In its Market Guide for Zero Trust Network Access (ZTNA), Gartner estimates that by 2022, 80% of new business applications open to a partner ecosystem will be accessible via a ZTNA solution. According to Gartner, by 2023, 60% of companies will have replaced their remote VPN access with the ZTNA remote access. Zero Trust is therefore emerging as one of the key issues for CIOs and CISOs in the coming years.
ZTNA / Zero Trust : what are the origins ?
The concept of Zero Trust is relatively new and although the subject is being addressed by more and more organizations, this model is not yet as popular as the VPN. It was John Kindervag, at that time Vice President and Senior Analyst in Forrester’s Security and Risk team, who created, or at least formalized, the Zero Trust concept in 2010.
Today, the U.S. House of Representatives recommends that all government agencies adopt the Zero Trust model. This recommendation comes after a massive data theft experienced in 2014 by the Office of Personnel Management (OPM), the principal human resources management agency and personnel policy manager of the United States federal government. This data breach is considered the worst in the history of the U.S. government, affecting the personal data of 21.5 million employees and former employees within the U.S. government.
In this data theft, the hackers would probably have obtained access authorizations via social engineering, a practice that involves manipulating people by gaining their trust in order to retrieve information. By putting the Zero Trust concept into practice, this massive data breach could probably have been prevented or had its impact largely minimized.
The Zero Trust concept
The Zero Trust is a model that aims to protect the information system (IS) and data of organizations on the premise that they cannot trust anyone. It is therefore a question of verifying both the identities of the people accessing the IS and the devices used to access it, whether they are located outside or inside the organization’s network. This was not the case in older approaches to IS security, which assumed that users and devices located within an organization’s network were trustworthy because they had already passed the organization’s perimeter defenses.
This trust previously given to a user within an organization IS is a source of vulnerability since once an attacker has penetrated an organization’s network, he or she can potentially gain access to the organization’s sensitive resources and data. Several principles allow organizations to implement Zero Trust security, including the following:
Principle of least privilege: Give users only those privileges which are essential to perform their tasks. This is also a key principle of the ANSSI (The National Cybersecurity Agency of France) in its recommendations for the implementation of system partitioning. This practice allows the impact area to be restricted in the event of malicious activity (doc PG-040): “Prohibiting by default any action and proceeding with the exclusive authorization of what is essential for the tasks is the most effective strategy for implementing the principle of least privilege.”
Control of devices accessing the IS: It is not sufficient to control the users accessing the IS. If this user is authorized to access the IS, the device through which he accesses the IS, must also be checked. A benevolent user can indeed unknowingly have a malicious program installed on his device and thus contaminate the IS he is accessing.
Multi-factor authentication: Another important element of the Zero Trust model is the Multi-Factor Authentication (MFA), which makes malicious access more complex by requiring multiple proofs of identity from the user wishing to access the information system. Currently, simple authentication is often done using a login/password couple, an authentication element that can be easily usurped, particularly via social engineering, a practice that enabled the data theft from the Office of Personnel Management in 2014. With the MFA, the user will authenticate himself with at least two of three types of authentication factors: something he knows, such as the login/password couple, something he has, for example via a code received on his smartphone, and something he “is”, for example, his fingerprint or retinal print.
Deploying Zero Trust within your organization
Several solutions allow organizations to comply with the key principles of Zero Trust. The implementation of an access control solution using strong authentication, such as Systancia Access, for example, will enable organizations to make multi-factor authentication mandatory for all employees.
On the other hand, a ZTNA solution such as Systancia Gate will enable highly secure access to selected IS resources for all types of user (mobile employees, teleworkers, outsourcers, etc.) via a single access point, with no incoming flows and no network port opening. The risk of IS contamination is thus limited. The devices used by the employees of an organization can also be checked to ensure that they are compliant. In concrete terms, it is possible to implement rules to validate, for example, the presence of an antivirus, a firewall or updates. The Zero Trust can thus be adapted to many use cases, particularly for teleworking or BYOD (Bring Your Own Device), a practice that is not considered to be very secure by IT Departments.