In the wake of the COVID pandemic, CIOs and CISOs around the world now find remote workforce security becoming a top priority. Expanding their businesses’ existing VPN (virtual private network) or RDP (remote desktop protocol) infrastructure - necessary in the immediate crisis - has made their security systems potential vectors for cybercriminals and other bad actors. The challenge of providing secure access for remote users while protecting sensitive data has not been easy to solve for most organizations.
Zero Trust Network Access (ZTNA) is an alternative approach for securing remote network access first introduced in 2009. Unfortunately, misperceptions and marketing hype have made Zero Trust Network Access seem more like a buzzword than a realistic solution. Yet, the truth beneath the hype is that a Zero Trust security model can, in fact, make resources more secure while simplifying your network infrastructure.
How Does Zero Trust Network Access Work?
First implemented by Google in 2009, the zero trust model is based on a simple premise: never trust, always verify. ZTNA solutions create secure perimeters around each individual resource, rather than around each network, and deny access by default. Authenticated and authorized users only get access to the resources they need - and only from devices that meet access control requirements. This approach better reflects the fact that company resources are no longer all contained in a trusted company network, but may be distributed in the cloud, and that workers commonly connect to those resources from non-office environments.
Under zero trust, the network that users connect through does not confer additional trust. Someone connecting through an on-premise ethernet port is no more trusted than someone connecting over the internet from their home office. Even resources on the same network aren’t trusted. They must pass through the ZTNA authorization process to communicate with each other.
Zero trust makes resources more secure by closing security gaps, making attacks less effective, and preventing a breach from spreading beyond a single resource.
Why Isn’t ZTNA Widely Adopted?
As the first company to implement zero trust access policies, Google is often held up as a model example of zero trust architecture done right. However, even with all of the resources at its disposal and with consistent C-level commitment, Google took almost a decade to fully implement and refine its zero trust approach. Such a large-scale IT transformation project is not what most companies are looking for, especially given tight budgets and limited resources.
Another factor hindering ZTNA adoption is that zero trust is a set of principles rather than a specific implementation or industry standard. As a result, companies face two choices when they consider any ZTNA solution. Enterprise vendors offer ZTNA options, but they are often expensive, complicated to deploy, and work best only when integrated with an infrastructure based on that vendor’s products. The other choice is to stitch together solutions from multiple vendors with custom middleware, patches, and workarounds, creating a system that is often brittle and difficult to maintain.
The actual and perceived complexity and expense of replacing entire security frameworks with existing ZTNA solutions have kept zero trust security off many companies’ IT roadmaps. Traditional VPNs and other existing approaches to remote access security are known quantities so companies assume they are less risky and require less effort.
2020, Remote Work, and Unsecure Networks
Unfortunately, the traditional network security approach to remote access has become increasingly outdated and, in this COVID age, is subject to cybersecurity weaknesses that create more risks for companies everywhere. First created at the dawn of the internet when people generally all worked in the office and network security was simpler, VPNs grant a user or device privileged access to everything within those networks. This conflicts with the security principle of “least privileged,” where individual users should not have access to more than they need, and provides attackers with the ability to move laterally within an internal network once the VPN is breached.
Moreover, VPN gateways are exposed to the public internet, making them a prime attack surface for cyber criminals. As a result, the most sophisticated attackers target VPNs to penetrate networks, deploy ransomware, and exfiltrate data. Over the past year, companies that failed to patch vulnerabilities in VPN servers offered by major vendors have fallen victim to ransomware and other attacks.
Beyond the security risks, VPNs make network infrastructure more brittle. Using subnets to control the risk of network breaches adds more complexity to network maintenance and increases the risk of misconfiguration. VPNs struggle with the fact that the corporate network perimeter is no longer a neatly defined boundary.
Twingate Eases ZTNA Adoption
Providing the benefits of a Zero Trust solution while making deployment and management of that solution as simple as possible has always been Twingate’s priority. We originally designed Twingate for developers and DevOps teams who needed secure remote access but may not have had network security experts in-house. With today’s work-from-home mandates, Twingate has become a simple, effective way for organizations to accelerate their zero trust journey.
Deployable in 15 minutes, a Twingate implementation does not require changes to your network infrastructure or any of your resources. In fact, a single Docker command is all it takes to deploy Twingate in a network. Provisioning users’ devices, whether managed or BYOD, is just as easy. Users can self-provision by downloading a client from an app store, and they do not need to change their devices’ operating system settings.
Once deployed, Twingate handles access control and device posture management rules seamlessly in conjunction with the authentication provided by your SSO or identity provider. Your administrators can on-board and off-board users automatically, and apply multi-factor authentication to any individual resource on the protected network, making it easier to manage least-privilege access policies across all resources. With extensive logging and analytics, Twingate also provides network visibility across the entire network through a single view, regardless of how many subnets you have.
Forget the hype and misperceptions. Contact Twingate to learn more about the reality of how easy and cost effective implementing a modern zero trust framework can be.