In a world of widespread remote working, business partners at separate firms requiring access to each other's networks, the Internet of Things connecting more devices every day and, most pressingly, increasingly sophisticated cyberattacks, protecting a network correctly has arguably never been more vital.
This is driving growing interest in "zero trust" approaches to network protection, as organisations look to take every reasonable measure to protect their networks, systems and data from attack, compromise and garden-variety human error.
Broadly speaking, zero trust refers to a newer, still-evolving way of designing a network in which the old model of inherent, excessive trust is replaced. Under that older and increasingly outdated model, once a user was inside the perimeter they were implicitly trusted to reach everything behind it; a classic example is a perimeter-based control such as a Virtual Private Network (VPN), which typically places the connecting device on the internal network and relies on the network boundary to do the protecting.
Despite the weaknesses of perimeter-based systems, however, the majority of firms are yet to embrace a zero trust model, with just 15 per cent of organisations reported to have transitioned to zero trust by 2019 (although this is likely to have increased with the rise in homeworking during COVID-19).
With zero trust, trust is no longer implied based on factors such as location or IP address, and is instead evaluated on a case-by-case basis, with the starting assumption being one of hostility, or “zero trust”.
However, applying a zero trust approach to a network is not as simple as adopting the slogan, and owners looking at zero trust will hear other terms such as Zero Trust Access (ZTA) and Zero Trust Network Access (ZTNA) being bandied around. Here, we'll look at what these three terms mean and the key differences between them.
As mentioned above, zero trust is a relatively new security model in which the old assumptions of implied trust are abandoned and the default position is no trust at all. Each time a user or device seeks access to a network or resource, its identity must first be verified, and that verification is combined with other context-related factors such as time, date, location or the state of the device before a decision is made.
Once access has been granted, it is still governed by the principle of least privilege: the user or device is given only the access the request actually needs, to that resource and no others. Furthermore, access is not a one-off decision; it must be continually re-evaluated, and it can be reduced or revoked if attributes of the user, the device or the context change (for example, a device falling out of compliance mid-session).
ZTA more specifically refers to a solution in which close attention is paid to which people and devices are on a network. ZTA involves role-based access control, through which a user is only granted a level of access appropriate to their role, with no ability to view or access other parts of the network.
Under ZTA, management have control and visibility over user endpoints in order to gain definitive knowledge regarding users and grant the appropriate level of access.
ZTA also covers devices that may require some level of access to a network. In the growing economy of the Internet of Things (IoT), numerous devices such as printers and even door or lift access systems operate over a network connection. These devices cannot authenticate with a username and password, so they are instead identified and admitted through network access control (NAC) solutions, which typically rely on attributes such as a device certificate or profiling of the device itself, and are then placed into the limited segment or role appropriate to them.
Under a ZTA model, such devices will again be governed by the principle of zero trust, with sufficient access granted only to fulfil their function.
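The mechanics described in the preceding paragraphs (identity plus context checks on every request, least-privilege grants scoped to a single resource, continuous re-evaluation and revocation, role-based access, and device identities that are not based on a username and password) can be illustrated with a small policy decision point. The following is an added example written for this page; it is not code from the original article or from any product. The roles, resources, posture rules, allowed countries and sample principals are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Device:
    device_id: str
    managed: bool    # enrolled in the organisation's device management
    patched: bool    # current on security updates


@dataclass
class Principal:
    name: str
    role: str                 # drives role-based access control
    identity_verified: bool   # proven at request time, never assumed
    verified_by: str          # "mfa" for people, "device-certificate" for IoT


@dataclass
class Context:
    time_utc: datetime
    country: str


@dataclass
class Request:
    principal: Principal
    device: Device
    context: Context
    resource: str


# Least privilege: a role is granted exactly the resources it needs.
# Constructed sample policy (assumption); a real deployment loads this from a policy store.
ROLE_GRANTS = {
    "finance": {"payroll-app"},
    "engineering": {"source-repo", "ci-dashboard"},
    "printer": {"print-queue"},   # an IoT device role rather than a human user
}
ALLOWED_COUNTRIES = {"GB", "IE"}   # constructed context rule


def device_posture_ok(device: Device) -> bool:
    """Hostile by default: the device has to prove it is managed and patched."""
    return device.managed and device.patched


def context_ok(context: Context) -> bool:
    """Constructed context rule: 07:00-20:00 UTC from an allowed country."""
    return context.country in ALLOWED_COUNTRIES and 7 <= context.time_utc.hour < 20


def evaluate(request: Request) -> tuple:
    """Per-request decision. Nothing is trusted because of where it connects from."""
    principal = request.principal
    if not principal.identity_verified:
        return False, "identity not verified"
    if not device_posture_ok(request.device):
        return False, "device posture failed"
    if not context_ok(request.context):
        return False, "context outside policy"
    if request.resource not in ROLE_GRANTS.get(principal.role, set()):
        return False, f"role '{principal.role}' is not granted '{request.resource}'"
    return True, "allowed"


@dataclass
class Grant:
    """A grant covers one resource only and stays valid only while policy still holds."""
    request: Request
    active: bool = True
    decisions: list = field(default_factory=list)

    def reevaluate(self) -> bool:
        """Continuous evaluation: any attribute that drifts revokes the grant."""
        ok, reason = evaluate(self.request)
        self.decisions.append(reason)
        if not ok:
            self.active = False
        return self.active


def demo() -> dict:
    """Constructed scenario: grant, least privilege, device identity and revocation."""
    office_hours = Context(datetime(2024, 3, 4, 10, 0, tzinfo=timezone.utc), "GB")
    laptop = Device("laptop-01", managed=True, patched=True)
    alice = Principal("alice", "finance", identity_verified=True, verified_by="mfa")
    out = {}
    # Access is per resource: the payroll grant says nothing about the source repo.
    out["alice_payroll"] = evaluate(Request(alice, laptop, office_hours, "payroll-app"))[0]
    out["alice_repo"] = evaluate(Request(alice, laptop, office_hours, "source-repo"))[0]
    # The session is re-checked; the laptop falling behind on patches revokes it.
    grant = Grant(Request(alice, laptop, office_hours, "payroll-app"))
    out["alice_session_initial"] = grant.reevaluate()
    laptop.patched = False
    out["alice_session_after_drift"] = grant.reevaluate()
    # An IoT device authenticates with a certificate (as NAC would), not a password.
    printer_hw = Device("printer-lobby", managed=True, patched=True)
    printer = Principal("lobby-printer", "printer", identity_verified=True,
                        verified_by="device-certificate")
    out["printer_queue"] = evaluate(Request(printer, printer_hw, office_hours, "print-queue"))[0]
    out["printer_payroll"] = evaluate(Request(printer, printer_hw, office_hours, "payroll-app"))[0]
    # A verified engineer on a compliant device, but connecting from outside the allowed countries.
    bob = Principal("bob", "engineering", identity_verified=True, verified_by="mfa")
    abroad = Context(datetime(2024, 3, 4, 10, 0, tzinfo=timezone.utc), "US")
    out["bob_abroad"] = evaluate(Request(bob, Device("laptop-02", True, True), abroad, "source-repo"))[0]
    return out


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The important design point is that `evaluate` is called on every request and again on every re-evaluation of an existing grant; there is no code path that says "already connected, therefore allowed". The same function serves people and devices, differing only in how identity was established, and the `ROLE_GRANTS` table is the whole extent of what any role can reach.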
ZTNA governs access to individual applications rather than to the network as a whole and, naturally, has been receiving increasing interest over the past 18 months because it can control access whether the user is on the corporate network or remote. ZTNA is seen as a natural step up from VPN, offering improved security, granular control of access and a better user experience, which is valuable given the growing complexity of modern networks.
Whereas a VPN trusts anything that passes its perimeter control and then places it on the network, ZTNA takes the opposite approach of not trusting any user or device to reach anything until its trustworthiness has been proved for that specific application. Applications are not exposed directly to the internet; connections are brokered only after the user and device have been verified, so an attacker scanning from outside sees nothing to attack. In this way ZTNA serves to minimise a network's attack surface, and a compromised account or device gains at most the applications it was explicitly granted rather than a foothold on the whole network.
When looking at different zero trust solutions for a business, it can be easy to get lost in the jargon, but there are simple identifiers that sum up what each solution does and differentiate them from each other:
Zero trust – Typically a generic term referring to security designs in which no user or device is automatically trusted, only limited access is given to verified users and devices, and permissions are re-verified or re-evaluated frequently.
ZTA – Solutions that focus on identifying, and keeping oversight of, which users and devices are accessing a network, including devices that authenticate by means other than a username and password.
ZTNA – Solutions that control access to individual applications, in which no user or device is trusted to reach an application until it has authenticated and been authorised for that application. Often cited as a natural evolution from VPN; under ZTNA, applications are hidden from the internet.