Why businesses should embrace the zero trust networking trend
Cyber attacks are on the rise and VPNs no longer constitute robust network security - zero trust network access (ZTNA) offers a modern, achievable security solution for businesses of all sizes
Zero trust is fast becoming the new core principle of secure networking. Amongst a backdrop of increasingly sophisticated and widespread cyber attacks, businesses of all sizes are looking to embrace zero trust as their new security mindset to boost resilience and ward off potential attackers.
The concept of zero trust can be as daunting as it is smart, however, and many organizations don’t know where to start.
The underlying principle sounds simple enough: Never trust anything or anyone by default, not even internal network devices. Only ever give users access to the data and services they really need. Putting this into practice, however, is less
For instance, zero trust requires a range of different capabilities, including continuous monitoring and validation across the entire IT infrastructure, proactive threat hunting, an ‘assume breach’ mentality, and maintaining strict access controls. Many small businesses lack the necessary resources or skills to cover all of these.
Zero trust Network Access, meanwhile, has emerged as an important subset of zero trust. Thanks to the adoption of hybrid working and hybrid infrastructures, data and users are no longer sitting behind secure firewalls.
In fact, they can be almost anywhere – and they need protecting. In a Kaseya survey conducted during the pandemic, 59% of managed service providers (MSPs) said that remote working had increased the number of ransomware attacks on their clients.
Similarly, the FBI reported a 300% increase in cybercrime during COVID-19, partly driven by employees working from home. For criminals seeking to steal the credentials of remote users, virtual private network (VPN) connections are a welcome target.
Channel Pro Newsletter
Stay up to date with the latest Channel industry news and analysis with our twice-weekly newsletter
Just one single set of compromised login details can be enough to give them the access they need to carry out a data breach.
This is because VPN technology was not designed for how it is mostly used today: as a remote working solution. Not only do VPNs create performance bottlenecks, they also dramatically increase the attack surface of an organization’s infrastructure by allowing intruders to access further network resources based on implicit trust.
To put it simply, once an attacker is inside the network, they are automatically assumed to be a trusted user and can move laterally to compromise further resources.
ZTNA is achievable
The zero trust approach is much stricter in how it enforces access controls. To start with, it treats every user or device as inherently untrusted until their identity and security posture have been reliably verified.
This includes users attempting to access resources from inside the network. Continuous identification and authentication, alongside a ‘least privileged access’ principle, are the core building blocks of a zero trust strategy.
Although implementing zero trust in its entirety remains an aspirational goal for many businesses, zero trust, Zero Trust Network Access (ZTNA) – the same principles applied to an organization’s network – is actually very achievable.
ZTNA has five key elements. They revolve around verifying users and their context, validating devices and their status, authorizing the applications used, files and data, restricting access to cloud and SaaS resources, and enforcing an organization’s security policies and controls.
All of those help ensure that only trusted entities working on secure devices are able to access the network and what’s more, that they only use the data and applications they have explicit permission to access.
The role of SASE
When it comes to implementing zero trust networking, Secure Access Service Edge (SASE) solutions can help deliver ZTNA as they blend the necessary networking and security as a service capabilities. ZTNA functionality is already an integral part of their built-in security features.
SASE’s main use case until now has been to replace VPNs in remote access scenarios, but it can do much more than that. For example, whereas VPNs expose a lot of information on the internet that could be useful for attackers, with a SASE solution, networks and resources are hidden from sight, greatly improving security.
A SASE solution only connects identified users and devices to specific resources, whether cloud or on-premise. Following the ‘least privilege’ philosophy, access is based on verifying the identity of the user, device or entity, combined with real-time context such as the device’s security posture – fulfilling the zero trust principle.
SASE also delivers next-gen firewall protection with policy enforcement and content filtering across branch offices, remote users and on-premises workers, so it allows organizations to implement those fundamental ZTNA security controls. In addition, it allows for efficient routing with traffic prioritization, which removes data bottlenecks and latency for remote traffic.
Finally, the cloud-based management of a SASE solution means fast and easy deployment, unlimited scalability and easy maintenance. This makes the ZTNA security model very achievable even for small and medium-sized businesses (SMBs).
Two-step implementation process
For organizations looking to embrace ZTNA, the first step is to put their chosen cyber security framework in place – making sure it works for their needs and achieves the right goals. Then, the principle of zero trust can be added in as an overlay. Breaking it down to the infrastructure components, the next step is to implement a ZTNA approach with the necessary policies and controls, not just for remote workers via a SASE solution, but also encompassing internal users and devices inside the network boundaries.
Ultimately, for SMBs, ZTNA is just as important as it is for enterprises. In fact, the consequences of an attack on an SMB can be even greater. In the Datto 2022 SMB Cybersecurity Report, around 70% of SMBs admitted the impact of a ransomware attack would be ‘extreme’ or ‘significant’, with nearly a fifth (17%) stating that it would be difficult for them to recover.
The same report showed that the average cost of downtime amounts to $126,000 for an SMB, including lost revenue. The key is to limit damage from any potential attack: With ZTNA, organizations benefit from greater controls, better visibility, and reduced risk.
ZTNA may initially sound confusing, but it is not complicated. Many SMBs will want to engage an MSP partner to help them implement it, however. The MSP can help define a least-privilege access strategy with suitable controls, take responsibility for 24/7 monitoring via a remote monitoring and management system (RMM) and finally, supply and manage the right verification and identification solutions.
The market is only in the early stages of adoption and awareness is growing, so ZTNA represents a huge opportunity for the channel. With the increasing number of cyber threats and breaches, businesses are prioritizing security measures, and ZTNA provides a modern and robust approach to network security.
Due to the perceived complexity of zero trust, however, many SMBs will shy away from deploying a solution by themselves. With SASE, MSPs can offer scalable, easy-to-manage solutions that will deliver ZTNA and cater to the specific requirements and budget constraints of their different clients.
For MSPs, now is a good time to start educating themselves and their clients on zero trust – and how they can make the strategy work for greater security and resiliency.
Wtih more than 15 years of experience in cybersecurity, McKie leads the security and networking solutions product marketing teams at Datto and Kaseya. Prior to joining Datto, he managed global market strategy and product marketing for FireEye’s network security product portfolio. His additional experience includes having worked at Cisco, Fortinet, MetricStream, and WatchGuard. McKie has authored numerous articles regarding compliance, cybersecurity frameworks, email security, ransomware and lateral threat detection.