Zero Trust Network Access

The zero trust security model behind ZTNA is based on granting users access and permissions to internal resources on a need-to-have basis. This dramatically reduces a company's exposure to cyber threats.

Securing your organization with ZTNA

ZTNA allows organizations to implement a zero trust security model within their network. It can be applied to a number of use cases and raises the organization's security standards.


    • Reduces remote workers' access to the network to only the sites they require
    • Can work within SD-WAN or SASE solutions to provide end-to-end coverage
    • Reduces the attack surface of an organization's cloud-based resources
    • Each user and application can be assigned a role within the ZTNA solution
    • Minimizes the access permissions available to an attacker if a user is compromised

ZTNA Market Overview


Covid has forever changed the way workers engage with their company resources. More and more, workers are migrating to fully or hybrid remote work arrangements, which has suddenly and massively introduced new problems and threats around access to company resources.

While many companies already had some VPN solution in place, this approach has proven insufficient for the current state of affairs. VPN appliances simply aren't scalable enough to meet the needs of today's digital, agile organizations and their users, who need reliable access to applications and data wherever business takes them. VPNs also suffer from security and latency issues that have to be addressed. Because a VPN provides access to an organization's entire network, it opens a huge security gap that can be exploited if a threat actor obtains user credentials: once inside, the attacker can search and traverse the network without constraints.

It is to solve this problem that the industry is looking into ZTNA architectures. With ZTNA, access to a specific application or resource is granted only after the user has been authenticated to the ZTNA service. Once authenticated, the ZTNA service grants the user access to that specific application over a secure, encrypted tunnel, which adds a layer of protection by shielding applications and services behind IP addresses that would otherwise be visible.

In this manner, ZTNA behaves very much like a software-defined perimeter (SDP), relying on the same "dark cloud" idea to prevent users from seeing any applications and services they are not permitted to access. This also offers protection against lateral movement: even if an attacker gained access, they could not scan the network to locate other services.

Overall, ZTNA is among the solutions the market is adopting to deal with the post-Covid reality. Integrated with other security approaches (SD-WAN, SASE, …), it is expected to become an industry standard in the near future.

What are the important points related to Zero Trust Network Access?

Granular access control

Granular visibility, user access control and detailed reporting must be key characteristics of the chosen ZTNA solution, both to demonstrate regulatory compliance and to support security audits.

Advanced Threat Protection (ATP)

The ease and frequency with which malware spreads to other devices and users through downloads makes advanced threat protection (ATP) a must-have for ZTNA solutions. Behavior-based detection techniques surpass signature-based ones.

Scalable performance

A dynamically scalable solution, such as one hosted in the public cloud, provides additional benefits as in-office work ebbs and flows. A cloud-hosted ZTNA service provides this scalability out of the box.

Ongoing verification

Each time a user accesses a resource, their credentials are checked to verify the session, permissions and so on. No company resource can be used, or even discovered, without going through validation and verification.

Understanding ZTNA

The lack of a true security perimeter means that neither users nor companies should trust internal connections in their networks. ZTNA allows identity- and context-based access control: it hides resources from discovery and provides access only after authentication to a trust broker, which acts as a mediator between company resources and authorized users.

ZTNA decouples access to resources from access to the network, since the internet is an untrusted point of access. The trust broker gives IT teams centralized control and management; it can be deployed in data centers as software or as an appliance, or provided as a managed service in a cloud environment.

ZTNA also unifies access to applications, eliminating the split between private cloud, VPN and SaaS access methods. It provides centralized control, with the scalability and flexibility to give users appropriate access based on their devices, locations and times of day.
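The "ongoing verification" and trust-broker behaviour described above can be made concrete with a small policy-decision routine. The following is an added example, not Teldat's code nor part of the original page: the roles, device types, application names, allowed hours and session lifetime are all constructed for illustration. Every request is re-checked (session validity, revocation, strong authentication, time of day, and a default-deny role/device policy), and the catalogue function returns only the applications a session is permitted to reach, so nothing else is discoverable.

```python
"""Added example (not Teldat's code): a minimal per-request policy check in the
style of a ZTNA trust broker. Every request to an application is evaluated
against a session store and a default-deny policy keyed on role and device
type, with connection time as context; the catalogue shows a user only the
applications that policy permits."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample policy: (role, device_type) -> applications it may reach.
# Any combination or application not listed here is denied (default deny).
POLICY = {
    ("finance", "managed-laptop"): {"erp", "payroll"},
    ("finance", "byod-phone"): {"mail"},
    ("engineering", "managed-laptop"): {"gitlab", "ci"},
    ("plc-sensor", "iot"): {"historian"},
}
# Constructed context rule: UTC hours during which each role may connect.
ALLOWED_HOURS = {
    "finance": range(6, 21),
    "engineering": range(0, 24),
    "plc-sensor": range(0, 24),
}
SESSION_LIFETIME = timedelta(hours=8)   # assumption: re-authenticate after 8 hours

# Constructed clocks used by the demo and the tests.
NOW = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)
LATE_NIGHT = NOW.replace(hour=23)


@dataclass
class Session:
    """What the broker knows about an authenticated user or device."""
    user: str
    role: str
    device_type: str
    strong_auth: bool        # MFA for people, device certificate for IoT (assumption)
    issued_at: datetime
    revoked: bool = False


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate(session: Optional[Session], app: str, now: datetime) -> Decision:
    """Decide one access request. These checks run on every request, not only
    at login, and the first failing check denies."""
    if session is None:
        return Decision(False, "no authenticated session")
    if session.revoked:
        return Decision(False, "session revoked")
    if now - session.issued_at > SESSION_LIFETIME:
        return Decision(False, "session expired")
    if not session.strong_auth:
        return Decision(False, "strong authentication not completed")
    if now.hour not in ALLOWED_HOURS.get(session.role, range(0)):
        return Decision(False, "outside allowed hours for role")
    if app not in POLICY.get((session.role, session.device_type), set()):
        return Decision(False, "application not permitted for this role and device")
    return Decision(True, "permitted")


def visible_apps(session: Session, now: datetime) -> set:
    """The catalogue a user can discover: only applications the policy grants.
    Everything else stays invisible, so a compromised account cannot enumerate it."""
    all_apps = set().union(*POLICY.values())
    return {app for app in all_apps if evaluate(session, app, now).allowed}


def audit_line(session: Session, app: str, now: datetime) -> str:
    """One log line per decision, for the detailed reporting a ZTNA solution needs."""
    d = evaluate(session, app, now)
    verdict = "ALLOW" if d.allowed else "DENY"
    return (f"{now.isoformat()} user={session.user} role={session.role} "
            f"device={session.device_type} app={app} {verdict} ({d.reason})")


def sample_session(role, device_type, now=NOW, hours_ago=1,
                   strong_auth=True, revoked=False) -> Session:
    """Build a constructed session issued `hours_ago` hours before `now`."""
    return Session("u-" + role, role, device_type, strong_auth,
                   now - timedelta(hours=hours_ago), revoked)


if __name__ == "__main__":
    alice = sample_session("finance", "managed-laptop")
    for app in ("erp", "gitlab"):
        print(audit_line(alice, app, NOW))
    print("finance laptop sees:", sorted(visible_apps(alice, NOW)))
```

Running the block prints one audit line per decision and the catalogue a finance laptop can see. The order of checks matters: session state is verified before any policy lookup, so a revoked or expired session is refused before the broker reveals whether the application even exists.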


When talking about centralized and unified control, we are not only referring to users. ZTNA provides secure access for otherwise unsecured IoT devices as organizations rapidly deploy more edge-based services. IoT devices and user devices are not directly visible from the internet, which reduces the attack surface. This is becoming increasingly important for industries whose production increasingly depends on automated devices and sensors. ZTNA can also reinforce security in both OT and IT networks by identifying anomalous behavior, such as attempted access to restricted data, downloads of unusual amounts of data, or access at unusual times of day.
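The three anomaly indicators named above (attempted access to restricted data, downloads of unusual volume, and unusual time-of-day access) can be expressed as rules over a broker's access log. The following is an added example, not Teldat's code nor part of the original page; the log format, the list of restricted applications, the "ten times the user's mean download" threshold and the sample log lines are all constructed for illustration. A baseline of known-good history is built per user, and new lines are compared against it.

```python
"""Added example (not Teldat's code): anomaly rules of the kind the page
describes (restricted-data access attempts, unusual download volume, unusual
time-of-day access) run over constructed ZTNA broker access-log lines."""
import re
from collections import defaultdict
from statistics import mean

# Constructed log format for this example; a real broker's format will differ.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T(?P<hour>\d{2}):\d{2}:\d{2}Z) "
    r"user=(?P<user>\S+) app=(?P<app>\S+) action=(?P<action>\S+) "
    r"bytes=(?P<bytes>\d+) result=(?P<result>allow|deny)$"
)
RESTRICTED_APPS = {"payroll", "hr-records"}   # assumption: apps holding restricted data
VOLUME_FACTOR = 10                            # assumption: 10x a user's mean is unusual

# Constructed baseline (known-good history) and constructed new lines to inspect.
BASELINE_LOG = [
    "2024-03-01T09:00:00Z user=alice app=fileshare action=download bytes=5000000 result=allow",
    "2024-03-01T10:30:00Z user=alice app=fileshare action=download bytes=12000000 result=allow",
    "2024-03-01T14:00:00Z user=alice app=erp action=download bytes=8000000 result=allow",
    "2024-03-01T16:00:00Z user=alice app=fileshare action=download bytes=7000000 result=allow",
    "2024-03-01T11:00:00Z user=bob app=fileshare action=download bytes=3000000 result=allow",
    "2024-03-01T15:00:00Z user=bob app=fileshare action=download bytes=3000000 result=allow",
]
NEW_LOG = [
    "2024-03-02T02:13:00Z user=alice app=fileshare action=download bytes=734000000 result=allow",
    "2024-03-02T09:30:00Z user=alice app=fileshare action=download bytes=6000000 result=allow",
    "2024-03-02T11:00:00Z user=bob app=payroll action=read bytes=0 result=deny",
    "2024-03-02T15:10:00Z user=bob app=fileshare action=download bytes=2500000 result=allow",
]


def parse(line):
    """Turn one log line into a dict with numeric hour and byte count."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ev = m.groupdict()
    ev["hour"] = int(ev["hour"])
    ev["bytes"] = int(ev["bytes"])
    return ev


def build_baseline(lines):
    """Per user: the hours seen in allowed activity and the mean download size."""
    hours = defaultdict(set)
    volumes = defaultdict(list)
    for ev in map(parse, lines):
        if ev["result"] != "allow":
            continue                      # denied events are not normal behaviour
        hours[ev["user"]].add(ev["hour"])
        if ev["action"] == "download":
            volumes[ev["user"]].append(ev["bytes"])
    return {
        user: {"hours": hours[user],
               "mean_download": mean(volumes[user]) if volumes[user] else None}
        for user in hours
    }


def detect(baseline_lines, new_lines):
    """Return (user, timestamp, rule) alerts for the new lines."""
    baseline = build_baseline(baseline_lines)
    alerts = []
    for ev in map(parse, new_lines):
        user, ts = ev["user"], ev["ts"]
        if ev["result"] == "deny" and ev["app"] in RESTRICTED_APPS:
            alerts.append((user, ts, "attempted access to restricted data"))
        profile = baseline.get(user)
        if profile is None:
            alerts.append((user, ts, "no baseline for user"))
            continue
        if ev["hour"] not in profile["hours"]:
            alerts.append((user, ts, "unusual time-of-day access"))
        if (ev["action"] == "download" and profile["mean_download"]
                and ev["bytes"] > VOLUME_FACTOR * profile["mean_download"]):
            alerts.append((user, ts, "unusual download volume"))
    return alerts


if __name__ == "__main__":
    for user, ts, rule in detect(BASELINE_LOG, NEW_LOG):
        print(f"{ts} {user}: {rule}")
```

On the constructed input the 02:13 download by alice raises both the time-of-day and the volume rule, and bob's denied read of the payroll application raises the restricted-data rule; the other two lines are within baseline and produce nothing. A per-user baseline is what keeps the volume rule meaningful: a transfer that is routine for one role may be far outside normal for another.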

Over time, ZTNA will become a key principle of SASE services. SASE provides a framework for the convergence of network and security functionality at the edge.


Solution & Teldat ZTNA Products

The background

Just a few years ago, traditional security for communications and IT resources consisted only of antivirus and firewall solutions. This proved good enough for basic needs, but as complexity and dependence on software grew, new and more specific solutions had to be put in place. Based on the outdated assumption that anything within the security perimeter can be trusted, those traditional solutions leave organizations exposed to cyber-attacks. As evidence, 34% of cyber attacks in 2018 were perpetrated by insiders.

The problem that ZTNA came to solve is the compartmentalization and restriction of user access, both for information control and for damage containment in case of compromised credentials or infrastructure attacks. Across the industry, security professionals are shifting to a Zero Trust security paradigm to close these gaps. The Extended Zero Trust Security model, introduced by Forrester analysts, enables the adoption of a "Default Deny" security posture in which systems are isolated until a level of trust is established.

Be.Safe premium – Security and networking

Be.Safe premium is Teldat's security solution for our SMB and corporate clients. For both cloud and on-premises deployments, Be.Safe premium provides out-of-the-box ZTNA capabilities through a comprehensive and intuitive user experience, reducing the learning curve for new users and delivering the best security on the market in a scalable manner.

Be.Safe premium is also managed centrally. From one console, security teams can manage every aspect of security, from access policy to threat prevention, across the entire organization and in both physical and virtual environments. To ensure the highest security standards, we use 64 different security engines to protect against known and unknown threats across all networks, endpoints, cloud, mobile and IoT. It leverages globally shared threat intelligence to provide threat prevention technologies with the industry's best catch rate.

Protection on all fronts

Be.Safe premium not only covers users' devices; it can extend protection to every corner of the organization.

1- Networks

Be.Safe premium allows you to create granular network segmentation across cloud and LAN environments. With detailed visibility into the users, groups, applications, machines and connections on your infrastructure, you can set and enforce access policies at different levels, so only the right users and devices can reach your protected assets.

2- Workloads

Be.Safe premium can secure workloads, both local and cloud-hosted. Its integration with any cloud infrastructure or provider gives you full visibility and control over these ever-changing environments.

3- Data

Be.Safe premium delivers multi-layered data protection that guards data against theft, corruption and unintentional loss, wherever it is.

4- People

Be.Safe premium ensures that access to your data is granted only to authorized users, and only after their identities have been strictly authenticated, using Single Sign-On, Multi-Factor Authentication, context-aware policies and anomaly detection.

5- Devices

Be.Safe premium enables you to block infected devices from accessing corporate data and assets, including mobile devices, workstations, IoT devices and Industrial Control Systems.

ZTNA Use Cases

SMB evolving to cloud environments

Small and midsized businesses migrating their applications and servers to the cloud.

Bank increases control and visibility over applications

A bank employs MPLS or VPN connections to access corporate servers and wants to increase access control and obtain more information on how applications are being used.

Segmenting access to internal networks

Compartmentalize networks by granting permissions according to role and device type.

SMB evolving to cloud environments

Small and midsized businesses migrating their applications and servers to the cloud.

Challenge

Small and medium-sized companies usually run internal applications on servers hosted at a single site or in a shared physical data center, which allows little flexibility in an ever-changing environment where mobility is becoming increasingly important. Cloud environments make it possible to locate applications anywhere in the world, which gives a lot of flexibility but also widens the security perimeter: every connection from public Wi-Fi or from internet access at non-business locations (for instance from home, hotels or trade fairs) needs to be secured.

Solution

Teldat’s security solutions make it possible to remotely connect users from both offices and locations outside the client’s network, applying customized access policies for each user or group of users.

In this way, access confidentiality is ensured and only the necessary permissions are granted, following the "Zero Trust" premise instead of giving every logged-in user all possible privileges.

Why Teldat?

Teldat offers various robust and versatile security solutions, with intuitive interfaces that let any user easily manage their own policies and connections. Furthermore, the hardware-agnostic technology supports connections from any device that complies with tunneling standards, irrespective of manufacturer.

Bank increases control and visibility over applications

A bank employs MPLS or VPN connections to access corporate servers and wants to increase access control and obtain more information on how applications are being used.

Challenge

Using MPLS connections from branch offices and VPN clients for remote workers, the bank is unable to grant granular access permissions to applications according to user or device type. It also lacks a visualization tool to show how each user is using the network and resources, or how these are being accessed, so sizing network access and server capacity is a difficult task for the IT team.

Solution

With Teldat's security solutions, access to all corporate applications, to the Internet and to SaaS platforms can be controlled in a personalized and granular way thanks to their integration with Active Directory and SSO tools. Both access from branch offices and access from remote connections can be controlled.

In addition, Teldat's visibility solutions provide all the information needed to understand how resources are accessed and by whom, so the bank can detect possible attempts to violate rules by devices that may have been compromised.


Why Teldat?

Teldat's be.Safe and be.Analyzer solutions offer secure and reliable access, with intuitive interfaces that let users easily manage their own policies and connections, and customizable dashboards that display information graphically. They are also hardware-agnostic, so any device that complies with tunneling and flow-export standards, irrespective of manufacturer, can connect.

Segmenting access to internal networks

Compartmentalize networks by granting permissions according to role and device type.

Challenge

Legacy network configurations greatly complicate the task of segmenting internal networks to control user and device access to company resources. On the one hand, some departments should not have access to other departments' resources, only to those assigned to them. On the other hand, a security breach on a device in one network could end up infecting the rest of the departments through lateral movement; imagine a laptop infected via a USB device, or a tablet that has downloaded a malicious file.

Solution

Thanks to software-defined networking solutions and security platforms, each network can be completely isolated from the others, with access to each controlled according to the user or the specific device.

Graphical interfaces are used to apply independent policies to traffic bound for the data center and for SaaS applications, and to deny access to unauthorized resources. Likewise, because the networks are compartmentalized, when malware is detected on a device it can be contained within the environment where that device sits, instead of jeopardizing the rest of the company's networks or central servers.

Why Teldat?

Teldat’s be.SDWAN and be.Safe solutions offer segmented and compartmentalized access with intuitive interfaces so users can easily manage their own networks and security policies.
