How ZTNA 2.0 can properly secure your organisation and maintain user experience


Keeping the business running means you need to secure what keeps the business running

The persistent threat of cyber incidents has led technology and security leaders, around the world, on a search for strategies and tools that can help safeguard their organisations.

In recent years much of the focus has settled around the concept of zero trust and its philosophy of 'never trust, always verify', which suggests that no device connected to any network should ever be trusted by default.

According to Palo Alto Networks’ Chief Technology Officer for Australia and New Zealand, Riccardo Galbiati, this concept has become more popular as networks have become more complex – especially as more and more devices are connecting remotely with hybrid work.
“The VPN model of connecting to a physical location, maybe in a data centre, and then out to the application, just could not scale. A new architecture was required to reach a solution,” Galbiati says.

“Zero Trust is a strategy, first and foremost. It aims to solve the problem of trusting technology. As soon as we define locations, devices or attributes (on a network) that we trust more than the rest - and we let that trust be used to access resources - then we are going to cause ourselves many problems, because that trust can be hijacked by someone else. The majority of breaches in cyber security have been conducted because of an abuse of this trust.”

Over time, the zero trust approach to networks has been applied to remote user scenarios, and a new category of products was created to fit the purpose. It has been called ZTNA (Zero Trust Network Access).

However, Galbiati says the application of ZTNA has not always lived up to its requirements. For instance, many implementations of ZTNA verify trust only at the time of connection: they fail to validate whether trust is abused over time.

“For Zero Trust to really be part of ZTNA, we need to continuously validate every stage of a digital interaction,” Galbiati says. “That means examining how a user accesses a resource and how resources access each other.”

Another core concept of ZTNA is identity. Galbiati says this should be leveraged at all times to robustly validate whether users are who they say they are when they connect to a resource. He stresses that, on top of this, even if we know who a user might be, organisations must verify whether the device they are connecting from could have been compromised.

A third requirement for successful ZTNA is to ensure that users are only accessing what they need in order to perform their roles.

“In Zero Trust it is called least-privilege principle,” Galbiati says. “This is not there to limit or hinder productivity, but to assign (almost dynamically) what a user’s responsibility is and what access to resources they should have. If we start giving too much access, we introduce risk.”

Galbiati says there is one more consideration that is most-often overlooked when deploying ZTNA: 

“Although we know who the users are, we know they are coming from safe devices and we are limiting their access to only what they really require,” Galbiati says. “If we forget to scan or monitor what they are doing against malicious activity or possible data theft, then we are still implicitly trusting that conversation. This is what continuous validation of digital interactions means.”

Hence, Galbiati says there are a number of actions that security leaders should take to ensure they are truly practising zero trust. One involves ceasing use of access brokers.

“First of all, if you use a port and a protocol to define an application, you soon realise that you have more applications than ports and protocols. So, when you are opening a single port, you are probably actually allowing traffic to dozens of applications,” he says.

“On top of that, if a user gets access to an application and there is no scanning for malicious content, there is no check for exploits being utilised, or for malware (or malicious files) being transferred across, then everything is trusted because it could only be verified just once by a broker at the beginning.”

Galbiati says these concerns can be alleviated by implementing Palo Alto Networks’ Prisma Access, which delivers consistent security to remote networks and mobile users regardless of their location. He adds that the attributes of Prisma Access deliver a true second-generation approach to ZTNA, or ZTNA 2.0, which applies Zero Trust principles to remote users.

“Users will be always forwarded through a single, central infrastructure that is cloud native,” Galbiati says. “They are restricted in their access via least-privilege principle based upon their identity, the compliance of their device and the applications that they need to access.”

Galbiati says Prisma Access also continuously checks for changes in user or application behaviour.

“We don’t just check if a device or user is compliant at the beginning of a connection, we repeat that check as often as is required, because things can change on that device,” he says. “Continuous trust verification is performed for the duration of the interaction between the user and that application.”
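As an added illustration (not code from the article or from Palo Alto Networks), the toy policy engine below contrasts a broker that verifies once when the tunnel is opened with one that re-evaluates identity, device posture and least-privilege application access on every request; the roles, applications and the mid-session posture change are constructed sample data.

```python
"""Toy comparison of connect-time-only verification versus continuous
verification. Everything here is constructed sample data, not a real
ZTNA product's policy model."""
from dataclasses import dataclass

# Constructed least-privilege mapping: role -> applications that role needs.
ROLE_APPS = {"painter": {"timesheets"}, "finance": {"timesheets", "payroll"}}


@dataclass
class Device:
    disk_encrypted: bool
    edr_running: bool

    def compliant(self) -> bool:
        return self.disk_encrypted and self.edr_running


@dataclass
class Session:
    user: str
    role: str
    device: Device


def policy(session: Session, app: str) -> bool:
    """One decision: the role may use this app AND the device is compliant now."""
    return app in ROLE_APPS.get(session.role, set()) and session.device.compliant()


class OnceBroker:
    """Verify once when the tunnel opens, then trust the session; because the
    opened port carries many apps, later requests are not checked per app."""
    def __init__(self, session: Session, first_app: str):
        self.allowed = policy(session, first_app)

    def access(self, session: Session, app: str) -> bool:
        return self.allowed


class ContinuousBroker:
    """Re-evaluate identity, posture and least privilege on every request."""
    def access(self, session: Session, app: str) -> bool:
        return policy(session, app)


def simulate(broker_kind: str) -> list:
    """Constructed timeline: a painter connects on a compliant laptop, EDR
    then stops mid-session, and finally the user tries an out-of-role app."""
    s = Session("alice", "painter", Device(disk_encrypted=True, edr_running=True))
    broker = OnceBroker(s, "timesheets") if broker_kind == "once" else ContinuousBroker()
    decisions = [("timesheets", broker.access(s, "timesheets"))]
    s.device.edr_running = False  # posture changes after the connect-time check
    decisions.append(("timesheets", broker.access(s, "timesheets")))
    decisions.append(("payroll", broker.access(s, "payroll")))  # outside least privilege
    return decisions
```

The connect-time-only broker keeps allowing both requests after the posture change, while the continuous broker denies the non-compliant device and the out-of-role application.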

Galbiati says this approach has been used to great effect at the 70-year-old commercial painting contractor, Higgins Coatings.

“Its remote workforce could not handle remote connectivity with a VPN,” Galbiati says. “The bandwidth was becoming clogged up and the user experience was impacted. They adopted Prisma Access and were able to achieve that ZTNA nirvana of being able to know who the users were at any given time, where they were accessing from, how they were accessing and what type of conversations they were having.”

Galbiati says that this ZTNA 2.0 approach delivers a true zero trust approach to network access without compromising user experience.

“Keeping the business running means you need to secure what keeps the business running - that is how you align a Zero Trust strategy to the business outcome,” Galbiati says. 

Copyright © iTnews.com.au . All rights reserved.