated with a new login, an initialisation phase and thus an interruption to work.
With ZTNA, end-user VPNs largely become a thing of the past, as all connections are encrypted anyway and resources are accessed directly. Secure access to company resources takes place in the background, without user interaction and independent of the location. It’s therefore advisable to gradually replace end-user VPNs with ZTNA and additional technology (e.g. Cloud Access Security Broker, Threat Detection and Response, etc.).
However, ZTNA is much more than just the successor to VPN – not only can communication between users and applications be secured, but also communication between different servers or services (e.g. with identity-based segmentation to enable a Service Mesh).
Another aspect of security and simplicity concerns access control and administration of access policies. Today, users often have to contend with different logins and authentication methods for different resources (company applications, SaaS solutions, etc.). Centralisation of access control (single sign-on) using directory services, access policies and inventories can greatly enhance the user experience and security. Multifactor authentication (MFA), such as Mobile ID, further increases security and is now a minimum requirement.
Since users rarely have to authenticate themselves again with such solutions, multifactor authentication does not lead to any loss of productivity. Cryptographically secured strong authentication methods can further offer users a consistent experience, regardless of the device or service used.
ZTNA represents a paradigm shift in how access to data and applications is granted. The approach includes mutual authentication of all users, devices and services, control of individual access and behaviour monitoring for anomalies. ZTNA also allows more rapid implementation of IT landscape changes and sustainable improvements to the user experience.
Even the thickest and highest walls are useless if the enemy is already inside the castle (source: Wikipedia)
Although the foundations for zero trust were laid back in 2003 in the Jericho Forum and several companies have implemented such large-scale projects successfully since then, adoption is still shockingly low across the board. Too many companies fool themselves with a perceived sense of security while still using outdated best practices.
The dangers of cyberspace are increasing constantly, as shown for example in the current Swisscom Cybersecurity Report on the threat situation in Switzerland. Swiss companies are also increasingly affected by ransomware attacks (extortionary trojans), as you can read in the latest MELANI half-yearly report from the National Centre for Cybersecurity. The majority of attacks take place indirectly via mobile users or decentralised locations. The National Institute of Standards and Technology (USA) has also recognised the need for a new security architecture, which is why the standardisation of zero trust was started in order to simplify use of the new capability.
The security guidelines for products and services that have been in force at Swisscom for many years take into account and promote the basic principles of ZTNA. We recommend that all companies become familiar with modern security concepts, in particular the topic of zero trust. In a first step, all user access to systems or company resources, which usually represent the greatest risk, should be secured with ZTNA (and MFA). In a second step, access between systems and services should be protected according to zero trust principles. In many cases, costs can also be reduced since manual administration of often thousands of firewall rules is no longer necessary and network complexity can be reduced massively.
Let’s look back at history and specifically at Greece. The millennia-old knowledge from Homer’s Iliad (the Trojan War) can now also be implemented in network security. Even the thickest and tallest walls are useless if the enemy is already inside the castle – trust no one and check everyone!
In Technology Insights, the Swisscom B2B CTO Office regularly reports and comments on current issues from the world of technology and innovation, demonstrates their importance for Swisscom customers and highlights relevant offers.
More on the topic: