Zero Trust requires that all users are authenticated, authorized, and continuously assessed for risk to access corporate applications and data.
Many organizations begin their Zero Trust journey by modernizing their remote access stack. Legacy VPNs and related technologies aren't just slow; they are built on implicit trust. But rip-and-replace projects are notoriously resource-intensive and disruptive, causing IT teams to put off beneficial efforts such as implementing Zero Trust Network Access (ZTNA).
There are implementation decisions companies can make that will bring the team closer to a Zero Trust environment without requiring a massive up-front project. Security pros just need to know the right places to start so they can adopt these technologies in a thoughtful way.
Identify new apps that do not use legacy remote access
Start with business applications that currently lack enhanced protection or have inefficient security architectures in front of them. SaaS applications meet these requirements perfectly, particularly for organizations that want to deliver fast and seamless access to hosted applications without making users jump through unnecessary hoops that disrupt the user experience.
While legitimate users can access SaaS applications from anywhere, the wrong people can also access them. We don’t just mean unauthorized users within the organization, but also cybercriminals.
Attackers who impersonate an authorized user can gain access to the critical information the organization hosts in the cloud. Recently, a group of hackers located the super admin credentials for security camera company Verkada and gained access to Verkada customers' surveillance cameras, including those of Tesla and the Madison County Jail.
Existing security technologies are not effective in protecting SaaS applications. Traditional security models are designed for the on-premises world, but when it comes to the SaaS environment, it's simply not practical to backhaul traffic to a central location to secure it and then send it back out to the internet. This adds latency and degrades performance, and ultimately produces a poor user experience that defeats the purpose of SaaS.
As a result, we’re now seeing organizations rethink the way they offer access to applications and the way they stand up security services in front of those applications.
IP lockdown, restricting a SaaS tenant so that it accepts connections only from the egress addresses of the ZTNA infrastructure, has become one way to ensure that only users coming across the secure and modern ZTNA path can access the SaaS applications. Doing so helps prevent account takeover by adding a layer of security that attackers with stolen credentials alone will struggle to defeat.
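As an added example (not from the article or Wandera), here is a check that IP lockdown is actually enforced: it scans SaaS sign-in audit records and flags successful logins whose source address is outside the ZTNA gateways' egress ranges. The egress ranges and the log lines are constructed placeholders.

```python
import ipaddress
from typing import Dict, List

# Hypothetical egress ranges of the ZTNA gateways (documentation-range placeholders).
ZTNA_EGRESS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:10::/48")]

# Constructed sample of SaaS sign-in audit records: "timestamp user source_ip result".
SAMPLE_SIGNIN_LOG = """\
2024-03-01T08:01:12Z alice 203.0.113.45 success
2024-03-01T08:02:30Z bob 198.51.100.7 success
2024-03-01T08:03:05Z carol 2001:db8:10::1f success
2024-03-01T08:04:44Z dave 192.0.2.99 failure
"""


def from_ztna(ip: str) -> bool:
    """True when the source address falls inside a ZTNA egress range (v4 or v6)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ZTNA_EGRESS)


def parse_signins(log: str) -> List[Dict[str, str]]:
    """Parse the whitespace-separated constructed log format into records."""
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        rows.append({"ts": ts, "user": user, "ip": ip, "result": result})
    return rows


def lockdown_violations(log: str) -> List[Dict[str, str]]:
    """Successful sign-ins that bypassed ZTNA: each one means IP lockdown is
    missing or misconfigured for this tenant, or the egress range list is stale."""
    return [r for r in parse_signins(log)
            if r["result"] == "success" and not from_ztna(r["ip"])]


def blocked_outside_ztna(log: str) -> List[Dict[str, str]]:
    """Failed sign-ins from outside ZTNA: evidence the lockdown is doing its job."""
    return [r for r in parse_signins(log)
            if r["result"] == "failure" and not from_ztna(r["ip"])]


if __name__ == "__main__":
    for v in lockdown_violations(SAMPLE_SIGNIN_LOG):
        print(f"{v['ts']} {v['user']} signed in from {v['ip']} outside ZTNA egress")
```

Run it against exported sign-in logs from the SaaS tenant; an empty violation list together with a non-empty blocked list is what a working lockdown looks like.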
Identify underserved devices or platforms
Standing up security in front of applications is a good start, but companies also need to consider how workers are interfacing with business applications today.
With the broad adoption of remote work, IT now manages far more platform diversity. Gone are the days of owned and managed Windows device estates; it's now very common for IT to manage a combination of platforms including macOS, iOS and Android.
While users like having multiple hardware choices, this leads to inconsistent management and security policies, leaving businesses exposed when threats are present on an endpoint.
We have heard from customers that some groups of end users are underserved when it comes to remote access. It's often caused by poor remote access support in the installed solution (e.g., there's no client for macOS), or by end users being prevented from using the tool efficiently (for example, many legacy VPN clients cause mobile apps to break when re-establishing connections after a network transition).
C-TEC, a manufacturer of alarm systems, decided to look for a VPN alternative because users were being interrupted by multiple multifactor authentication prompts for Microsoft 365 services when they were outside the corporate perimeter and connecting via the VPN. The company deployed a ZTNA solution starting with its iOS and macOS devices and wants to deploy it on Windows devices next. Throughout the rest of the year, C-TEC will migrate some of its leading enterprise applications to the cloud and start connecting users with ZTNA. Taking this step-by-step approach has made the transition to ZTNA much easier.
Starting with mobile SaaS apps made sense because they are greenfield: relatively new and not weighed down by layers of legacy technology. It's also the right place to combine endpoint risk assessments and remote access policies, because security teams can apply both through unified tools.
Expand to more applications and devices
ZTNA doesn't have to be a difficult journey. Implement ZTNA strategically so that not every app or user needs to convert on day one. That means identifying groups of applications and groups of devices that are underserved and that don't require the complicated removal of legacy technology. Once these greenfield areas are identified, they can act as a proving ground for ZTNA within the organization.
By rolling out ZTNA on a subset of applications and a subset of devices, the company can avoid disruption and get better security in the process.
Michael Covington, vice president, product strategy, Wandera