Minimizing Credential-based Attacks – How ZTNA Can Reduce your Organization’s Risks
When it comes to data center security, humans are a problem. Our users often pick obvious, easy passwords and can become the weakest link in the data center’s security chain. And what, exactly, is the fallout from choosing such common and easy passwords? On average, they take less than a second to figure out. Which means hackers don’t need to hack in anymore. They log in–using stolen or weak credentials. And that is exactly what is happening. In a recent study by Identity Defined Security Alliance, 94% of survey respondents experienced a credential-based data breach. That same study found that 99% of data breaches are completely preventable.
An added wrinkle and a primary reason for this increasing trend has been the pandemic-induced shift to remote work. In 2020, all-of-a-sudden, everyone needed remote access. And VPN was what we had. But the reality is that VPN was never intended for that kind of security and simply isn’t up to the task. Let’s stop trying to stretch a tech solution beyond its intended purpose and, really, beyond its means. Yesterday’s tech shouldn’t be building tomorrow’s architecture.
So we’ve got increased risks and major increases in organizations’ attack surfaces–from all of this remote work. Fortunately, we also have a solution: Zero Trust Network Access (ZTNA). While it is a newer, emerging technology, its popularity is on the rise, with many organizations looking to implement it within the next year. It is a key component to minimizing your network’s attack surface, password dependency and overall risk.
Benefits Of ZTNA
With ZTNA, each user and device is handled individually, on a case-by-case basis. For each user, access is granted to a limited number of resources–only the apps they need. This is key. With VPN, once you’re in, you’re in–with access to a broad range of resources and complete freedom of movement on the network. This is fine if that user is a trusted employee. Significantly less fine if that user is a nefarious device operated by a hacker.
With device compliance and health already integrated, ZTNA can detect infected or compromised devices and subsequently prevent those devices from accessing an organization’s applications and data. This simply isn’t possible with VPN, since it cannot determine the status of a connecting device.
Another added perk of many ZTNA solutions is speed and ease of use. Turns out, many users really don’t like VPN–it’s slow, clunky, and frustrating. After ZTNA implementation in some organizations, user satisfaction shot up thanks to easier and more efficient access to their applications.
Trust nothing, verify everything. This is a common catchphrase associated with ZTNA and with good reason. It gets to a fundamental difference between ZTNA and VPN. ZTNA is built upon a framework of deny. Denying access is the default position which, from a security standpoint, is ideal. With VPN, on the other hand, the default position is access. Granted. Across your entire LAN. Hello, hackers, welcome, can I take your coat as you browse around? Yikes!
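To make the default-deny contrast concrete, here is an added example (not code from the original post or from any product) that models the two access decisions described above: a VPN-style check that grants the whole network on valid credentials alone, beside a ZTNA-style check that starts from deny and requires credentials, device posture and a per-app entitlement. The user names, applications and posture signals are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool          # enrolled in the organization's device management
    disk_encrypted: bool
    edr_running: bool      # endpoint protection agent reporting in


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device: Device
    app: str


# Hypothetical entitlement map: user -> set of applications they may reach.
ENTITLEMENTS = {
    "alice": {"payroll", "hr-portal"},
    "bob": {"git"},
}


def device_healthy(d: Device) -> bool:
    """Posture check: every signal must be present; a single failure denies."""
    return d.managed and d.disk_encrypted and d.edr_running


def vpn_decision(req: AccessRequest, valid_credentials: bool) -> bool:
    """VPN model: valid credentials admit the device to the whole LAN.
    No posture check and no per-app scoping, so stolen credentials are enough."""
    return valid_credentials


def ztna_decision(req: AccessRequest, valid_credentials: bool) -> tuple[bool, str]:
    """ZTNA model: default deny; the request reaches exactly one app, and only
    if credentials, device posture and the user's entitlement all pass."""
    if not valid_credentials:
        return False, "credentials rejected"
    if not device_healthy(req.device):
        return False, f"device {req.device.device_id} failed posture"
    if req.app not in ENTITLEMENTS.get(req.user, set()):
        return False, f"{req.user} is not entitled to {req.app}"
    return True, f"{req.user} -> {req.app} allowed"
```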
Key Factors for Success with ZTNA
Since ZTNA is still emerging tech, it needs a little bit of a ‘work in progress’ approach. Not every question has been answered. Not every T has been crossed or I dotted. If you are considering ZTNA, here are some tips for deployment:
- Assess First – Since the whole point of ZTNA is to create customized access pathways for different users, you need to know your organization’s usage before you start. Map out a thorough understanding of all the relationships between users and applications. You’re gonna need that map when you are crafting policies and making access decisions during implementation.
- Get Buy-in – Remember, it’s the humans you need to get on board here–both leadership and users. Starting with a user focus group as part of your planning and implementation process will lead to more buy-in and higher adoption rates.
- Get Granular – Define user-specific guidelines. Unlike VPNs, you don’t have to give users access to everything (or anything!). So, take time to develop and define specific-use cases.
- Eliminate Entitlements – Once you’ve got a solid handle on how different applications are being used, systematically review, remove and clean up any residual application access privileges. Again, the advantage of ZTNA is that you can get super granular with everything. Best to start with the cleanest, clearest guidelines that you can.
- Go Best-of-Breed – Your ZTNA solution must be resilient, able to function across disruptions, unintentional decay, and malicious actions. Look for solutions that gather deep visibility across all parts of your network, data, and applications. Choose a solution that conforms with the National Institute of Standards and Technology (NIST) Zero Trust Architecture, which will ensure that policies are being enforced directly at the endpoint.
- Continuously Refine – This process is going to be more like a journey, so tweak things as needed. After initial implementation, do regularly scheduled audits (quarterly, for example). Incorporate feedback and refine access policies on an ongoing basis.
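The "Assess First", "Eliminate Entitlements" and "Continuously Refine" steps above amount to one recurring job: compare what users are entitled to against what they actually use, and remove what sits idle. This added example (not code from the original post or from any ZTNA product) does that review over a constructed access log; the log format, user names, applications and 30-day window are assumptions for illustration.

```python
from __future__ import annotations
from datetime import datetime, timedelta

# Constructed access log (hypothetical format): ISO timestamp, user, application.
ACCESS_LOG = """\
2024-03-01T09:12:00 alice payroll
2024-03-02T10:03:00 alice payroll
2024-02-15T14:20:00 bob git
2024-01-04T08:00:00 carol hr-portal
"""

# Hypothetical current grants: user -> applications the user is entitled to reach.
GRANTS = {
    "alice": {"payroll", "hr-portal"},
    "bob": {"git", "payroll"},
    "carol": {"hr-portal"},
}


def parse_log(text: str) -> dict[tuple[str, str], datetime]:
    """Return the most recent access time observed for each (user, app) pair."""
    last_seen: dict[tuple[str, str], datetime] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, app = line.split()
        when = datetime.fromisoformat(ts)
        key = (user, app)
        if key not in last_seen or when > last_seen[key]:
            last_seen[key] = when
    return last_seen


def review_entitlements(grants: dict[str, set[str]], log_text: str,
                        as_of: str, max_idle_days: int = 30) -> list[tuple[str, str]]:
    """List grants with no observed use inside the window, as removal candidates.
    A grant never seen in the log is stale by definition (default deny, not keep)."""
    last_seen = parse_log(log_text)
    cutoff = datetime.fromisoformat(as_of) - timedelta(days=max_idle_days)
    stale = []
    for user, apps in grants.items():
        for app in sorted(apps):
            seen = last_seen.get((user, app))
            if seen is None or seen < cutoff:
                stale.append((user, app))
    return sorted(stale)
```

Run this as the quarterly audit the post recommends: each returned pair is an entitlement to revoke or justify, and a shrinking list over time is the measurable sign the access map is converging on least privilege.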
ZTNA Planning Questions to Consider
With ZTNA, it is entirely possible to get into the weeds: the more refined and specific your policies become, the more there is to maintain. Customization requires time, effort, and management, so you need to balance the risk you are willing to accept against the effort needed to keep up with the system. It’s important to think carefully and consider the following questions:
- How much access is sufficient?
- What does each department need to access?
- How much risk can you tolerate?
- How much overhead can you manage to achieve that level of risk?
Ultimately, you need to protect your data across your organization’s entire network, regardless of where your users are. ZTNA is one tool in the toolbox that helps you minimize your organization’s attack surface. It’s not a perfect solution but it gets a little closer to successfully wrangling those human errors–or at the very least corralling them into a tiny corner where they can’t do much (or any) damage. And the next step, naturally, is to look beyond ZTNA. To take that zero trust mindset beyond your network to your organization’s next vulnerable puzzle pieces… like the data center. For more questions on ZTNA or Zero Trust, contact us.
Written by Matt Burch, Vice President of ComportSecure