Zero Trust Should Apply Everywhere

An old saying in sales is that “a confused mind does nothing.” That truism certainly applies in the case of the zero-trust security model. Although a lot of people talk about zero trust, a far smaller percentage are actually doing anything about it. Because of the growing number of attacks, a philosophical shift from trusting everything on the network to not trusting anything (zero trust) makes sense.  Zero-trust access (ZTA) operates on the assumption that threats both outside and inside the network are an ever-present reality and that potentially every user and device has already been compromised. It also treats every attempt to access the network or an application as a threat.

Part of the reason for the disparity between thought and action on zero-trust is because it is so often associated with cloud applications and people working remotely. The increase in cloud-based operations for everything from infrastructure to software offers flexibility and agility. The problem is that many organizations aren’t operating solely in the cloud. Users need access not only to cloud applications but to applications located at a data center or branch location. And the zero-trust philosophy shouldn’t just be relegated to people working off-site; it should provide protection for people on-campus too.

In a work from anywhere world, users need access to all of their applications, no matter where the application or the user is located. And everything should be secured with consistent policies and controls across all of the operating environments, especially across multiple clouds.

Today’s networks are distributed with many edges and trying to meld yet another point solution into an already complex networking situation is confusing at best. This confusion is exactly why so many organizations are moving slowly on their zero trust initiatives or even ignoring it entirely. Unfortunately, ignoring security problems never makes them go away.

The zero-trust model should apply everywhere. Instead of taking a piecemeal approach, it’s more secure and inherently easier to implement zero trust everywhere with a platform that includes products that are designed to be integrated and automated together. Even better if that platform converges networking and security functions to create a security-driven networking solution, such as Secure SD-WAN. And better yet if it is a part of a cybersecurity mesh architecture that provides the unified visibility, automated control, and coordinated protection that’s needed for a consistent and secure experience at any network edge.

Supporting Work from Anywhere

Securely supporting the ability to work any time and from virtually any place means Zero Trust Network Access (ZTNA) is now much more important. ZTNA extends traditional zero trust access to per-application usage, so systems administrators not only know who is on the network, but even which applications they are currently using. ZTNA is the evolution of VPN remote access. It simplifies secure connectivity, providing seamless access to applications no matter where the user or the application may be located.

Unlike a VPN, which assumes that anything that passes the network perimeter controls using an encrypted connection can be trusted, ZTNA takes the opposite approach: no user or device can be trusted to access anything until proven otherwise. The ZTNA application access policy and verification process are the same whether a user is on or off the network. By default, users on the network are assumed to be no more trustworthy than users that are off the network.

All of the transactions and usage are constantly being monitored and inspected. The other difference from a traditional VPN is that ZTNA extends the zero-trust model beyond the network. It further reduces the attack surface by hiding applications from the internet behind a proxy point, which eliminates them as a potential target.

With ZTNA in place, once a user has provided appropriate access credentials such as multi-factor authentication and endpoint validation and is connected, they can then be given what is known as least privileged access. The user can access only those applications that they need to efficiently perform their jobs and nothing else.

Access control doesn’t end at the access point. ZTNA operates in terms of identity rather than securing a place in the network, which allows policies to follow applications and other transactions end to end. By establishing greater levels of access control, ZTNA is a more efficient solution for end users and provides policy enforcement wherever needed.

Setting Up ZTNA

There are two primary approaches to implementing ZTNA: client-initiated and service-initiated. Sometimes called endpoint-initiated ZTNA, the client-initiated ZTNA model uses an agent on a device to create a secure tunnel.  The service-initiated or “clientless” ZTNA model uses a reverse-proxy architecture. The biggest difference from client-initiated ZTNA is that it doesn’t require an endpoint agent. Clientless ZTNA uses a browser plug-in to create a secure tunnel and perform the device assessment and posture check.

The reason ZTNA is so often thought of as a “cloud-only” solution is because many vendors only implement clientless ZTNA, which is limited to cloud-based applications. Because the application’s protocols must be based on HTTP/HTTPS, it limits the approach to web applications and protocols, such as Secure Shell (SSH) or Remote Desktop Protocol (RDP) over HTTP. Although a few newer vendors are offering additional protocol support, the model is not suited to companies that have a combination of hybrid cloud and on-premises applications.

From an IT standpoint, setting up client-based ZTNA offers better visibility and control of devices and you can do application firewalling within the agent. Additionally, if a security issue is detected, a file can be sent to the sandbox or quarantine can be requested.

Everywhere Means Everywhere

Zero trust isn’t going away and it should be part of any complete security offering both on-premises and in the cloud. A comprehensive zero-trust implementation needs to cover everything and everyone, no matter where they’re located. Once it’s successfully implemented, the zero-trust security model offers better control, improved user experiences, and more robust security everywhere.

Discover how Fortinet’s Zero-Trust Access framework allows organizations to identify, authenticate, and monitor users and devices on and off the network.