Sergey Nivens - Stock.Adobe.com
The X-Files maxim of “Trust no one” has been encapsulated in the identity authentication model of zero-trust network access (ZTNA), where identity has to be proven and users are subject to specific constraints. However, it is debatable whether ZTNA currently goes far enough.
The Covid-19 pandemic witnessed a fundamental shift in working culture, with millions of previously office-based roles migrating to remote working positions. Although most Covid restrictions have lifted, many organisations are continuing with remote and/or hybrid working. With the increase in remote working, there has been greater demand on network access. As such, a multitude of threat actors have sought to take advantage of the increased online activities, from cyber criminals to state-sponsored hackers.
ZTNA, as the name implies, is a network access identity authentication model. Rather than relying on trusted devices based on previously authenticated network access, ZTNA makes no assumptions – this methodology differentiates between a device that a user connects with and the user of the device. ZTNA therefore demands that the user confirm their identity each time they connect to the network.
However, not all ZTNA methodologies are the same. Some versions assume that once a user has confirmed their identity, their access privileges can remain, regardless of how long they are connected to the network. In this case, ZTNA merely becomes a gatekeeping tool, which confirms identity on arrival. But this does not take into account any changes that may occur at the endpoint and how these could impinge upon the security of the network.
“We had a eureka moment for what we call ZTNA 2.0, where we realised that actually not all ZTNA is the same,” says Simon Crocker, senior director of systems engineering at Palo Alto Networks. “A lot of ZTNA is not implementing true zero trust, and definitely not least privileged access. People are not implementing what they think they might be implementing.”
For example, if a network connection has been established and the identity of the user confirmed, but during this network session the antivirus tool at the endpoint is switched off, this could allow malicious applications access to the network through a trusted connection, due to insufficient network oversight.
“If you look at some of the implementations that are in the market today, they do a one-off check on the individual who is connected, the remote user, and then that’s pretty much it,” says Crocker. “The session can be for minutes, hours or days, but there is no further check on that trust level. We believe in continued trust verification.”
What ZTNA needs to be is zero trust all the time, not just during initial network access. By constantly monitoring identity and data throughout the network for any suspicious activity, such as changes to network connections, any unconventional network behaviour or suspected loss of data integrity can be identified.
A suitable analogy to how ZTNA should operate is going to an airport. When arriving at an airport, a person is given a boarding pass, allowing them to pass through security to a certain lounge, essentially giving that person specific access privileges for a limited duration. Any attempted deviations, such as going to a different lounge or to employee areas, are immediately blocked.
“We have been professing zero trust as an overall methodology for a number of years now,” says Crocker. “We were looking at ZTNA, which has been implemented by many vendors in the market today, and we felt that it was lacking some of the ZT part.”
ZTNA needs to become a pervasive security monitoring tool that assumes security is not immutably defined, but that the credibility of a user and a connection needs to be continually challenged and assessed in case of any deviance or malicious intent.
Endpoint: the weakest link in security
One of the main points to focus on is the endpoints, namely the users and their access devices. When users and devices are able to remain connected for any length of time, it is risky to assume that a user remains authenticated from their point of connection.
For example, should the endpoint connection be compromised, such as the antivirus protection software being disabled while connected to the network, then potential bad actors will be able to take advantage of the authenticated connection and “piggyback” into the network. As such, ZTNA 2.0 constantly monitors for any changes at the endpoints and adapts the access permissions accordingly.
“If you are not continually checking for trust verification and malicious content, then you are compromising the security of the organisation,” says Crocker. “We believe in that continued trust verification. You need to challenge users occasionally, but you also need to look at their security posture on that endpoint and make sure it is consistent with the original established connection.”
Of course, it is not just people that connect to a network, but also devices, such as the internet of things (IoT), as well as data-generating applications. All of these will need to be monitored to ensure they are behaving properly. There have been instances of hacks through IoT devices, such as in 2017 when a smart fish tank was compromised, which allowed criminals to hack a casino.
Read more Security Interviews
- The war in Ukraine and subsequent boycott of Russia resulted in a swathe of digital infrastructure being abandoned, becoming a potential vulnerability for many organisations, says Cyberpion’s Ran Nahmias.
- We speak to Jack Stockdale, CTO of Darktrace, about Cambridge’s strong data analytics and artificial intelligence links and the role of AI in cyber security.
- Computer Weekly speaks to Craig Terron of Recorded Future about delving deep inside the Russian disinformation machine, and how the Kremlin’s strategy is set to evolve.
When non-standard devices such as specialist industrial tools are connected, custom device identifications can be created. These generate a behavioural profile of the device’s operations on the network, so that any deviations from established patterns can be assessed, reported and responded to appropriately.
With these identity management systems in place, security teams can interrogate suspicious behaviour. “Not everything on the network today is a person and doesn’t have a human sitting behind it,” says Crocker. “There are many devices, whether it be virtual devices in the cloud or industrial IoT-type devices, that are pushing traffic around the network. You’ve got to be able to identify them all.”
Along with monitoring network users and devices, ZTNA also needs to monitor the movement of data through a network for any suspicious behaviour, such as unexpected destinations or bandwidth, which may indicate information is being siphoned from a network by malicious actors.
Some data that is transmitted across, as well as to and from, the network will also be encrypted. This could be challenging, because there may be some encrypted traffic that needs to remain secure, such as financial transactions. However, policies can be put in place to preserve the integrity of certain encrypted traffic.
“There is no point in having a security posture where you inspect some of the traffic some of the time – that’s just completely pointless,” says Crocker. “No matter where the traffic may be heading, whether you are heading to a SaaS [software as a service] application in the cloud or heading back into a datacentre on-premise, you need to be inspecting that traffic now.”
Data loss prevention (DLP), as the name implies, mitigates data loss throughout a network by tracking the passage of files. Each file is given a security rating by the creator and any files identified as potentially sensitive can be blocked from leaving the organisation’s network. However, in some cases, it will be necessary to allow the transfer of such files to trusted external organisations, such as partnering organisations.
“DLP is another component that we believe is important around the security of data,” says Crocker. “Identification is absolute and visibility is critical. If you can’t look at everything, then you can’t see everything and you are potentially already open.”
Despite the level of network oversight in ZTNA 2.0, there is negligible impact on the network speeds within the system, thereby allowing organisations to continue taking full advantage of data transfer capabilities.
Implementation is comparatively simple, regardless of whether it is for a new or existing network, provided that time and care is taken to plan the upgrade and installation. Existing networks could be rebuilt from the ground up using ZTNA 2.0, but this would complicate the process, as data migration would also need to be factored in.
“Providing you plan out the implementation and structure it, then you’re going to be fine,” says Crocker. “If you try to implement without planning and thought, or do it overnight, then you’re probably going to have some problems, but it’s relatively straightforward with an appropriate level of planning.”
ZTNA 2.0 transforms ZTNA from being purely gatekeeping into a continuous security monitoring tool that allows organisations to easily control data accessibility and information flow across their networks, while also monitoring potential endpoint vulnerabilities.
“We are moving away from ZTNA being a gatekeeper technology, which is its current position,” says Crocker. “Zero trust needs to be pervasive. Organisations need to have visibility all the time and to be inspecting data all the time.”