The greatest threat to zero trust is not ransomware or advanced persistent threats; it is marketing. Technology marketing tends to overuse buzzwords until they lose their meaning; take the predominance of “artificial intelligence” solutions, for example. Thanks to the self-aggrandizing behavior of cybersecurity marketing, zero trust is one of the most egregious victims.
According to the National Institute of Standards and Technology (NIST), in a modern zero trust architecture (ZTA), the focus is on protecting “resources (assets, services, workflows, network accounts, etc.), not network segments, as the network location is no longer seen as the prime component to the security posture of the resource.”
Zero trust finally came to a boil in 2020, when organizations had to quickly implement remote work policies to adapt to a new normal. Unfortunately, many of these organizations chose to use VPNs or (even worse) RDP connections to facilitate remote work, which have been and continue to be easily exploited in ransomware attacks.
Consequently, zero trust network access (ZTNA) emerged as a solution to securely enable remote work. As the need for these solutions grew, so did the marketing claims made by the vendors selling them. Unfortunately, many organizations are now under the misconception that ZTNA is equivalent to ZTA, perhaps in part because of their similar acronyms. Adding to the confusion, zero trust networking (abbreviated ZTN, yet another similar acronym), which may be implemented in part with ZTNA, is itself just one pillar of an overall ZTA. The industry is drowning in alphabet soup.
There is no such thing as a “magic bullet” for realizing a ZTA, but that has not stopped cybersecurity vendors from trying to sell themselves as such. For example, take ZTNA.
ZTNA is a point solution
Consider the physical security at a casino. A bouncer at the door checks IDs, but once a guest enters, they continue to be monitored by security teams that can review surveillance footage for signs of suspicious behavior. A ZTNA solution is like a bouncer deciding who should enter but lacks continuous monitoring to maintain security.
ZTNA is often conflated with a ZTN solution, but once access has been granted to a resource, it offers no further visibility into or control over the network. In fact, ZTNA implementations risk exposing the enterprise network to remote connections. If an attacker compromises a machine that has already been admitted by ZTNA, they could leverage that access to move laterally around the network while appearing to be a trustworthy user.
Furthermore, ZTNA is a remote access solution that relies on installing and maintaining software agents to be effective. This requirement leads it to fall short when protecting the complex landscape of the Internet of Things (IoT) and operational technology (OT) devices.
Another critical issue related to ZTNA is its heavy reliance on decrypting endpoint traffic. This practice, although common, is facing newfound challenges in the face of complex new encryption techniques. The promise of quantum encryption has the potential to render ZTNA obsolete.
ZTNA does not equal zero trust
Education is the only way to counter the spurious marketing claims about ZTA, ZTN and ZTNA. The easiest way to understand the relationship between these terms is in their hierarchy. Zero trust networking is just one pillar of zero trust. According to the Cybersecurity and Infrastructure Security Agency’s (CISA) Zero Trust Maturity Model, the five pillars of zero trust are identity, device, network/environment, application workload and data.
Likewise, zero trust network access only addresses part of the requirements within the context of zero trust networking. The requirements of zero trust networking include:
- Authentication and authorization — Users and devices seeking network access must first prove their identity through robust authentication processes. Authorization ensures the authenticated user or device has the appropriate permissions to access specific resources.
- Least privilege access — Users or devices should only be allowed access to the specific resources deemed essential for their designated tasks, minimizing the potential attack surface and limiting unauthorized lateral movement.
- Continuous risk assessment — Access is based on real-time evaluation of the user’s identity and behavioral analytics, considering their risk and risk tolerances of the organization to dynamically enforce policy.
There are many solutions that organizations can implement to help achieve these requirements, such as multi-factor authentication (MFA) and identity and access management (IAM) solutions that enhance and enforce authentication and authorization policies. Network segmentation can isolate and control access to critical resources. Network monitoring solutions can provide behavioral analytics to detect deviations from typical patterns.
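To make the three requirements concrete, here is a small policy engine, added as an illustration and not code from the article or from any vendor product. It assumes constructed entitlement, device-posture and risk-signal data; the point is the difference between a one-time admission decision (the bouncer) and continuous re-evaluation that revokes a session once the organization's risk tolerance is exceeded.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data for illustration only; not from any real deployment.
ENTITLEMENTS = {"alice": {"hr-portal"}, "bob": {"hr-portal", "finance-db"}}
HEALTHY_DEVICES = {"laptop-01", "laptop-02"}
RISK_TOLERANCE = 0.6  # hypothetical organizational risk tolerance
SIGNAL_WEIGHTS = {"new_geo": 0.3, "off_hours": 0.2, "lateral_scan": 0.5}


@dataclass
class Session:
    user: str
    device: str
    resource: str
    risk: float = 0.0
    active: bool = True


def authenticate(user: str, mfa_ok: bool) -> bool:
    """Requirement 1 (authentication): a known identity that passed MFA."""
    return user in ENTITLEMENTS and mfa_ok


def authorize(user: str, resource: str) -> bool:
    """Requirements 1 and 2 (authorization, least privilege): only the
    specific resources this identity is entitled to, nothing broader."""
    return resource in ENTITLEMENTS.get(user, set())


def grant(user: str, device: str, resource: str, mfa_ok: bool) -> Optional[Session]:
    """Admission decision (the 'bouncer'): identity, device posture, entitlement."""
    if not authenticate(user, mfa_ok) or device not in HEALTHY_DEVICES:
        return None
    if not authorize(user, resource):
        return None
    return Session(user, device, resource)


def reevaluate(session: Session, signal: str) -> bool:
    """Requirement 3 (continuous risk assessment): behavioral signals seen
    after admission raise the session's risk; past the tolerance the
    session is revoked, not merely flagged. Returns whether it is still active."""
    if not session.active:
        return False
    session.risk = min(1.0, session.risk + SIGNAL_WEIGHTS.get(signal, 0.0))
    if session.risk > RISK_TOLERANCE:
        session.active = False
    return session.active
```

An admission-only ZTNA product stops at `grant`; the `reevaluate` loop fed by network monitoring is what the other requirements add.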
Traditional perimeter-focused security solutions that default to high trust levels within the internal network are ill-suited for an edgeless enterprise that increasingly supports remote workers and a growing number of IoT devices. Neither, in fact, is ZTNA.
Just as all squares are rectangles but not all rectangles are squares, implementing ZTNA is not equivalent to implementing ZTN, and even meeting all of the requirements of ZTN is not the same as implementing a full zero trust architecture. However, by understanding and adhering to these three fundamental requirements, and by conducting due diligence on the solutions that claim to satisfy them, organizations can fortify their zero trust networking within a larger zero trust framework.