Zero-Trust Network Access: Why so Many Teams Get it Wrong

With ransomware attacks doubling over the past two years, security teams are hyper-focused on identifying and addressing vulnerabilities in their environment. For many, this means implementing zero-trust strategies that control access while minimizing friction for authorized users. But are they doing enough to protect their networks?

For some industry observers, the answer is a clear no. Gartner has predicted that just 10% of large enterprises will have a mature, measurable zero-trust program by 2026. While many organizations have bought into the concept and “checked the zero-trust box,” their implementation of those principles leaves much to be desired.

Zero-trust encompasses a variety of technologies, from strong identity systems to microsegmentation. But one of these pillars — zero-trust network access (ZTNA) — is the easiest to implement and the one most organizations are getting wrong.

Falling Short of ZTNA’s Potential

To understand what they’re missing, remember that ZTNA is designed to address the vulnerabilities common to virtual private networks (VPNs). Generally speaking, VPNs provide a single “gate” that allows access to the entire network when a user passes through. ZTNA, on the other hand, is designed to give users access only to those network resources they are authorized to access based on their functional needs. A user in the finance department shouldn’t be able to access critical DevOps or legal systems. This is key to achieving the zero-trust goal of minimizing the cyberthreat surface.

But that’s often not what happens. Instead, many organizations set up ZTNA systems and proxies but then give authenticated users complete access to the network. Without tailoring access controls based on user functions, the “zero-trust” implementation is just replacing like with like, offering no measurable advantage over a VPN.

Lackluster Identity Management

This is perhaps understandable. The InfoSec or network ops teams implementing zero-trust controls are not the application owners and so have little insight into who needs access to what. A lot of cross-functional conversations may be needed to figure that out. Another factor hampering effective access permission-setting is poor group hygiene and identity management, especially in large, mature enterprises. Over decades, user groups may have evolved to address a variety of reasons — such as what floor they reside on in a building — that have no relation to their functions or which applications they use.

Given these complexities, it’s unsurprising that many organizations skip the granular policy-setting necessary to achieve ZTNA’s security potential. Getting those access permissions wrong can create problems, with users unable to access what they need to do their work. No network ops manager wants to get that call!

So what can organizations do to improve their security posture in the real world? How can they implement ZTNA at scale in realistic and achievable ways?

Fixing the Problem

First, it’s important to give InfoSec teams the time and breathing room to get permissions right. It might take months or a year, doing a little every week. This will move the needle in the right direction over time.

To limit risk throughout this process, alert network management teams when group members access a non-permissioned resource instead of blocking access. Examining these alert patterns over time enables network managers to identify if a particular group needs permitted access to that resource.

Another effective strategy is to democratize the process of identity control instead of relying on InfoSec to make these determinations at scale. Using identity governance administration (IGA) principles, organizations can distribute responsibility for defining access permissions to the business leaders with knowledge of who needs access to which resources. Distributing control of identity enables rapid, wide-scale fixing of this otherwise complex task.

Because change is a constant in enterprises, regular auditing of which groups have access to which resources also makes sense. Perhaps twice a year, InfoSec teams can select a sampling of groups and analyze what they actually access, comparing these patterns against all the resources they are permitted to access. If a group uses only a portion of what it is permitted to access, the unused permissions may represent a large threat surface. Right-sizing those access permissions to match the group’s work requirements is a key step toward eliminating that potential vulnerability.
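The two practices above, alerting rather than blocking during rollout and periodically comparing what a group is permitted to access against what it actually uses, as an added illustration that is not part of the article. The group names, resources and access log are constructed, and the policy structure is a hypothetical stand-in for a ZTNA policy store.

```python
# Added example (not from the article): a ZTNA policy in "alert, don't block"
# mode plus the periodic right-sizing audit the article describes.
# Groups, resources and log lines below are constructed for illustration.
from collections import defaultdict

# Hypothetical group -> permitted resource policy
POLICY = {
    "finance": {"erp", "expense-portal", "payroll"},
    "devops": {"ci-server", "k8s-api", "erp"},
}

# Constructed access log: (group, resource) pairs seen by the ZTNA proxy
ACCESS_LOG = [
    ("finance", "erp"), ("finance", "erp"), ("finance", "expense-portal"),
    ("finance", "k8s-api"), ("finance", "k8s-api"),
    ("devops", "ci-server"), ("devops", "k8s-api"), ("devops", "k8s-api"),
]

def evaluate(group, resource, enforce=False):
    """Return the ZTNA decision for one request.
    In monitor mode (enforce=False) a non-permitted request is allowed but
    flagged as 'alert' so policy gaps surface without blocking users."""
    permitted = resource in POLICY.get(group, set())
    if permitted:
        return "allow"
    return "deny" if enforce else "alert"

def audit(log, policy, min_hits=2):
    """Compare what each group actually accessed with what it is permitted to.
    Returns per group: unused permissions (excess threat surface to trim) and
    non-permitted resources hit at least min_hits times (candidate grants)."""
    seen = defaultdict(lambda: defaultdict(int))
    for group, resource in log:
        seen[group][resource] += 1
    report = {}
    for group, permitted in policy.items():
        accessed = set(seen[group])
        report[group] = {
            "unused": sorted(permitted - accessed),
            "candidate_grants": sorted(r for r, n in seen[group].items()
                                       if r not in permitted and n >= min_hits),
        }
    return report

if __name__ == "__main__":
    for group, resource in ACCESS_LOG:
        print(group, resource, evaluate(group, resource))
    print(audit(ACCESS_LOG, POLICY))
```

Repeated alerts for one group on one resource point to a grant worth discussing with the application owner, while an unused permission is a candidate for removal.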

Stay Focused on the Goal

A larger point is that ZTNA is not a “one-and-done” proposition. It requires ongoing attention to ensure the correct permissions remain in place as the environment and user groups evolve. This is one of the ways ZTNA is very different from a VPN: it requires a modest amount of work on an ongoing basis. However, the potential security benefit of a properly configured and managed ZTNA strategy is immense. After all, what’s the cost of a breach to your business and its reputation?

It’s also important to view ZTNA in the context of a comprehensive zero-trust strategy. ZTNA complements things like micro-segmentation, which is focused on managing device-to-device interactions rather than human access interactions. Covering both bases is critical.

Cybercriminals continue to develop new attack strategies for a simple reason: They effectively overcome the access control measures many organizations have in place. Given the growing threat, devoting the time and attention to getting ZTNA right should be a priority for any enterprise serious about protecting its data, customers and reputation.

Charlie Gero

Charlie Gero is a VP & CTO of the Enterprise Division at Akamai and also leads the Advanced Projects Group. He currently focuses on bleeding-edge research in the areas of security, applied mathematics, cryptography, and distributed algorithms in order to build the next generation of technologies that will protect Akamai's growing customer base. Through his research at Akamai, he has secured nearly 30 patents in cryptography, compression, performant network systems, real-time media distribution, and more, and has degrees in both Physics and Computer Science. He has been at Akamai for nearly 15 years, having previously founded a startup and served in key computer science positions in the pharmaceutical and networking industries.