Zero Trust Network Access: Implementation Tips for Security Soundness
Article by Manish Alshi, Head of Channels and Growth Technologies - India & SAARC, Check Point Software Technologies
In 2020, organizations experienced a massive shift to remote and hybrid work environments, which dramatically increased their attack surfaces and risk. Here in India, our Check Point Threat Intelligence Report states that an organization in India is being attacked on average 1783 times per week in the last 6 months, compared to 1645 attacks per organization in APAC, with 89% of the malicious files in India delivered via email in the last 30 days.
Many companies accelerated cloud initiatives to provide access to data and resources. BYOD policies allowed employees to access company assets from home and personal devices. Supply-chain partners also now needed remote access to information.
Until now, companies relied on Virtual Private Networks (VPNs) and premises-based security methods for secure remote access. Since 2020, the limitations of these methods have become painfully clear:
- They can’t scale easily
- IT lacks visibility into users and activity
- It’s not practical to install and maintain VPN clients on BYOD and partner devices
- Performance suffers
- They’re complex to use with cloud environments
- They lack Privileged Access Management (PAM) capabilities for DevOps and engineering users
- They’re costly
Securing Access with Zero Trust
For these reasons, Zero Trust Network Access (ZTNA) is becoming a critical element of standardized security architecture. A ZTNA model “never trusts and always verifies.” When implemented, ZTNA:
- Limits access on an application-by-application basis
- Authenticates every device and user, no matter where they are located
- Acknowledges today’s complex networks and makes zero assumptions
Gartner® defines ZTNA as “products and services that create an identity- and context-based, logical-access boundary that encompasses an enterprise user and an internally hosted application or set of applications. The applications are hidden from discovery, and access is restricted via a trust broker to a collection of named entities. The broker verifies the identity, context and policy adherence of the specified participants before allowing access and minimizes lateral movement elsewhere in the network.”
Gartner’s definition separates the control plane from the data plane, as shown below.
More than simply a VPN replacement, ZTNA ensures all users and devices—whether inside or outside the organization’s network—are authenticated, authorized, and continuously validated for security configuration and posture before being granted or maintaining access to applications and data.
Choose the Best ZTNA Solution
When evaluating ZTNA solutions for your environment, here are seven things to keep in mind.
Ensure Support for All Users
The solution must secure access for everyone—employees with managed devices, BYOD devices, mobile devices, third-party partners, engineering teams, and DevOps users. Look for client-based access to secure employees using managed devices and a clientless architecture for secure access to web applications, databases, remote desktops, and secure shell (SSH) servers. Be sure to also consider basic PAM requirements for teams who need access to multi-cloud environments and single sign-on (SSO) into private resources, such as servers, terminals, and databases.
Ensure Support for All Target Resources
Ensure the ZTNA solution supports all high-priority private applications and resources, not just Web apps. This includes access to SSH terminals, SQL databases, remote desktops (RDP) and servers. DevOps and engineering teams need ZT access to Infrastructure-as-a-Service (IaaS) offerings, cloud production environments, microservices, and virtual private clouds.
Ensure Simple Deployment and Rapid Time to Value
Look for out-of-the-box identity provider (IdP) integration through a standard like SAML 2.0, as well as intuitive, granular policy configuration. See how to deploy clientless ZTNA in 15 minutes for fast time to value.
Ensure Easy Operation
Look for a ZTNA solution offering maximum value with minimum maintenance and no need to hire additional staff. Cloud-based solutions with a unified console are easy to use and provide visibility across all ZTNA use cases.
Ensure High Performance and Service Availability
A ZTNA service must deliver close to 99.999% uptime and high performance backed by Service Level Agreements (SLAs). Review a vendor’s SLAs and look for a global network of points of presence (PoPs) with redundancy in each zone.
Ensure Zero Trust Security Soundness
Look for ZTNA solutions that separate the control and data planes to enable true least-privilege access to applications and other resources. They should offer granular in-app controls, such as read, write, administer permissions, and enabling policies at the command and query levels. The ability to report on groups, users, and application usage with access to video session recordings provides deep visibility. Also check for additional integrated security features such a sandboxing, cloud IPS, and DLP.
Part of a Future-Ready Security Service Edge
Consider how the ZTNA solution can be extended to other use cases—branch access, Internet access, private applications—through a Security Service Edge (SSE). Securing remote ZTNA is a critical step toward a larger zero trust security architecture.
Why Check Point Harmony Connect Remote Access
Check Point Harmony Connect Remote Access secures access to any internal corporate application residing in the data center, IaaS, public or private clouds. Easy to use, it can be deployed in less than 10 minutes.
Harmony Connect Remote Access can be implemented in two ways:
• Clientless Application-Level Access: Apply intuitive ZTNA to web applications, databases, remote desktops, and SSH servers with granular in-app controls. It is ideal for securing remote access by employee-owned devices and third-party partners since no agent is required. It also enables secure access for engineering and DevOps teams who need rich, cloud-native automation capabilities.
- Client-based Network-level Access: This VPN-as-a-Service option is ideal for securing employee access from managed devices. It includes embedded cloud DLP and industry leading IPS to protect apps from the latest vulnerabilities, such as Log4J.