The chances are that you view your company as a fortress. You have built a wall, dug a moat around it, and raised your drawbridge. You have a firewall to protect you from outside threats, and no one is coming in. Your employees, data, and devices are all safe and sound within the company walls. If you need to reach outside the company, you secure the route with a VPN, or you set up a forward post using a DMZ.
Inside is safe, outside is not
However secure that sounds, it no longer meets the demands of the present day. Your workforce works largely from home or on the road, and you use cloud solutions, which makes you increasingly vulnerable to attacks. Even more so because in the traditional setup, once an attacker is in, they can access everything within the network, simply because ‘inside’ means safe and ‘outside’ means unsafe.
Zero Trust Network Access (ZTNA) takes a completely different approach: no one is trusted until proven otherwise. It works by setting up a micro tunnel between an application – or a set of applications – and an end-user device, with a broker in between that decides, based on identity and context, who may come in and who may not. Because the tunnel is set up between one user and one application at a time, it also prevents that user from moving laterally through the network.
The invisible network and application infrastructure
Since users are checked on identity and context and never receive access to the entire network, even after being verified for one application, the attack surface is significantly reduced. Another benefit is that ZTNA allows only outbound connections, which makes the application infrastructure and the entire network invisible to unauthorized users – reducing the attack surface even further.
ZTNA also gives users a better experience: it no longer matters whether a user is inside or outside the castle; they get the same experience either way. That does not mean, however, that once a user is in, they stay in. User and device behavior (part of the context) is continuously monitored for abnormal activity, so that a device that has been compromised, for example, is not automatically granted access on the strength of a previous log-in.
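To make the broker model concrete, here is a small added example (not code from the article or from any ZTNA product) of a broker granting access one user to one application at a time, deciding on identity plus device context, and re-evaluating live tunnels when the device's posture changes. Application names, roles and the posture checks are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed policy: per application, which roles may connect and the
# minimum device posture score required. Names are hypothetical.
APP_POLICY = {
    "crm":     {"roles": {"sales", "admin"}, "min_posture": 3},
    "payroll": {"roles": {"hr"},             "min_posture": 4},
}
# Device signals an endpoint agent would report; the posture score is the
# number of checks that currently pass (assumed scoring, for illustration).
POSTURE_CHECKS = ("managed", "disk_encrypted", "os_patched", "no_malware_alert")


@dataclass
class Device:
    signals: dict  # check name -> bool, as last reported by the device

    def posture(self) -> int:
        return sum(1 for check in POSTURE_CHECKS if self.signals.get(check, False))


@dataclass
class Broker:
    # Live tunnels, keyed (user, app): one user, one application per tunnel.
    sessions: dict = field(default_factory=dict)

    def request(self, user: str, roles: set, app: str, device: Device) -> str:
        """Decide a single user -> application request; never a network-wide grant."""
        policy = APP_POLICY.get(app)
        if policy is None:
            return "deny: unknown application"   # app stays invisible to the caller
        if not roles & policy["roles"]:
            return "deny: identity"
        if device.posture() < policy["min_posture"]:
            return "deny: device context"
        self.sessions[(user, app)] = device
        return f"allow: tunnel {user}->{app}"

    def reevaluate(self) -> list:
        """Continuous check: revoke tunnels whose device no longer meets policy."""
        revoked = []
        for (user, app), device in list(self.sessions.items()):
            if device.posture() < APP_POLICY[app]["min_posture"]:
                revoked.append((user, app))
                del self.sessions[(user, app)]
        return revoked
```

A verified session does not carry over to other applications, and a drop in device posture closes the tunnel at the next evaluation rather than persisting on the earlier decision.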
The unreliable broker risk
Of course, as with any technology, you should always consider the possible risks. Even though ZTNA is a lot safer than the older setup with VPN and DMZ, access depends on the health of the broker: if the broker is down, users cannot reach the applications they need. So be picky when choosing or setting up a broker. Also pay attention to where your trust broker is located, and make sure it can use multiple points of presence.
Summing up, ZTNA reduces the attack surface and is therefore an ideal addition to SD-WAN. Where SD-WAN ensures that traffic is routed via the optimal route, ZTNA ensures that those routes are only used by trustworthy users and devices. The internet is made for connections, and we no longer need to be locked up in our castles. We may trust no one, but ZTNA makes sure we can still let the right people in.
ZTNA as a Service
Are you convinced of ZTNA’s benefits, but not sure you want to manage the broker yourself? Then ZTNA as a Service may be the option for you. At Expereo, we offer ZTNA as part of our SASE proposition, but also as an addition to our SD-WAN portfolio. We not only make sure you have the right set of solutions in place, but we also monitor your network 24/7, ensuring your security while you focus on your core business.
Are you ready to take your security to the next level? Talk to one of our experts about your challenges and how we can help you.