With the increased adoption of remote working practices, employees are positioned outside of the traditional security perimeter. As remote employees continue to access valuable business assets using their personal devices and private/public networks, a company’s attack surfaces widen, exposing them to critical threats emerging from implicit trust practices and unknown vulnerabilities.
For most businesses, the solution lies in Zero Trust Network Access (ZTNA), a security solution framework that provides secure remote access to an organisation’s systems, applications, data, and other assets based on clearly defined access control policies.
However, organisations often perceive ZTNA migration as a complex process, resulting in objections from business leaders and reluctance from the workforce. So, how can organisations overcome these objections and successfully implement ZTNA to build a secure and protected remote working ecosystem?
Understanding the significance of Zero Trust Network Access
Most legacy security technologies are perimeter-based. The core idea of perimeter-based security is that anyone inside the corporate network is trusted. So, if a user is connected to the corporate network, they don’t need further verification to access the assets within that network. Such technologies leave the system wide open after the initial authentication; they also often fail to secure cloud environments and prevent threats occurring from cloud access. Instances like exposed IP addresses, exposed credentials, infected devices and breached Wi-Fi networks often go undetected by legacy systems.
More specifically, in a remote working environment, the majority of the network traffic comes from outside of the corporate perimeter. Legacy solutions cannot verify or authenticate the users or devices accessing the corporate information system. This unparalleled risk of unmanaged devices and access privileges can lead to critical security incidents. Traditional solutions like virtual private networks (VPN) are inadequate because they essentially provide access to large segments of the network once the user is authenticated. This goes against the principle of least privilege, which states that a user should only be given access to the resources needed to complete their job. It also opens the door for lateral movement across the network, should an attacker somehow find a way in through a compromised device or user.
The ZTNA model addresses this problem by following a ‘never trust, always verify’ principle. Zero Trust solutions authenticate every single connection before allowing network access, whether the user or device is inside or outside the secured network perimeter.
It continuously validates every aspect of user access privilege, including the user’s identity and location, their IP address, data or service being requested, and even their endpoint security posture. This approach ensures that every user inside the organisation’s network is verified and trusted, and there are no overprivileged or unauthorised accounts accessing the organisational assets.
Implementing ZTNA ensures that users only connect directly to the apps and resources they need, instead of connecting to the entire network. So, in case devices or applications are compromised, the risk is contained within a small area, restricting it from infecting other assets. Moreover, it is different from conventional firewall solutions, as Zero Trust solutions terminate every connection as soon as any malicious traffic is detected—cutting down attack paths before they can reach the target and eliminating attack vectors. A Zero Trust model is the definitive answer to reducing critical cyber risks arriving from unknown vulnerabilities.
Objections to ZTNA migration and why they occur
Most objections and reluctance to ZTNA migration occur due to incomplete planning. Most implementation plans are often rushed and focused on overhauling changes in the current network security infrastructure. Business leaders and CISOs need to understand that legacy systems have existed for a long time and workforces are likely to resist sudden changes that require a complete modification of their work habits and business processes. Instead, a more refined and gradual approach to ZTNA implementation can help organisations slowly shift toward the new model and increase their adoption over time.
First, business leaders must communicate the importance of Zero Trust across the entire organisation. Every employee and staff member needs to be on the same page and understand the critical need for this shift. This requires increasing organisational awareness through planned training sessions and regular communication/updates. Once the importance of Zero Trust is defined and understood across the workforce, security teams can focus on the implementation phase.
Before implementation begins, organisations should incorporate a Zero Trust framework. This framework will clearly define which part of the organisation needs to have Zero Trust policies in place. What’s more, the combination of security and agility delivered by a successful Zero Trust approach can provide a powerful advantage to any organisation’s digital strategy. Indeed, the capabilities of Zero Trust can help define the scope of what digital transformation can achieve. With their expanded digital infrastructure effectively safeguarded, businesses are free to be more ambitious.
In terms of implementation, ZTNA should be rolled out gradually. Instead of completely replacing the old network structure and security policies in one go, CISOs should start with a defined protection surface. Begin by clearly identifying which assets and services should incorporate ZTNA as a priority. For example, organisations can begin by implementing a Zero Trust solution on specific applications such as Active Directory, or on certain critical assets such as the consumer or financial database.
Once a certain set of applications or assets have been migrated to the Zero Trust model, security teams should monitor its effectiveness for a certain period of time before moving on to the second phase of implementation. It is also important to monitor how the employees are adapting to the new security model. Employees should be made aware of the pre-defined Zero Trust policies and be trained on how to access different resources under the new security model.
By taking it slow and incorporating a planned and gradual implementation process, organisations can overcome the objection to ZTNA migration and help the workforce smoothly transition into the new security system.
The Zero Trust model can reduce business costs
While some business leaders might be reluctant to incorporate ZTNA because of its implementation cost, it’s important to understand that a Zero Trust approach can actually reduce significant business costs. Shifting to Zero Trust means organisations can facilitate more rapid digital transformation and make more resources available on the cloud, leveraging the ZTNA architecture that includes secure cloud network access. ZTNA allows for unified access policies for remote as well as on-premise users, which will drastically reduce the complexity and can replace or decrease quite a few security tools in the existing corporate perimeter.
ZTNA solutions can automate least privileged network access, leveraging your existing identity and access management and application metadata, allowing security teams to focus on other critical business processes. It will also significantly increase an organisation’s security efficiency and help to protect the business from potential data breaches. In 2021, the average cost of a data breach was $5.04 million. Applying ZTNA will help organisations to avoid costly data breaches and ransomware attacks.
Therefore, business leaders need to understand the wider impact of a Zero Trust approach and make ZTNA a critical part of their security infrastructure. The cost of maintaining ineffective legacy systems and rectifying potential data breaches far overshadow the cost of implementing ZTNA solutions.
By focusing on the powerful benefits around cost, agility and productivity that ZTNA can deliver, security leaders can overcome the common objections and get their projects moving. In today’s rapidly evolving digital space, threats can come from a wide array of sources and it’s an almost impossible task for security teams to monitor all aspects of secure access.
Implementing ZTNA takes some of the pressure off security teams and eliminates critical attack paths before a system is breached. It ensures that organisations can carry out their critical business processes within a secured digital ecosystem, helping them reduce their risk while empowering their teams’ productivity.
Kurt Glazemakers, CTO at Appgate