During the pandemic, the limitations of classic remote access solutions became apparent. Those connections proved to be vulnerable and could not be scaled quickly enough to meet the sudden high demand with acceptable performance. The user experience when remotely accessing data center applications or private cloud environments suffered. Digitization has also accelerated immensely, not least in the wake of the pandemic, and hardware and services exposed on the Internet have opened up new targets for attackers.
Organizations must react accordingly to completely new security challenges. Zero Trust Network Access (ZTNA) already proved in the first phase of the pandemic that employees can access the applications they need efficiently and securely if access rights are assigned according to the least-privilege access model. Access is no longer granted to the entire network, but only to the required application, and only once the authorization for it has been confirmed. The Zscaler Zero Trust Exchange, with enhanced functionality for ZTNA, minimizes the exposure of enterprise applications to the Internet and de-risks enterprise-owned applications through a highly integrated platform approach.
Cloud-based Zero Trust Network Access makes the difference
Every company and organization is responsible for its data and for the access rights of third parties, and should carry out a risk assessment. Some applications need to be delivered over the Internet, while others do not. In the second case, it is appropriate that these applications are not only blocked from access but cannot even be discovered on the Internet by unauthorized persons.
In addition, access by third parties, or remote access for maintenance purposes in the production environment, should be limited to the absolutely necessary group of people. Neither scenario requires opening access to the entire network any longer. Tunneled access to the required application using Zero Trust Network Access enables maintenance access or supply chain management processes while making the rest of the network invisible.
The following feature sets of a cloud-based security platform help minimize application exposure:
Zero Trust Network Access (ZTNA) enables granular segmentation at the level of the individual application, thereby creating an improved security posture. Based on predefined access rights, an authorized user can only reach permitted applications. Since no network access is granted, no lateral movement within the network is possible. A broker in the form of a cloud security platform uses policies to decide access to the application based on the identity of the user and other context-based criteria.
In today’s multicloud scenarios, the fact that a workload moved to the cloud must be reachable in several different ways becomes the focus of the security discussion. The workload, consisting of application and data, must be accessible to IT administration and employees, must be able to communicate with other applications via the Internet, and must have a connection to the central data center. If the necessary access rights are not mapped correctly in each of these directions, the attack surface and the risk to a company’s infrastructure increase. Defined access authorizations for permitted and encapsulated communication between cloud workloads can provide additional security for such a setup.
Isolation through browser-based access
Another level of risk mitigation can be applied via browser-based access. Even if the user has the necessary access rights, the connection is not established directly to the application but via Remote Desktop Protocol (RDP) or SSH in an isolated session: only a rendered image of the actual application is displayed, and no full connection between the client and the application is ever established. In this way, the application is protected from malicious content originating from the user or their device, such as an attempt to inject malicious code into an internal app.
Secure access to OT environments through privileged remote access
With the increasing digitalization of their production environments, companies also have to consider who may access machine controls for maintenance purposes. Here it is important to bring together the two previously separate worlds of IT and OT so that only an authorized person has access. Until now, the difficulty has been how to assign access rights to such an external person when the device used for this purpose is not managed by the company. A web portal can provide privileged access in this case, when no RDP or SSH access can be set up for the device.
An invitation to snoop as a defense mechanism
Ultimately, companies that rely on ZTNA also have to consider the risk posed by compromised users or their devices. In this case, the attacker uses a stolen identity to gain access to the applications that the employee is entitled to. If an attacker tries to access deliberately placed honeypots with a stolen identity, such an attack can not only be exposed, but the most important data can also be protected.
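The per-application brokering described above (identity plus context, default deny, no network-level access) and the decoy idea of this section, as an added Python illustration that is not Zscaler code: the policy table, application names, groups and the `broker_decide` / `visible_apps` functions are constructed for this example.

```python
from dataclasses import dataclass

# Constructed sample policy (not a Zscaler configuration): each published
# application names the groups allowed to reach it and the context it requires.
# Anything not listed here is simply not published, so it cannot be discovered.
APP_POLICY = {
    "hr-portal": {"groups": {"hr"},        "managed_device": True,  "mfa": True},
    "erp":       {"groups": {"finance"},   "managed_device": True,  "mfa": True},
    "plc-maint": {"groups": {"ot-vendor"}, "managed_device": False, "mfa": True},
    # Decoy: no legitimate group is entitled, so any access attempt is suspicious.
    "finance-backup": {"groups": set(), "managed_device": True, "mfa": True, "decoy": True},
}

@dataclass
class AccessRequest:
    user: str
    groups: set
    app: str
    managed_device: bool
    mfa: bool

@dataclass
class Decision:
    allow: bool
    reason: str
    alert: bool = False  # True when the attempt should be escalated to the SOC

def broker_decide(req: AccessRequest) -> Decision:
    """Decide one request for one application: identity (groups) plus context."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return Decision(False, "application not published")
    if policy.get("decoy"):
        # Only a compromised identity or a probing attacker reaches a decoy;
        # deny and raise an alert instead of silently refusing.
        return Decision(False, "decoy application touched", alert=True)
    if not (req.groups & policy["groups"]):
        return Decision(False, "identity not entitled to this application")
    if policy["managed_device"] and not req.managed_device:
        return Decision(False, "managed device required")
    if policy["mfa"] and not req.mfa:
        return Decision(False, "MFA required")
    return Decision(True, "brokered connection to this application only")

def visible_apps(groups: set) -> list:
    """What a user can even see: only the applications their groups are entitled to."""
    return sorted(app for app, p in APP_POLICY.items() if groups & p["groups"])
```

A finance user whose session to `erp` is approved still gets a separate deny for `hr-portal`, which is the point: there is no network to move laterally in, only individually brokered applications.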
With the expanded functionality of the Zscaler Zero Trust Exchange, companies can use network segmentation, isolation and deception to build additional protection mechanisms into their defense strategy, depending on their risk appetite. The new range of functions based on Zero Trust Network Access enables the much more granular defense mechanisms required for the various modern use cases of remote access, whether for remote employees, third parties or the maintenance of machines.