Garrett Bekker, August 17, 2022
Zero Trust and its Products in Use
Part two of a two-part guest blog series from Garrett, Principal Research Analyst in the Information Security Channel at 451 Research, a part of S&P Global Market Intelligence
ZT is not a new concept – but it can still be difficult to understand
As previously discussed, varied definitions of zero trust can create difficulties in understanding ZT as a whole, as well as how and where to start implementing it. In our first blog, we noted that zero trust, the concept, is the philosophical foundation on which the product, zero trust network access (ZTNA), is built. Understanding the difference is critical, as complexity is the enemy of security professionals.
ZTNA, the workforce and unity in security
Organizations must often deal with different sets of users, each with their own access technologies. Remote users typically have access to a VPN and a set of corresponding rules. On-premises users may have network access controls, and corporate networks have switches and routers. So security personnel have at least three things to manage when configuring rules and privileges. From an administrative perspective, if there's one policy engine that can handle all of that, it reduces both the complexity and the burden on security personnel. However, user experience is also a critical piece of security. If the user experience is consistent and access is granted for any resources needed to complete a job regardless of location, then user friction is reduced, and security measures are less counterproductive.
Many traditional IAM technologies are siloed and only deal with a specific set of user personas. Single sign-on (SSO) and identity as a service (IDaaS) capabilities were initially used for internal employees. Privileged access management (PAM) is, not surprisingly, used for privileged employees and the higher-value resources they can access, such as databases, Unix and Linux servers, network infrastructure, etc. Customer identity and access management (CIAM) is used for customer-oriented access in B2B2C scenarios, and IDaaS can be expanded from internal workers to support third parties, consultants and contractors. Having a product that can unify all these user variations and access scenarios would be ideal – and the right ZTNA solution can help pull it together.
Paradigm shift beyond remote access
Organizations must begin rethinking access control and consider whether implementing existing ZTNA solutions is a solid alternative to prior approaches – especially if the ZTNA solution is built to handle hybrid workforces and hybrid workloads from a single policy engine.
Most successful breaches today share a few common elements: lateral movement to harvest additional credentials and privileges, followed by use of those credentials to escalate privileges. How far ZTNA can curb both lateral movement and privilege escalation is therefore critical to overall security. Increasing the use of identity inside corporate networks, implementing least privilege more broadly and segmenting networks is thus an important starting point for protecting against breaches.
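To make the "single policy engine" idea from the workforce section and the least-privilege point above concrete, here is a small illustrative policy decision function added for this post; it is not the author's code or any vendor's product. The personas, resources, group names and posture flags are constructed sample values, and the one design rule worth noticing is that the network location a request arrives from is recorded but never used to grant access.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    user: str
    persona: str               # "employee", "contractor" or "admin" (constructed)
    groups: frozenset
    mfa: bool                  # strong authentication completed for this session
    device_compliant: bool     # posture result reported by the endpoint agent
    location: str              # "office" or "remote"; logged, never a grant condition

@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str           # "standard" or "privileged"
    allowed_groups: frozenset  # least privilege: explicit grants only
    allowed_personas: frozenset

def evaluate(p: Principal, r: Resource) -> tuple[bool, str]:
    """One decision path for every access technology (VPN, NAC, campus switch).
    Default deny; the network the request came from is not a factor."""
    if not p.device_compliant:
        return False, "device failed posture check"
    if p.persona not in r.allowed_personas:
        return False, f"persona '{p.persona}' is not permitted on {r.name}"
    if r.sensitivity == "privileged" and not p.mfa:
        return False, f"{r.name} requires MFA"
    if p.groups.isdisjoint(r.allowed_groups):
        return False, f"no group of {p.user} is granted {r.name}"
    return True, "allowed"

def access_map(p: Principal, resources: list) -> dict:
    """Per-resource decisions: reaching one resource never implies another,
    which is the segmentation property that limits lateral movement."""
    return {r.name: evaluate(p, r)[0] for r in resources}

# Constructed sample estate: one standard app, one privileged database.
RESOURCES = [
    Resource("wiki", "standard", frozenset({"staff"}),
             frozenset({"employee", "contractor", "admin"})),
    Resource("prod-db", "privileged", frozenset({"dba"}), frozenset({"admin"})),
]

if __name__ == "__main__":
    dba_remote = Principal("alice", "admin", frozenset({"staff", "dba"}), True, True, "remote")
    dba_office_no_mfa = Principal("alice", "admin", frozenset({"staff", "dba"}), False, True, "office")
    contractor = Principal("bob", "contractor", frozenset({"staff", "dba"}), True, True, "office")
    for p in (dba_remote, dba_office_no_mfa, contractor):
        print(p.user, p.location, access_map(p, RESOURCES))
```

The contractor case shows the persona check holding even when a group membership alone would have granted the privileged resource, and the two "alice" cases show that being on the office network does not substitute for MFA.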
Many organizations have either considered or already implemented a hybrid work model, where employees spend some days each week in the office and some days remote. Although this may be great for overall balance, it is not ideal from a security perspective. Remote work demands access for almost all users all the time, no matter where employees or devices are located. Resources can be anywhere, creating the need for a solution to handle this complexity, tie it all together and be flexible enough to address each situation. Organizations also need to consider how to protect legacy infrastructure, remote employees and employees who are on-premises, as well as their growing cloud estate.
Wrapping it all up
It is critical to recognize the distinction between zero trust and ZTNA, and to understand how organizations can implement both to improve their overall security posture. Furthermore, zero trust is about more than just remote access. A unified policy engine that can span campuses, branch offices, headquarters and large corporate facilities – as well as remote locations, devices and users – is a critical piece of an overall security strategy. Organizations must also address multiple user personas to provide a holistic look at access.
Listen to Garrett Bekker on the Zero Trust Thirty Podcast discussing Zero Trust Access for the Corporate Network
- Copyright © 2022 S&P Global Market Intelligence.
- The content of this artifact is for educational purposes only. 451 Research, S&P Global Market Intelligence does not endorse any companies, technologies, products, services, or solutions. Permission to reprint or distribute any content from this artifact requires the prior written approval of S&P Global Market Intelligence.