Part 2: Zero Trust Network Access (ZTNA)

Achieve Zero Trust Network Access (ZTNA) in an Enterprise network

How to achieve zero trust network access on the internal network

Security devices need the following capabilities to achieve ZTNA on internal networks.

  1. Ensure that network access and user access policies are restricted to business needs, so that only the intended users can reach a resource, with the decision based on the user, the network, the device and the location from which they access it.
  2. Strict user control through identity and access management (IDaaS) and privileged access management (PAM).
  3. Enable log inspection at each segmentation point to understand the traffic flow and verify that it matches business needs.
  4. Apply 2FA or MFA to every access so that only permitted users reach the resources.
  5. Audit periodically and add new context to make sure the network infrastructure stays up to date.
  6. Application-specific access: next-generation firewalls such as PA and FortiGate, and the cloud firewall module of Zscaler, can grant access to a specific application rather than the whole page.
  7. Content-based restriction ensures that malicious content is blocked before it reaches the endpoint.

How to achieve ZTNA when accessing internal applications from outside (the internet)

According to Gartner, by 2022 80% of new digital business applications opened up to ecosystem partners will be accessed through zero trust network access (ZTNA), and by 2023 60% of enterprises will phase out their remote access virtual private networks (VPNs) in favor of ZTNA. Gartner's latest market guide illustrates how digital business transformation is affecting enterprises worldwide.

“Gartner believes the time has come to isolate services and applications from the dangers of the public internet, and to provide compartmentalized access only to required applications in any given context.” *

This new model uses a trust broker to mediate connections between a specific private application and an authorized user. Also known as a software-defined perimeter, it centralizes the security mechanisms that broker trust between the application and both the user and their individual devices. Once trust is established, centrally distributed granular policies govern all transactions.

This architecture effectively hides applications and resources from public view, significantly reducing the attack surface. The result is that only the intended user knows about the application and can reach it, subject to access policies and user control policies (identity and MFA).

Security devices need the following capabilities to achieve ZTNA when internal applications are accessed from the internet (VPN replacement).

  1. The applications are invisible to everyone except the intended users, who alone can access them.
  2. Identity is verified; third parties can use their own IdP to confirm identity.
  3. MFA ensures that only the actual users access the applications, and it still protects authorization even if the username and password have been compromised.
  4. The application is brought close to the user wherever they are, so the experience is the same regardless of where the user accesses the application from.
  5. The corporation should use its own certificates for SSL interception and trust enablement, so there is no concern about the provider intercepting the applications.
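The two capability lists above (internal access restricted by user, network, device and location, and brokered access from the internet gated by identity and MFA) both come down to one default-deny policy decision per request. The following is an added example of such a broker-side decision function, not code from the original post or from any vendor product; the application names, policy table, request fields and audit log format are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed request context: everything the broker knows about one access attempt.
@dataclass
class AccessRequest:
    user: str
    groups: set           # groups asserted by the identity provider (IdP)
    mfa_verified: bool    # IdP confirmed a second factor for this session
    device_managed: bool  # device posture check (corporate-enrolled) passed
    country: str          # geolocation of the source address
    application: str      # the specific application requested, not a network segment

# Constructed per-application policy: who may reach which application, in what context.
@dataclass
class AppPolicy:
    allowed_groups: set
    require_mfa: bool = True
    require_managed_device: bool = True
    allowed_countries: set = field(default_factory=set)  # empty set = any location

# Hypothetical policy table; a real broker would pull this from a central policy store.
POLICIES = {
    "hr-portal": AppPolicy(allowed_groups={"hr", "finance"}, allowed_countries={"US", "DE"}),
    "partner-api": AppPolicy(allowed_groups={"partners"}, require_managed_device=False),
}

AUDIT_LOG = []  # every decision is recorded so flows can be audited against business need

def evaluate(req: AccessRequest) -> tuple:
    """Return (allowed, reason). Default deny: an unlisted application stays invisible."""
    policy = POLICIES.get(req.application)
    if policy is None:
        decision = (False, "unknown application")
    elif not req.groups & policy.allowed_groups:
        decision = (False, "user not entitled to application")
    elif policy.require_mfa and not req.mfa_verified:
        decision = (False, "MFA required")
    elif policy.require_managed_device and not req.device_managed:
        decision = (False, "device posture check failed")
    elif policy.allowed_countries and req.country not in policy.allowed_countries:
        decision = (False, "location not permitted")
    else:
        decision = (True, "allowed")
    AUDIT_LOG.append({"time": datetime.now(timezone.utc).isoformat(), "user": req.user,
                      "app": req.application, "allowed": decision[0], "reason": decision[1]})
    return decision

if __name__ == "__main__":
    print(evaluate(AccessRequest("alice", {"hr"}, True, True, "US", "hr-portal")))
```

Each denial reason maps to one of the listed capabilities, and the audit entry is what the log inspection point in capability 3 would consume.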