The zero trust model has been developed because the distinction between “external” and “internal” areas of information systems has begun to blur. Private applications stand alongside their SaaS-based brethren, while the infrastructure transitions from virtualised servers in the data centre to services and apps residing on public clouds.
Users are also changing. Not only are they quite often mobile, but they are also no longer strictly human beings. The number of APIs is exploding, and machines now speak to each other just as much as employees do. In these circumstances, it becomes difficult to determine who is “trusted” and who is not.
When a public web server can be hosted internally in a DMZ and a critical business application is running on a public cloud service connected to a database in the data centre, what then can be deemed truly internal?
Under such conditions, matching access control lists (ACLs) and access permissions to various clouds with Active Directory services becomes complex, and keeping perfect visibility on the rights of users across all these models is an unenviable task.
It is not surprising that the concept of VPN, created at a time when network topologies were very different, is no longer able to keep up. It’s no coincidence that many organisations are realising the increasing difficulty of adapting and maintaining their VPN configurations. The strategy of granting access permission at the outset followed by virtual internal freedom (even within well-segmented VLANs) no longer actually meets organisations’ needs. The advent of 5G, by increasing the opportunities for remote connections and possibly even replacing corporate Wi-Fi connections, will certainly not simplify things.
This is where the zero trust model comes into play. If the perimeter disappears, then the notion of trust granted by default must also disappear. It needs to be replaced by a more agile model in which each resource, wherever it is, only accepts authenticated users, no matter where they are connecting from. This poses serious system and network architecture challenges. Will organisations have to put a VPN termination point in front of each application? Will organisations have to go back to multiple VPN clients on a workstation? And how can enterprises centralise the different rights and permissions of a mobile user?
Centralisation is where zero trust network access (ZTNA) technologies can help. ZTNA offers a modern alternative to network segmentation and VPNs, delivering microsegmentation instead. ZTNA services treat each connection to each application as a separate environment with individual security requirements. And, most importantly, this is completely transparent to the user. Instead of launching a VPN client, a lightweight local client that activates automatically at the start of the session gives seamless access to the various company resources, wherever they are and always with the same level of security, whether you are in the office connected via Ethernet or on the move over a 4G connection.
The ZTNA service is able to identify each private application (even shadow IT private apps) and applies a specific security policy defined by the company. It is, therefore, able to selectively encrypt, apply predefined policies, or demand additional authentication depending on the risk profile. And it works on any TCP or UDP connection, whether for native application flows (SAP, for example) or network protocols (SSH, RDP, etc.).
It then becomes possible to manage remote access to any type of application with precision, wherever it is hosted and regardless of the origin of the connection. This creates a secure segment of one between a specific authorised user and a private application via a dynamic TLS-encrypted microtunnel. There is no longer any distinction between hosting options or connection modes (corporate network or 4G): everyone, whether an employee or a third-party user, must be properly authenticated before accessing a resource.
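As an added illustration, not code from this article or from any ZTNA vendor, the following default-deny policy evaluator treats each user-to-application connection as its own segment and demands additional authentication when a hypothetical risk score crosses the application's threshold; the application names, ports, groups and risk scores are constructed sample values.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    DENY = "deny"                    # default outcome for anything not explicitly permitted
    STEP_UP = "additional_auth"      # session continues only after extra authentication
    ALLOW = "allow"                  # open the per-user, per-app microtunnel

@dataclass(frozen=True)
class AppPolicy:
    protocol: str                    # "tcp" or "udp", as in the article's native-flow examples
    port: int
    allowed_groups: frozenset        # identity groups permitted to reach this application
    step_up_risk: int                # risk score (0-100) at or above which extra auth is demanded

@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    authenticated: bool              # identity verified before any network path exists
    mfa_done: bool
    risk_score: int                  # hypothetical posture/location score supplied by the client
    app: str
    protocol: str
    port: int

# Constructed sample policies: each application is its own segment with its own requirements.
POLICIES = {
    "sap-erp":     AppPolicy("tcp", 3200, frozenset({"finance"}), step_up_risk=40),
    "bastion-ssh": AppPolicy("tcp", 22,   frozenset({"sre"}),     step_up_risk=20),
    "voip-gw":     AppPolicy("udp", 5060, frozenset({"staff"}),   step_up_risk=70),
}

def evaluate(req: AccessRequest, policies=POLICIES) -> Decision:
    """Default-deny evaluation of one connection to one application."""
    policy = policies.get(req.app)
    if policy is None or not req.authenticated:
        return Decision.DENY         # unknown app or anonymous caller: no implicit trust
    if (req.protocol, req.port) != (policy.protocol, policy.port):
        return Decision.DENY         # segment of one: only the declared flow, nothing lateral
    if not (req.groups & policy.allowed_groups):
        return Decision.DENY
    if req.risk_score >= policy.step_up_risk and not req.mfa_done:
        return Decision.STEP_UP      # same user, riskier context: demand more proof first
    return Decision.ALLOW
```

The same user gets a different decision for the same application depending on the risk of the connection context, which is the per-connection behaviour described above.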
For this reason, organisations that choose to migrate gradually to a zero trust model should start implementing microsegmentation for some of their users now and start to build up an experience that will be valuable in the future when zero trust becomes unavoidable.
That day will be here sooner than you think.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Yogi Chandiramani is Technical Director for Zscaler EMEA