All that Glitters is not Gold. Turning Zero Trust into Reality

In technology, the new shiny thing is almost always more exciting than whatever you’re currently doing. In fact, in programming, there’s even an acronym for “not invented here syndrome” (NIHS), which is the tendency to assume that if you didn’t develop it, the solution can’t be any good. Close cousins are “let’s reinvent the wheel” syndrome, which involves redoing something that works fine, and shiny object syndrome, which is doing something just because it seems cool.

In cybersecurity, there’s a bit of NIHS going around among some vendors that are convinced that we all need to start over to implement zero-trust network access (ZTNA). They suggest that you throw away your existing architecture and implement their shiny new thing.

Although it’s tempting to assume that it’s the best way to approach the problem of securing access is with something new, it can be a lot less frustrating (and less expensive) to examine all your options first. With ZTNA, the problem is compounded by the fact that the words zero-trust are thrown around by vendors in different ways to mean different things. Here’s an overview from the top down.

• Zero Trust: At the highest level, zero trust refers to a philosophy for only trusting a user or device after explicitly confirming their identity and status. It focuses on users, devices, and the specific resources being accessed, utilizing segmentation and zones of control.
• Zero Trust Architectures: A zero trust architecture strategy is a systematic approach to replace implicit trust with explicit trust after verification. Setting up a zero-trust architecture requires multiple technologies to address user, device, network, and cloud resource protection.
• Zero Trust Initiatives: Initiatives are specific projects that incorporate the zero-trust philosophy, such as remote access or work from anywhere. Zero trust initiatives may also be performed for network segmentation or microsegmentation.
• Zero Trust Technologies: The specific products and features used to turn zero trust initiatives into a reality. For example, ZTNA is a zero trust technology.

Many vendors zoom into the technology instead of starting with what you want to do at the zero-trust architecture or initiative level. But to come up with a smart strategy for anything, you should look at where you are, where you want to be, and what resources you already have at your disposal.

You have firewalls in your network now, and some cloud-only ZTNA vendors would have you believe that those firewalls are a liability. But they don’t have to be. If the firewall is an integrated next-generation firewall (NGFW) with ZTNA enforcement built-in, its role can expand to control all access for everyone. Instead of just acting as an entry or exit point as it would on a traditional perimeter-based network, the NGFW becomes the control mechanism for the entire extended network, including both cloud and on-premises based applications.  Note that when I refer to a NGFW, this can be realized in a hardware appliance, a virtual machine, or even as part of a cloud-delivered FWaaS.

Firewalls Are Not the Enemy

Historically, traditional networking and security were separate. Networking included routers, switches, and access points. Security solutions included anti-virus, intrusion prevention, web and content filtering, DNS security, and sandboxing solutions. Networking and security were made up of disparate point products that couldn’t be managed and controlled from a single device because no one device had the processing power to handle the performance demands and analysis of both networking and security together.

Some cloud vendors equate today’s NGFWs with older firewalls used for the perimeter-based networking approaches of the past. But if you start with an NGFW as the basis of your networking and security, it can act as a central point for visibility and control. And if the NGFW shares an underlying connection with other integrated products, you can put your zero-trust initiatives into place.

The trick is making sure you select an NGFW that supports zero trust. Aligning to the zero-trust model means implementing a least access policy that grants a user the minimum level of network access required for their role and removing any ability to access or see other parts of the network. By establishing dynamic and granular access, organizations can continuously monitor the trust level and adapt security policies accordingly.

Granular control needs to extend to application access as well. ZTNA allows organizations to extend the zero-trust model beyond the network. Unlike a traditional VPN tunnel that provides unrestricted access to the network and applications, ZTNA connections are granted to individual applications on a per session basis. Access is granted only after both the device and user have been verified. Because location is no longer a reliable indicator for access as it is with a VPN, ZTNA policy is applied whether users are on or off the network.

ZTNA Everywhere

The problem with cloud-only ZTNA is that it doesn’t work well with hybrid networks with people working in the office, connecting to both cloud and on-premises resources. ZTNA should apply everywhere, regardless of where the applications or the users may be located. Cloud-only ZTNA doesn’t do that well. With firewall-based ZTNA that extends to every form factor (on-prem and cloud-delivered), everything can be secured with consistent policies and controls across all operating environments, including across multiple clouds. Starting with the firewall, the other ZT technologies in the ecosystem would include a client that supports ZTNA, policy control for micro-segmentation, authentication, and network access control.

With the right firewall, you may be closer to turning your ZTNA initiatives into reality than you might think. And if you have one of the more than 6 million FortiGate NGFWs out there, ZTNA is free. All you have to do is turn it on.

Discover how Fortinet’s Zero Trust Access framework allows organizations to identify, authenticate, and monitor users and devices on and off the network.